current version

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2025.6.0
+current_version = 2025.6.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize =
+serialize = 
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:rc_t]
-values =
+values = 
 	rc
 	final
 optional_value = final

.dockerignore

@@ -5,8 +5,10 @@ dist/**
 build/**
 build_docs/**
 *Dockerfile
+**/*Dockerfile
 blueprints/local
 .git
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/
+.venv

.github/dependabot.yml

@@ -100,6 +100,13 @@ updates:
       goauthentik:
         patterns:
           - "@goauthentik/*"
+      eslint:
+        patterns:
+          - "@eslint/*"
+          - "@typescript-eslint/*"
+          - "eslint-*"
+          - "eslint"
+          - "typescript-eslint"
   - package-ecosystem: npm
     directory: "/lifecycle/aws"
     schedule:

.github/workflows/ci-website.yml

@@ -41,32 +41,60 @@ jobs:
       - name: test
         working-directory: website/
         run: npm test
-  build:
+  build-container:
     runs-on: ubuntu-latest
-    name: ${{ matrix.job }}
-    strategy:
-      fail-fast: false
-      matrix:
-        job:
-          - build
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        run: npm ci
-      - name: build
-        working-directory: website/
-        run: npm run ${{ matrix.job }}
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.6.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/dev-docs
+      - name: Login to Container Registry
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build Docker Image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          tags: ${{ steps.ev.outputs.imageTags }}
+          file: website/Dockerfile
+          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          platforms: linux/amd64,linux/arm64
+          context: .
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   ci-website-mark:
     if: always()
     needs:
       - lint
       - test
-      - build
+      - build-container
     runs-on: ubuntu-latest
     steps:
       - uses: re-actors/alls-green@release/v1

.github/workflows/release-publish.yml

@@ -20,6 +20,49 @@ jobs:
       release: true
       registry_dockerhub: true
       registry_ghcr: true
+  build-docs:
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.6.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/docs
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build Docker Image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          tags: ${{ steps.ev.outputs.imageTags }}
+          file: website/Dockerfile
+          push: true
+          platforms: linux/amd64,linux/arm64
+          context: .
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        if: true
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
@@ -193,6 +236,6 @@ jobs:
           SENTRY_ORG: authentik-security-inc
           SENTRY_PROJECT: authentik
         with:
-          version: authentik@${{ steps.ev.outputs.version }}
+          release: authentik@${{ steps.ev.outputs.version }}
           sourcemaps: "./web/dist"
           url_prefix: "~/static/dist"

Dockerfile

@@ -1,26 +1,7 @@
 # syntax=docker/dockerfile:1
 
-# Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS website-builder
-
-ENV NODE_ENV=production
-
-WORKDIR /work/website
-
-RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
-    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
-    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
-    npm ci --include=dev
-
-COPY ./website /work/website/
-COPY ./blueprints /work/blueprints/
-COPY ./schema.yml /work/
-COPY ./SECURITY.md /work/
-
-RUN npm run build-bundled
-
-# Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS web-builder
+# Stage 1: Build webui
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -32,7 +13,7 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
     --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
     --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
+    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./package.json /work
@@ -43,7 +24,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build && \
     npm run build:sfe
 
-# Stage 3: Build go proxy
+# Stage 2: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
 
 ARG TARGETOS
@@ -68,8 +49,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@@ -80,7 +61,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
     go build -o /go/authentik ./cmd/server
 
-# Stage 4: MaxMind GeoIP
+# Stage 3: MaxMind GeoIP
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
@@ -93,10 +74,10 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     mkdir -p /usr/share/GeoIP && \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
-# Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.11 AS uv
-# Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
+# Stage 4: Download uv
+FROM ghcr.io/astral-sh/uv:0.7.13 AS uv
+# Stage 5: Base python image
+FROM ghcr.io/goauthentik/fips-python:3.13.4-slim-bookworm-fips AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
     PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@@ -109,7 +90,7 @@ WORKDIR /ak-root/
 
 COPY --from=uv /uv /uvx /bin/
 
-# Stage 7: Python dependencies
+# Stage 6: Python dependencies
 FROM python-base AS python-deps
 
 ARG TARGETARCH
@@ -144,7 +125,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
     --mount=type=cache,target=/root/.cache/uv \
     uv sync --frozen --no-install-project --no-dev
 
-# Stage 8: Run
+# Stage 7: Run
 FROM python-base AS final-image
 
 ARG VERSION
@@ -187,9 +168,8 @@ COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
-COPY --from=web-builder /work/web/dist/ /web/dist/
-COPY --from=web-builder /work/web/authentik/ /web/authentik/
-COPY --from=website-builder /work/website/build/ /website/help/
+COPY --from=node-builder /work/web/dist/ /web/dist/
+COPY --from=node-builder /work/web/authentik/ /web/authentik/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2025.6.0"
+__version__ = "2025.6.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/metrics.py

@@ -1,79 +0,0 @@
-"""authentik administration metrics"""
-
-from datetime import timedelta
-
-from django.db.models.functions import ExtractHour
-from drf_spectacular.utils import extend_schema, extend_schema_field
-from guardian.shortcuts import get_objects_for_user
-from rest_framework.fields import IntegerField, SerializerMethodField
-from rest_framework.permissions import IsAuthenticated
-from rest_framework.request import Request
-from rest_framework.response import Response
-from rest_framework.views import APIView
-
-from authentik.core.api.utils import PassiveSerializer
-from authentik.events.models import EventAction
-
-
-class CoordinateSerializer(PassiveSerializer):
-    """Coordinates for diagrams"""
-
-    x_cord = IntegerField(read_only=True)
-    y_cord = IntegerField(read_only=True)
-
-
-class LoginMetricsSerializer(PassiveSerializer):
-    """Login Metrics per 1h"""
-
-    logins = SerializerMethodField()
-    logins_failed = SerializerMethodField()
-    authorizations = SerializerMethodField()
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins(self, _):
-        """Get successful logins per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins_failed(self, _):
-        """Get failed logins per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN_FAILED
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_authorizations(self, _):
-        """Get successful authorizations per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        return (
-            get_objects_for_user(user, "authentik_events.view_event").filter(
-                action=EventAction.AUTHORIZE_APPLICATION
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-
-class AdministrationMetricsViewSet(APIView):
-    """Login Metrics per 1h"""
-
-    permission_classes = [IsAuthenticated]
-
-    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
-    def get(self, request: Request) -> Response:
-        """Login Metrics per 1h"""
-        serializer = LoginMetricsSerializer(True)
-        serializer.context["user"] = request.user
-        return Response(serializer.data)

authentik/admin/tests/test_api.py

@@ -36,11 +36,6 @@ class TestAdminAPI(TestCase):
         body = loads(response.content)
         self.assertEqual(len(body), 0)
 
-    def test_metrics(self):
-        """Test metrics API"""
-        response = self.client.get(reverse("authentik_api:admin_metrics"))
-        self.assertEqual(response.status_code, 200)
-
     def test_apps(self):
         """Test apps API"""
         response = self.client.get(reverse("authentik_api:apps-list"))

authentik/admin/urls.py

@@ -3,7 +3,6 @@
 from django.urls import path
 
 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
-from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
@@ -12,11 +11,6 @@ from authentik.admin.api.workers import WorkerView
 api_urlpatterns = [
     ("admin/apps", AppsViewSet, "apps"),
     ("admin/models", ModelViewSet, "models"),
-    path(
-        "admin/metrics/",
-        AdministrationMetricsViewSet.as_view(),
-        name="admin_metrics",
-    ),
     path("admin/version/", VersionView.as_view(), name="admin_version"),
     ("admin/version/history", VersionHistoryViewSet, "version_history"),
     path("admin/workers/", WorkerView.as_view(), name="admin_workers"),

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -134,7 +134,7 @@ class Command(BaseCommand):
                 "id": {"type": "string"},
                 "state": {
                     "type": "string",
-                    "enum": [s.value for s in BlueprintEntryDesiredState],
+                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},
@@ -205,7 +205,7 @@ class Command(BaseCommand):
                 "type": "object",
                 "required": ["permission"],
                 "properties": {
-                    "permission": {"type": "string", "enum": perms},
+                    "permission": {"type": "string", "enum": sorted(perms)},
                     "user": {"type": "integer"},
                     "role": {"type": "string"},
                 },

authentik/blueprints/v1/meta/registry.py

@@ -47,7 +47,7 @@ class MetaModelRegistry:
         models = apps.get_models()
         for _, value in self.models.items():
             models.append(value)
-        return models
+        return sorted(models, key=str)
 
     def get_model(self, app_label: str, model_id: str) -> type[Model]:
         """Get model checks if any virtual models are registered, and falls back

authentik/brands/tests.py

@@ -148,3 +148,14 @@ class TestBrands(APITestCase):
                 "default_locale": "",
             },
         )
+
+    def test_custom_css(self):
+        """Test custom_css"""
+        brand = create_test_brand()
+        brand.branding_custom_css = """* {
+            font-family: "Foo bar";
+        }"""
+        brand.save()
+        res = self.client.get(reverse("authentik_core:if-user"))
+        self.assertEqual(res.status_code, 200)
+        self.assertIn(brand.branding_custom_css, res.content.decode())

authentik/brands/utils.py

@@ -5,6 +5,8 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
+from django.utils.html import _json_script_escapes
+from django.utils.safestring import mark_safe
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
@@ -32,8 +34,13 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
     """Context Processor that injects brand object into every template"""
     brand = getattr(request, "brand", DEFAULT_BRAND)
     tenant = getattr(request, "tenant", Tenant())
+    # similarly to `json_script` we escape everything HTML-related, however django
+    # only directly exposes this as a function that also wraps it in a <script> tag
+    # which we dont want for CSS
+    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
     return {
         "brand": brand,
+        "brand_css": brand_css,
         "footer_links": tenant.footer_links,
         "html_meta": {**get_http_meta()},
         "version": get_full_version(),

authentik/core/api/applications.py

@@ -2,11 +2,9 @@
 
 from collections.abc import Iterator
 from copy import copy
-from datetime import timedelta
 
 from django.core.cache import cache
 from django.db.models import QuerySet
-from django.db.models.functions import ExtractHour
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
@@ -20,7 +18,6 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
-from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
@@ -28,7 +25,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
-from authentik.events.models import EventAction
 from authentik.lib.utils.file import (
     FilePathSerializer,
     FileUploadSerializer,
@@ -321,18 +317,3 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         """Set application icon (as URL)"""
         app: Application = self.get_object()
         return set_file_url(request, app, "meta_icon")
-
-    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
-    @extend_schema(responses={200: CoordinateSerializer(many=True)})
-    @action(detail=True, pagination_class=None, filter_backends=[])
-    def metrics(self, request: Request, slug: str):
-        """Metrics for application logins"""
-        app = self.get_object()
-        return Response(
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
-                action=EventAction.AUTHORIZE_APPLICATION,
-                context__authorized_application__pk=app.pk.hex,
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )

authentik/core/api/users.py

@@ -6,7 +6,6 @@ from typing import Any
 
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
-from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@@ -52,7 +51,6 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
-from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
@@ -317,53 +315,6 @@ class SessionUserSerializer(PassiveSerializer):
     original = UserSelfSerializer(required=False)
 
 
-class UserMetricsSerializer(PassiveSerializer):
-    """User Metrics"""
-
-    logins = SerializerMethodField()
-    logins_failed = SerializerMethodField()
-    authorizations = SerializerMethodField()
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins(self, _):
-        """Get successful logins per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        request = self.context["request"]
-        return (
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN, user__pk=user.pk
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_logins_failed(self, _):
-        """Get failed logins per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        request = self.context["request"]
-        return (
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
-                action=EventAction.LOGIN_FAILED, context__username=user.username
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-    @extend_schema_field(CoordinateSerializer(many=True))
-    def get_authorizations(self, _):
-        """Get failed logins per 8 hours for the last 7 days"""
-        user = self.context["user"]
-        request = self.context["request"]
-        return (
-            get_objects_for_user(request.user, "authentik_events.view_event").filter(
-                action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk
-            )
-            # 3 data points per day, so 8 hour spans
-            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
-        )
-
-
 class UsersFilter(FilterSet):
     """Filter for users"""
 
@@ -607,17 +558,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             update_session_auth_hash(self.request, user)
         return Response(status=204)
 
-    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
-    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
-    @action(detail=True, pagination_class=None, filter_backends=[])
-    def metrics(self, request: Request, pk: int) -> Response:
-        """User metrics per 1h"""
-        user: User = self.get_object()
-        serializer = UserMetricsSerializer(instance={})
-        serializer.context["user"] = user
-        serializer.context["request"] = request
-        return Response(serializer.data)
-
     @permission_required("authentik_core.reset_user_password")
     @extend_schema(
         responses={

authentik/core/templates/base/skeleton.html

@@ -16,7 +16,7 @@
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand.branding_custom_css }}</style>
+        <style>{{ brand_css }}</style>
         <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
         <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
         {% block head %}

authentik/core/templates/if/admin.html

@@ -10,7 +10,7 @@
 {% endblock %}
 
 {% block body %}
-<ak-message-container></ak-message-container>
+<ak-message-container alignment="bottom"></ak-message-container>
 <ak-interface-admin>
     <ak-loading></ak-loading>
 </ak-interface-admin>

authentik/core/tests/test_users_api.py

@@ -81,22 +81,6 @@ class TestUsersAPI(APITestCase):
         response = self.client.get(reverse("authentik_api:user-list"), {"include_groups": "true"})
         self.assertEqual(response.status_code, 200)
 
-    def test_metrics(self):
-        """Test user's metrics"""
-        self.client.force_login(self.admin)
-        response = self.client.get(
-            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def test_metrics_denied(self):
-        """Test user's metrics (non-superuser)"""
-        self.client.force_login(self.user)
-        response = self.client.get(
-            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
-        )
-        self.assertEqual(response.status_code, 403)
-
     def test_recovery_no_flow(self):
         """Test user recovery link (no recovery flow set)"""
         self.client.force_login(self.admin)

authentik/events/api/events.py

@@ -1,28 +1,36 @@
 """Events API Views"""
 
 from datetime import timedelta
-from json import loads
 
 import django_filters
-from django.db.models.aggregates import Count
+from django.db.models import Count, ExpressionWrapper, F, QuerySet
+from django.db.models import DateTimeField as DjangoDateTimeField
 from django.db.models.fields.json import KeyTextTransform, KeyTransform
-from django.db.models.functions import ExtractDay, ExtractHour
+from django.db.models.functions import TruncHour
 from django.db.models.query_utils import Q
+from django.utils.timezone import now
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import DictField, IntegerField
+from rest_framework.fields import ChoiceField, DateTimeField, DictField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 
-from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.core.api.object_types import TypeCreateSerializer
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.events.models import Event, EventAction
 
 
+class EventVolumeSerializer(PassiveSerializer):
+    """Count of events of action created on day"""
+
+    action = ChoiceField(choices=EventAction.choices)
+    time = DateTimeField()
+    count = IntegerField()
+
+
 class EventSerializer(ModelSerializer):
     """Event Serializer"""
 
@@ -53,7 +61,7 @@ class EventsFilter(django_filters.FilterSet):
     """Filter for events"""
 
     username = django_filters.CharFilter(
-        field_name="user", lookup_expr="username", label="Username"
+        field_name="user", label="Username", method="filter_username"
     )
     context_model_pk = django_filters.CharFilter(
         field_name="context",
@@ -78,12 +86,19 @@ class EventsFilter(django_filters.FilterSet):
         field_name="action",
         lookup_expr="icontains",
     )
+    actions = django_filters.MultipleChoiceFilter(
+        field_name="action",
+        choices=EventAction.choices,
+    )
     brand_name = django_filters.CharFilter(
         field_name="brand",
         lookup_expr="name",
         label="Brand name",
     )
 
+    def filter_username(self, queryset, name, value):
+        return queryset.filter(Q(user__username=value) | Q(context__username=value))
+
     def filter_context_model_pk(self, queryset, name, value):
         """Because we store the PK as UUID.hex,
         we need to remove the dashes that a client may send. We can't use a
@@ -156,45 +171,37 @@ class EventViewSet(ModelViewSet):
         return Response(EventTopPerUserSerializer(instance=events, many=True).data)
 
     @extend_schema(
-        responses={200: CoordinateSerializer(many=True)},
-    )
-    @action(detail=False, methods=["GET"], pagination_class=None)
-    def volume(self, request: Request) -> Response:
-        """Get event volume for specified filters and timeframe"""
-        queryset = self.filter_queryset(self.get_queryset())
-        return Response(queryset.get_events_per(timedelta(days=7), ExtractHour, 7 * 3))
-
-    @extend_schema(
-        responses={200: CoordinateSerializer(many=True)},
-        filters=[],
+        responses={200: EventVolumeSerializer(many=True)},
         parameters=[
             OpenApiParameter(
-                "action",
-                type=OpenApiTypes.STR,
-                location=OpenApiParameter.QUERY,
-                required=False,
-            ),
-            OpenApiParameter(
-                "query",
-                type=OpenApiTypes.STR,
+                "history_days",
+                type=OpenApiTypes.NUMBER,
                 location=OpenApiParameter.QUERY,
                 required=False,
+                default=7,
             ),
         ],
     )
     @action(detail=False, methods=["GET"], pagination_class=None)
-    def per_month(self, request: Request):
-        """Get the count of events per month"""
-        filtered_action = request.query_params.get("action", EventAction.LOGIN)
-        try:
-            query = loads(request.query_params.get("query", "{}"))
-        except ValueError:
-            return Response(status=400)
+    def volume(self, request: Request) -> Response:
+        """Get event volume for specified filters and timeframe"""
+        queryset: QuerySet[Event] = self.filter_queryset(self.get_queryset())
+        delta = timedelta(days=7)
+        time_delta = request.query_params.get("history_days", 7)
+        if time_delta:
+            delta = timedelta(days=min(int(time_delta), 60))
         return Response(
-            get_objects_for_user(request.user, "authentik_events.view_event")
-            .filter(action=filtered_action)
-            .filter(**query)
-            .get_events_per(timedelta(weeks=4), ExtractDay, 30)
+            queryset.filter(created__gte=now() - delta)
+            .annotate(hour=TruncHour("created"))
+            .annotate(
+                time=ExpressionWrapper(
+                    F("hour") - (F("hour__hour") % 6) * timedelta(hours=1),
+                    output_field=DjangoDateTimeField(),
+                )
+            )
+            .values("time", "action")
+            .annotate(count=Count("pk"))
+            .order_by("time", "action")
         )
 
     @extend_schema(responses={200: TypeCreateSerializer(many=True)})

authentik/events/models.py

@@ -1,7 +1,5 @@
 """authentik events models"""
 
-import time
-from collections import Counter
 from datetime import timedelta
 from difflib import get_close_matches
 from functools import lru_cache
@@ -11,11 +9,6 @@ from uuid import uuid4
 
 from django.apps import apps
 from django.db import connection, models
-from django.db.models import Count, ExpressionWrapper, F
-from django.db.models.fields import DurationField
-from django.db.models.functions import Extract
-from django.db.models.manager import Manager
-from django.db.models.query import QuerySet
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.utils.timezone import now
@@ -124,60 +117,6 @@ class EventAction(models.TextChoices):
     CUSTOM_PREFIX = "custom_"
 
 
-class EventQuerySet(QuerySet):
-    """Custom events query set with helper functions"""
-
-    def get_events_per(
-        self,
-        time_since: timedelta,
-        extract: Extract,
-        data_points: int,
-    ) -> list[dict[str, int]]:
-        """Get event count by hour in the last day, fill with zeros"""
-        _now = now()
-        max_since = timedelta(days=60)
-        # Allow maximum of 60 days to limit load
-        if time_since.total_seconds() > max_since.total_seconds():
-            time_since = max_since
-        date_from = _now - time_since
-        result = (
-            self.filter(created__gte=date_from)
-            .annotate(age=ExpressionWrapper(_now - F("created"), output_field=DurationField()))
-            .annotate(age_interval=extract("age"))
-            .values("age_interval")
-            .annotate(count=Count("pk"))
-            .order_by("age_interval")
-        )
-        data = Counter({int(d["age_interval"]): d["count"] for d in result})
-        results = []
-        interval_delta = time_since / data_points
-        for interval in range(1, -data_points, -1):
-            results.append(
-                {
-                    "x_cord": time.mktime((_now + (interval_delta * interval)).timetuple()) * 1000,
-                    "y_cord": data[interval * -1],
-                }
-            )
-        return results
-
-
-class EventManager(Manager):
-    """Custom helper methods for Events"""
-
-    def get_queryset(self) -> QuerySet:
-        """use custom queryset"""
-        return EventQuerySet(self.model, using=self._db)
-
-    def get_events_per(
-        self,
-        time_since: timedelta,
-        extract: Extract,
-        data_points: int,
-    ) -> list[dict[str, int]]:
-        """Wrap method from queryset"""
-        return self.get_queryset().get_events_per(time_since, extract, data_points)
-
-
 class Event(SerializerModel, ExpiringModel):
     """An individual Audit/Metrics/Notification/Error Event"""
 
@@ -193,8 +132,6 @@ class Event(SerializerModel, ExpiringModel):
     # Shadow the expires attribute from ExpiringModel to override the default duration
     expires = models.DateTimeField(default=default_event_duration)
 
-    objects = EventManager()
-
     @staticmethod
     def _get_app_from_request(request: HttpRequest) -> str:
         if not isinstance(request, HttpRequest):

authentik/flows/views/executor.py

@@ -69,6 +69,7 @@ SESSION_KEY_APPLICATION_PRE = "authentik/flows/application_pre"
 SESSION_KEY_GET = "authentik/flows/get"
 SESSION_KEY_POST = "authentik/flows/post"
 SESSION_KEY_HISTORY = "authentik/flows/history"
+SESSION_KEY_AUTH_STARTED = "authentik/flows/auth_started"
 QS_KEY_TOKEN = "flow_token"  # nosec
 QS_QUERY = "query"
 
@@ -454,6 +455,7 @@ class FlowExecutorView(APIView):
             SESSION_KEY_APPLICATION_PRE,
             SESSION_KEY_PLAN,
             SESSION_KEY_GET,
+            SESSION_KEY_AUTH_STARTED,
             # We might need the initial POST payloads for later requests
             # SESSION_KEY_POST,
             # We don't delete the history on purpose, as a user might

authentik/flows/views/interface.py

@@ -6,7 +6,8 @@ from django.shortcuts import get_object_or_404
 from ua_parser.user_agent_parser import Parse
 
 from authentik.core.views.interface import InterfaceView
-from authentik.flows.models import Flow
+from authentik.flows.models import Flow, FlowDesignation
+from authentik.flows.views.executor import SESSION_KEY_AUTH_STARTED
 
 
 class FlowInterfaceView(InterfaceView):
@@ -14,6 +15,12 @@ class FlowInterfaceView(InterfaceView):
 
     def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
         flow = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        if (
+            not self.request.user.is_authenticated
+            and flow.designation == FlowDesignation.AUTHENTICATION
+        ):
+            self.request.session[SESSION_KEY_AUTH_STARTED] = True
+            self.request.session.save()
         kwargs["flow"] = flow
         kwargs["flow_background_url"] = flow.background_url(self.request)
         kwargs["inspector"] = "inspector" in self.request.GET

authentik/outposts/consumer.py

@@ -37,6 +37,9 @@ class WebsocketMessageInstruction(IntEnum):
     # Provider specific message
     PROVIDER_SPECIFIC = 3
 
+    # Session ended
+    SESSION_END = 4
+
 
 @dataclass(slots=True)
 class WebsocketMessage:
@@ -145,6 +148,14 @@ class OutpostConsumer(JsonWebsocketConsumer):
             asdict(WebsocketMessage(instruction=WebsocketMessageInstruction.TRIGGER_UPDATE))
         )
 
+    def event_session_end(self, event):
+        """Event handler which is called when a session is ended"""
+        self.send_json(
+            asdict(
+                WebsocketMessage(instruction=WebsocketMessageInstruction.SESSION_END, args=event)
+            )
+        )
+
     def event_provider_specific(self, event):
         """Event handler which can be called by provider-specific
         implementations to send specific messages to the outpost"""

authentik/outposts/signals.py

@@ -1,17 +1,24 @@
 """authentik outpost signals"""
 
+from django.contrib.auth.signals import user_logged_out
 from django.core.cache import cache
 from django.db.models import Model
 from django.db.models.signals import m2m_changed, post_save, pre_delete, pre_save
 from django.dispatch import receiver
+from django.http import HttpRequest
 from structlog.stdlib import get_logger
 
 from authentik.brands.models import Brand
-from authentik.core.models import Provider
+from authentik.core.models import AuthenticatedSession, Provider, User
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.utils.reflection import class_to_path
 from authentik.outposts.models import Outpost, OutpostServiceConnection
-from authentik.outposts.tasks import CACHE_KEY_OUTPOST_DOWN, outpost_controller, outpost_post_save
+from authentik.outposts.tasks import (
+    CACHE_KEY_OUTPOST_DOWN,
+    outpost_controller,
+    outpost_post_save,
+    outpost_session_end,
+)
 
 LOGGER = get_logger()
 UPDATE_TRIGGERING_MODELS = (
@@ -73,3 +80,17 @@ def pre_delete_cleanup(sender, instance: Outpost, **_):
     instance.user.delete()
     cache.set(CACHE_KEY_OUTPOST_DOWN % instance.pk.hex, instance)
     outpost_controller.delay(instance.pk.hex, action="down", from_cache=True)
+
+
+@receiver(user_logged_out)
+def logout_revoke_direct(sender: type[User], request: HttpRequest, **_):
+    """Catch logout by direct logout and forward to providers"""
+    if not request.session or not request.session.session_key:
+        return
+    outpost_session_end.delay(request.session.session_key)
+
+
+@receiver(pre_delete, sender=AuthenticatedSession)
+def logout_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
+    """Catch logout by expiring sessions being deleted"""
+    outpost_session_end.delay(instance.session.session_key)

authentik/outposts/tasks.py

@@ -1,5 +1,6 @@
 """outpost tasks"""
 
+from hashlib import sha256
 from os import R_OK, access
 from pathlib import Path
 from socket import gethostname
@@ -49,6 +50,11 @@ LOGGER = get_logger()
 CACHE_KEY_OUTPOST_DOWN = "goauthentik.io/outposts/teardown/%s"
 
 
+def hash_session_key(session_key: str) -> str:
+    """Hash the session key for sending session end signals"""
+    return sha256(session_key.encode("ascii")).hexdigest()
+
+
 def controller_for_outpost(outpost: Outpost) -> type[BaseController] | None:
     """Get a controller for the outpost, when a service connection is defined"""
     if not outpost.service_connection:
@@ -289,3 +295,20 @@ def outpost_connection_discovery(self: SystemTask):
                 url=unix_socket_path,
             )
     self.set_status(TaskStatus.SUCCESSFUL, *messages)
+
+
+@CELERY_APP.task()
+def outpost_session_end(session_id: str):
+    """Update outpost instances connected to a single outpost"""
+    layer = get_channel_layer()
+    hashed_session_id = hash_session_key(session_id)
+    for outpost in Outpost.objects.all():
+        LOGGER.info("Sending session end signal to outpost", outpost=outpost)
+        group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
+        async_to_sync(layer.group_send)(
+            group,
+            {
+                "type": "event.session.end",
+                "session_id": hashed_session_id,
+            },
+        )

authentik/outposts/tests/test_ws.py

@@ -1,11 +1,9 @@
 """Websocket tests"""
 
 from dataclasses import asdict
-from unittest.mock import patch
 
 from channels.routing import URLRouter
 from channels.testing import WebsocketCommunicator
-from django.contrib.contenttypes.models import ContentType
 from django.test import TransactionTestCase
 
 from authentik import __version__
@@ -16,12 +14,6 @@ from authentik.providers.proxy.models import ProxyProvider
 from authentik.root import websocket
 
 
-def patched__get_ct_cached(app_label, codename):
-    """Caches `ContentType` instances like its `QuerySet` does."""
-    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
-
-
-@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestOutpostWS(TransactionTestCase):
     """Websocket tests"""
 

authentik/policies/apps.py

@@ -39,3 +39,4 @@ class AuthentikPoliciesConfig(ManagedAppConfig):
     label = "authentik_policies"
     verbose_name = "authentik Policies"
     default = True
+    mountpoint = "policy/"

authentik/policies/templates/policies/buffer.html

@@ -0,0 +1,89 @@
+{% extends 'login/base_full.html' %}
+
+{% load static %}
+{% load i18n %}
+
+{% block head %}
+{{ block.super }}
+<script>
+  let redirecting = false;
+  const checkAuth = async () => {
+    if (redirecting) return true;
+    const url = "{{ check_auth_url }}";
+    console.debug("authentik/policies/buffer: Checking authentication...");
+    try {
+      const result = await fetch(url, {
+        method: "HEAD",
+      });
+      if (result.status >= 400) {
+        return false
+      }
+      console.debug("authentik/policies/buffer: Continuing");
+      redirecting = true;
+      if ("{{ auth_req_method }}" === "post") {
+        document.querySelector("form").submit();
+      } else {
+        window.location.assign("{{ continue_url|escapejs }}");
+      }
+    } catch {
+      return false;
+    }
+  };
+  let timeout = 100;
+  let offset = 20;
+  let attempt = 0;
+  const main = async () => {
+    attempt += 1;
+    await checkAuth();
+    console.debug(`authentik/policies/buffer: Waiting ${timeout}ms...`);
+    setTimeout(main, timeout);
+    timeout += (offset * attempt);
+    if (timeout >= 2000) {
+      timeout = 2000;
+    }
+  }
+  document.addEventListener("visibilitychange", async () => {
+    if (document.hidden) return;
+    console.debug("authentik/policies/buffer: Checking authentication on tab activate...");
+    await checkAuth();
+  });
+  main();
+</script>
+{% endblock %}
+
+{% block title %}
+{% trans 'Waiting for authentication...' %} - {{ brand.branding_title }}
+{% endblock %}
+
+{% block card_title %}
+{% trans 'Waiting for authentication...' %}
+{% endblock %}
+
+{% block card %}
+<form class="pf-c-form" method="{{ auth_req_method }}" action="{{ continue_url }}">
+  {% if auth_req_method == "post" %}
+    {% for key, value in auth_req_body.items %}
+      <input type="hidden" name="{{ key }}" value="{{ value }}" />
+    {% endfor %}
+  {% endif %}
+  <div class="pf-c-empty-state">
+    <div class="pf-c-empty-state__content">
+      <div class="pf-c-empty-state__icon">
+        <span class="pf-c-spinner pf-m-xl" role="progressbar">
+          <span class="pf-c-spinner__clipper"></span>
+          <span class="pf-c-spinner__lead-ball"></span>
+          <span class="pf-c-spinner__tail-ball"></span>
+        </span>
+      </div>
+      <h1 class="pf-c-title pf-m-lg">
+        {% trans "You're already authenticating in another tab. This page will refresh once authentication is completed." %}
+      </h1>
+    </div>
+  </div>
+  <div class="pf-c-form__group pf-m-action">
+    <a href="{{ auth_req_url }}" class="pf-c-button pf-m-primary pf-m-block">
+      {% trans "Authenticate in this tab" %}
+    </a>
+  </div>
+</form>
+{% endblock %}

authentik/policies/tests/test_views.py

@@ -0,0 +1,121 @@
+from django.contrib.auth.models import AnonymousUser
+from django.contrib.sessions.middleware import SessionMiddleware
+from django.http import HttpResponse
+from django.test import RequestFactory, TestCase
+from django.urls import reverse
+
+from authentik.core.models import Application, Provider
+from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.flows.models import FlowDesignation
+from authentik.flows.planner import FlowPlan
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import dummy_get_response
+from authentik.policies.views import (
+    QS_BUFFER_ID,
+    SESSION_KEY_BUFFER,
+    BufferedPolicyAccessView,
+    BufferView,
+    PolicyAccessView,
+)
+
+
+class TestPolicyViews(TestCase):
+    """Test PolicyAccessView"""
+
+    def setUp(self):
+        super().setUp()
+        self.factory = RequestFactory()
+        self.user = create_test_user()
+
+    def test_pav(self):
+        """Test simple policy access view"""
+        provider = Provider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+
+        class TestView(PolicyAccessView):
+            def resolve_provider_application(self):
+                self.provider = provider
+                self.application = app
+
+            def get(self, *args, **kwargs):
+                return HttpResponse("foo")
+
+        req = self.factory.get("/")
+        req.user = self.user
+        res = TestView.as_view()(req)
+        self.assertEqual(res.status_code, 200)
+        self.assertEqual(res.content, b"foo")
+
+    def test_pav_buffer(self):
+        """Test simple policy access view"""
+        provider = Provider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
+
+        class TestView(BufferedPolicyAccessView):
+            def resolve_provider_application(self):
+                self.provider = provider
+                self.application = app
+
+            def get(self, *args, **kwargs):
+                return HttpResponse("foo")
+
+        req = self.factory.get("/")
+        req.user = AnonymousUser()
+        middleware = SessionMiddleware(dummy_get_response)
+        middleware.process_request(req)
+        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
+        req.session.save()
+        res = TestView.as_view()(req)
+        self.assertEqual(res.status_code, 302)
+        self.assertTrue(res.url.startswith(reverse("authentik_policies:buffer")))
+
+    def test_pav_buffer_skip(self):
+        """Test simple policy access view (skip buffer)"""
+        provider = Provider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
+
+        class TestView(BufferedPolicyAccessView):
+            def resolve_provider_application(self):
+                self.provider = provider
+                self.application = app
+
+            def get(self, *args, **kwargs):
+                return HttpResponse("foo")
+
+        req = self.factory.get("/?skip_buffer=true")
+        req.user = AnonymousUser()
+        middleware = SessionMiddleware(dummy_get_response)
+        middleware.process_request(req)
+        req.session[SESSION_KEY_PLAN] = FlowPlan(flow.pk)
+        req.session.save()
+        res = TestView.as_view()(req)
+        self.assertEqual(res.status_code, 302)
+        self.assertTrue(res.url.startswith(reverse("authentik_flows:default-authentication")))
+
+    def test_buffer(self):
+        """Test buffer view"""
+        uid = generate_id()
+        req = self.factory.get(f"/?{QS_BUFFER_ID}={uid}")
+        req.user = AnonymousUser()
+        middleware = SessionMiddleware(dummy_get_response)
+        middleware.process_request(req)
+        ts = generate_id()
+        req.session[SESSION_KEY_BUFFER % uid] = {
+            "method": "get",
+            "body": {},
+            "url": f"/{ts}",
+        }
+        req.session.save()
+
+        res = BufferView.as_view()(req)
+        self.assertEqual(res.status_code, 200)
+        self.assertIn(ts, res.render().content.decode())

authentik/policies/urls.py

@@ -1,7 +1,14 @@
 """API URLs"""
 
+from django.urls import path
+
 from authentik.policies.api.bindings import PolicyBindingViewSet
 from authentik.policies.api.policies import PolicyViewSet
+from authentik.policies.views import BufferView
+
+urlpatterns = [
+    path("buffer", BufferView.as_view(), name="buffer"),
+]
 
 api_urlpatterns = [
     ("policies/all", PolicyViewSet),

authentik/policies/views.py

@@ -1,23 +1,37 @@
 """authentik access helper classes"""
 
 from typing import Any
+from uuid import uuid4
 
 from django.contrib import messages
 from django.contrib.auth.mixins import AccessMixin
 from django.contrib.auth.views import redirect_to_login
-from django.http import HttpRequest, HttpResponse
+from django.http import HttpRequest, HttpResponse, QueryDict
+from django.shortcuts import redirect
+from django.urls import reverse
+from django.utils.http import urlencode
 from django.utils.translation import gettext as _
-from django.views.generic.base import View
+from django.views.generic.base import TemplateView, View
 from structlog.stdlib import get_logger
 
 from authentik.core.models import Application, Provider, User
-from authentik.flows.views.executor import SESSION_KEY_APPLICATION_PRE, SESSION_KEY_POST
+from authentik.flows.models import Flow, FlowDesignation
+from authentik.flows.planner import FlowPlan
+from authentik.flows.views.executor import (
+    SESSION_KEY_APPLICATION_PRE,
+    SESSION_KEY_AUTH_STARTED,
+    SESSION_KEY_PLAN,
+    SESSION_KEY_POST,
+)
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyRequest, PolicyResult
 
 LOGGER = get_logger()
+QS_BUFFER_ID = "af_bf_id"
+QS_SKIP_BUFFER = "skip_buffer"
+SESSION_KEY_BUFFER = "authentik/policies/pav_buffer/%s"
 
 
 class RequestValidationError(SentryIgnoredException):
@@ -125,3 +139,65 @@ class PolicyAccessView(AccessMixin, View):
             for message in result.messages:
                 messages.error(self.request, _(message))
         return result
+
+
+def url_with_qs(url: str, **kwargs):
+    """Update/set querystring of `url` with the parameters in `kwargs`. Original query string
+    parameters are retained"""
+    if "?" not in url:
+        return url + f"?{urlencode(kwargs)}"
+    url, _, qs = url.partition("?")
+    qs = QueryDict(qs, mutable=True)
+    qs.update(kwargs)
+    return url + f"?{urlencode(qs.items())}"
+
+
+class BufferView(TemplateView):
+    """Buffer view"""
+
+    template_name = "policies/buffer.html"
+
+    def get_context_data(self, **kwargs):
+        buf_id = self.request.GET.get(QS_BUFFER_ID)
+        buffer: dict = self.request.session.get(SESSION_KEY_BUFFER % buf_id)
+        kwargs["auth_req_method"] = buffer["method"]
+        kwargs["auth_req_body"] = buffer["body"]
+        kwargs["auth_req_url"] = url_with_qs(buffer["url"], **{QS_SKIP_BUFFER: True})
+        kwargs["check_auth_url"] = reverse("authentik_api:user-me")
+        kwargs["continue_url"] = url_with_qs(buffer["url"], **{QS_BUFFER_ID: buf_id})
+        return super().get_context_data(**kwargs)
+
+
+class BufferedPolicyAccessView(PolicyAccessView):
+    """PolicyAccessView which buffers access requests in case the user is not logged in"""
+
+    def handle_no_permission(self):
+        plan: FlowPlan | None = self.request.session.get(SESSION_KEY_PLAN)
+        authenticating = self.request.session.get(SESSION_KEY_AUTH_STARTED)
+        if plan:
+            flow = Flow.objects.filter(pk=plan.flow_pk).first()
+            if not flow or flow.designation != FlowDesignation.AUTHENTICATION:
+                LOGGER.debug("Not buffering request, no flow or flow not for authentication")
+                return super().handle_no_permission()
+        if not plan and authenticating is None:
+            LOGGER.debug("Not buffering request, no flow plan active")
+            return super().handle_no_permission()
+        if self.request.GET.get(QS_SKIP_BUFFER):
+            LOGGER.debug("Not buffering request, explicit skip")
+            return super().handle_no_permission()
+        buffer_id = str(uuid4())
+        LOGGER.debug("Buffering access request", bf_id=buffer_id)
+        self.request.session[SESSION_KEY_BUFFER % buffer_id] = {
+            "body": self.request.POST,
+            "url": self.request.build_absolute_uri(self.request.get_full_path()),
+            "method": self.request.method.lower(),
+        }
+        return redirect(
+            url_with_qs(reverse("authentik_policies:buffer"), **{QS_BUFFER_ID: buffer_id})
+        )
+
+    def dispatch(self, request, *args, **kwargs):
+        response = super().dispatch(request, *args, **kwargs)
+        if QS_BUFFER_ID in self.request.GET:
+            self.request.session.pop(SESSION_KEY_BUFFER % self.request.GET[QS_BUFFER_ID], None)
+        return response

authentik/providers/oauth2/views/authorize.py

@@ -30,7 +30,7 @@ from authentik.flows.stage import StageView
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.lib.views import bad_request_message
 from authentik.policies.types import PolicyRequest
-from authentik.policies.views import PolicyAccessView, RequestValidationError
+from authentik.policies.views import BufferedPolicyAccessView, RequestValidationError
 from authentik.providers.oauth2.constants import (
     PKCE_METHOD_PLAIN,
     PKCE_METHOD_S256,
@@ -326,7 +326,7 @@ class OAuthAuthorizationParams:
         return code
 
 
-class AuthorizationFlowInitView(PolicyAccessView):
+class AuthorizationFlowInitView(BufferedPolicyAccessView):
     """OAuth2 Flow initializer, checks access to application and starts flow"""
 
     params: OAuthAuthorizationParams

authentik/providers/proxy/signals.py

@@ -1,23 +0,0 @@
-"""Proxy provider signals"""
-
-from django.contrib.auth.signals import user_logged_out
-from django.db.models.signals import pre_delete
-from django.dispatch import receiver
-from django.http import HttpRequest
-
-from authentik.core.models import AuthenticatedSession, User
-from authentik.providers.proxy.tasks import proxy_on_logout
-
-
-@receiver(user_logged_out)
-def logout_proxy_revoke_direct(sender: type[User], request: HttpRequest, **_):
-    """Catch logout by direct logout and forward to proxy providers"""
-    if not request.session or not request.session.session_key:
-        return
-    proxy_on_logout.delay(request.session.session_key)
-
-
-@receiver(pre_delete, sender=AuthenticatedSession)
-def logout_proxy_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
-    """Catch logout by expiring sessions being deleted"""
-    proxy_on_logout.delay(instance.session.session_key)

authentik/providers/proxy/tasks.py

@@ -1,26 +0,0 @@
-"""proxy provider tasks"""
-
-from asgiref.sync import async_to_sync
-from channels.layers import get_channel_layer
-
-from authentik.outposts.consumer import OUTPOST_GROUP
-from authentik.outposts.models import Outpost, OutpostType
-from authentik.providers.oauth2.id_token import hash_session_key
-from authentik.root.celery import CELERY_APP
-
-
-@CELERY_APP.task()
-def proxy_on_logout(session_id: str):
-    """Update outpost instances connected to a single outpost"""
-    layer = get_channel_layer()
-    hashed_session_id = hash_session_key(session_id)
-    for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
-        group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
-        async_to_sync(layer.group_send)(
-            group,
-            {
-                "type": "event.provider.specific",
-                "sub_type": "logout",
-                "session_id": hashed_session_id,
-            },
-        )

authentik/providers/rac/views.py

@@ -18,11 +18,11 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.views import PolicyAccessView
+from authentik.policies.views import BufferedPolicyAccessView
 from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
 
 
-class RACStartView(PolicyAccessView):
+class RACStartView(BufferedPolicyAccessView):
     """Start a RAC connection by checking access and creating a connection token"""
 
     endpoint: Endpoint

authentik/providers/saml/views/flows.py

@@ -35,8 +35,8 @@ REQUEST_KEY_SAML_SIG_ALG = "SigAlg"
 REQUEST_KEY_SAML_RESPONSE = "SAMLResponse"
 REQUEST_KEY_RELAY_STATE = "RelayState"
 
-SESSION_KEY_AUTH_N_REQUEST = "authentik/providers/saml/authn_request"
-SESSION_KEY_LOGOUT_REQUEST = "authentik/providers/saml/logout_request"
+PLAN_CONTEXT_SAML_AUTH_N_REQUEST = "authentik/providers/saml/authn_request"
+PLAN_CONTEXT_SAML_LOGOUT_REQUEST = "authentik/providers/saml/logout_request"
 
 
 # This View doesn't have a URL on purpose, as its called by the FlowExecutor
@@ -50,10 +50,11 @@ class SAMLFlowFinalView(ChallengeStageView):
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         application: Application = self.executor.plan.context[PLAN_CONTEXT_APPLICATION]
         provider: SAMLProvider = get_object_or_404(SAMLProvider, pk=application.provider_id)
-        if SESSION_KEY_AUTH_N_REQUEST not in self.request.session:
+        if PLAN_CONTEXT_SAML_AUTH_N_REQUEST not in self.executor.plan.context:
+            self.logger.warning("No AuthNRequest in context")
             return self.executor.stage_invalid()
 
-        auth_n_request: AuthNRequest = self.request.session.pop(SESSION_KEY_AUTH_N_REQUEST)
+        auth_n_request: AuthNRequest = self.executor.plan.context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST]
         try:
             response = AssertionProcessor(provider, request, auth_n_request).build_response()
         except SAMLException as exc:
@@ -106,6 +107,3 @@ class SAMLFlowFinalView(ChallengeStageView):
     def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
         # We'll never get here since the challenge redirects to the SP
         return HttpResponseBadRequest()
-
-    def cleanup(self):
-        self.request.session.pop(SESSION_KEY_AUTH_N_REQUEST, None)

authentik/providers/saml/views/slo.py

@@ -19,9 +19,9 @@ from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.logout_request_parser import LogoutRequestParser
 from authentik.providers.saml.views.flows import (
+    PLAN_CONTEXT_SAML_LOGOUT_REQUEST,
     REQUEST_KEY_RELAY_STATE,
     REQUEST_KEY_SAML_REQUEST,
-    SESSION_KEY_LOGOUT_REQUEST,
 )
 
 LOGGER = get_logger()
@@ -33,6 +33,10 @@ class SAMLSLOView(PolicyAccessView):
 
     flow: Flow
 
+    def __init__(self, **kwargs):
+        super().__init__(**kwargs)
+        self.plan_context = {}
+
     def resolve_provider_application(self):
         self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
         self.provider: SAMLProvider = get_object_or_404(
@@ -59,6 +63,7 @@ class SAMLSLOView(PolicyAccessView):
             request,
             {
                 PLAN_CONTEXT_APPLICATION: self.application,
+                **self.plan_context,
             },
         )
         plan.append_stage(in_memory_stage(SessionEndStage))
@@ -83,7 +88,7 @@ class SAMLSLOBindingRedirectView(SAMLSLOView):
                 self.request.GET[REQUEST_KEY_SAML_REQUEST],
                 relay_state=self.request.GET.get(REQUEST_KEY_RELAY_STATE, None),
             )
-            self.request.session[SESSION_KEY_LOGOUT_REQUEST] = logout_request
+            self.plan_context[PLAN_CONTEXT_SAML_LOGOUT_REQUEST] = logout_request
         except CannotHandleAssertion as exc:
             Event.new(
                 EventAction.CONFIGURATION_ERROR,
@@ -111,7 +116,7 @@ class SAMLSLOBindingPOSTView(SAMLSLOView):
                 payload[REQUEST_KEY_SAML_REQUEST],
                 relay_state=payload.get(REQUEST_KEY_RELAY_STATE, None),
             )
-            self.request.session[SESSION_KEY_LOGOUT_REQUEST] = logout_request
+            self.plan_context[PLAN_CONTEXT_SAML_LOGOUT_REQUEST] = logout_request
         except CannotHandleAssertion as exc:
             LOGGER.info(str(exc))
             return bad_request_message(self.request, str(exc))

authentik/providers/saml/views/sso.py

@@ -15,16 +15,16 @@ from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.views.executor import SESSION_KEY_POST
 from authentik.lib.views import bad_request_message
-from authentik.policies.views import PolicyAccessView
+from authentik.policies.views import BufferedPolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
 from authentik.providers.saml.models import SAMLBindings, SAMLProvider
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.providers.saml.views.flows import (
+    PLAN_CONTEXT_SAML_AUTH_N_REQUEST,
     REQUEST_KEY_RELAY_STATE,
     REQUEST_KEY_SAML_REQUEST,
     REQUEST_KEY_SAML_SIG_ALG,
     REQUEST_KEY_SAML_SIGNATURE,
-    SESSION_KEY_AUTH_N_REQUEST,
     SAMLFlowFinalView,
 )
 from authentik.stages.consent.stage import (
@@ -35,10 +35,14 @@ from authentik.stages.consent.stage import (
 LOGGER = get_logger()
 
 
-class SAMLSSOView(PolicyAccessView):
+class SAMLSSOView(BufferedPolicyAccessView):
     """SAML SSO Base View, which plans a flow and injects our final stage.
     Calls get/post handler."""
 
+    def __init__(self, **kwargs):
+        super().__init__(**kwargs)
+        self.plan_context = {}
+
     def resolve_provider_application(self):
         self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
         self.provider: SAMLProvider = get_object_or_404(
@@ -68,6 +72,7 @@ class SAMLSSOView(PolicyAccessView):
                     PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
                     % {"application": self.application.name},
                     PLAN_CONTEXT_CONSENT_PERMISSIONS: [],
+                    **self.plan_context,
                 },
             )
         except FlowNonApplicableException:
@@ -83,7 +88,7 @@ class SAMLSSOView(PolicyAccessView):
 
     def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:
         """GET and POST use the same handler, but we can't
-        override .dispatch easily because PolicyAccessView's dispatch"""
+        override .dispatch easily because BufferedPolicyAccessView's dispatch"""
         return self.get(request, application_slug)
 
 
@@ -103,7 +108,7 @@ class SAMLSSOBindingRedirectView(SAMLSSOView):
                 self.request.GET.get(REQUEST_KEY_SAML_SIGNATURE),
                 self.request.GET.get(REQUEST_KEY_SAML_SIG_ALG),
             )
-            self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request
+            self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request
         except CannotHandleAssertion as exc:
             Event.new(
                 EventAction.CONFIGURATION_ERROR,
@@ -137,7 +142,7 @@ class SAMLSSOBindingPOSTView(SAMLSSOView):
                 payload[REQUEST_KEY_SAML_REQUEST],
                 payload.get(REQUEST_KEY_RELAY_STATE),
             )
-            self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request
+            self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request
         except CannotHandleAssertion as exc:
             LOGGER.info(str(exc))
             return bad_request_message(self.request, str(exc))
@@ -151,4 +156,4 @@ class SAMLSSOBindingInitView(SAMLSSOView):
         """Create SAML Response from scratch"""
         LOGGER.debug("No SAML Request, using IdP-initiated flow.")
         auth_n_request = AuthNRequestParser(self.provider).idp_initiated()
-        self.request.session[SESSION_KEY_AUTH_N_REQUEST] = auth_n_request
+        self.plan_context[PLAN_CONTEXT_SAML_AUTH_N_REQUEST] = auth_n_request

authentik/rbac/tests/test_decorators.py

@@ -1,12 +1,29 @@
 """test decorators api"""
 
-from django.urls import reverse
 from guardian.shortcuts import assign_perm
+from rest_framework.decorators import action
+from rest_framework.request import Request
+from rest_framework.response import Response
 from rest_framework.test import APITestCase
+from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_user
 from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import get_request
+from authentik.rbac.decorators import permission_required
+
+
+class MVS(ModelViewSet):
+
+    queryset = Application.objects.all()
+    lookup_field = "slug"
+
+    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
+    @action(detail=True, pagination_class=None, filter_backends=[])
+    def test(self, request: Request, slug: str):
+        self.get_object()
+        return Response(status=200)
 
 
 class TestAPIDecorators(APITestCase):
@@ -18,41 +35,33 @@ class TestAPIDecorators(APITestCase):
 
     def test_obj_perm_denied(self):
         """Test object perm denied"""
-        self.client.force_login(self.user)
+        request = get_request("", user=self.user)
         app = Application.objects.create(name=generate_id(), slug=generate_id())
-        response = self.client.get(
-            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
-        )
+        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
         self.assertEqual(response.status_code, 403)
 
     def test_obj_perm_global(self):
         """Test object perm successful (global)"""
         assign_perm("authentik_core.view_application", self.user)
         assign_perm("authentik_events.view_event", self.user)
-        self.client.force_login(self.user)
         app = Application.objects.create(name=generate_id(), slug=generate_id())
-        response = self.client.get(
-            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
-        )
-        self.assertEqual(response.status_code, 200)
+        request = get_request("", user=self.user)
+        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+        self.assertEqual(response.status_code, 200, response.data)
 
     def test_obj_perm_scoped(self):
         """Test object perm successful (scoped)"""
         assign_perm("authentik_events.view_event", self.user)
         app = Application.objects.create(name=generate_id(), slug=generate_id())
         assign_perm("authentik_core.view_application", self.user, app)
-        self.client.force_login(self.user)
-        response = self.client.get(
-            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
-        )
+        request = get_request("", user=self.user)
+        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
         self.assertEqual(response.status_code, 200)
 
     def test_other_perm_denied(self):
         """Test other perm denied"""
-        self.client.force_login(self.user)
         app = Application.objects.create(name=generate_id(), slug=generate_id())
         assign_perm("authentik_core.view_application", self.user, app)
-        response = self.client.get(
-            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
-        )
+        request = get_request("", user=self.user)
+        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
         self.assertEqual(response.status_code, 403)

authentik/root/test_runner.py

@@ -3,25 +3,44 @@
 import os
 from argparse import ArgumentParser
 from unittest import TestCase
+from unittest.mock import patch
 
 import pytest
 from django.conf import settings
+from django.contrib.contenttypes.models import ContentType
 from django.test.runner import DiscoverRunner
+from structlog.stdlib import get_logger
 
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import sentry_init
 from authentik.root.signals import post_startup, pre_startup, startup
-from tests.e2e.utils import get_docker_tag
 
 # globally set maxDiff to none to show full assert error
 TestCase.maxDiff = None
 
 
+def get_docker_tag() -> str:
+    """Get docker-tag based off of CI variables"""
+    env_pr_branch = "GITHUB_HEAD_REF"
+    default_branch = "GITHUB_REF"
+    branch_name = os.environ.get(default_branch, "main")
+    if os.environ.get(env_pr_branch, "") != "":
+        branch_name = os.environ[env_pr_branch]
+    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
+    return f"gh-{branch_name}"
+
+
+def patched__get_ct_cached(app_label, codename):
+    """Caches `ContentType` instances like its `QuerySet` does."""
+    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
+
+
 class PytestTestRunner(DiscoverRunner):  # pragma: no cover
     """Runs pytest to discover and run tests."""
 
     def __init__(self, **kwargs):
         super().__init__(**kwargs)
+        self.logger = get_logger().bind(runner="pytest")
 
         self.args = []
         if self.failfast:
@@ -34,22 +53,33 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
         if kwargs.get("no_capture", False):
             self.args.append("--capture=no")
 
+        self._setup_test_environment()
+
+    def _setup_test_environment(self):
+        """Configure test environment settings"""
         settings.TEST = True
         settings.CELERY["task_always_eager"] = True
-        CONFIG.set("events.context_processors.geoip", "tests/GeoLite2-City-Test.mmdb")
-        CONFIG.set("events.context_processors.asn", "tests/GeoLite2-ASN-Test.mmdb")
-        CONFIG.set("blueprints_dir", "./blueprints")
-        CONFIG.set(
-            "outposts.container_image_base",
-            f"ghcr.io/goauthentik/dev-%(type)s:{get_docker_tag()}",
-        )
-        CONFIG.set("tenants.enabled", False)
-        CONFIG.set("outposts.disable_embedded_outpost", False)
-        CONFIG.set("error_reporting.sample_rate", 0)
-        CONFIG.set("error_reporting.environment", "testing")
-        CONFIG.set("error_reporting.send_pii", True)
-        sentry_init()
 
+        # Test-specific configuration
+        test_config = {
+            "events.context_processors.geoip": "tests/GeoLite2-City-Test.mmdb",
+            "events.context_processors.asn": "tests/GeoLite2-ASN-Test.mmdb",
+            "blueprints_dir": "./blueprints",
+            "outposts.container_image_base": f"ghcr.io/goauthentik/dev-%(type)s:{get_docker_tag()}",
+            "tenants.enabled": False,
+            "outposts.disable_embedded_outpost": False,
+            "error_reporting.sample_rate": 0,
+            "error_reporting.environment": "testing",
+            "error_reporting.send_pii": True,
+        }
+
+        for key, value in test_config.items():
+            CONFIG.set(key, value)
+
+        sentry_init()
+        self.logger.debug("Test environment configured")
+
+        # Send startup signals
         pre_startup.send(sender=self, mode="test")
         startup.send(sender=self, mode="test")
         post_startup.send(sender=self, mode="test")
@@ -72,7 +102,21 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
             help="Disable any capturing of stdout/stderr during tests.",
         )
 
-    def run_tests(self, test_labels, extra_tests=None, **kwargs):
+    def _validate_test_label(self, label: str) -> bool:
+        """Validate test label format"""
+        if not label:
+            return False
+
+        # Check for invalid characters, but allow forward slashes and colons
+        # for paths and pytest markers
+        invalid_chars = set('\\*?"<>|')
+        if any(c in label for c in invalid_chars):
+            self.logger.error("Invalid characters in test label", label=label)
+            return False
+
+        return True
+
+    def run_tests(self, test_labels: list[str], extra_tests=None, **kwargs):
         """Run pytest and return the exitcode.
 
         It translates some of Django's test command option to pytest's.
@@ -82,10 +126,17 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
         The extra_tests argument has been deprecated since Django 5.x
         It is kept for compatibility with PyCharm's Django test runner.
         """
+        if not test_labels:
+            self.logger.error("No test files specified")
+            return 1
 
         for label in test_labels:
+            if not self._validate_test_label(label):
+                return 1
+
             valid_label_found = False
             label_as_path = os.path.abspath(label)
+
             # File path has been specified
             if os.path.exists(label_as_path):
                 self.args.append(label_as_path)
@@ -93,24 +144,31 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
             elif "::" in label:
                 self.args.append(label)
                 valid_label_found = True
-            # Convert dotted module path to file_path::class::method
             else:
+                # Check if the label is a dotted module path
                 path_pieces = label.split(".")
-                # Check whether only class or class and method are specified
                 for i in range(-1, -3, -1):
-                    path = os.path.join(*path_pieces[:i]) + ".py"
-                    label_as_path = os.path.abspath(path)
-                    if os.path.exists(label_as_path):
-                        path_method = label_as_path + "::" + "::".join(path_pieces[i:])
-                        self.args.append(path_method)
-                        valid_label_found = True
-                        break
+                    try:
+                        path = os.path.join(*path_pieces[:i]) + ".py"
+                        if os.path.exists(path):
+                            if i < -1:
+                                path_method = path + "::" + "::".join(path_pieces[i:])
+                                self.args.append(path_method)
+                            else:
+                                self.args.append(path)
+                            valid_label_found = True
+                            break
+                    except (TypeError, IndexError):
+                        continue
 
             if not valid_label_found:
-                raise RuntimeError(
-                    f"One of the test labels: {label!r}, "
-                    f"is not supported. Use a dotted module name or "
-                    f"path instead."
-                )
+                self.logger.error("Test file not found", label=label)
+                return 1
 
-        return pytest.main(self.args)
+        self.logger.info("Running tests", test_files=self.args)
+        with patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached):
+            try:
+                return pytest.main(self.args)
+            except Exception as e:
+                self.logger.error("Error running tests", error=str(e), test_files=self.args)
+                return 1

authentik/stages/email/tasks.py

@@ -100,9 +100,11 @@ def send_mail(
         # Because we use the Message-ID as UID for the task, manually assign it
         message_object.extra_headers["Message-ID"] = message_id
 
-        # Add the logo (we can't add it in the previous message since MIMEImage
-        # can't be converted to json)
-        message_object.attach(logo_data())
+        # Add the logo if it is used in the email body (we can't add it in the
+        # previous message since MIMEImage can't be converted to json)
+        body = get_email_body(message_object)
+        if "cid:logo" in body:
+            message_object.attach(logo_data())
 
         if (
             message_object.to

authentik/stages/email/templates/email/base.html

@@ -96,7 +96,7 @@
                 <table width="100%" style="background-color: #FFFFFF; border-spacing: 0; margin-top: 15px;">
                   <tr height="80">
                     <td align="center" style="padding: 20px 0;">
-                      <img src="{% block logo_url %}cid:logo.png{% endblock %}" border="0=" alt="authentik logo" class="flexibleImage logo">
+                      <img src="{% block logo_url %}cid:logo{% endblock %}" border="0=" alt="authentik logo" class="flexibleImage logo">
                     </td>
                   </tr>
                   {% block content %}

authentik/stages/email/utils.py

@@ -19,7 +19,8 @@ def logo_data() -> MIMEImage:
         path = Path("web/dist/assets/icons/icon_left_brand.png")
     with open(path, "rb") as _logo_file:
         logo = MIMEImage(_logo_file.read())
-    logo.add_header("Content-ID", "logo.png")
+    logo.add_header("Content-ID", "<logo>")
+    logo.add_header("Content-Disposition", "inline", filename="logo.png")
     return logo
 
 

cmd/ldap/main.go

@@ -2,17 +2,13 @@ package main
 
 import (
 	"fmt"
-	"net/url"
 	"os"
 
-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
-	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/debug"
-	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/entrypoint"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/ldap"
 )
@@ -25,65 +21,15 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 
 var rootCmd = &cobra.Command{
-	Long:    helpMessage,
-	Version: constants.FullVersion(),
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		log.SetLevel(log.DebugLevel)
-		log.SetFormatter(&log.JSONFormatter{
-			FieldMap: log.FieldMap{
-				log.FieldKeyMsg:  "event",
-				log.FieldKeyTime: "timestamp",
-			},
-			DisableHTMLEscape: true,
-		})
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer()
-		akURL := config.Get().AuthentikHost
-		if akURL == "" {
-			fmt.Println("env AUTHENTIK_HOST not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-		akToken := config.Get().AuthentikToken
-		if akToken == "" {
-			fmt.Println("env AUTHENTIK_TOKEN not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		akURLActual, err := url.Parse(akURL)
+	Long:             helpMessage,
+	Version:          constants.FullVersion(),
+	PersistentPreRun: common.PreRun,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		err := entrypoint.OutpostMain("authentik.outpost.ldap", ldap.NewServer)
 		if err != nil {
-			fmt.Println(err)
 			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		ex := common.Init()
-		defer common.Defer()
-		go func() {
-			for {
-				<-ex
-				os.Exit(0)
-			}
-		}()
-
-		ac := ak.NewAPIController(*akURLActual, akToken)
-		if ac == nil {
-			os.Exit(1)
-		}
-		defer ac.Shutdown()
-
-		ac.Server = ldap.NewServer(ac)
-
-		err = ac.Start()
-		if err != nil {
-			log.WithError(err).Panic("Failed to run server")
-		}
-
-		for {
-			<-ex
 		}
+		return err
 	},
 }
 

cmd/proxy/main.go

@@ -2,17 +2,13 @@ package main
 
 import (
 	"fmt"
-	"net/url"
 	"os"
 
-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
-	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/debug"
-	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/entrypoint"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/proxyv2"
 )
@@ -28,65 +24,15 @@ Optionally, you can set these:
 - AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST`
 
 var rootCmd = &cobra.Command{
-	Long:    helpMessage,
-	Version: constants.FullVersion(),
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		log.SetLevel(log.DebugLevel)
-		log.SetFormatter(&log.JSONFormatter{
-			FieldMap: log.FieldMap{
-				log.FieldKeyMsg:  "event",
-				log.FieldKeyTime: "timestamp",
-			},
-			DisableHTMLEscape: true,
-		})
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer()
-		akURL := config.Get().AuthentikHost
-		if akURL == "" {
-			fmt.Println("env AUTHENTIK_HOST not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-		akToken := config.Get().AuthentikToken
-		if akToken == "" {
-			fmt.Println("env AUTHENTIK_TOKEN not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		akURLActual, err := url.Parse(akURL)
+	Long:             helpMessage,
+	Version:          constants.FullVersion(),
+	PersistentPreRun: common.PreRun,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		err := entrypoint.OutpostMain("authentik.outpost.proxy", proxyv2.NewProxyServer)
 		if err != nil {
-			fmt.Println(err)
 			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		ex := common.Init()
-		defer common.Defer()
-		go func() {
-			for {
-				<-ex
-				os.Exit(0)
-			}
-		}()
-
-		ac := ak.NewAPIController(*akURLActual, akToken)
-		if ac == nil {
-			os.Exit(1)
-		}
-		defer ac.Shutdown()
-
-		ac.Server = proxyv2.NewProxyServer(ac)
-
-		err = ac.Start()
-		if err != nil {
-			log.WithError(err).Panic("Failed to run server")
-		}
-
-		for {
-			<-ex
 		}
+		return err
 	},
 }
 

cmd/rac/main.go

@@ -2,16 +2,13 @@ package main
 
 import (
 	"fmt"
-	"net/url"
 	"os"
 
-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/debug"
-	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/entrypoint"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/rac"
 )
@@ -24,65 +21,15 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 
 var rootCmd = &cobra.Command{
-	Long:    helpMessage,
-	Version: constants.FullVersion(),
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		log.SetLevel(log.DebugLevel)
-		log.SetFormatter(&log.JSONFormatter{
-			FieldMap: log.FieldMap{
-				log.FieldKeyMsg:  "event",
-				log.FieldKeyTime: "timestamp",
-			},
-			DisableHTMLEscape: true,
-		})
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer()
-		akURL, found := os.LookupEnv("AUTHENTIK_HOST")
-		if !found {
-			fmt.Println("env AUTHENTIK_HOST not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-		akToken, found := os.LookupEnv("AUTHENTIK_TOKEN")
-		if !found {
-			fmt.Println("env AUTHENTIK_TOKEN not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		akURLActual, err := url.Parse(akURL)
+	Long:             helpMessage,
+	Version:          constants.FullVersion(),
+	PersistentPreRun: common.PreRun,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		err := entrypoint.OutpostMain("authentik.outpost.rac", rac.NewServer)
 		if err != nil {
-			fmt.Println(err)
 			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		ex := common.Init()
-		defer common.Defer()
-		go func() {
-			for {
-				<-ex
-				os.Exit(0)
-			}
-		}()
-
-		ac := ak.NewAPIController(*akURLActual, akToken)
-		if ac == nil {
-			os.Exit(1)
-		}
-		defer ac.Shutdown()
-
-		ac.Server = rac.NewServer(ac)
-
-		err = ac.Start()
-		if err != nil {
-			log.WithError(err).Panic("Failed to run server")
-		}
-
-		for {
-			<-ex
 		}
+		return err
 	},
 }
 

cmd/radius/main.go

@@ -2,16 +2,13 @@ package main
 
 import (
 	"fmt"
-	"net/url"
 	"os"
 
-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/debug"
-	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/entrypoint"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/radius"
 )
@@ -24,65 +21,15 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 
 var rootCmd = &cobra.Command{
-	Long:    helpMessage,
-	Version: constants.FullVersion(),
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		log.SetLevel(log.DebugLevel)
-		log.SetFormatter(&log.JSONFormatter{
-			FieldMap: log.FieldMap{
-				log.FieldKeyMsg:  "event",
-				log.FieldKeyTime: "timestamp",
-			},
-			DisableHTMLEscape: true,
-		})
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer()
-		akURL, found := os.LookupEnv("AUTHENTIK_HOST")
-		if !found {
-			fmt.Println("env AUTHENTIK_HOST not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-		akToken, found := os.LookupEnv("AUTHENTIK_TOKEN")
-		if !found {
-			fmt.Println("env AUTHENTIK_TOKEN not set!")
-			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		akURLActual, err := url.Parse(akURL)
+	Long:             helpMessage,
+	Version:          constants.FullVersion(),
+	PersistentPreRun: common.PreRun,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		err := entrypoint.OutpostMain("authentik.outpost.radius", radius.NewServer)
 		if err != nil {
-			fmt.Println(err)
 			fmt.Println(helpMessage)
-			os.Exit(1)
-		}
-
-		ex := common.Init()
-		defer common.Defer()
-		go func() {
-			for {
-				<-ex
-				os.Exit(0)
-			}
-		}()
-
-		ac := ak.NewAPIController(*akURLActual, akToken)
-		if ac == nil {
-			os.Exit(1)
-		}
-		defer ac.Shutdown()
-
-		ac.Server = radius.NewServer(ac)
-
-		err = ac.Start()
-		if err != nil {
-			log.WithError(err).Panic("Failed to run server")
-		}
-
-		for {
-			<-ex
 		}
+		return err
 	},
 }
 

cmd/server/server.go

@@ -22,21 +22,12 @@ import (
 )
 
 var rootCmd = &cobra.Command{
-	Use:     "authentik",
-	Short:   "Start authentik instance",
-	Version: constants.FullVersion(),
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		log.SetLevel(log.DebugLevel)
-		log.SetFormatter(&log.JSONFormatter{
-			FieldMap: log.FieldMap{
-				log.FieldKeyMsg:  "event",
-				log.FieldKeyTime: "timestamp",
-			},
-			DisableHTMLEscape: true,
-		})
-	},
+	Use:              "authentik",
+	Short:            "Start authentik instance",
+	Version:          constants.FullVersion(),
+	PersistentPreRun: common.PreRun,
 	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer()
+		debug.EnableDebugServer("authentik.core")
 		l := log.WithField("logger", "authentik.root")
 
 		if config.Get().ErrorReporting.Enabled {
@@ -99,7 +90,7 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) {
 		})
 
 		srv := proxyv2.NewProxyServer(ac)
-		ws.ProxyServer = srv
+		ws.ProxyServer = srv.(*proxyv2.ProxyServer)
 		ac.Server = srv
 		l.Debug("attempting to start outpost")
 		err := ac.StartBackgroundTasks()

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.1}
     restart: unless-stopped
     command: server
     environment:
@@ -55,7 +55,7 @@ services:
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.1}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -4,6 +4,7 @@ go 1.24.0
 
 require (
 	beryju.io/ldap v0.1.0
+	github.com/avast/retry-go/v4 v4.6.1
 	github.com/coreos/go-oidc/v3 v3.14.1
 	github.com/getsentry/sentry-go v0.33.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
@@ -16,21 +17,22 @@ require (
 	github.com/gorilla/securecookie v1.1.2
 	github.com/gorilla/sessions v1.4.0
 	github.com/gorilla/websocket v1.5.3
+	github.com/grafana/pyroscope-go v1.2.2
 	github.com/jellydator/ttlcache/v3 v3.3.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.1
 	github.com/prometheus/client_golang v1.22.0
-	github.com/redis/go-redis/v9 v9.9.0
+	github.com/redis/go-redis/v9 v9.10.0
 	github.com/sethvargo/go-envconfig v1.3.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025060.1
+	goauthentik.io/api/v3 v3.2025061.2
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.14.0
+	golang.org/x/sync v0.15.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
@@ -58,8 +60,10 @@ require (
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
+	github.com/grafana/pyroscope-go/godeltaprof v0.1.8 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect

go.sum

@@ -41,6 +41,8 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
+github.com/avast/retry-go/v4 v4.6.1 h1:VkOLRubHdisGrHnTu89g08aQEWEgRU7LVEop3GbIcMk=
+github.com/avast/retry-go/v4 v4.6.1/go.mod h1:V6oF8njAwxJ5gRo1Q7Cxab24xs5NCWZBeaHHBklR8mA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
@@ -178,6 +180,10 @@ github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2e
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/grafana/pyroscope-go v1.2.2 h1:uvKCyZMD724RkaCEMrSTC38Yn7AnFe8S2wiAIYdDPCE=
+github.com/grafana/pyroscope-go v1.2.2/go.mod h1:zzT9QXQAp2Iz2ZdS216UiV8y9uXJYQiGE1q8v1FyhqU=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.8 h1:iwOtYXeeVSAeYefJNaxDytgjKtUuKQbJqgAIjlnicKg=
+github.com/grafana/pyroscope-go/godeltaprof v0.1.8/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -245,8 +251,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.9.0 h1:URbPQ4xVQSQhZ27WMQVmZSo3uT3pL+4IdHVcYq2nVfM=
-github.com/redis/go-redis/v9 v9.9.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/redis/go-redis/v9 v9.10.0 h1:FxwK3eV8p/CQa0Ch276C7u2d0eNC9kCmAYQ7mCXCzVs=
+github.com/redis/go-redis/v9 v9.10.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@@ -262,6 +268,8 @@ github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -290,8 +298,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025060.1 h1:H/TDuroJlQicuxrWEnLcO3lzQaHuR28xrUb1L2362Vo=
-goauthentik.io/api/v3 v3.2025060.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025061.2 h1:bKmrl82Gz6J8lz3f+QIH9g+MEkl3MvkMXF34GktesA0=
+goauthentik.io/api/v3 v3.2025061.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -376,8 +384,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
+golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

internal/common/prerun.go

@@ -0,0 +1,17 @@
+package common
+
+import (
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+func PreRun(cmd *cobra.Command, args []string) {
+	log.SetLevel(log.DebugLevel)
+	log.SetFormatter(&log.JSONFormatter{
+		FieldMap: log.FieldMap{
+			log.FieldKeyMsg:  "event",
+			log.FieldKeyTime: "timestamp",
+		},
+		DisableHTMLEscape: true,
+	})
+}

internal/constants/constants.go

@@ -33,4 +33,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2025.6.0"
+const VERSION = "2025.6.1"

internal/debug/debug.go

@@ -5,19 +5,24 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/pprof"
+	"os"
+	"runtime"
 
 	"github.com/gorilla/mux"
+	"github.com/grafana/pyroscope-go"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/utils/web"
 )
 
-func EnableDebugServer() {
-	l := log.WithField("logger", "authentik.go_debugger")
+var l = log.WithField("logger", "authentik.debugger.go")
+
+func EnableDebugServer(appName string) {
 	if !config.Get().Debug {
 		return
 	}
 	h := mux.NewRouter()
+	enablePyroscope(appName)
 	h.HandleFunc("/debug/pprof/", pprof.Index)
 	h.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
 	h.HandleFunc("/debug/pprof/profile", pprof.Profile)
@@ -54,3 +59,38 @@ func EnableDebugServer() {
 		}
 	}()
 }
+
+func enablePyroscope(appName string) {
+	p, pok := os.LookupEnv("AUTHENTIK_PYROSCOPE_HOST")
+	if !pok {
+		return
+	}
+	l.Debug("Enabling pyroscope")
+	runtime.SetMutexProfileFraction(5)
+	runtime.SetBlockProfileRate(5)
+	hostname, err := os.Hostname()
+	if err != nil {
+		panic(err)
+	}
+	_, err = pyroscope.Start(pyroscope.Config{
+		ApplicationName: appName,
+		ServerAddress:   p,
+		Logger:          pyroscope.StandardLogger,
+		Tags:            map[string]string{"hostname": hostname},
+		ProfileTypes: []pyroscope.ProfileType{
+			pyroscope.ProfileCPU,
+			pyroscope.ProfileAllocObjects,
+			pyroscope.ProfileAllocSpace,
+			pyroscope.ProfileInuseObjects,
+			pyroscope.ProfileInuseSpace,
+			pyroscope.ProfileGoroutines,
+			pyroscope.ProfileMutexCount,
+			pyroscope.ProfileMutexDuration,
+			pyroscope.ProfileBlockCount,
+			pyroscope.ProfileBlockDuration,
+		},
+	})
+	if err != nil {
+		panic(err)
+	}
+}

internal/outpost/ak/api.go

@@ -13,6 +13,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/avast/retry-go/v4"
 	"github.com/getsentry/sentry-go"
 	"github.com/google/uuid"
 	"github.com/gorilla/websocket"
@@ -25,8 +26,6 @@ import (
 	"goauthentik.io/internal/utils/web"
 )
 
-type WSHandler func(ctx context.Context, args map[string]interface{})
-
 const ConfigLogLevel = "log_level"
 
 // APIController main controller which connects to the authentik api via http and ws
@@ -43,12 +42,11 @@ type APIController struct {
 
 	reloadOffset time.Duration
 
-	wsConn              *websocket.Conn
-	lastWsReconnect     time.Time
-	wsIsReconnecting    bool
-	wsBackoffMultiplier int
-	wsHandlers          []WSHandler
-	refreshHandlers     []func()
+	eventConn        *websocket.Conn
+	lastWsReconnect  time.Time
+	wsIsReconnecting bool
+	eventHandlers    []EventHandler
+	refreshHandlers  []func()
 
 	instanceUUID uuid.UUID
 }
@@ -83,20 +81,19 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 
 	// Because we don't know the outpost UUID, we simply do a list and pick the first
 	// The service account this token belongs to should only have access to a single outpost
-	var outposts *api.PaginatedOutpostList
-	var err error
-	for {
-		outposts, _, err = apiClient.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
-
-		if err == nil {
-			break
-		}
-
-		log.WithError(err).Error("Failed to fetch outpost configuration, retrying in 3 seconds")
-		time.Sleep(time.Second * 3)
-	}
+	outposts, _ := retry.DoWithData[*api.PaginatedOutpostList](
+		func() (*api.PaginatedOutpostList, error) {
+			outposts, _, err := apiClient.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
+			return outposts, err
+		},
+		retry.Attempts(0),
+		retry.Delay(time.Second*3),
+		retry.OnRetry(func(attempt uint, err error) {
+			log.WithError(err).Error("Failed to fetch outpost configuration, retrying in 3 seconds")
+		}),
+	)
 	if len(outposts.Results) < 1 {
-		panic("No outposts found with given token, ensure the given token corresponds to an authenitk Outpost")
+		log.Panic("No outposts found with given token, ensure the given token corresponds to an authenitk Outpost")
 	}
 	outpost := outposts.Results[0]
 
@@ -119,22 +116,25 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 		token:  token,
 		logger: log,
 
-		reloadOffset:        time.Duration(rand.Intn(10)) * time.Second,
-		instanceUUID:        uuid.New(),
-		Outpost:             outpost,
-		wsHandlers:          []WSHandler{},
-		wsBackoffMultiplier: 1,
-		refreshHandlers:     make([]func(), 0),
+		reloadOffset:    time.Duration(rand.Intn(10)) * time.Second,
+		instanceUUID:    uuid.New(),
+		Outpost:         outpost,
+		eventHandlers:   []EventHandler{},
+		refreshHandlers: make([]func(), 0),
 	}
 	ac.logger.WithField("offset", ac.reloadOffset.String()).Debug("HA Reload offset")
-	err = ac.initWS(akURL, outpost.Pk)
+	err = ac.initEvent(akURL, outpost.Pk)
 	if err != nil {
-		go ac.reconnectWS()
+		go ac.recentEvents()
 	}
 	ac.configureRefreshSignal()
 	return ac
 }
 
+func (a *APIController) Log() *log.Entry {
+	return a.logger
+}
+
 // Start Starts all handlers, non-blocking
 func (a *APIController) Start() error {
 	err := a.Server.Refresh()
@@ -196,7 +196,7 @@ func (a *APIController) OnRefresh() error {
 	return err
 }
 
-func (a *APIController) getWebsocketPingArgs() map[string]interface{} {
+func (a *APIController) getEventPingArgs() map[string]interface{} {
 	args := map[string]interface{}{
 		"version":        constants.VERSION,
 		"buildHash":      constants.BUILD(""),
@@ -222,12 +222,12 @@ func (a *APIController) StartBackgroundTasks() error {
 		"build":        constants.BUILD(""),
 	}).Set(1)
 	go func() {
-		a.logger.Debug("Starting WS Handler...")
-		a.startWSHandler()
+		a.logger.Debug("Starting Event Handler...")
+		a.startEventHandler()
 	}()
 	go func() {
-		a.logger.Debug("Starting WS Health notifier...")
-		a.startWSHealth()
+		a.logger.Debug("Starting Event health notifier...")
+		a.startEventHealth()
 	}()
 	go func() {
 		a.logger.Debug("Starting Interval updater...")

internal/outpost/ak/api_event.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/avast/retry-go/v4"
 	"github.com/gorilla/websocket"
 	"github.com/prometheus/client_golang/prometheus"
 	"goauthentik.io/internal/config"
@@ -30,7 +31,7 @@ func (ac *APIController) getWebsocketURL(akURL url.URL, outpostUUID string, quer
 	return wsUrl
 }
 
-func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
+func (ac *APIController) initEvent(akURL url.URL, outpostUUID string) error {
 	query := akURL.Query()
 	query.Set("instance_uuid", ac.instanceUUID.String())
 
@@ -57,19 +58,19 @@ func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
 		return err
 	}
 
-	ac.wsConn = ws
+	ac.eventConn = ws
 	// Send hello message with our version
-	msg := websocketMessage{
-		Instruction: WebsocketInstructionHello,
-		Args:        ac.getWebsocketPingArgs(),
+	msg := Event{
+		Instruction: EventKindHello,
+		Args:        ac.getEventPingArgs(),
 	}
 	err = ws.WriteJSON(msg)
 	if err != nil {
-		ac.logger.WithField("logger", "authentik.outpost.ak-ws").WithError(err).Warning("Failed to hello to authentik")
+		ac.logger.WithField("logger", "authentik.outpost.events").WithError(err).Warning("Failed to hello to authentik")
 		return err
 	}
 	ac.lastWsReconnect = time.Now()
-	ac.logger.WithField("logger", "authentik.outpost.ak-ws").WithField("outpost", outpostUUID).Info("Successfully connected websocket")
+	ac.logger.WithField("logger", "authentik.outpost.events").WithField("outpost", outpostUUID).Info("Successfully connected websocket")
 	return nil
 }
 
@@ -77,19 +78,19 @@ func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
 func (ac *APIController) Shutdown() {
 	// Cleanly close the connection by sending a close message and then
 	// waiting (with timeout) for the server to close the connection.
-	err := ac.wsConn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
+	err := ac.eventConn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, ""))
 	if err != nil {
 		ac.logger.WithError(err).Warning("failed to write close message")
 		return
 	}
-	err = ac.wsConn.Close()
+	err = ac.eventConn.Close()
 	if err != nil {
 		ac.logger.WithError(err).Warning("failed to close websocket")
 	}
 	ac.logger.Info("finished shutdown")
 }
 
-func (ac *APIController) reconnectWS() {
+func (ac *APIController) recentEvents() {
 	if ac.wsIsReconnecting {
 		return
 	}
@@ -100,46 +101,47 @@ func (ac *APIController) reconnectWS() {
 		Path:   strings.ReplaceAll(ac.Client.GetConfig().Servers[0].URL, "api/v3", ""),
 	}
 	attempt := 1
-	for {
-		q := u.Query()
-		q.Set("attempt", strconv.Itoa(attempt))
-		u.RawQuery = q.Encode()
-		err := ac.initWS(u, ac.Outpost.Pk)
-		attempt += 1
-		if err != nil {
-			ac.logger.Infof("waiting %d seconds to reconnect", ac.wsBackoffMultiplier)
-			time.Sleep(time.Duration(ac.wsBackoffMultiplier) * time.Second)
-			ac.wsBackoffMultiplier = ac.wsBackoffMultiplier * 2
-			// Limit to 300 seconds (5m)
-			if ac.wsBackoffMultiplier >= 300 {
-				ac.wsBackoffMultiplier = 300
+	_ = retry.Do(
+		func() error {
+			q := u.Query()
+			q.Set("attempt", strconv.Itoa(attempt))
+			u.RawQuery = q.Encode()
+			err := ac.initEvent(u, ac.Outpost.Pk)
+			attempt += 1
+			if err != nil {
+				return err
 			}
-		} else {
 			ac.wsIsReconnecting = false
-			ac.wsBackoffMultiplier = 1
-			return
-		}
-	}
+			return nil
+		},
+		retry.Delay(1*time.Second),
+		retry.MaxDelay(5*time.Minute),
+		retry.DelayType(retry.BackOffDelay),
+		retry.Attempts(0),
+		retry.OnRetry(func(attempt uint, err error) {
+			ac.logger.Infof("waiting %d seconds to reconnect", attempt)
+		}),
+	)
 }
 
-func (ac *APIController) startWSHandler() {
-	logger := ac.logger.WithField("loop", "ws-handler")
+func (ac *APIController) startEventHandler() {
+	logger := ac.logger.WithField("loop", "event-handler")
 	for {
-		var wsMsg websocketMessage
-		if ac.wsConn == nil {
-			go ac.reconnectWS()
+		var wsMsg Event
+		if ac.eventConn == nil {
+			go ac.recentEvents()
 			time.Sleep(time.Second * 5)
 			continue
 		}
-		err := ac.wsConn.ReadJSON(&wsMsg)
+		err := ac.eventConn.ReadJSON(&wsMsg)
 		if err != nil {
 			ConnectionStatus.With(prometheus.Labels{
 				"outpost_name": ac.Outpost.Name,
 				"outpost_type": ac.Server.Type(),
 				"uuid":         ac.instanceUUID.String(),
 			}).Set(0)
-			logger.WithError(err).Warning("ws read error")
-			go ac.reconnectWS()
+			logger.WithError(err).Warning("event read error")
+			go ac.recentEvents()
 			time.Sleep(time.Second * 5)
 			continue
 		}
@@ -149,7 +151,8 @@ func (ac *APIController) startWSHandler() {
 			"uuid":         ac.instanceUUID.String(),
 		}).Set(1)
 		switch wsMsg.Instruction {
-		case WebsocketInstructionTriggerUpdate:
+		case EventKindAck:
+		case EventKindTriggerUpdate:
 			time.Sleep(ac.reloadOffset)
 			logger.Debug("Got update trigger...")
 			err := ac.OnRefresh()
@@ -164,30 +167,33 @@ func (ac *APIController) startWSHandler() {
 					"build":        constants.BUILD(""),
 				}).SetToCurrentTime()
 			}
-		case WebsocketInstructionProviderSpecific:
-			for _, h := range ac.wsHandlers {
-				h(context.Background(), wsMsg.Args)
+		default:
+			for _, h := range ac.eventHandlers {
+				err := h(context.Background(), wsMsg)
+				if err != nil {
+					ac.logger.WithError(err).Warning("failed to run event handler")
+				}
 			}
 		}
 	}
 }
 
-func (ac *APIController) startWSHealth() {
+func (ac *APIController) startEventHealth() {
 	ticker := time.NewTicker(time.Second * 10)
 	for ; true; <-ticker.C {
-		if ac.wsConn == nil {
-			go ac.reconnectWS()
+		if ac.eventConn == nil {
+			go ac.recentEvents()
 			time.Sleep(time.Second * 5)
 			continue
 		}
-		err := ac.SendWSHello(map[string]interface{}{})
+		err := ac.SendEventHello(map[string]interface{}{})
 		if err != nil {
-			ac.logger.WithField("loop", "ws-health").WithError(err).Warning("ws write error")
-			go ac.reconnectWS()
+			ac.logger.WithField("loop", "event-health").WithError(err).Warning("event write error")
+			go ac.recentEvents()
 			time.Sleep(time.Second * 5)
 			continue
 		} else {
-			ac.logger.WithField("loop", "ws-health").Trace("hello'd")
+			ac.logger.WithField("loop", "event-health").Trace("hello'd")
 			ConnectionStatus.With(prometheus.Labels{
 				"outpost_name": ac.Outpost.Name,
 				"outpost_type": ac.Server.Type(),
@@ -230,19 +236,19 @@ func (ac *APIController) startIntervalUpdater() {
 	}
 }
 
-func (a *APIController) AddWSHandler(handler WSHandler) {
-	a.wsHandlers = append(a.wsHandlers, handler)
+func (a *APIController) AddEventHandler(handler EventHandler) {
+	a.eventHandlers = append(a.eventHandlers, handler)
 }
 
-func (a *APIController) SendWSHello(args map[string]interface{}) error {
-	allArgs := a.getWebsocketPingArgs()
+func (a *APIController) SendEventHello(args map[string]interface{}) error {
+	allArgs := a.getEventPingArgs()
 	for key, value := range args {
 		allArgs[key] = value
 	}
-	aliveMsg := websocketMessage{
-		Instruction: WebsocketInstructionHello,
+	aliveMsg := Event{
+		Instruction: EventKindHello,
 		Args:        allArgs,
 	}
-	err := a.wsConn.WriteJSON(aliveMsg)
+	err := a.eventConn.WriteJSON(aliveMsg)
 	return err
 }

internal/outpost/ak/api_event_msg.go

@@ -0,0 +1,37 @@
+package ak
+
+import (
+	"context"
+
+	"github.com/mitchellh/mapstructure"
+)
+
+type EventKind int
+
+const (
+	// Code used to acknowledge a previous message
+	EventKindAck EventKind = 0
+	// Code used to send a healthcheck keepalive
+	EventKindHello EventKind = 1
+	// Code received to trigger a config update
+	EventKindTriggerUpdate EventKind = 2
+	// Code received to trigger some provider specific function
+	EventKindProviderSpecific EventKind = 3
+	// Code received to identify the end of a session
+	EventKindSessionEnd EventKind = 4
+)
+
+type EventHandler func(ctx context.Context, msg Event) error
+
+type Event struct {
+	Instruction EventKind   `json:"instruction"`
+	Args        interface{} `json:"args"`
+}
+
+func (wm Event) ArgsAs(out interface{}) error {
+	return mapstructure.Decode(wm.Args, out)
+}
+
+type EventArgsSessionEnd struct {
+	SessionID string `mapstructure:"session_id"`
+}

internal/outpost/ak/api_event_test.go

@@ -15,7 +15,7 @@ func URLMustParse(u string) *url.URL {
 	return ur
 }
 
-func TestWebsocketURL(t *testing.T) {
+func TestEventWebsocketURL(t *testing.T) {
 	u := URLMustParse("http://localhost:9000?foo=bar")
 	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
 	ac := &APIController{}
@@ -23,7 +23,7 @@ func TestWebsocketURL(t *testing.T) {
 	assert.Equal(t, "ws://localhost:9000/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/?foo=bar", nu.String())
 }
 
-func TestWebsocketURL_Query(t *testing.T) {
+func TestEventWebsocketURL_Query(t *testing.T) {
 	u := URLMustParse("http://localhost:9000?foo=bar")
 	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
 	ac := &APIController{}
@@ -33,7 +33,7 @@ func TestWebsocketURL_Query(t *testing.T) {
 	assert.Equal(t, "ws://localhost:9000/ws/outpost/23470845-7263-4fe3-bd79-ec1d7bf77d77/?bar=baz&foo=bar", nu.String())
 }
 
-func TestWebsocketURL_Subpath(t *testing.T) {
+func TestEventWebsocketURL_Subpath(t *testing.T) {
 	u := URLMustParse("http://localhost:9000/foo/bar/")
 	uuid := "23470845-7263-4fe3-bd79-ec1d7bf77d77"
 	ac := &APIController{}

internal/outpost/ak/api_ws_msg.go

@@ -1,19 +0,0 @@
-package ak
-
-type websocketInstruction int
-
-const (
-	// WebsocketInstructionAck Code used to acknowledge a previous message
-	WebsocketInstructionAck websocketInstruction = 0
-	// WebsocketInstructionHello Code used to send a healthcheck keepalive
-	WebsocketInstructionHello websocketInstruction = 1
-	// WebsocketInstructionTriggerUpdate Code received to trigger a config update
-	WebsocketInstructionTriggerUpdate websocketInstruction = 2
-	// WebsocketInstructionProviderSpecific Code received to trigger some provider specific function
-	WebsocketInstructionProviderSpecific websocketInstruction = 3
-)
-
-type websocketMessage struct {
-	Instruction websocketInstruction   `json:"instruction"`
-	Args        map[string]interface{} `json:"args"`
-}

internal/outpost/ak/entrypoint/entrypoint.go

@@ -0,0 +1,51 @@
+package entrypoint
+
+import (
+	"errors"
+	"net/url"
+	"os"
+
+	"goauthentik.io/internal/common"
+	"goauthentik.io/internal/config"
+	"goauthentik.io/internal/debug"
+	"goauthentik.io/internal/outpost/ak"
+)
+
+func OutpostMain(appName string, server func(ac *ak.APIController) ak.Outpost) error {
+	debug.EnableDebugServer(appName)
+	akURL := config.Get().AuthentikHost
+	if akURL == "" {
+		return errors.New("environment variable `AUTHENTIK_HOST` not set")
+	}
+	akToken := config.Get().AuthentikToken
+	if akToken == "" {
+		return errors.New("environment variable `AUTHENTIK_TOKEN` not set")
+	}
+
+	akURLActual, err := url.Parse(akURL)
+	if err != nil {
+		return err
+	}
+
+	ex := common.Init()
+	defer common.Defer()
+
+	ac := ak.NewAPIController(*akURLActual, akToken)
+	if ac == nil {
+		os.Exit(1)
+	}
+	defer ac.Shutdown()
+
+	ac.Server = server(ac)
+
+	err = ac.Start()
+	if err != nil {
+		ac.Log().WithError(err).Panic("Failed to run server")
+		return err
+	}
+
+	for {
+		<-ex
+		return nil
+	}
+}

internal/outpost/ak/global.go

@@ -48,20 +48,20 @@ func doGlobalSetup(outpost api.Outpost, globalConfig *api.Config) {
 	if globalConfig.ErrorReporting.Enabled {
 		if !initialSetup {
 			l.WithField("env", globalConfig.ErrorReporting.Environment).Debug("Error reporting enabled")
-		}
-		err := sentry.Init(sentry.ClientOptions{
-			Dsn:           globalConfig.ErrorReporting.SentryDsn,
-			Environment:   globalConfig.ErrorReporting.Environment,
-			EnableTracing: true,
-			TracesSampler: sentryutils.SamplerFunc(float64(globalConfig.ErrorReporting.TracesSampleRate)),
-			Release:       fmt.Sprintf("authentik@%s", constants.VERSION),
-			HTTPTransport: webutils.NewUserAgentTransport(constants.UserAgentOutpost(), http.DefaultTransport),
-			IgnoreErrors: []string{
-				http.ErrAbortHandler.Error(),
-			},
-		})
-		if err != nil {
-			l.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialise sentry")
+			err := sentry.Init(sentry.ClientOptions{
+				Dsn:           globalConfig.ErrorReporting.SentryDsn,
+				Environment:   globalConfig.ErrorReporting.Environment,
+				EnableTracing: true,
+				TracesSampler: sentryutils.SamplerFunc(float64(globalConfig.ErrorReporting.TracesSampleRate)),
+				Release:       fmt.Sprintf("authentik@%s", constants.VERSION),
+				HTTPTransport: webutils.NewUserAgentTransport(constants.UserAgentOutpost(), http.DefaultTransport),
+				IgnoreErrors: []string{
+					http.ErrAbortHandler.Error(),
+				},
+			})
+			if err != nil {
+				l.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialise sentry")
+			}
 		}
 	}
 

internal/outpost/ak/test.go

@@ -55,11 +55,10 @@ func MockAK(outpost api.Outpost, globalConfig api.Config) *APIController {
 		token:  token,
 		logger: log,
 
-		reloadOffset:        time.Duration(rand.Intn(10)) * time.Second,
-		instanceUUID:        uuid.New(),
-		Outpost:             outpost,
-		wsBackoffMultiplier: 1,
-		refreshHandlers:     make([]func(), 0),
+		reloadOffset:    time.Duration(rand.Intn(10)) * time.Second,
+		instanceUUID:    uuid.New(),
+		Outpost:         outpost,
+		refreshHandlers: make([]func(), 0),
 	}
 	ac.logger.WithField("offset", ac.reloadOffset.String()).Debug("HA Reload offset")
 	return ac

internal/outpost/flow/executor.go

@@ -127,7 +127,7 @@ func (fe *FlowExecutor) getAnswer(stage StageComponent) string {
 	return ""
 }
 
-func (fe *FlowExecutor) GetSession() *http.Cookie {
+func (fe *FlowExecutor) SessionCookie() *http.Cookie {
 	return fe.session
 }
 

internal/outpost/flow/session.go

@@ -0,0 +1,19 @@
+package flow
+
+import "github.com/golang-jwt/jwt/v5"
+
+type SessionCookieClaims struct {
+	jwt.Claims
+
+	SessionID     string `json:"sid"`
+	Authenticated bool   `json:"authenticated"`
+}
+
+func (fe *FlowExecutor) Session() *jwt.Token {
+	sc := fe.SessionCookie()
+	if sc == nil {
+		return nil
+	}
+	t, _, _ := jwt.NewParser().ParseUnverified(sc.Value, &SessionCookieClaims{})
+	return t
+}

internal/outpost/ldap/bind.go

@@ -38,7 +38,14 @@ func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LD
 		username, err := instance.binder.GetUsername(bindDN)
 		if err == nil {
 			selectedApp = instance.GetAppSlug()
-			return instance.binder.Bind(username, req)
+			c, err := instance.binder.Bind(username, req)
+			if c == ldap.LDAPResultSuccess {
+				f := instance.GetFlags(req.BindDN)
+				ls.connectionsSync.Lock()
+				ls.connections[f.SessionID()] = conn
+				ls.connectionsSync.Unlock()
+			}
+			return c, err
 		} else {
 			req.Log().WithError(err).Debug("Username not for instance")
 		}

internal/outpost/ldap/bind/direct/bind.go

@@ -27,8 +27,9 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
 
 	passed, err := fe.Execute()
 	flags := flags.UserFlags{
-		Session: fe.GetSession(),
-		UserPk:  flags.InvalidUserPK,
+		Session:    fe.SessionCookie(),
+		SessionJWT: fe.Session(),
+		UserPk:     flags.InvalidUserPK,
 	}
 	// only set flags if we don't have flags for this DN yet
 	// as flags are only checked during the bind, we can remember whether a certain DN

internal/outpost/ldap/close.go

@@ -0,0 +1,20 @@
+package ldap
+
+import "net"
+
+func (ls *LDAPServer) Close(dn string, conn net.Conn) error {
+	ls.connectionsSync.Lock()
+	defer ls.connectionsSync.Unlock()
+	key := ""
+	for k, c := range ls.connections {
+		if c == conn {
+			key = k
+			break
+		}
+	}
+	if key == "" {
+		return nil
+	}
+	delete(ls.connections, key)
+	return nil
+}

internal/outpost/ldap/flags/flags.go

@@ -1,16 +1,30 @@
 package flags
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"net/http"
 
+	"github.com/golang-jwt/jwt/v5"
 	"goauthentik.io/api/v3"
+	"goauthentik.io/internal/outpost/flow"
 )
 
 const InvalidUserPK = -1
 
 type UserFlags struct {
-	UserInfo  *api.User
-	UserPk    int32
-	CanSearch bool
-	Session   *http.Cookie
+	UserInfo   *api.User
+	UserPk     int32
+	CanSearch  bool
+	Session    *http.Cookie
+	SessionJWT *jwt.Token
+}
+
+func (uf UserFlags) SessionID() string {
+	if uf.SessionJWT == nil {
+		return ""
+	}
+	h := sha256.New()
+	h.Write([]byte(uf.SessionJWT.Claims.(*flow.SessionCookieClaims).SessionID))
+	return hex.EncodeToString(h.Sum(nil))
 }

internal/outpost/ldap/ldap.go

@@ -18,21 +18,26 @@ import (
 )
 
 type LDAPServer struct {
-	s           *ldap.Server
-	log         *log.Entry
-	ac          *ak.APIController
-	cs          *ak.CryptoStore
-	defaultCert *tls.Certificate
-	providers   []*ProviderInstance
+	s               *ldap.Server
+	log             *log.Entry
+	ac              *ak.APIController
+	cs              *ak.CryptoStore
+	defaultCert     *tls.Certificate
+	providers       []*ProviderInstance
+	connections     map[string]net.Conn
+	connectionsSync sync.Mutex
 }
 
-func NewServer(ac *ak.APIController) *LDAPServer {
+func NewServer(ac *ak.APIController) ak.Outpost {
 	ls := &LDAPServer{
-		log:       log.WithField("logger", "authentik.outpost.ldap"),
-		ac:        ac,
-		cs:        ak.NewCryptoStore(ac.Client.CryptoApi),
-		providers: []*ProviderInstance{},
+		log:             log.WithField("logger", "authentik.outpost.ldap"),
+		ac:              ac,
+		cs:              ak.NewCryptoStore(ac.Client.CryptoApi),
+		providers:       []*ProviderInstance{},
+		connections:     map[string]net.Conn{},
+		connectionsSync: sync.Mutex{},
 	}
+	ac.AddEventHandler(ls.handleWSSessionEnd)
 	s := ldap.NewServer()
 	s.EnforceLDAP = true
 
@@ -50,6 +55,7 @@ func NewServer(ac *ak.APIController) *LDAPServer {
 	s.BindFunc("", ls)
 	s.UnbindFunc("", ls)
 	s.SearchFunc("", ls)
+	s.CloseFunc("", ls)
 	return ls
 }
 
@@ -117,3 +123,23 @@ func (ls *LDAPServer) TimerFlowCacheExpiry(ctx context.Context) {
 		p.binder.TimerFlowCacheExpiry(ctx)
 	}
 }
+
+func (ls *LDAPServer) handleWSSessionEnd(ctx context.Context, msg ak.Event) error {
+	if msg.Instruction != ak.EventKindSessionEnd {
+		return nil
+	}
+	mmsg := ak.EventArgsSessionEnd{}
+	err := msg.ArgsAs(&mmsg)
+	if err != nil {
+		return err
+	}
+	ls.connectionsSync.Lock()
+	defer ls.connectionsSync.Unlock()
+	ls.log.Info("Disconnecting session due to session end event")
+	conn, ok := ls.connections[mmsg.SessionID]
+	if !ok {
+		return nil
+	}
+	delete(ls.connections, mmsg.SessionID)
+	return conn.Close()
+}

internal/outpost/ldap/search/direct/schema.go

@@ -44,38 +44,40 @@ func (ds *DirectSearcher) SearchSubschema(req *search.Request) (ldap.ServerSearc
 					{
 						Name: "attributeTypes",
 						Values: []string{
-							"( 2.5.4.0 NAME 'objectClass' SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' NO-USER-MODIFICATION )",
-							"( 2.5.4.4 NAME 'sn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 2.5.4.3 NAME 'cn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 2.5.4.6 NAME 'c' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 2.5.4.7 NAME 'l' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 2.5.4.10 NAME 'o' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
-							"( 2.5.4.11 NAME 'ou' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
-							"( 2.5.4.12 NAME 'title' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 2.5.4.13 NAME 'description' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
-							"( 2.5.4.20 NAME 'telephoneNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 2.5.4.31 NAME 'member' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )",
-							"( 2.5.4.42 NAME 'givenName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 2.5.21.2 NAME 'dITContentRules' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
-							"( 2.5.21.5 NAME 'attributeTypes' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
-							"( 2.5.21.6 NAME 'objectClasses' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
 							"( 0.9.2342.19200300.100.1.1 NAME 'uid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 0.9.2342.19200300.100.1.3 NAME 'mail' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 0.9.2342.19200300.100.1.41 NAME 'mobile' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 1.2.840.113556.1.2.13 NAME 'displayName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
-							"( 1.2.840.113556.1.2.146 NAME 'company' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION )",
+							"( 1.2.840.113556.1.2.13 NAME 'displayName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 1.2.840.113556.1.2.131 NAME 'co' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 1.2.840.113556.1.2.141 NAME 'department' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 1.2.840.113556.1.2.146 NAME 'company' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 1.2.840.113556.1.4.1 NAME 'name' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE NO-USER-MODIFICATION )",
-							"( 1.2.840.113556.1.4.44 NAME 'homeDirectory' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 1.2.840.113556.1.4.261 NAME 'division' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 1.2.840.113556.1.4.44 NAME 'homeDirectory' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 							"( 1.2.840.113556.1.4.750 NAME 'groupType' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
 							"( 1.2.840.113556.1.4.782 NAME 'objectCategory' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' SINGLE-VALUE )",
 							"( 1.3.6.1.1.1.1.0 NAME 'uidNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
 							"( 1.3.6.1.1.1.1.1 NAME 'gidNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )",
 							"( 1.3.6.1.1.1.1.12 NAME 'memberUid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.26' )",
+							"( 2.5.18.1 NAME 'createTimestamp' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION )",
+							"( 2.5.18.2 NAME 'modifyTimestamp' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION )",
+							"( 2.5.21.2 NAME 'dITContentRules' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
+							"( 2.5.21.5 NAME 'attributeTypes' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
+							"( 2.5.21.6 NAME 'objectClasses' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' NO-USER-MODIFICATION )",
+							"( 2.5.4.0 NAME 'objectClass' SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' NO-USER-MODIFICATION )",
+							"( 2.5.4.10 NAME 'o' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
+							"( 2.5.4.11 NAME 'ou' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
+							"( 2.5.4.12 NAME 'title' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 2.5.4.13 NAME 'description' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
+							"( 2.5.4.20 NAME 'telephoneNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 2.5.4.3 NAME 'cn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 2.5.4.31 NAME 'member' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )",
+							"( 2.5.4.4 NAME 'sn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 2.5.4.42 NAME 'givenName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 2.5.4.6 NAME 'c' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
+							"( 2.5.4.7 NAME 'l' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
 
 							// Custom attributes
 							// Temporarily use 1.3.6.1.4.1.26027.1.1 as a base

internal/outpost/ldap/search/request.go

@@ -53,6 +53,14 @@ func NewRequest(bindDN string, searchReq ldap.SearchRequest, conn net.Conn) (*Re
 	if err != nil && len(searchReq.Filter) > 0 {
 		l.WithError(err).WithField("objectClass", filterOC).Warning("invalid filter object class")
 	}
+
+	// Handle comma-separated attributes
+	normalizedAttributes := normalizeAttributes(searchReq.Attributes)
+	if len(normalizedAttributes) != len(searchReq.Attributes) {
+		// Create a copy of the search request with normalized attributes
+		searchReq.Attributes = normalizedAttributes
+	}
+
 	return &Request{
 		SearchRequest:     searchReq,
 		BindDN:            bindDN,
@@ -64,6 +72,31 @@ func NewRequest(bindDN string, searchReq ldap.SearchRequest, conn net.Conn) (*Re
 	}, span
 }
 
+// normalizeAttributes handles the case where attributes might be passed as comma-separated strings
+// rather than as individual array elements
+func normalizeAttributes(attributes []string) []string {
+	if len(attributes) == 0 {
+		return attributes
+	}
+
+	result := make([]string, 0, len(attributes))
+	for _, attr := range attributes {
+		if strings.Contains(attr, ",") {
+			// Split comma-separated attributes and add them individually
+			parts := strings.Split(attr, ",")
+			for _, part := range parts {
+				part = strings.TrimSpace(part)
+				if part != "" {
+					result = append(result, part)
+				}
+			}
+		} else {
+			result = append(result, attr)
+		}
+	}
+	return result
+}
+
 func (r *Request) Context() context.Context {
 	return r.ctx
 }

internal/outpost/ldap/search/request_test.go

@@ -0,0 +1,98 @@
+package search
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestNormalizeAttributes(t *testing.T) {
+	tests := []struct {
+		name           string
+		input          []string
+		expectedOutput []string
+	}{
+		{
+			name:           "Empty input",
+			input:          []string{},
+			expectedOutput: []string{},
+		},
+		{
+			name:           "No commas",
+			input:          []string{"uid", "cn", "sn"},
+			expectedOutput: []string{"uid", "cn", "sn"},
+		},
+		{
+			name:           "Single comma-separated string",
+			input:          []string{"uid,cn,sn"},
+			expectedOutput: []string{"uid", "cn", "sn"},
+		},
+		{
+			name:           "Mixed input",
+			input:          []string{"uid,cn", "sn"},
+			expectedOutput: []string{"uid", "cn", "sn"},
+		},
+		{
+			name:           "With spaces",
+			input:          []string{"uid, cn, sn"},
+			expectedOutput: []string{"uid", "cn", "sn"},
+		},
+		{
+			name:           "Empty parts",
+			input:          []string{"uid,, cn"},
+			expectedOutput: []string{"uid", "cn"},
+		},
+		{
+			name:           "Single element",
+			input:          []string{"uid"},
+			expectedOutput: []string{"uid"},
+		},
+		{
+			name:           "Only commas",
+			input:          []string{",,,"},
+			expectedOutput: []string{},
+		},
+		{
+			name:           "Multiple comma-separated attributes",
+			input:          []string{"uid,cn", "sn,mail", "givenName"},
+			expectedOutput: []string{"uid", "cn", "sn", "mail", "givenName"},
+		},
+		{
+			name:           "Case preservation",
+			input:          []string{"uid,CN,sAMAccountName"},
+			expectedOutput: []string{"uid", "CN", "sAMAccountName"},
+		},
+		{
+			name:           "Leading and trailing spaces",
+			input:          []string{" uid , cn , sn "},
+			expectedOutput: []string{"uid", "cn", "sn"},
+		},
+		{
+			name:           "Real-world LDAP attribute examples",
+			input:          []string{"objectClass,memberOf,mail", "sAMAccountName,userPrincipalName"},
+			expectedOutput: []string{"objectClass", "memberOf", "mail", "sAMAccountName", "userPrincipalName"},
+		},
+		{
+			name:           "Jira-style attribute format",
+			input:          []string{"uid,cn,sn"},
+			expectedOutput: []string{"uid", "cn", "sn"},
+		},
+		{
+			name:           "Single string with single attribute",
+			input:          []string{"cn"},
+			expectedOutput: []string{"cn"},
+		},
+		{
+			name:           "Mix of standard and operational attributes",
+			input:          []string{"uid,+", "createTimestamp"},
+			expectedOutput: []string{"uid", "+", "createTimestamp"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := normalizeAttributes(tt.input)
+			assert.Equal(t, tt.expectedOutput, result)
+		})
+	}
+}

internal/outpost/proxyv2/application/application.go

@@ -5,6 +5,7 @@ import (
 	"crypto/sha256"
 	"crypto/tls"
 	"encoding/gob"
+	"encoding/hex"
 	"fmt"
 	"html/template"
 	"net/http"
@@ -118,8 +119,8 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 	mux := mux.NewRouter()
 
 	// Save cookie name, based on hashed client ID
-	h := sha256.New()
-	bs := string(h.Sum([]byte(*p.ClientId)))
+	hs := sha256.Sum256([]byte(*p.ClientId))
+	bs := hex.EncodeToString(hs[:])
 	sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])
 
 	// When HOST_BROWSER is set, use that as Host header for token requests to make the issuer match

internal/outpost/proxyv2/application/claims.go

@@ -3,6 +3,7 @@ package application
 type ProxyClaims struct {
 	UserAttributes  map[string]interface{} `json:"user_attributes"`
 	BackendOverride string                 `json:"backend_override"`
+	HostHeader      string                 `json:"host_header"`
 	IsSuperuser     bool                   `json:"is_superuser"`
 }
 

internal/outpost/proxyv2/application/mode_proxy.go

@@ -74,13 +74,18 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 		r.URL.Scheme = ou.Scheme
 		r.URL.Host = ou.Host
 		claims := a.getClaimsFromSession(r)
-		if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
-			u, err := url.Parse(claims.Proxy.BackendOverride)
-			if err != nil {
-				a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
-			} else {
-				r.URL.Scheme = u.Scheme
-				r.URL.Host = u.Host
+		if claims != nil && claims.Proxy != nil {
+			if claims.Proxy.BackendOverride != "" {
+				u, err := url.Parse(claims.Proxy.BackendOverride)
+				if err != nil {
+					a.log.WithField("backend_override", claims.Proxy.BackendOverride).WithError(err).Warning("failed parse user backend override")
+				} else {
+					r.URL.Scheme = u.Scheme
+					r.URL.Host = u.Host
+				}
+			}
+			if claims.Proxy.HostHeader != "" {
+				r.Host = claims.Proxy.HostHeader
 			}
 		}
 		a.log.WithField("upstream_url", r.URL.String()).Trace("final upstream url")

internal/outpost/proxyv2/proxyv2.go

@@ -35,7 +35,7 @@ type ProxyServer struct {
 	akAPI       *ak.APIController
 }
 
-func NewProxyServer(ac *ak.APIController) *ProxyServer {
+func NewProxyServer(ac *ak.APIController) ak.Outpost {
 	l := log.WithField("logger", "authentik.outpost.proxyv2")
 	defaultCert, err := crypto.GenerateSelfSignedCert()
 	if err != nil {
@@ -66,7 +66,7 @@ func NewProxyServer(ac *ak.APIController) *ProxyServer {
 	globalMux.PathPrefix("/outpost.goauthentik.io/static").HandlerFunc(s.HandleStatic)
 	globalMux.Path("/outpost.goauthentik.io/ping").HandlerFunc(sentryutils.SentryNoSample(s.HandlePing))
 	rootMux.PathPrefix("/").HandlerFunc(s.Handle)
-	ac.AddWSHandler(s.handleWSMessage)
+	ac.AddEventHandler(s.handleWSMessage)
 	return s
 }
 

internal/outpost/proxyv2/ws.go

@@ -3,48 +3,27 @@ package proxyv2
 import (
 	"context"
 
-	"github.com/mitchellh/mapstructure"
+	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/proxyv2/application"
 )
 
-type WSProviderSubType string
-
-const (
-	WSProviderSubTypeLogout WSProviderSubType = "logout"
-)
-
-type WSProviderMsg struct {
-	SubType   WSProviderSubType `mapstructure:"sub_type"`
-	SessionID string            `mapstructure:"session_id"`
-}
-
-func ParseWSProvider(args map[string]interface{}) (*WSProviderMsg, error) {
-	msg := &WSProviderMsg{}
-	err := mapstructure.Decode(args, &msg)
-	if err != nil {
-		return nil, err
+func (ps *ProxyServer) handleWSMessage(ctx context.Context, msg ak.Event) error {
+	if msg.Instruction != ak.EventKindSessionEnd {
+		return nil
 	}
-	return msg, nil
-}
-
-func (ps *ProxyServer) handleWSMessage(ctx context.Context, args map[string]interface{}) {
-	msg, err := ParseWSProvider(args)
+	mmsg := ak.EventArgsSessionEnd{}
+	err := msg.ArgsAs(&mmsg)
 	if err != nil {
-		ps.log.WithError(err).Warning("invalid provider-specific ws message")
-		return
+		return err
 	}
-	switch msg.SubType {
-	case WSProviderSubTypeLogout:
-		for _, p := range ps.apps {
-			ps.log.WithField("provider", p.Host).Debug("Logging out")
-			err := p.Logout(ctx, func(c application.Claims) bool {
-				return c.Sid == msg.SessionID
-			})
-			if err != nil {
-				ps.log.WithField("provider", p.Host).WithError(err).Warning("failed to logout")
-			}
+	for _, p := range ps.apps {
+		ps.log.WithField("provider", p.Host).Debug("Logging out")
+		err := p.Logout(ctx, func(c application.Claims) bool {
+			return c.Sid == mmsg.SessionID
+		})
+		if err != nil {
+			ps.log.WithField("provider", p.Host).WithError(err).Warning("failed to logout")
 		}
-	default:
-		ps.log.WithField("sub_type", msg.SubType).Warning("invalid sub_type")
 	}
+	return nil
 }

internal/outpost/rac/rac.go

@@ -6,7 +6,6 @@ import (
 	"strconv"
 	"sync"
 
-	"github.com/mitchellh/mapstructure"
 	log "github.com/sirupsen/logrus"
 	"github.com/wwt/guac"
 
@@ -23,14 +22,14 @@ type RACServer struct {
 	conns map[string]connection.Connection
 }
 
-func NewServer(ac *ak.APIController) *RACServer {
+func NewServer(ac *ak.APIController) ak.Outpost {
 	rs := &RACServer{
 		log:   log.WithField("logger", "authentik.outpost.rac"),
 		ac:    ac,
 		connm: sync.RWMutex{},
 		conns: map[string]connection.Connection{},
 	}
-	ac.AddWSHandler(rs.wsHandler)
+	ac.AddEventHandler(rs.wsHandler)
 	return rs
 }
 
@@ -52,12 +51,14 @@ func parseIntOrZero(input string) int {
 	return x
 }
 
-func (rs *RACServer) wsHandler(ctx context.Context, args map[string]interface{}) {
+func (rs *RACServer) wsHandler(ctx context.Context, msg ak.Event) error {
+	if msg.Instruction != ak.EventKindProviderSpecific {
+		return nil
+	}
 	wsm := WSMessage{}
-	err := mapstructure.Decode(args, &wsm)
+	err := msg.ArgsAs(&wsm)
 	if err != nil {
-		rs.log.WithError(err).Warning("invalid ws message")
-		return
+		return err
 	}
 	config := guac.NewGuacamoleConfiguration()
 	config.Protocol = wsm.Protocol
@@ -71,23 +72,23 @@ func (rs *RACServer) wsHandler(ctx context.Context, args map[string]interface{})
 	}
 	cc, err := connection.NewConnection(rs.ac, wsm.DestChannelID, config)
 	if err != nil {
-		rs.log.WithError(err).Warning("failed to setup connection")
-		return
+		return err
 	}
 	cc.OnError = func(err error) {
 		rs.connm.Lock()
 		delete(rs.conns, wsm.ConnID)
-		_ = rs.ac.SendWSHello(map[string]interface{}{
+		_ = rs.ac.SendEventHello(map[string]interface{}{
 			"active_connections": len(rs.conns),
 		})
 		rs.connm.Unlock()
 	}
 	rs.connm.Lock()
 	rs.conns[wsm.ConnID] = *cc
-	_ = rs.ac.SendWSHello(map[string]interface{}{
+	_ = rs.ac.SendEventHello(map[string]interface{}{
 		"active_connections": len(rs.conns),
 	})
 	rs.connm.Unlock()
+	return nil
 }
 
 func (rs *RACServer) Start() error {

internal/outpost/radius/handler.go

@@ -2,6 +2,7 @@ package radius
 
 import (
 	"crypto/sha512"
+	"encoding/hex"
 	"time"
 
 	"github.com/getsentry/sentry-go"
@@ -68,7 +69,9 @@ func (rs *RadiusServer) ServeRADIUS(w radius.ResponseWriter, r *radius.Request)
 		}
 	}
 	if pi == nil {
-		nr.Log().WithField("hashed_secret", string(sha512.New().Sum(r.Secret))).Warning("No provider found")
+		hs := sha512.Sum512([]byte(r.Secret))
+		bs := hex.EncodeToString(hs[:])
+		nr.Log().WithField("hashed_secret", bs).Warning("No provider found")
 		_ = w.Write(r.Response(radius.CodeAccessReject))
 		return
 	}

internal/outpost/radius/radius.go

@@ -34,7 +34,7 @@ type RadiusServer struct {
 	providers []*ProviderInstance
 }
 
-func NewServer(ac *ak.APIController) *RadiusServer {
+func NewServer(ac *ak.APIController) ak.Outpost {
 	rs := &RadiusServer{
 		log:       log.WithField("logger", "authentik.outpost.radius"),
 		ac:        ac,

internal/utils/web/http_tracing.go

@@ -2,7 +2,6 @@ package web
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 
 	"github.com/getsentry/sentry-go"
@@ -20,7 +19,7 @@ func NewTracingTransport(ctx context.Context, inner http.RoundTripper) *tracingT
 func (tt *tracingTransport) RoundTrip(r *http.Request) (*http.Response, error) {
 	span := sentry.StartSpan(tt.ctx, "authentik.go.http_request")
 	r.Header.Set("sentry-trace", span.ToSentryTrace())
-	span.Description = fmt.Sprintf("%s %s", r.Method, r.URL.String())
+	span.Description = r.Method + " " + r.URL.String()
 	span.SetTag("url", r.URL.String())
 	span.SetTag("method", r.Method)
 	defer span.Finish()

internal/web/static.go

@@ -31,8 +31,6 @@ func (ws *WebServer) configureStatic() {
 		return h
 	}
 
-	helpHandler := http.FileServer(http.Dir("./website/help/"))
-
 	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/static/dist/").Handler(pathStripper(
 		distFs,
 		"static/dist/",
@@ -78,13 +76,6 @@ func (ws *WebServer) configureStatic() {
 		))
 	}
 
-	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/help/").Handler(pathStripper(
-		helpHandler,
-		config.Get().Web.Path,
-		"/if/help/",
-	))
-	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/help").Handler(http.RedirectHandler(fmt.Sprintf("%sif/help/", config.Get().Web.Path), http.StatusMovedPermanently))
-
 	staticRouter.PathPrefix(config.Get().Web.Path).Path("/robots.txt").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		rw.Header()["Content-Type"] = []string{"text/plain"}
 		rw.WriteHeader(200)

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1017.1",
+                "aws-cdk": "^2.1018.1",
                 "cross-env": "^7.0.3"
             },
             "engines": {
@@ -17,16 +17,16 @@
             }
         },
         "node_modules/aws-cdk": {
-            "version": "2.1017.1",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1017.1.tgz",
-            "integrity": "sha512-KtDdkMhfVjDeexjpMrVoSlz2mTYI5BE/KotvJ7iFbZy1G0nkpW1ImZ54TdBefeeFmZ+8DAjU3I6nUFtymyOI1A==",
+            "version": "2.1018.1",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1018.1.tgz",
+            "integrity": "sha512-kFPRox5kSm+ktJ451o0ng9rD+60p5Kt1CZIWw8kXnvqbsxN2xv6qbmyWSXw7sGVXVwqrRKVj+71/JeDr+LMAZw==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {
                 "cdk": "bin/cdk"
             },
             "engines": {
-                "node": ">= 14.15.0"
+                "node": ">= 18.0.0"
             },
             "optionalDependencies": {
                 "fsevents": "2.3.2"

lifecycle/aws/package.json

@@ -10,7 +10,7 @@
         "node": ">=20"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1017.1",
+        "aws-cdk": "^2.1018.1",
         "cross-env": "^7.0.3"
     }
 }

lifecycle/aws/template.yaml

@@ -26,7 +26,7 @@ Parameters:
     Description: authentik Docker image
   AuthentikVersion:
     Type: String
-    Default: 2025.6.0
+    Default: 2025.6.1
     Description: authentik Docker image tag
   AuthentikServerCPU:
     Type: Number

package-lock.json

@@ -1,12 +1,12 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.6.0",
+    "version": "2025.6.1",
     "lockfileVersion": 3,
     "requires": true,
     "packages": {
         "": {
             "name": "@goauthentik/authentik",
-            "version": "2025.6.0",
+            "version": "2025.6.1",
             "devDependencies": {
                 "@trivago/prettier-plugin-sort-imports": "^5.2.2",
                 "prettier": "^3.3.3",

package.json

@@ -1,6 +1,6 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2025.6.0",
+    "version": "2025.6.1",
     "private": true,
     "type": "module",
     "devDependencies": {

packages/eslint-config/package-lock.json

@@ -576,17 +576,17 @@
             "license": "MIT"
         },
         "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "8.33.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.33.0.tgz",
-            "integrity": "sha512-CACyQuqSHt7ma3Ns601xykeBK/rDeZa3w6IS6UtMQbixO5DWy+8TilKkviGDH6jtWCo8FGRKEK5cLLkPvEammQ==",
+            "version": "8.34.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.34.0.tgz",
+            "integrity": "sha512-QXwAlHlbcAwNlEEMKQS2RCgJsgXrTJdjXT08xEgbPFa2yYQgVjBymxP5DrfrE7X7iodSzd9qBUHUycdyVJTW1w==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/regexpp": "^4.10.0",
-                "@typescript-eslint/scope-manager": "8.33.0",
-                "@typescript-eslint/type-utils": "8.33.0",
-                "@typescript-eslint/utils": "8.33.0",
-                "@typescript-eslint/visitor-keys": "8.33.0",
+                "@typescript-eslint/scope-manager": "8.34.0",
+                "@typescript-eslint/type-utils": "8.34.0",
+                "@typescript-eslint/utils": "8.34.0",
+                "@typescript-eslint/visitor-keys": "8.34.0",
                 "graphemer": "^1.4.0",
                 "ignore": "^7.0.0",
                 "natural-compare": "^1.4.0",
@@ -600,7 +600,7 @@
                 "url": "https://opencollective.com/typescript-eslint"
             },
             "peerDependencies": {
-                "@typescript-eslint/parser": "^8.33.0",
+                "@typescript-eslint/parser": "^8.34.0",
                 "eslint": "^8.57.0 || ^9.0.0",
                 "typescript": ">=4.8.4 <5.9.0"
             }
@@ -616,16 +616,16 @@
             }
         },
         "node_modules/@typescript-eslint/parser": {
-            "version": "8.33.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.33.0.tgz",
-            "integrity": "sha512-JaehZvf6m0yqYp34+RVnihBAChkqeH+tqqhS0GuX1qgPpwLvmTPheKEs6OeCK6hVJgXZHJ2vbjnC9j119auStQ==",
+            "version": "8.34.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.34.0.tgz",
+            "integrity": "sha512-vxXJV1hVFx3IXz/oy2sICsJukaBrtDEQSBiV48/YIV5KWjX1dO+bcIr/kCPrW6weKXvsaGKFNlwH0v2eYdRRbA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/scope-manager": "8.33.0",
-                "@typescript-eslint/types": "8.33.0",
-                "@typescript-eslint/typescript-estree": "8.33.0",
-                "@typescript-eslint/visitor-keys": "8.33.0",
+                "@typescript-eslint/scope-manager": "8.34.0",
+                "@typescript-eslint/types": "8.34.0",
+                "@typescript-eslint/typescript-estree": "8.34.0",
+                "@typescript-eslint/visitor-keys": "8.34.0",
                 "debug": "^4.3.4"
             },
             "engines": {
@@ -641,14 +641,14 @@
             }
         },
         "node_modules/@typescript-eslint/project-service": {
-            "version": "8.33.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.33.0.tgz",
-            "integrity": "sha512-d1hz0u9l6N+u/gcrk6s6gYdl7/+pp8yHheRTqP6X5hVDKALEaTn8WfGiit7G511yueBEL3OpOEpD+3/MBdoN+A==",
+            "version": "8.34.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.34.0.tgz",
+            "integrity": "sha512-iEgDALRf970/B2YExmtPMPF54NenZUf4xpL3wsCRx/lgjz6ul/l13R81ozP/ZNuXfnLCS+oPmG7JIxfdNYKELw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/tsconfig-utils": "^8.33.0",
-                "@typescript-eslint/types": "^8.33.0",
+                "@typescript-eslint/tsconfig-utils": "^8.34.0",
+                "@typescript-eslint/types": "^8.34.0",
                 "debug": "^4.3.4"
             },
             "engines": {
@@ -657,17 +657,20 @@
             "funding": {
                 "type": "opencollective",
                 "url": "https://opencollective.com/typescript-eslint"
+            },
+            "peerDependencies": {
+                "typescript": ">=4.8.4 <5.9.0"
             }
         },
         "node_modules/@typescript-eslint/scope-manager": {
-            "version": "8.33.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.33.0.tgz",
-            "integrity": "sha512-LMi/oqrzpqxyO72ltP+dBSP6V0xiUb4saY7WLtxSfiNEBI8m321LLVFU9/QDJxjDQG9/tjSqKz/E3380TEqSTw==",
+            "version": "8.34.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.34.0.tgz",
+            "integrity": "sha512-9Ac0X8WiLykl0aj1oYQNcLZjHgBojT6cW68yAgZ19letYu+Hxd0rE0veI1XznSSst1X5lwnxhPbVdwjDRIomRw==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.33.0",
-                "@typescript-eslint/visitor-keys": "8.33.0"
+                "@typescript-eslint/types": "8.34.0",
+                "@typescript-eslint/visitor-keys": "8.34.0"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -678,9 +681,9 @@
             }
         },
         "node_modules/@typescript-eslint/tsconfig-utils": {
-            "version": "8.33.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.33.0.tgz",
-            "integrity": "sha512-sTkETlbqhEoiFmGr1gsdq5HyVbSOF0145SYDJ/EQmXHtKViCaGvnyLqWFFHtEXoS0J1yU8Wyou2UGmgW88fEug==",
+            "version": "8.34.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.34.0.tgz",
+            "integrity": "sha512-+W9VYHKFIzA5cBeooqQxqNriAP0QeQ7xTiDuIOr71hzgffm3EL2hxwWBIIj4GuofIbKxGNarpKqIq6Q6YrShOA==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -695,14 +698,14 @@
             }
         },
         "node_modules/@typescript-eslint/type-utils": {
-            "version": "8.33.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.33.0.tgz",
-            "integrity": "sha512-lScnHNCBqL1QayuSrWeqAL5GmqNdVUQAAMTaCwdYEdWfIrSrOGzyLGRCHXcCixa5NK6i5l0AfSO2oBSjCjf4XQ==",
+            "version": "8.34.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.34.0.tgz",
+            "integrity": "sha512-n7zSmOcUVhcRYC75W2pnPpbO1iwhJY3NLoHEtbJwJSNlVAZuwqu05zY3f3s2SDWWDSo9FdN5szqc73DCtDObAg==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/typescript-estree": "8.33.0",
-                "@typescript-eslint/utils": "8.33.0",
+                "@typescript-eslint/typescript-estree": "8.34.0",
+                "@typescript-eslint/utils": "8.34.0",
                 "debug": "^4.3.4",
                 "ts-api-utils": "^2.1.0"
             },
@@ -719,9 +722,9 @@
             }
         },
         "node_modules/@typescript-eslint/types": {
-            "version": "8.33.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.33.0.tgz",
-            "integrity": "sha512-DKuXOKpM5IDT1FA2g9x9x1Ug81YuKrzf4mYX8FAVSNu5Wo/LELHWQyM1pQaDkI42bX15PWl0vNPt1uGiIFUOpg==",
+            "version": "8.34.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.34.0.tgz",
+            "integrity": "sha512-9V24k/paICYPniajHfJ4cuAWETnt7Ssy+R0Rbcqo5sSFr3QEZ/8TSoUi9XeXVBGXCaLtwTOKSLGcInCAvyZeMA==",
             "dev": true,
             "license": "MIT",
             "engines": {
@@ -733,16 +736,16 @@
             }
         },
         "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "8.33.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.33.0.tgz",
-            "integrity": "sha512-vegY4FQoB6jL97Tu/lWRsAiUUp8qJTqzAmENH2k59SJhw0Th1oszb9Idq/FyyONLuNqT1OADJPXfyUNOR8SzAQ==",
+            "version": "8.34.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.34.0.tgz",
+            "integrity": "sha512-rOi4KZxI7E0+BMqG7emPSK1bB4RICCpF7QD3KCLXn9ZvWoESsOMlHyZPAHyG04ujVplPaHbmEvs34m+wjgtVtg==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/project-service": "8.33.0",
-                "@typescript-eslint/tsconfig-utils": "8.33.0",
-                "@typescript-eslint/types": "8.33.0",
-                "@typescript-eslint/visitor-keys": "8.33.0",
+                "@typescript-eslint/project-service": "8.34.0",
+                "@typescript-eslint/tsconfig-utils": "8.34.0",
+                "@typescript-eslint/types": "8.34.0",
+                "@typescript-eslint/visitor-keys": "8.34.0",
                 "debug": "^4.3.4",
                 "fast-glob": "^3.3.2",
                 "is-glob": "^4.0.3",
@@ -801,16 +804,16 @@
             }
         },
         "node_modules/@typescript-eslint/utils": {
-            "version": "8.33.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.33.0.tgz",
-            "integrity": "sha512-lPFuQaLA9aSNa7D5u2EpRiqdAUhzShwGg/nhpBlc4GR6kcTABttCuyjFs8BcEZ8VWrjCBof/bePhP3Q3fS+Yrw==",
+            "version": "8.34.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.34.0.tgz",
+            "integrity": "sha512-8L4tWatGchV9A1cKbjaavS6mwYwp39jql8xUmIIKJdm+qiaeHy5KMKlBrf30akXAWBzn2SqKsNOtSENWUwg7XQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
                 "@eslint-community/eslint-utils": "^4.7.0",
-                "@typescript-eslint/scope-manager": "8.33.0",
-                "@typescript-eslint/types": "8.33.0",
-                "@typescript-eslint/typescript-estree": "8.33.0"
+                "@typescript-eslint/scope-manager": "8.34.0",
+                "@typescript-eslint/types": "8.34.0",
+                "@typescript-eslint/typescript-estree": "8.34.0"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -825,13 +828,13 @@
             }
         },
         "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "8.33.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.33.0.tgz",
-            "integrity": "sha512-7RW7CMYoskiz5OOGAWjJFxgb7c5UNjTG292gYhWeOAcFmYCtVCSqjqSBj5zMhxbXo2JOW95YYrUWJfU0zrpaGQ==",
+            "version": "8.34.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.34.0.tgz",
+            "integrity": "sha512-qHV7pW7E85A0x6qyrFn+O+q1k1p3tQCsqIZ1KZ5ESLXY57aTvUd3/a4rdPTeXisvhXn2VQG0VSKUqs8KHF2zcA==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/types": "8.33.0",
+                "@typescript-eslint/types": "8.34.0",
                 "eslint-visitor-keys": "^4.2.0"
             },
             "engines": {
@@ -4032,15 +4035,15 @@
             }
         },
         "node_modules/typescript-eslint": {
-            "version": "8.33.0",
-            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.33.0.tgz",
-            "integrity": "sha512-5YmNhF24ylCsvdNW2oJwMzTbaeO4bg90KeGtMjUw0AGtHksgEPLRTUil+coHwCfiu4QjVJFnjp94DmU6zV7DhQ==",
+            "version": "8.34.0",
+            "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.34.0.tgz",
+            "integrity": "sha512-MRpfN7uYjTrTGigFCt8sRyNqJFhjN0WwZecldaqhWm+wy0gaRt8Edb/3cuUy0zdq2opJWT6iXINKAtewnDOltQ==",
             "dev": true,
             "license": "MIT",
             "dependencies": {
-                "@typescript-eslint/eslint-plugin": "8.33.0",
-                "@typescript-eslint/parser": "8.33.0",
-                "@typescript-eslint/utils": "8.33.0"
+                "@typescript-eslint/eslint-plugin": "8.34.0",
+                "@typescript-eslint/parser": "8.34.0",
+                "@typescript-eslint/utils": "8.34.0"
             },
             "engines": {
                 "node": "^18.18.0 || ^20.9.0 || >=21.1.0"

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.6.0"
+version = "2025.6.1"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.13.*"
@@ -9,11 +9,11 @@ dependencies = [
     "celery==5.5.3",
     "channels==4.2.2",
     "channels-redis==4.2.1",
-    "cryptography==45.0.3",
+    "cryptography==45.0.4",
     "dacite==1.9.2",
     "deepmerge==2.0",
     "defusedxml==0.7.1",
-    "django==5.1.9",
+    "django==5.1.11",
     "django-countries==7.6.1",
     "django-cte==1.3.3",
     "django-filter==25.1",
@@ -35,15 +35,15 @@ dependencies = [
     "flower==2.0.1",
     "geoip2==5.1.0",
     "geopy==2.4.1",
-    "google-api-python-client==2.171.0",
+    "google-api-python-client==2.172.0",
     "gssapi==1.9.0",
     "gunicorn==23.0.0",
     "jsonpatch==1.33",
     "jwcrypto==1.5.6",
-    "kubernetes==32.0.1",
+    "kubernetes==33.1.0",
     "ldap3==2.9.1",
     "lxml==5.4.0",
-    "msgraph-sdk==1.32.0",
+    "msgraph-sdk==1.33.0",
     "opencontainers==0.0.14",
     "packaging==25.0",
     "paramiko==3.5.1",
@@ -56,13 +56,13 @@ dependencies = [
     "pyyaml==6.0.2",
     "requests-oauthlib==2.0.0",
     "scim2-filter-parser==0.7.0",
-    "sentry-sdk==2.29.1",
+    "sentry-sdk==2.30.0",
     "service-identity==24.2.0",
     "setproctitle==1.3.6",
     "structlog==25.4.0",
     "swagger-spec-validator==3.0.4",
     "tenant-schemas-celery==3.0.0",
-    "twilio==9.6.2",
+    "twilio==9.6.3",
     "ua-parser==1.0.1",
     "unidecode==1.4.0",
     "urllib3<3",
@@ -140,6 +140,7 @@ skip = [
     "**/storybook-static",
     "**/web/src/locales",
     "**/web/xliff",
+    "**/web/out",
     "./web/storybook-static",
     "./web/custom-elements.json",
     "./website/build",

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2025.6.0
+  version: 2025.6.1
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -38,33 +38,6 @@ paths:
               schema:
                 $ref: '#/components/schemas/GenericError'
           description: ''
-  /admin/metrics/:
-    get:
-      operationId: admin_metrics_retrieve
-      description: Login Metrics per 1h
-      tags:
-      - admin
-      security:
-      - authentik: []
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/LoginMetrics'
-          description: ''
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
   /admin/models/:
     get:
       operationId: admin_models_list
@@ -4136,42 +4109,6 @@ paths:
               schema:
                 $ref: '#/components/schemas/GenericError'
           description: ''
-  /core/applications/{slug}/metrics/:
-    get:
-      operationId: core_applications_metrics_list
-      description: Metrics for application logins
-      parameters:
-      - in: path
-        name: slug
-        schema:
-          type: string
-          description: Internal application name, used in URLs.
-        required: true
-      tags:
-      - core
-      security:
-      - authentik: []
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                type: array
-                items:
-                  $ref: '#/components/schemas/Coordinate'
-          description: ''
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
   /core/applications/{slug}/set_icon/:
     post:
       operationId: core_applications_set_icon_create
@@ -6071,40 +6008,6 @@ paths:
               schema:
                 $ref: '#/components/schemas/GenericError'
           description: ''
-  /core/users/{id}/metrics/:
-    get:
-      operationId: core_users_metrics_retrieve
-      description: User metrics per 1h
-      parameters:
-      - in: path
-        name: id
-        schema:
-          type: integer
-        description: A unique integer value identifying this User.
-        required: true
-      tags:
-      - core
-      security:
-      - authentik: []
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/UserMetrics'
-          description: ''
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
   /core/users/{id}/recovery/:
     post:
       operationId: core_users_recovery_create
@@ -7112,6 +7015,42 @@ paths:
         name: action
         schema:
           type: string
+      - in: query
+        name: actions
+        schema:
+          type: array
+          items:
+            type: string
+            enum:
+            - authorize_application
+            - configuration_error
+            - custom_
+            - email_sent
+            - flow_execution
+            - impersonation_ended
+            - impersonation_started
+            - invitation_used
+            - login
+            - login_failed
+            - logout
+            - model_created
+            - model_deleted
+            - model_updated
+            - password_set
+            - policy_exception
+            - policy_execution
+            - property_mapping_exception
+            - secret_rotate
+            - secret_view
+            - source_linked
+            - suspicious_request
+            - system_exception
+            - system_task_exception
+            - system_task_execution
+            - update_available
+            - user_write
+        explode: true
+        style: form
       - in: query
         name: brand_name
         schema:
@@ -7398,44 +7337,6 @@ paths:
               schema:
                 $ref: '#/components/schemas/GenericError'
           description: ''
-  /events/events/per_month/:
-    get:
-      operationId: events_events_per_month_list
-      description: Get the count of events per month
-      parameters:
-      - in: query
-        name: action
-        schema:
-          type: string
-      - in: query
-        name: query
-        schema:
-          type: string
-      tags:
-      - events
-      security:
-      - authentik: []
-      responses:
-        '200':
-          content:
-            application/json:
-              schema:
-                type: array
-                items:
-                  $ref: '#/components/schemas/Coordinate'
-          description: ''
-        '400':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ValidationError'
-          description: ''
-        '403':
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/GenericError'
-          description: ''
   /events/events/top_per_user/:
     get:
       operationId: events_events_top_per_user_list
@@ -7483,6 +7384,42 @@ paths:
         name: action
         schema:
           type: string
+      - in: query
+        name: actions
+        schema:
+          type: array
+          items:
+            type: string
+            enum:
+            - authorize_application
+            - configuration_error
+            - custom_
+            - email_sent
+            - flow_execution
+            - impersonation_ended
+            - impersonation_started
+            - invitation_used
+            - login
+            - login_failed
+            - logout
+            - model_created
+            - model_deleted
+            - model_updated
+            - password_set
+            - policy_exception
+            - policy_execution
+            - property_mapping_exception
+            - secret_rotate
+            - secret_view
+            - source_linked
+            - suspicious_request
+            - system_exception
+            - system_task_exception
+            - system_task_execution
+            - update_available
+            - user_write
+        explode: true
+        style: form
       - in: query
         name: brand_name
         schema:
@@ -7512,6 +7449,11 @@ paths:
         schema:
           type: string
         description: Context Model Primary Key
+      - in: query
+        name: history_days
+        schema:
+          type: number
+          default: 7
       - name: ordering
         required: false
         in: query
@@ -7540,7 +7482,7 @@ paths:
               schema:
                 type: array
                 items:
-                  $ref: '#/components/schemas/Coordinate'
+                  $ref: '#/components/schemas/EventVolume'
           description: ''
         '400':
           content:
@@ -43596,19 +43538,6 @@ components:
       - sidebar_left
       - sidebar_right
       type: string
-    Coordinate:
-      type: object
-      description: Coordinates for diagrams
-      properties:
-        x_cord:
-          type: integer
-          readOnly: true
-        y_cord:
-          type: integer
-          readOnly: true
-      required:
-      - x_cord
-      - y_cord
     CountryCodeEnum:
       enum:
       - AF
@@ -44986,6 +44915,21 @@ components:
       - application
       - counted_events
       - unique_users
+    EventVolume:
+      type: object
+      description: Count of events of action created on day
+      properties:
+        action:
+          $ref: '#/components/schemas/EventActions'
+        time:
+          type: string
+          format: date-time
+        count:
+          type: integer
+      required:
+      - action
+      - count
+      - time
     EventsRequestedEnum:
       enum:
       - https://schemas.openid.net/secevent/caep/event-type/session-revoked
@@ -48297,29 +48241,6 @@ components:
           xak-flow-redirect: '#/components/schemas/RedirectChallenge'
           ak-source-oauth-apple: '#/components/schemas/AppleLoginChallenge'
           ak-source-plex: '#/components/schemas/PlexAuthenticationChallenge'
-    LoginMetrics:
-      type: object
-      description: Login Metrics per 1h
-      properties:
-        logins:
-          type: array
-          items:
-            $ref: '#/components/schemas/Coordinate'
-          readOnly: true
-        logins_failed:
-          type: array
-          items:
-            $ref: '#/components/schemas/Coordinate'
-          readOnly: true
-        authorizations:
-          type: array
-          items:
-            $ref: '#/components/schemas/Coordinate'
-          readOnly: true
-      required:
-      - authorizations
-      - logins
-      - logins_failed
     LoginSource:
       type: object
       description: Serializer for Login buttons of sources
@@ -60729,29 +60650,6 @@ components:
       - username_link
       - username_deny
       type: string
-    UserMetrics:
-      type: object
-      description: User Metrics
-      properties:
-        logins:
-          type: array
-          items:
-            $ref: '#/components/schemas/Coordinate'
-          readOnly: true
-        logins_failed:
-          type: array
-          items:
-            $ref: '#/components/schemas/Coordinate'
-          readOnly: true
-        authorizations:
-          type: array
-          items:
-            $ref: '#/components/schemas/Coordinate'
-          readOnly: true
-      required:
-      - authorizations
-      - logins
-      - logins_failed
     UserOAuthSourceConnection:
       type: object
       description: User source connection

tests/e2e/docker-compose.yml

@@ -1,13 +1,13 @@
 services:
   chrome:
     platform: linux/x86_64
-    image: docker.io/selenium/standalone-chrome:136.0
+    image: docker.io/selenium/standalone-chrome:137.0
     volumes:
       - /dev/shm:/dev/shm
     network_mode: host
     restart: always
   mailpit:
-    image: docker.io/axllent/mailpit:v1.25.1
+    image: docker.io/axllent/mailpit:v1.26.0
     ports:
       - 1025:1025
       - 8025:8025

tests/e2e/proxy_forward_auth/traefik_single/config-static.yaml

@@ -1,4 +1,4 @@
-# yaml-language-server: $schema=https://json.schemastore.org/traefik-v2.json
+# yaml-language-server: $schema=https://json.schemastore.org/traefik-v3.json
 api:
   insecure: true
   debug: true

tests/e2e/test_flows_authenticators_webauthn.py

@@ -0,0 +1,97 @@
+"""test flow with WebAuthn Stage"""
+
+from selenium.webdriver.common.virtual_authenticator import (
+    Protocol,
+    Transport,
+    VirtualAuthenticatorOptions,
+)
+
+from authentik.blueprints.tests import apply_blueprint
+from authentik.stages.authenticator_webauthn.models import (
+    AuthenticatorWebAuthnStage,
+    WebAuthnDevice,
+)
+from tests.e2e.test_flows_login_sfe import login_sfe
+from tests.e2e.utils import SeleniumTestCase, retry
+
+
+class TestFlowsAuthenticatorWebAuthn(SeleniumTestCase):
+    """test flow with WebAuthn Stage"""
+
+    host = "localhost"
+
+    def register(self):
+        options = VirtualAuthenticatorOptions(
+            protocol=Protocol.CTAP2,
+            transport=Transport.INTERNAL,
+            has_resident_key=True,
+            has_user_verification=True,
+            is_user_verified=True,
+        )
+        self.driver.add_virtual_authenticator(options)
+
+        self.driver.get(self.url("authentik_core:if-flow", flow_slug="default-authentication-flow"))
+        self.login()
+
+        self.wait_for_url(self.if_user_url("/library"))
+        self.assert_user(self.user)
+
+        self.driver.get(
+            self.url(
+                "authentik_flows:configure",
+                stage_uuid=AuthenticatorWebAuthnStage.objects.first().stage_uuid,
+            )
+        )
+
+        self.wait_for_url(self.if_user_url("/library"))
+        self.assertTrue(WebAuthnDevice.objects.filter(user=self.user, confirmed=True).exists())
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @apply_blueprint("default/flow-default-authenticator-webauthn-setup.yaml")
+    def test_webauthn_setup(self):
+        """Test WebAuthn setup"""
+        self.register()
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @apply_blueprint("default/flow-default-authenticator-webauthn-setup.yaml")
+    def test_webauthn_authenticate(self):
+        """Test WebAuthn authentication"""
+        self.register()
+        self.driver.delete_all_cookies()
+
+        self.driver.get(self.url("authentik_core:if-flow", flow_slug="default-authentication-flow"))
+        self.login()
+
+        self.wait_for_url(self.if_user_url("/library"))
+
+        self.assert_user(self.user)
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @apply_blueprint("default/flow-default-authenticator-webauthn-setup.yaml")
+    def test_webauthn_authenticate_sfe(self):
+        """Test WebAuthn authentication (SFE)"""
+        self.register()
+        self.driver.delete_all_cookies()
+
+        self.driver.get(
+            self.url(
+                "authentik_core:if-flow",
+                flow_slug="default-authentication-flow",
+                query={"sfe": True},
+            )
+        )
+        login_sfe(self.driver, self.user)
+        self.wait_for_url(self.if_user_url("/library"))
+        self.assert_user(self.user)

tests/e2e/test_flows_login_sfe.py

@@ -4,34 +4,35 @@ from time import sleep
 
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
+from selenium.webdriver.remote.webdriver import WebDriver
 
 from authentik.blueprints.tests import apply_blueprint
+from authentik.core.models import User
 from tests.e2e.utils import SeleniumTestCase, retry
 
 
+def login_sfe(driver: WebDriver, user: User):
+    """Do entire login flow adjusted for SFE"""
+    flow_executor = driver.find_element(By.ID, "flow-sfe-container")
+    identification_stage = flow_executor.find_element(By.ID, "ident-form")
+
+    identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").click()
+    identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
+        user.username
+    )
+    identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
+        Keys.ENTER
+    )
+
+    password_stage = flow_executor.find_element(By.ID, "password-form")
+    password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(user.username)
+    password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
+    sleep(1)
+
+
 class TestFlowsLoginSFE(SeleniumTestCase):
     """test default login flow"""
 
-    def login(self):
-        """Do entire login flow adjusted for SFE"""
-        flow_executor = self.driver.find_element(By.ID, "flow-sfe-container")
-        identification_stage = flow_executor.find_element(By.ID, "ident-form")
-
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").click()
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
-            self.user.username
-        )
-        identification_stage.find_element(By.CSS_SELECTOR, "input[name=uid_field]").send_keys(
-            Keys.ENTER
-        )
-
-        password_stage = flow_executor.find_element(By.ID, "password-form")
-        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(
-            self.user.username
-        )
-        password_stage.find_element(By.CSS_SELECTOR, "input[name=password]").send_keys(Keys.ENTER)
-        sleep(1)
-
     @retry()
     @apply_blueprint(
         "default/flow-default-authentication-flow.yaml",
@@ -46,6 +47,6 @@ class TestFlowsLoginSFE(SeleniumTestCase):
                 query={"sfe": True},
             )
         )
-        self.login()
+        login_sfe(self.driver, self.user)
         self.wait_for_url(self.if_user_url("/library"))
         self.assert_user(self.user)