clean up recovery process by admin

* web: Add InvalidationFlow to Radius Provider dialogues

## What

- Bugfix: adds the InvalidationFlow to the Radius Provider dialogues
  - Repairs: `{"invalidation_flow":["This field is required."]}` message, which was *not* propagated
    to the Notification.
- Nitpick: Pretties `?foo=${true}` expressions: `s/\?([^=]+)=\$\{true\}/\1/`

## Note

Yes, I know I'm going to have to do more magic when we harmonize the forms, and no, I didn't add the
Property Mappings to the wizard, and yes, I know I'm going to have pain with the *new* version of
the wizard. But this is a serious bug; you can't make Radius servers with *either* of the current
dialogues at the moment.

* This (temporary) change is needed to prevent the unit tests from failing.

\# What

\# Why

\# How

\# Designs

\# Test Steps

\# Other Notes

* Revert "This (temporary) change is needed to prevent the unit tests from failing."

This reverts commit dddde09be5.

* web: Make using the wizard the default for new applications

# What

1. I removed the "Wizard Hint" bar and migrated the "Create With Wizard" button down to the default
   position as "Create With Provider," moving the "Create" button to a secondary position.
   Primary coloring has been kept for both.

2. Added an alert to the "Create" legacy dialog:

> Using this form will only create an Application. In order to authenticate with the application,
> you will have to manually pair it with a Provider.

3. Updated the subtitle on the Wizard dialog:

``` diff
-    wizardDescription = msg("Create a new application");
+    wizardDescription = msg("Create a new application and configure a provider for it.");
```

4. Updated the User page so that, if the User is-a Administrator and the number of Applications in
   the system is zero, the user will be invited to create a new Application using the Wizard rather
   than the legacy Form:

```diff
     renderNewAppButton() {
         const href = paramURL("/core/applications", {
-            createForm: true,
+            createWizard: true,
         });
```

5. Fixed a bug where, on initial render, if the `this.brand` field was not available, an error would
   appear in the console. The effects were usually harmless, as brand information came quickly and
   filled in before the user could notice, but it looked bad in the debugger.

6. Fixed a bug in testing where the wizard page "Configure Policy Bindings" had been changed to
   "Configure Policy/User/Group Binding".

# Testing

Since the wizard OUID didn't change (`data-ouia-component-id="start-application-wizard"`), the E2E
tests for "Application Wizard" completed without any substantial changes to the routine or to the
tests.

``` sh
npm run test:e2e:watch -- --spec ./tests/specs/new-application-by-wizard.ts
```

# User documentation changes required.

These changes were made at the request of docs, as an initial draft to show how the page looks with
the Application Wizard as he default tool for creating new Applications.

# Developer documentation changes required.

None.

.bumpversion.cfg

@@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2024.10.5
+current_version = 2024.12.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize = 
+serialize =
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:rc_t]
-values = 
+values =
 	rc
 	final
 optional_value = final
@@ -31,4 +31,4 @@ optional_value = final
 
 [bumpversion:file:web/src/common/constants.ts]
 
-[bumpversion:file:website/docs/install-config/install/aws/template.yaml]
+[bumpversion:file:lifecycle/aws/template.yaml]

.github/actions/comment-pr-instructions/action.yml

@@ -35,14 +35,6 @@ runs:
             AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
             ```
 
-            For arm64, use these values:
-
-            ```shell
-            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
-            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
-            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            ```
-
             Afterwards, run the upgrade commands from the latest release notes.
           </details>
           <details>
@@ -60,18 +52,6 @@ runs:
                     tag: ${{ inputs.tag }}
             ```
 
-            For arm64, use these values:
-
-            ```yaml
-            authentik:
-                outposts:
-                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}-arm64
-            ```
-
             Afterwards, run the upgrade commands from the latest release notes.
           </details>
         edit-mode: replace

.github/actions/docker-push-variables/action.yml

@@ -9,6 +9,9 @@ inputs:
   image-arch:
     required: false
     description: "Docker image arch"
+  release:
+    required: true
+    description: "True if this is a release build, false if this is a dev/PR build"
 
 outputs:
   shouldPush:
@@ -29,15 +32,24 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
+  imageTagsJSON:
+    description: "Docker image tags, as a JSON array"
+    value: ${{ steps.ev.outputs.imageTagsJSON }}
   attestImageNames:
     description: "Docker image names used for attestation"
     value: ${{ steps.ev.outputs.attestImageNames }}
+  cacheTo:
+    description: "cache-to value for the docker build step"
+    value: ${{ steps.ev.outputs.cacheTo }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}
   imageMainName:
     description: "Docker image main name"
     value: ${{ steps.ev.outputs.imageMainName }}
+  imageBuildArgs:
+    description: "Docker image build args"
+    value: ${{ steps.ev.outputs.imageBuildArgs }}
 
 runs:
   using: "composite"
@@ -48,6 +60,8 @@ runs:
       env:
         IMAGE_NAME: ${{ inputs.image-name }}
         IMAGE_ARCH: ${{ inputs.image-arch }}
+        RELEASE: ${{ inputs.release }}
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        REF: ${{ github.ref }}
       run: |
         python3 ${{ github.action_path }}/push_vars.py

.github/actions/docker-push-variables/push_vars.py

@@ -2,6 +2,7 @@
 
 import configparser
 import os
+from json import dumps
 from time import time
 
 parser = configparser.ConfigParser()
@@ -48,7 +49,7 @@ if is_release:
             ]
 else:
     suffix = ""
-    if image_arch and image_arch != "amd64":
+    if image_arch:
         suffix = f"-{image_arch}"
     for name in image_names:
         image_tags += [
@@ -70,12 +71,31 @@ def get_attest_image_names(image_with_tags: list[str]):
     return ",".join(set(image_tags))
 
 
+# Generate `cache-to` param
+cache_to = ""
+if should_push:
+    _cache_tag = "buildcache"
+    if image_arch:
+        _cache_tag += f"-{image_arch}"
+    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
+
+
+image_build_args = []
+if os.getenv("RELEASE", "false").lower() == "true":
+    image_build_args = [f"VERSION={os.getenv('REF')}"]
+else:
+    image_build_args = [f"GIT_BUILD_HASH={sha}"]
+image_build_args = "\n".join(image_build_args)
+
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldPush={str(should_push).lower()}", file=_output)
     print(f"sha={sha}", file=_output)
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)
     print(f"imageTags={','.join(image_tags)}", file=_output)
+    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
     print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
+    print(f"cacheTo={cache_to}", file=_output)
+    print(f"imageBuildArgs={image_build_args}", file=_output)

.github/actions/docker-push-variables/test.sh

@@ -1,7 +1,18 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+# Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
     GITHUB_REF=ref \
     GITHUB_SHA=sha \
     IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
+    GITHUB_REPOSITORY=goauthentik/authentik \
+    python $SCRIPT_DIR/push_vars.py
+
+# Pushing PR/main
+GITHUB_OUTPUT=/dev/stdout \
+    GITHUB_REF=ref \
+    GITHUB_SHA=sha \
+    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
+    GITHUB_REPOSITORY=goauthentik/authentik \
+    DOCKER_USERNAME=foo \
     python $SCRIPT_DIR/push_vars.py

.github/dependabot.yml

@@ -82,6 +82,16 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
+  - package-ecosystem: npm
+    directory: "/lifecycle/aws"
+    schedule:
+      interval: daily
+      time: "04:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "lifecycle/aws:"
+    labels:
+      - dependencies
   - package-ecosystem: pip
     directory: "/"
     schedule:

.github/workflows/_reusable-docker-build-single.yaml

@@ -0,0 +1,96 @@
+# Re-usable workflow for a single-architecture build
+name: Single-arch Container build
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+      image_arch:
+        required: true
+        type: string
+      runs-on:
+        required: true
+        type: string
+      registry_dockerhub:
+        default: false
+        type: boolean
+      registry_ghcr:
+        default: false
+        type: boolean
+      release:
+        default: false
+        type: boolean
+    outputs:
+      image-digest:
+        value: ${{ jobs.build.outputs.image-digest }}
+
+jobs:
+  build:
+    name: Build ${{ inputs.image_arch }}
+    runs-on: ${{ inputs.runs-on }}
+    outputs:
+      image-digest: ${{ steps.push.outputs.digest }}
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3.4.0
+      - uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+          image-arch: ${{ inputs.image_arch }}
+          release: ${{ inputs.release }}
+      - name: Login to Docker Hub
+        if: ${{ inputs.registry_dockerhub }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ inputs.registry_ghcr }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        if: ${{ inputs.release }}
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
+      - name: generate ts client
+        if: ${{ !inputs.release }}
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            ${{ steps.ev.outputs.imageBuildArgs }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          platforms: linux/${{ inputs.image_arch }}
+          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
+          cache-to: ${{ steps.ev.outputs.cacheTo }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/_reusable-docker-build.yaml

@@ -0,0 +1,104 @@
+# Re-usable workflow for a multi-architecture build
+name: Multi-arch container build
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+      registry_dockerhub:
+        default: false
+        type: boolean
+      registry_ghcr:
+        default: true
+        type: boolean
+      release:
+        default: false
+        type: boolean
+    outputs: {}
+
+jobs:
+  build-server-amd64:
+    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    secrets: inherit
+    with:
+      image_name: ${{ inputs.image_name }}
+      image_arch: amd64
+      runs-on: ubuntu-latest
+      registry_dockerhub: ${{ inputs.registry_dockerhub }}
+      registry_ghcr: ${{ inputs.registry_ghcr }}
+      release: ${{ inputs.release }}
+  build-server-arm64:
+    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    secrets: inherit
+    with:
+      image_name: ${{ inputs.image_name }}
+      image_arch: arm64
+      runs-on: ubuntu-22.04-arm
+      registry_dockerhub: ${{ inputs.registry_dockerhub }}
+      registry_ghcr: ${{ inputs.registry_ghcr }}
+      release: ${{ inputs.release }}
+  get-tags:
+    runs-on: ubuntu-latest
+    needs:
+      - build-server-amd64
+      - build-server-arm64
+    outputs:
+      tags: ${{ steps.ev.outputs.imageTagsJSON }}
+      shouldPush: ${{ steps.ev.outputs.shouldPush }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+  merge-server:
+    runs-on: ubuntu-latest
+    if: ${{ needs.get-tags.outputs.shouldPush == 'true' }}
+    needs:
+      - get-tags
+      - build-server-amd64
+      - build-server-arm64
+    strategy:
+      fail-fast: false
+      matrix:
+        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+      - name: Login to Docker Hub
+        if: ${{ inputs.registry_dockerhub }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ inputs.registry_ghcr }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: int128/docker-manifest-create-action@v2
+        id: build
+        with:
+          tags: ${{ matrix.tag }}
+          sources: |
+            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
+            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true

.github/workflows/ci-aws-cfn.yml

@@ -25,10 +25,10 @@ jobs:
         uses: ./.github/actions/setup
       - uses: actions/setup-node@v4
         with:
-          node-version-file: website/package.json
+          node-version-file: lifecycle/aws/package.json
           cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
+          cache-dependency-path: lifecycle/aws/package-lock.json
+      - working-directory: lifecycle/aws/
         run: |
           npm ci
       - name: Check changes have been applied

.github/workflows/ci-main-daily.yml

@@ -0,0 +1,28 @@
+---
+name: authentik-ci-main-daily
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Every night at 3am
+    - cron: "0 3 * * *"
+
+jobs:
+  test-container:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+          - docs
+          - version-2024-12
+          - version-2024-10
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          current="$(pwd)"
+          dir="/tmp/authentik/${{ matrix.version }}"
+          mkdir -p $dir
+          cd $dir
+          wget https://${{ matrix.version }}.goauthentik.io/docker-compose.yml
+          ${current}/scripts/test_docker.sh

.github/workflows/ci-main.yml

@@ -43,15 +43,26 @@ jobs:
         uses: ./.github/actions/setup
       - name: run migrations
         run: poetry run python -m lifecycle.migrate
-  test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
+  test-make-seed:
     runs-on: ubuntu-latest
+    steps:
+      - id: seed
+        run: |
+          echo "seed=$(printf "%d\n" "0x$(openssl rand -hex 4)")" >> "$GITHUB_OUTPUT"
+    outputs:
+      seed: ${{ steps.seed.outputs.seed }}
+  test-migrations-from-stable:
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    needs: test-make-seed
     strategy:
       fail-fast: false
       matrix:
         psql:
           - 15-alpine
           - 16-alpine
+        run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@v4
         with:
@@ -93,18 +104,23 @@ jobs:
         env:
           # Test in the main database that we just migrated from the previous stable version
           AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
+          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
+          CI_RUN_ID: ${{ matrix.run_id }}
+          CI_TOTAL_RUNS: "5"
         run: |
-          poetry run make test
+          poetry run make ci-test
   test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }}
+    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 20
+    needs: test-make-seed
     strategy:
       fail-fast: false
       matrix:
         psql:
           - 15-alpine
           - 16-alpine
+        run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@v4
       - name: Setup authentik env
@@ -112,9 +128,12 @@ jobs:
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: run unittest
+        env:
+          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
+          CI_RUN_ID: ${{ matrix.run_id }}
+          CI_TOTAL_RUNS: "5"
         run: |
-          poetry run make test
-          poetry run coverage xml
+          poetry run make ci-test
       - if: ${{ always() }}
         uses: codecov/codecov-action@v5
         with:
@@ -134,7 +153,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.11.0
+        uses: helm/kind-action@v1.12.0
       - name: run integration
         run: |
           poetry run coverage run manage.py test tests/integration
@@ -223,68 +242,18 @@ jobs:
         with:
           jobs: ${{ toJSON(needs) }}
   build:
-    strategy:
-      fail-fast: false
-      matrix:
-        arch:
-          - amd64
-          - arm64
-    needs: ci-core-mark
-    runs-on: ubuntu-latest
     permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
       packages: write
       # Needed for attestation
       id-token: write
       attestations: write
-    timeout-minutes: 120
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/dev-server
-          image-arch: ${{ matrix.arch }}
-      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: generate ts client
-        run: make gen-client-ts
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          build-args: |
-            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
-          platforms: linux/${{ matrix.arch }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+    needs: ci-core-mark
+    uses: ./.github/workflows/_reusable-docker-build.yaml
+    secrets: inherit
+    with:
+      image_name: ghcr.io/goauthentik/dev-server
+      release: false
   pr-comment:
     needs:
       - build

.github/workflows/ci-outpost.yml

@@ -72,7 +72,7 @@ jobs:
           - rac
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
       packages: write
       # Needed for attestation
       id-token: write
@@ -82,7 +82,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.4.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables

.github/workflows/release-publish.yml

@@ -7,64 +7,23 @@ on:
 
 jobs:
   build-server:
-    runs-on: ubuntu-latest
+    uses: ./.github/workflows/_reusable-docker-build.yaml
+    secrets: inherit
     permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
       packages: write
       # Needed for attestation
       id-token: write
       attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/server,beryju/authentik
-      - name: Docker Login Registry
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
-        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          push: true
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          build-args: |
-            VERSION=${{ github.ref }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          platforms: linux/amd64,linux/arm64
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+    with:
+      image_name: ghcr.io/goauthentik/server,beryju/authentik
+      release: true
+      registry_dockerhub: true
+      registry_ghcr: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
       packages: write
       # Needed for attestation
       id-token: write
@@ -83,7 +42,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.4.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -188,8 +147,8 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
       - name: Upload template
         run: |
-          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
+          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
+          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
   test-release:
     needs:
       - build-server

.github/workflows/release-tag.yml

@@ -14,16 +14,7 @@ jobs:
       - uses: actions/checkout@v4
       - name: Pre-release test
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
-          docker buildx install
-          mkdir -p ./gen-ts-api
-          docker build -t testing:latest .
-          echo "AUTHENTIK_IMAGE=testing" >> .env
-          echo "AUTHENTIK_TAG=latest" >> .env
-          docker compose up --no-start
-          docker compose start postgresql redis
-          docker compose run -u root server test-all
+          make test-docker
       - id: generate_token
         uses: tibdex/github-app-token@v2
         with:

.github/workflows/repo-stale.yml

@@ -1,8 +1,8 @@
-name: 'authentik-repo-stale'
+name: "authentik-repo-stale"
 
 on:
   schedule:
-    - cron: '30 1 * * *'
+    - cron: "30 1 * * *"
   workflow_dispatch:
 
 permissions:
@@ -25,7 +25,7 @@ jobs:
           days-before-stale: 60
           days-before-close: 7
           exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question,status/reviewing
-          stale-issue-label: wontfix
+          stale-issue-label: status/stale
           stale-issue-message: >
             This issue has been automatically marked as stale because it has not had
             recent activity. It will be closed if no further activity occurs. Thank you

.gitignore

@@ -209,3 +209,6 @@ source_docs/
 
 ### Golang ###
 /vendor/
+
+### Docker ###
+docker-compose.override.yml

.vscode/extensions.json

@@ -2,6 +2,7 @@
     "recommendations": [
         "bashmish.es6-string-css",
         "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
+        "charliermarsh.ruff",
         "dbaeumer.vscode-eslint",
         "EditorConfig.EditorConfig",
         "esbenp.prettier-vscode",
@@ -10,12 +11,12 @@
         "Gruntfuggly.todo-tree",
         "mechatroner.rainbow-csv",
         "ms-python.black-formatter",
-        "charliermarsh.ruff",
+        "ms-python.black-formatter",
+        "ms-python.debugpy",
         "ms-python.python",
         "ms-python.vscode-pylance",
-        "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx"
+        "unifiedjs.vscode-mdx",
     ]
 }

.vscode/launch.json

@@ -2,26 +2,76 @@
     "version": "0.2.0",
     "configurations": [
         {
-            "name": "Python: PDB attach Server",
-            "type": "python",
+            "name": "Debug: Attach Server Core",
+            "type": "debugpy",
             "request": "attach",
             "connect": {
                 "host": "localhost",
-                "port": 6800
+                "port": 9901
             },
-            "justMyCode": true,
+            "pathMappings": [
+                {
+                    "localRoot": "${workspaceFolder}",
+                    "remoteRoot": "."
+                }
+            ],
             "django": true
         },
         {
-            "name": "Python: PDB attach Worker",
-            "type": "python",
+            "name": "Debug: Attach Worker",
+            "type": "debugpy",
             "request": "attach",
             "connect": {
                 "host": "localhost",
-                "port": 6900
+                "port": 9901
             },
-            "justMyCode": true,
+            "pathMappings": [
+                {
+                    "localRoot": "${workspaceFolder}",
+                    "remoteRoot": "."
+                }
+            ],
             "django": true
+        },
+        {
+            "name": "Debug: Start Server Router",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/server",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start LDAP Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/ldap",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start Proxy Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/proxy",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start RAC Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/rac",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start Radius Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/radius",
+            "cwd": "${workspaceFolder}"
         }
     ]
 }

.vscode/settings.json

@@ -33,7 +33,8 @@
         "!If sequence",
         "!Index scalar",
         "!KeyOf scalar",
-        "!Value scalar"
+        "!Value scalar",
+        "!AtIndex scalar"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",

CODEOWNERS

@@ -15,6 +15,7 @@ go.mod                          @goauthentik/backend
 go.sum                          @goauthentik/backend
 # Infrastructure
 .github/                        @goauthentik/infrastructure
+lifecycle/aws/                  @goauthentik/infrastructure
 Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure
@@ -25,6 +26,9 @@ CODEOWNERS                      @goauthentik/infrastructure
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
+# Locale
+locale/                         @goauthentik/backend @goauthentik/frontend
+web/xliff/                      @goauthentik/backend @goauthentik/frontend
 # Docs & Website
 website/                        @goauthentik/docs
 CODE_OF_CONDUCT.md              @goauthentik/docs

Dockerfile

@@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps
 
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -116,15 +116,30 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
     --mount=type=cache,target=/root/.cache/pip \
     --mount=type=cache,target=/root/.cache/pypoetry \
+    pip install --no-cache cffi && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+        build-essential libffi-dev \
+        # Required for cryptography
+        curl pkg-config \
+        # Required for lxml
+        libxslt-dev zlib1g-dev \
+        # Required for xmlsec
+        libltdl-dev \
+        # Required for kadmin
+        sccache clang && \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
+    . "$HOME/.cargo/env" && \
     python -m venv /ak-root/venv/ && \
     bash -c "source ${VENV_PATH}/bin/activate && \
-    pip3 install --upgrade pip && \
-    pip3 install poetry && \
+    pip3 install --upgrade pip poetry && \
+    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
     poetry install --only=main --no-ansi --no-interaction --no-root && \
-    pip install --force-reinstall /wheels/*"
+    pip uninstall cryptography -y && \
+    poetry install --only=main --no-ansi --no-interaction --no-root"
 
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image
 
 ARG VERSION
 ARG GIT_BUILD_HASH
@@ -140,10 +155,12 @@ WORKDIR /
 
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
+    apt-get upgrade -y && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
+    pip3 install --no-cache-dir --upgrade pip && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
@@ -176,9 +193,8 @@ ENV TMPDIR=/dev/shm/ \
     PYTHONUNBUFFERED=1 \
     PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
     VENV_PATH="/ak-root/venv" \
-    POETRY_VIRTUALENVS_CREATE=false
-
-ENV GOFIPS=1
+    POETRY_VIRTUALENVS_CREATE=false \
+    GOFIPS=1
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
 

Makefile

@@ -5,7 +5,9 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle .github website/docs/install-config/install/aws
+PY_SOURCES = authentik tests scripts lifecycle .github
+GO_SOURCES = cmd internal
+WEB_SOURCES = web/src web/packages
 DOCKER_IMAGE ?= "authentik:test"
 
 GEN_API_TS = "gen-ts-api"
@@ -20,10 +22,11 @@ CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
 		-S 'website/docs/developer-docs/api/reference/**' \
-		authentik \
-		internal \
-		cmd \
-		web/src \
+		-S '**/node_modules/**' \
+		-S '**/dist/**' \
+		$(PY_SOURCES) \
+		$(GO_SOURCES) \
+		$(WEB_SOURCES) \
 		website/src \
 		website/blog \
 		website/docs \
@@ -45,15 +48,6 @@ help:  ## Show this help
 go-test:
 	go test -timeout 0 -v -race -cover ./...
 
-test-docker:  ## Run all tests in a docker-compose
-	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
-	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
-	docker compose pull -q
-	docker compose up --no-start
-	docker compose start postgresql redis
-	docker compose run -u root server test-all
-	rm -f .env
-
 test: ## Run the server tests and produce a coverage report (locally)
 	coverage run manage.py test --keepdb authentik
 	coverage html
@@ -78,6 +72,9 @@ migrate: ## Run the Authentik Django server's migrations
 
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
+aws-cfn:
+	cd lifecycle/aws && npm run aws-cfn
+
 core-i18n-extract:
 	ak makemessages \
 		--add-location file \
@@ -149,7 +146,7 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
@@ -252,9 +249,6 @@ website-build:
 website-watch:  ## Build and watch the documentation website, updating automatically
 	cd website && npm run watch
 
-aws-cfn:
-	cd website && npm run aws-cfn
-
 #########################
 ## Docker
 #########################
@@ -263,6 +257,9 @@ docker:  ## Build a docker image of the current source tree
 	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 
+test-docker:
+	BUILD=true ./scripts/test_docker.sh
+
 #########################
 ## CI
 #########################
@@ -287,3 +284,8 @@ ci-bandit: ci--meta-debug
 
 ci-pending-migrations: ci--meta-debug
 	ak makemigrations --check
+
+ci-test: ci--meta-debug
+	coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
+	coverage report
+	coverage xml

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
-| 2024.8.x  | ✅        |
 | 2024.10.x | ✅        |
+| 2024.12.x | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.10.5"
+__version__ = "2024.12.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 
@@ -16,5 +16,5 @@ def get_full_version() -> str:
     """Get full version, with build hash appended"""
     version = __version__
     if (build_hash := get_build_hash()) != "":
-        version += "." + build_hash
+        return f"{version}+{build_hash}"
     return version

authentik/admin/api/system.py

@@ -7,7 +7,9 @@ from sys import version as python_version
 from typing import TypedDict
 
 from cryptography.hazmat.backends.openssl.backend import backend
+from django.conf import settings
 from django.utils.timezone import now
+from django.views.debug import SafeExceptionReporterFilter
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
@@ -52,10 +54,16 @@ class SystemInfoSerializer(PassiveSerializer):
     def get_http_headers(self, request: Request) -> dict[str, str]:
         """Get HTTP Request headers"""
         headers = {}
+        raw_session = request._request.COOKIES.get(settings.SESSION_COOKIE_NAME)
         for key, value in request.META.items():
             if not isinstance(value, str):
                 continue
-            headers[key] = value
+            actual_value = value
+            if raw_session in actual_value:
+                actual_value = actual_value.replace(
+                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
+                )
+            headers[key] = actual_value
         return headers
 
     def get_http_host(self, request: Request) -> str:

authentik/admin/api/workers.py

@@ -1,12 +1,16 @@
 """authentik administration overview"""
 
+from socket import gethostname
+
 from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
-from rest_framework.fields import IntegerField
+from packaging.version import parse
+from rest_framework.fields import BooleanField, CharField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
+from authentik import get_full_version
 from authentik.rbac.permissions import HasPermission
 from authentik.root.celery import CELERY_APP
 
@@ -16,11 +20,38 @@ class WorkerView(APIView):
 
     permission_classes = [HasPermission("authentik_rbac.view_system_info")]
 
-    @extend_schema(responses=inline_serializer("Workers", fields={"count": IntegerField()}))
+    @extend_schema(
+        responses=inline_serializer(
+            "Worker",
+            fields={
+                "worker_id": CharField(),
+                "version": CharField(),
+                "version_matching": BooleanField(),
+            },
+            many=True,
+        )
+    )
     def get(self, request: Request) -> Response:
         """Get currently connected worker count."""
-        count = len(CELERY_APP.control.ping(timeout=0.5))
+        raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
+        our_version = parse(get_full_version())
+        response = []
+        for worker in raw:
+            key = list(worker.keys())[0]
+            version = worker[key].get("version")
+            version_matching = False
+            if version:
+                version_matching = parse(version) == our_version
+            response.append(
+                {"worker_id": key, "version": version, "version_matching": version_matching}
+            )
         # In debug we run with `task_always_eager`, so tasks are ran on the main process
         if settings.DEBUG:  # pragma: no cover
-            count += 1
-        return Response({"count": count})
+            response.append(
+                {
+                    "worker_id": f"authentik-debug@{gethostname()}",
+                    "version": get_full_version(),
+                    "version_matching": True,
+                }
+            )
+        return Response(response)

authentik/admin/apps.py

@@ -1,11 +1,10 @@
 """authentik admin app config"""
 
-from prometheus_client import Gauge, Info
+from prometheus_client import Info
 
 from authentik.blueprints.apps import ManagedAppConfig
 
 PROM_INFO = Info("authentik_version", "Currently running authentik version")
-GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 
 
 class AuthentikAdminConfig(ManagedAppConfig):

authentik/admin/signals.py

@@ -1,14 +1,35 @@
 """admin signals"""
 
 from django.dispatch import receiver
+from packaging.version import parse
+from prometheus_client import Gauge
 
-from authentik.admin.apps import GAUGE_WORKERS
+from authentik import get_full_version
 from authentik.root.celery import CELERY_APP
 from authentik.root.monitoring import monitoring_set
 
+GAUGE_WORKERS = Gauge(
+    "authentik_admin_workers",
+    "Currently connected workers, their versions and if they are the same version as authentik",
+    ["version", "version_matched"],
+)
+
+
+_version = parse(get_full_version())
+
 
 @receiver(monitoring_set)
 def monitoring_set_workers(sender, **kwargs):
     """Set worker gauge"""
-    count = len(CELERY_APP.control.ping(timeout=0.5))
-    GAUGE_WORKERS.set(count)
+    raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
+    worker_version_count = {}
+    for worker in raw:
+        key = list(worker.keys())[0]
+        version = worker[key].get("version")
+        version_matching = False
+        if version:
+            version_matching = parse(version) == _version
+        worker_version_count.setdefault(version, {"count": 0, "matching": version_matching})
+        worker_version_count[version]["count"] += 1
+    for version, stats in worker_version_count.items():
+        GAUGE_WORKERS.labels(version, stats["matching"]).set(stats["count"])

authentik/admin/tests/test_api.py

@@ -34,7 +34,7 @@ class TestAdminAPI(TestCase):
         response = self.client.get(reverse("authentik_api:admin_workers"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content)
-        self.assertEqual(body["count"], 0)
+        self.assertEqual(len(body), 0)
 
     def test_metrics(self):
         """Test metrics API"""

authentik/api/authorization.py

@@ -1,67 +0,0 @@
-"""API Authorization"""
-
-from django.conf import settings
-from django.db.models import Model
-from django.db.models.query import QuerySet
-from django_filters.rest_framework import DjangoFilterBackend
-from rest_framework.authentication import get_authorization_header
-from rest_framework.filters import BaseFilterBackend
-from rest_framework.permissions import BasePermission
-from rest_framework.request import Request
-
-from authentik.api.authentication import validate_auth
-from authentik.rbac.filters import ObjectFilter
-
-
-class OwnerFilter(BaseFilterBackend):
-    """Filter objects by their owner"""
-
-    owner_key = "user"
-
-    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
-        if request.user.is_superuser:
-            return queryset
-        return queryset.filter(**{self.owner_key: request.user})
-
-
-class SecretKeyFilter(DjangoFilterBackend):
-    """Allow access to all objects when authenticated with secret key as token.
-
-    Replaces both DjangoFilterBackend and ObjectFilter"""
-
-    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
-        auth_header = get_authorization_header(request)
-        token = validate_auth(auth_header)
-        if token and token == settings.SECRET_KEY:
-            return queryset
-        queryset = ObjectFilter().filter_queryset(request, queryset, view)
-        return super().filter_queryset(request, queryset, view)
-
-
-class OwnerPermissions(BasePermission):
-    """Authorize requests by an object's owner matching the requesting user"""
-
-    owner_key = "user"
-
-    def has_permission(self, request: Request, view) -> bool:
-        """If the user is authenticated, we allow all requests here. For listing, the
-        object-level permissions are done by the filter backend"""
-        return request.user.is_authenticated
-
-    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
-        """Check if the object's owner matches the currently logged in user"""
-        if not hasattr(obj, self.owner_key):
-            return False
-        owner = getattr(obj, self.owner_key)
-        if owner != request.user:
-            return False
-        return True
-
-
-class OwnerSuperuserPermissions(OwnerPermissions):
-    """Similar to OwnerPermissions, except always allow access for superusers"""
-
-    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
-        if request.user.is_superuser:
-            return True
-        return super().has_object_permission(request, view, obj)

authentik/blueprints/management/commands/blueprint_shell.py

@@ -0,0 +1,68 @@
+"""Test and debug Blueprints"""
+
+import atexit
+import readline
+from pathlib import Path
+from pprint import pformat
+from sys import exit as sysexit
+from textwrap import indent
+
+from django.core.management.base import BaseCommand, no_translations
+from structlog.stdlib import get_logger
+from yaml import load
+
+from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
+from authentik.core.management.commands.shell import get_banner_text
+from authentik.lib.utils.errors import exception_to_string
+
+LOGGER = get_logger()
+
+
+class Command(BaseCommand):
+    """Test and debug Blueprints"""
+
+    lines = []
+
+    def __init__(self, *args, **kwargs) -> None:
+        super().__init__(*args, **kwargs)
+        histfolder = Path("~").expanduser() / Path(".local/share/authentik")
+        histfolder.mkdir(parents=True, exist_ok=True)
+        histfile = histfolder / Path("blueprint_shell_history")
+        readline.parse_and_bind("tab: complete")
+        readline.parse_and_bind("set editing-mode vi")
+
+        try:
+            readline.read_history_file(str(histfile))
+        except FileNotFoundError:
+            pass
+
+        atexit.register(readline.write_history_file, str(histfile))
+
+    @no_translations
+    def handle(self, *args, **options):
+        """Interactively debug blueprint files"""
+        self.stdout.write(get_banner_text("Blueprint shell"))
+        self.stdout.write("Type '.eval' to evaluate previously entered statement(s).")
+
+        def do_eval():
+            yaml_input = "\n".join([line for line in self.lines if line])
+            data = load(yaml_input, BlueprintLoader)
+            self.stdout.write(pformat(data))
+            self.lines = []
+
+        while True:
+            try:
+                line = input("> ")
+                if line == ".eval":
+                    do_eval()
+                else:
+                    self.lines.append(line)
+            except EntryInvalidError as exc:
+                self.stdout.write("Failed to evaluate expression:")
+                self.stdout.write(indent(exception_to_string(exc), prefix="  "))
+            except EOFError:
+                break
+            except KeyboardInterrupt:
+                self.stdout.write()
+                sysexit(0)
+        self.stdout.write()

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -126,7 +126,7 @@ class Command(BaseCommand):
         def_name_perm = f"model_{model_path}_permissions"
         def_path_perm = f"#/$defs/{def_name_perm}"
         self.schema["$defs"][def_name_perm] = self.model_permissions(model)
-        return {
+        template = {
             "type": "object",
             "required": ["model", "identifiers"],
             "properties": {
@@ -143,6 +143,11 @@ class Command(BaseCommand):
                 "identifiers": {"$ref": def_path},
             },
         }
+        # Meta models don't require identifiers, as there's no matching database model to find
+        if issubclass(model, BaseMetaModel):
+            del template["properties"]["identifiers"]
+            template["required"].remove("identifiers")
+        return template
 
     def field_to_jsonschema(self, field: Field) -> dict:
         """Convert a single field to json schema"""

authentik/blueprints/tests/fixtures/tags.yaml

@@ -146,6 +146,10 @@ entries:
                   ]
               ]
               nested_context: !Context context2
+              at_index_sequence: !AtIndex [!Context sequence, 0]
+              at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
+              at_index_mapping: !AtIndex [!Context mapping, "key2"]
+              at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
       identifiers:
           name: test
       conditions:

authentik/blueprints/tests/test_v1.py

@@ -215,6 +215,10 @@ class TestBlueprintsV1(TransactionTestCase):
                     },
                     "nested_context": "context-nested-value",
                     "env_null": None,
+                    "at_index_sequence": "foo",
+                    "at_index_sequence_default": "non existent",
+                    "at_index_mapping": 2,
+                    "at_index_mapping_default": "non existent",
                 }
             ).exists()
         )

authentik/blueprints/v1/common.py

@@ -24,6 +24,10 @@ from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel
 
 
+class UNSET:
+    """Used to test whether a key has not been set."""
+
+
 def get_attrs(obj: SerializerModel) -> dict[str, Any]:
     """Get object's attributes via their serializer, and convert it to a normal dict"""
     serializer: Serializer = obj.serializer(obj)
@@ -198,6 +202,9 @@ class Blueprint:
 class YAMLTag:
     """Base class for all YAML Tags"""
 
+    def __repr__(self) -> str:
+        return str(self.resolve(BlueprintEntry(""), Blueprint()))
+
     def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
         """Implement yaml tag logic"""
         raise NotImplementedError
@@ -556,6 +563,53 @@ class Value(EnumeratedItem):
             raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry) from exc
 
 
+class AtIndex(YAMLTag):
+    """Get value at index of a sequence or mapping"""
+
+    obj: YAMLTag | dict | list | tuple
+    attribute: int | str | YAMLTag
+    default: Any | UNSET
+
+    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
+        super().__init__()
+        self.obj = loader.construct_object(node.value[0])
+        self.attribute = loader.construct_object(node.value[1])
+        if len(node.value) == 2:  # noqa: PLR2004
+            self.default = UNSET
+        else:
+            self.default = loader.construct_object(node.value[2])
+
+    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
+        if isinstance(self.obj, YAMLTag):
+            obj = self.obj.resolve(entry, blueprint)
+        else:
+            obj = self.obj
+        if isinstance(self.attribute, YAMLTag):
+            attribute = self.attribute.resolve(entry, blueprint)
+        else:
+            attribute = self.attribute
+
+        if isinstance(obj, list | tuple):
+            try:
+                return obj[attribute]
+            except TypeError as exc:
+                raise EntryInvalidError.from_entry(
+                    f"Invalid index for list: {attribute}", entry
+                ) from exc
+            except IndexError as exc:
+                if self.default is UNSET:
+                    raise EntryInvalidError.from_entry(
+                        f"Index out of range: {attribute}", entry
+                    ) from exc
+                return self.default
+        if attribute in obj:
+            return obj[attribute]
+        else:
+            if self.default is UNSET:
+                raise EntryInvalidError.from_entry(f"Key does not exist: {attribute}", entry)
+            return self.default
+
+
 class BlueprintDumper(SafeDumper):
     """Dump dataclasses to yaml"""
 
@@ -606,6 +660,7 @@ class BlueprintLoader(SafeLoader):
         self.add_constructor("!Enumerate", Enumerate)
         self.add_constructor("!Value", Value)
         self.add_constructor("!Index", Index)
+        self.add_constructor("!AtIndex", AtIndex)
 
 
 class EntryInvalidError(SentryIgnoredException):

authentik/blueprints/v1/importer.py

@@ -50,7 +50,7 @@ from authentik.enterprise.providers.microsoft_entra.models import (
     MicrosoftEntraProviderGroup,
     MicrosoftEntraProviderUser,
 )
-from authentik.enterprise.providers.rac.models import ConnectionToken
+from authentik.enterprise.providers.ssf.models import StreamEvent
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
     EndpointDevice,
     EndpointDeviceConnection,
@@ -71,6 +71,7 @@ from authentik.providers.oauth2.models import (
     DeviceToken,
     RefreshToken,
 )
+from authentik.providers.rac.models import ConnectionToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
@@ -131,6 +132,7 @@ def excluded_models() -> list[type[Model]]:
         EndpointDevice,
         EndpointDeviceConnection,
         DeviceToken,
+        StreamEvent,
     )
 
 

authentik/brands/api.py

@@ -14,10 +14,10 @@ from rest_framework.response import Response
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 
-from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.rbac.filters import SecretKeyFilter
 from authentik.tenants.utils import get_current_tenant
 
 

authentik/core/api/application_entitlements.py

@@ -0,0 +1,58 @@
+"""Application Roles API Viewset"""
+
+from django.http import HttpRequest
+from django.utils.translation import gettext_lazy as _
+from rest_framework.exceptions import ValidationError
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
+from authentik.core.models import (
+    Application,
+    ApplicationEntitlement,
+)
+
+
+class ApplicationEntitlementSerializer(ModelSerializer):
+    """ApplicationEntitlement Serializer"""
+
+    def validate_app(self, app: Application) -> Application:
+        """Ensure user has permission to view"""
+        request: HttpRequest = self.context.get("request")
+        if not request and SERIALIZER_CONTEXT_BLUEPRINT in self.context:
+            return app
+        user = request.user
+        if user.has_perm("view_application", app) or user.has_perm(
+            "authentik_core.view_application"
+        ):
+            return app
+        raise ValidationError(_("User does not have access to application."), code="invalid")
+
+    class Meta:
+        model = ApplicationEntitlement
+        fields = [
+            "pbm_uuid",
+            "name",
+            "app",
+            "attributes",
+        ]
+
+
+class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
+    """ApplicationEntitlement Viewset"""
+
+    queryset = ApplicationEntitlement.objects.all()
+    serializer_class = ApplicationEntitlementSerializer
+    search_fields = [
+        "pbm_uuid",
+        "name",
+        "app",
+        "attributes",
+    ]
+    filterset_fields = [
+        "pbm_uuid",
+        "name",
+        "app",
+    ]
+    ordering = ["name"]

authentik/core/api/authenticated_sessions.py

@@ -2,16 +2,12 @@
 
 from typing import TypedDict
 
-from django_filters.rest_framework import DjangoFilterBackend
-from guardian.utils import get_anonymous_user
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 
-from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
@@ -110,11 +106,4 @@ class AuthenticatedSessionViewSet(
     search_fields = ["user__username", "last_ip", "last_user_agent"]
     filterset_fields = ["user__username", "last_ip", "last_user_agent"]
     ordering = ["user__username"]
-    permission_classes = [OwnerSuperuserPermissions]
-    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
-
-    def get_queryset(self):
-        user = self.request.user if self.request else get_anonymous_user()
-        if user.is_superuser:
-            return super().get_queryset()
-        return super().get_queryset().filter(user=user.pk)
+    owner_field = "user"

authentik/core/api/devices.py

@@ -3,6 +3,7 @@
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
+from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import (
     BooleanField,
     CharField,
@@ -16,7 +17,6 @@ from rest_framework.viewsets import ViewSet
 
 from authentik.core.api.utils import MetaNameSerializer
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
-from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
@@ -73,7 +73,9 @@ class AdminDeviceViewSet(ViewSet):
     def get_devices(self, **kwargs):
         """Get all devices in all child classes"""
         for model in device_classes():
-            device_set = model.objects.filter(**kwargs)
+            device_set = get_objects_for_user(
+                self.request.user, f"{model._meta.app_label}.view_{model._meta.model_name}", model
+            ).filter(**kwargs)
             yield from device_set
 
     @extend_schema(
@@ -86,10 +88,6 @@ class AdminDeviceViewSet(ViewSet):
         ],
         responses={200: DeviceSerializer(many=True)},
     )
-    @permission_required(
-        None,
-        [f"{model._meta.app_label}.view_{model._meta.model_name}" for model in device_classes()],
-    )
     def list(self, request: Request) -> Response:
         """Get all devices for current user"""
         kwargs = {}

authentik/core/api/groups.py

@@ -4,6 +4,7 @@ from json import loads
 
 from django.db.models import Prefetch
 from django.http import Http404
+from django.utils.translation import gettext as _
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.utils import (
@@ -81,9 +82,37 @@ class GroupSerializer(ModelSerializer):
         if not self.instance or not parent:
             return parent
         if str(parent.group_uuid) == str(self.instance.group_uuid):
-            raise ValidationError("Cannot set group as parent of itself.")
+            raise ValidationError(_("Cannot set group as parent of itself."))
         return parent
 
+    def validate_is_superuser(self, superuser: bool):
+        """Ensure that the user creating this group has permissions to set the superuser flag"""
+        request: Request = self.context.get("request", None)
+        if not request:
+            return superuser
+        # If we're updating an instance, and the state hasn't changed, we don't need to check perms
+        if self.instance and superuser == self.instance.is_superuser:
+            return superuser
+        user: User = request.user
+        perm = (
+            "authentik_core.enable_group_superuser"
+            if superuser
+            else "authentik_core.disable_group_superuser"
+        )
+        has_perm = user.has_perm(perm)
+        if self.instance and not has_perm:
+            has_perm = user.has_perm(perm, self.instance)
+        if not has_perm:
+            raise ValidationError(
+                _(
+                    (
+                        "User does not have permission to set "
+                        "superuser status to {superuser_status}."
+                    ).format_map({"superuser_status": superuser})
+                )
+            )
+        return superuser
+
     class Meta:
         model = Group
         fields = [

authentik/core/api/sources.py

@@ -2,19 +2,16 @@
 
 from collections.abc import Iterable
 
-from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 
-from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
@@ -88,7 +85,7 @@ class SourceViewSet(
     serializer_class = SourceSerializer
     lookup_field = "slug"
     search_fields = ["slug", "name"]
-    filterset_fields = ["slug", "name", "managed"]
+    filterset_fields = ["slug", "name", "managed", "pbm_uuid"]
 
     def get_queryset(self):  # pragma: no cover
         return Source.objects.select_subclasses()
@@ -159,9 +156,9 @@ class SourceViewSet(
 
 
 class UserSourceConnectionSerializer(SourceSerializer):
-    """OAuth Source Serializer"""
+    """User source connection"""
 
-    source = SourceSerializer(read_only=True)
+    source_obj = SourceSerializer(read_only=True, source="source")
 
     class Meta:
         model = UserSourceConnection
@@ -169,10 +166,10 @@ class UserSourceConnectionSerializer(SourceSerializer):
             "pk",
             "user",
             "source",
+            "source_obj",
             "created",
         ]
         extra_kwargs = {
-            "user": {"read_only": True},
             "created": {"read_only": True},
         }
 
@@ -189,17 +186,16 @@ class UserSourceConnectionViewSet(
 
     queryset = UserSourceConnection.objects.all()
     serializer_class = UserSourceConnectionSerializer
-    permission_classes = [OwnerSuperuserPermissions]
     filterset_fields = ["user", "source__slug"]
     search_fields = ["source__slug"]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
     ordering = ["source__slug", "pk"]
+    owner_field = "user"
 
 
 class GroupSourceConnectionSerializer(SourceSerializer):
-    """Group Source Connection Serializer"""
+    """Group Source Connection"""
 
-    source = SourceSerializer(read_only=True)
+    source_obj = SourceSerializer(read_only=True)
 
     class Meta:
         model = GroupSourceConnection
@@ -207,12 +203,11 @@ class GroupSourceConnectionSerializer(SourceSerializer):
             "pk",
             "group",
             "source",
+            "source_obj",
             "identifier",
             "created",
         ]
         extra_kwargs = {
-            "group": {"read_only": True},
-            "identifier": {"read_only": True},
             "created": {"read_only": True},
         }
 
@@ -229,8 +224,7 @@ class GroupSourceConnectionViewSet(
 
     queryset = GroupSourceConnection.objects.all()
     serializer_class = GroupSourceConnectionSerializer
-    permission_classes = [OwnerSuperuserPermissions]
     filterset_fields = ["group", "source__slug"]
     search_fields = ["source__slug"]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
     ordering = ["source__slug", "pk"]
+    owner_field = "user"

authentik/core/api/tokens.py

@@ -3,18 +3,15 @@
 from typing import Any
 
 from django.utils.timezone import now
-from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
 from guardian.shortcuts import assign_perm, get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 
-from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
@@ -138,8 +135,8 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
         "managed",
     ]
     ordering = ["identifier", "expires"]
-    permission_classes = [OwnerSuperuserPermissions]
-    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
+    owner_field = "user"
+    rbac_allow_create_without_perm = True
 
     def get_queryset(self):
         user = self.request.user if self.request else get_anonymous_user()

authentik/core/api/transactional_applications.py

@@ -22,7 +22,7 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.importer import Importer
 from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
-from authentik.core.models import Provider
+from authentik.core.models import Application, Provider
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.bindings import PolicyBindingSerializer
 
@@ -51,6 +51,13 @@ class TransactionProviderField(DictField):
 class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
     """PolicyBindingSerializer which does not require target as target is set implicitly"""
 
+    def validate(self, attrs):
+        # As the PolicyBindingSerializer checks that the correct things can be bound to a target
+        # but we don't have a target here as that's set by the blueprint, pass in an empty app
+        # which will have the correct allowed combination of group/user/policy.
+        attrs["target"] = Application()
+        return super().validate(attrs)
+
     class Meta(PolicyBindingSerializer.Meta):
         fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
 

authentik/core/api/users.py

@@ -1,11 +1,12 @@
 """User API Views"""
 
-from datetime import timedelta
+from datetime import datetime, timedelta
+from hashlib import sha256
 from json import loads
 from typing import Any
 
 from django.contrib.auth import update_session_auth_hash
-from django.contrib.auth.models import Permission
+from django.contrib.auth.models import AnonymousUser, Permission
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.db.models.functions import ExtractHour
@@ -84,6 +85,7 @@ from authentik.flows.models import FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
+from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.models import EmailStage
@@ -236,9 +238,11 @@ class UserSerializer(ModelSerializer):
             "path",
             "type",
             "uuid",
+            "password_change_date",
         ]
         extra_kwargs = {
             "name": {"allow_blank": True},
+            "password_change_date": {"read_only": True},
         }
 
 
@@ -427,7 +431,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     queryset = User.objects.none()
     ordering = ["username"]
     serializer_class = UserSerializer
-    search_fields = ["username", "name", "is_active", "email", "uuid"]
+    search_fields = ["username", "name", "is_active", "email", "uuid", "attributes"]
     filterset_class = UsersFilter
 
     def get_queryset(self):
@@ -444,15 +448,19 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     def list(self, request, *args, **kwargs):
         return super().list(request, *args, **kwargs)
 
-    def _create_recovery_link(self) -> tuple[str, Token]:
+    def _create_recovery_link(self, expires: datetime) -> tuple[str, Token]:
         """Create a recovery link (when the current brand has a recovery flow set),
         that can either be shown to an admin or sent to the user directly"""
         brand: Brand = self.request._request.brand
         # Check that there is a recovery flow, if not return an error
         flow = brand.flow_recovery
         if not flow:
-            raise ValidationError({"non_field_errors": "No recovery flow set."})
+            raise ValidationError(
+                {"non_field_errors": [_("Recovery flow is not set for this brand.")]}
+            )
+        # Mimic an unauthenticated user navigating the recovery flow
         user: User = self.get_object()
+        self.request._request.user = AnonymousUser()
         planner = FlowPlanner(flow)
         planner.allow_empty_flows = True
         try:
@@ -464,16 +472,16 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             )
         except FlowNonApplicableException:
             raise ValidationError(
-                {"non_field_errors": "Recovery flow not applicable to user"}
+                {"non_field_errors": [_("Recovery flow is not applicable to this user.")]}
             ) from None
-        token, __ = FlowToken.objects.update_or_create(
-            identifier=f"{user.uid}-password-reset",
-            defaults={
-                "user": user,
-                "flow": flow,
-                "_plan": FlowToken.pickle(plan),
-            },
+        token = FlowToken.objects.create(
+            identifier=f"{user.uid}-password-reset-{sha256(str(datetime.now()).encode('UTF-8')).hexdigest()[:8]}",
+            user=user,
+            flow=flow,
+            _plan=FlowToken.pickle(plan),
+            expires=expires,
         )
+
         querystring = urlencode({QS_KEY_TOKEN: token.key})
         link = self.request.build_absolute_uri(
             reverse_lazy("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
@@ -585,7 +593,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         """Set password for user"""
         user: User = self.get_object()
         try:
-            user.set_password(request.data.get("password"))
+            user.set_password(request.data.get("password"), request=request)
             user.save()
         except (ValidationError, IntegrityError) as exc:
             LOGGER.debug("Failed to set password", exc=exc)
@@ -608,61 +616,68 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 
     @permission_required("authentik_core.reset_user_password")
     @extend_schema(
+        parameters=[
+            OpenApiParameter(
+                name="email_stage",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.STR,
+            ),
+            OpenApiParameter(
+                name="token_duration",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.STR,
+                required=True,
+            ),
+        ],
         responses={
             "200": LinkSerializer(many=False),
         },
         request=None,
     )
     @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
-    def recovery(self, request: Request, pk: int) -> Response:
+    def recovery_link(self, request: Request, pk: int) -> Response:
         """Create a temporary link that a user can use to recover their accounts"""
-        link, _ = self._create_recovery_link()
-        return Response({"link": link})
+        token_duration = request.query_params.get("token_duration", "")
+        timedelta_string_validator(token_duration)
+        expires = now() + timedelta_from_string(token_duration)
+        link, token = self._create_recovery_link(expires)
 
-    @permission_required("authentik_core.reset_user_password")
-    @extend_schema(
-        parameters=[
-            OpenApiParameter(
-                name="email_stage",
-                location=OpenApiParameter.QUERY,
-                type=OpenApiTypes.STR,
-                required=True,
+        if email_stage := request.query_params.get("email_stage"):
+            for_user: User = self.get_object()
+            if for_user.email == "":
+                LOGGER.debug("User doesn't have an email address")
+                raise ValidationError(
+                    {"non_field_errors": [_("User does not have an email address set.")]}
+                )
+
+            # Lookup the email stage to assure the current user can access it
+            stages = get_objects_for_user(
+                request.user, "authentik_stages_email.view_emailstage"
+            ).filter(pk=email_stage)
+            if not stages.exists():
+                if stages := EmailStage.objects.filter(pk=email_stage).exists():
+                    raise ValidationError(
+                        {"non_field_errors": [_("User has no permissions to this Email stage.")]}
+                    )
+                else:
+                    raise ValidationError(
+                        {"non_field_errors": [_("The given Email stage does not exist.")]}
+                    )
+            email_stage: EmailStage = stages.first()
+            message = TemplateEmailMessage(
+                subject=_(email_stage.subject),
+                to=[(for_user.name, for_user.email)],
+                template_name=email_stage.template,
+                language=for_user.locale(request),
+                template_context={
+                    "url": link,
+                    "user": for_user,
+                    "expires": token.expires,
+                },
             )
-        ],
-        responses={
-            "204": OpenApiResponse(description="Successfully sent recover email"),
-        },
-        request=None,
-    )
-    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
-    def recovery_email(self, request: Request, pk: int) -> Response:
-        """Create a temporary link that a user can use to recover their accounts"""
-        for_user: User = self.get_object()
-        if for_user.email == "":
-            LOGGER.debug("User doesn't have an email address")
-            raise ValidationError({"non_field_errors": "User does not have an email address set."})
-        link, token = self._create_recovery_link()
-        # Lookup the email stage to assure the current user can access it
-        stages = get_objects_for_user(
-            request.user, "authentik_stages_email.view_emailstage"
-        ).filter(pk=request.query_params.get("email_stage"))
-        if not stages.exists():
-            LOGGER.debug("Email stage does not exist/user has no permissions")
-            raise ValidationError({"non_field_errors": "Email stage does not exist."})
-        email_stage: EmailStage = stages.first()
-        message = TemplateEmailMessage(
-            subject=_(email_stage.subject),
-            to=[(for_user.name, for_user.email)],
-            template_name=email_stage.template,
-            language=for_user.locale(request),
-            template_context={
-                "url": link,
-                "user": for_user,
-                "expires": token.expires,
-            },
-        )
-        send_mails(email_stage, message)
-        return Response(status=204)
+            send_mails(email_stage, message)
+
+        return Response({"link": link})
 
     @permission_required("authentik_core.impersonate")
     @extend_schema(

authentik/core/auth.py

@@ -44,13 +44,12 @@ class TokenBackend(InbuiltBackend):
         self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
     ) -> User | None:
         try:
-
             user = User._default_manager.get_by_natural_key(username)
 
         except User.DoesNotExist:
             # Run the default password hasher once to reduce the timing
             # difference between an existing and a nonexistent user (#20760).
-            User().set_password(password)
+            User().set_password(password, request=request)
             return None
 
         tokens = Token.filter_not_expired(

authentik/core/expression/evaluator.py

@@ -58,6 +58,7 @@ class PropertyMappingEvaluator(BaseEvaluator):
             self._context["user"] = user
         if request:
             req.http_request = request
+            self._context["http_request"] = request
         req.context.update(**kwargs)
         self._context["request"] = req
         self._context.update(**kwargs)

authentik/core/management/commands/dev_server.py

@@ -5,6 +5,7 @@ from typing import TextIO
 from daphne.management.commands.runserver import Command as RunServer
 from daphne.server import Server
 
+from authentik.lib.debug import start_debug_server
 from authentik.root.signals import post_startup, pre_startup, startup
 
 
@@ -13,6 +14,7 @@ class SignalServer(Server):
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
+        start_debug_server()
 
         def ready_callable():
             pre_startup.send(sender=self)

authentik/core/management/commands/shell.py

@@ -17,7 +17,9 @@ from authentik.events.middleware import should_log_model
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict
 
-BANNER_TEXT = f"""### authentik shell ({get_full_version()})
+
+def get_banner_text(shell_type="shell") -> str:
+    return f"""### authentik {shell_type} ({get_full_version()})
 ### Node {platform.node()} | Arch {platform.machine()} | Python {platform.python_version()} """
 
 
@@ -114,4 +116,4 @@ class Command(BaseCommand):
             readline.parse_and_bind("tab: complete")
 
         # Run interactive shell
-        code.interact(banner=BANNER_TEXT, local=namespace)
+        code.interact(banner=get_banner_text(), local=namespace)

authentik/core/management/commands/worker.py

@@ -9,6 +9,7 @@ from django.db import close_old_connections
 from structlog.stdlib import get_logger
 
 from authentik.lib.config import CONFIG
+from authentik.lib.debug import start_debug_server
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
@@ -28,10 +29,7 @@ class Command(BaseCommand):
     def handle(self, **options):
         LOGGER.debug("Celery options", **options)
         close_old_connections()
-        if CONFIG.get_bool("remote_debug"):
-            import debugpy
-
-            debugpy.listen(("0.0.0.0", 6900))  # nosec
+        start_debug_server()
         worker: Worker = CELERY_APP.Worker(
             no_color=False,
             quiet=True,

authentik/core/migrations/0041_applicationentitlement.py

@@ -0,0 +1,45 @@
+# Generated by Django 5.0.9 on 2024-11-20 15:16
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0040_provider_invalidation_flow"),
+        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="ApplicationEntitlement",
+            fields=[
+                (
+                    "policybindingmodel_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_policies.policybindingmodel",
+                    ),
+                ),
+                ("attributes", models.JSONField(blank=True, default=dict)),
+                ("name", models.TextField()),
+                (
+                    "app",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.application"
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Application Entitlement",
+                "verbose_name_plural": "Application Entitlements",
+                "unique_together": {("app", "name")},
+            },
+            bases=("authentik_policies.policybindingmodel", models.Model),
+        ),
+    ]

authentik/core/migrations/0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more.py

@@ -0,0 +1,45 @@
+# Generated by Django 5.0.10 on 2025-01-13 18:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0041_applicationentitlement"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="authenticatedsession",
+            index=models.Index(fields=["expires"], name="authentik_c_expires_08251d_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="authenticatedsession",
+            index=models.Index(fields=["expiring"], name="authentik_c_expirin_9cd839_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="authenticatedsession",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_c_expirin_195a84_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="authenticatedsession",
+            index=models.Index(fields=["session_key"], name="authentik_c_session_d0f005_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="token",
+            index=models.Index(fields=["expires"], name="authentik_c_expires_a62b4b_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="token",
+            index=models.Index(fields=["expiring"], name="authentik_c_expirin_a1b838_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="token",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_c_expirin_ba04d9_idx"
+            ),
+        ),
+    ]

authentik/core/migrations/0043_alter_group_options.py

@@ -0,0 +1,26 @@
+# Generated by Django 5.0.11 on 2025-01-30 23:55
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="group",
+            options={
+                "permissions": [
+                    ("add_user_to_group", "Add user to group"),
+                    ("remove_user_from_group", "Remove user from group"),
+                    ("enable_group_superuser", "Enable superuser status"),
+                    ("disable_group_superuser", "Disable superuser status"),
+                ],
+                "verbose_name": "Group",
+                "verbose_name_plural": "Groups",
+            },
+        ),
+    ]

authentik/core/models.py

@@ -204,6 +204,8 @@ class Group(SerializerModel, AttributesMixin):
         permissions = [
             ("add_user_to_group", _("Add user to group")),
             ("remove_user_from_group", _("Remove user from group")),
+            ("enable_group_superuser", _("Enable superuser status")),
+            ("disable_group_superuser", _("Disable superuser status")),
         ]
 
     def __str__(self):
@@ -314,6 +316,32 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         always_merger.merge(final_attributes, self.attributes)
         return final_attributes
 
+    def app_entitlements(self, app: "Application | None") -> QuerySet["ApplicationEntitlement"]:
+        """Get all entitlements this user has for `app`."""
+        if not app:
+            return []
+        all_groups = self.all_groups()
+        qs = app.applicationentitlement_set.filter(
+            Q(
+                Q(bindings__user=self) | Q(bindings__group__in=all_groups),
+                bindings__negate=False,
+            )
+            | Q(
+                Q(~Q(bindings__user=self), bindings__user__isnull=False)
+                | Q(~Q(bindings__group__in=all_groups), bindings__group__isnull=False),
+                bindings__negate=True,
+            ),
+            bindings__enabled=True,
+        ).order_by("name")
+        return qs
+
+    def app_entitlements_attributes(self, app: "Application | None") -> dict:
+        """Get a dictionary containing all merged attributes from app entitlements for `app`."""
+        final_attributes = {}
+        for attrs in self.app_entitlements(app).values_list("attributes", flat=True):
+            always_merger.merge(final_attributes, attrs)
+        return final_attributes
+
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.users import UserSerializer
@@ -330,13 +358,13 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         """superuser == staff user"""
         return self.is_superuser  # type: ignore
 
-    def set_password(self, raw_password, signal=True, sender=None):
+    def set_password(self, raw_password, signal=True, sender=None, request=None):
         if self.pk and signal:
             from authentik.core.signals import password_changed
 
             if not sender:
                 sender = self
-            password_changed.send(sender=sender, user=self, password=raw_password)
+            password_changed.send(sender=sender, user=self, password=raw_password, request=request)
         self.password_change_date = now()
         return super().set_password(raw_password)
 
@@ -573,6 +601,14 @@ class Application(SerializerModel, PolicyBindingModel):
             return None
         return candidates[-1]
 
+    def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
+        """Get Backchannel provider for a specific type"""
+        providers = self.backchannel_providers.filter(
+            **{f"{provider_type._meta.model_name}__isnull": False},
+            **kwargs,
+        )
+        return getattr(providers.first(), provider_type._meta.model_name)
+
     def __str__(self):
         return str(self.name)
 
@@ -581,6 +617,31 @@ class Application(SerializerModel, PolicyBindingModel):
         verbose_name_plural = _("Applications")
 
 
+class ApplicationEntitlement(AttributesMixin, SerializerModel, PolicyBindingModel):
+    """Application-scoped entitlement to control authorization in an application"""
+
+    name = models.TextField()
+
+    app = models.ForeignKey(Application, on_delete=models.CASCADE)
+
+    class Meta:
+        verbose_name = _("Application Entitlement")
+        verbose_name_plural = _("Application Entitlements")
+        unique_together = (("app", "name"),)
+
+    def __str__(self):
+        return f"Application Entitlement {self.name} for app {self.app_id}"
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.core.api.application_entitlements import ApplicationEntitlementSerializer
+
+        return ApplicationEntitlementSerializer
+
+    def supported_policy_binding_targets(self):
+        return ["group", "user"]
+
+
 class SourceUserMatchingModes(models.TextChoices):
     """Different modes a source can handle new/returning users"""
 
@@ -795,6 +856,11 @@ class ExpiringModel(models.Model):
 
     class Meta:
         abstract = True
+        indexes = [
+            models.Index(fields=["expires"]),
+            models.Index(fields=["expiring"]),
+            models.Index(fields=["expiring", "expires"]),
+        ]
 
     def expire_action(self, *args, **kwargs):
         """Handler which is called when this object is expired. By
@@ -850,7 +916,7 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
     class Meta:
         verbose_name = _("Token")
         verbose_name_plural = _("Tokens")
-        indexes = [
+        indexes = ExpiringModel.Meta.indexes + [
             models.Index(fields=["identifier"]),
             models.Index(fields=["key"]),
         ]
@@ -950,6 +1016,9 @@ class AuthenticatedSession(ExpiringModel):
     class Meta:
         verbose_name = _("Authenticated Session")
         verbose_name_plural = _("Authenticated Sessions")
+        indexes = ExpiringModel.Meta.indexes + [
+            models.Index(fields=["session_key"]),
+        ]
 
     def __str__(self) -> str:
         return f"Authenticated Session {self.session_key[:10]}"

authentik/core/sources/flow_manager.py

@@ -238,13 +238,7 @@ class SourceFlowManager:
                 self.request.GET,
                 flow_slug=flow_slug,
             )
-        # Ensure redirect is carried through when user was trying to
-        # authorize application
-        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
-            NEXT_ARG_NAME, "authentik_core:if-user"
-        )
-        if PLAN_CONTEXT_REDIRECT not in flow_context:
-            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
+        flow_context.setdefault(PLAN_CONTEXT_REDIRECT, final_redirect)
 
         if not flow:
             return bad_request_message(

authentik/core/tasks.py

@@ -67,6 +67,8 @@ def clean_expired_models(self: SystemTask):
                 raise ImproperlyConfigured(
                     "Invalid session_storage setting, allowed values are db and cache"
                 )
+    if CONFIG.get("session_storage", "cache") == "db":
+        DBSessionStore.clear_expired()
     LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
 
     messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")

authentik/core/tests/test_application_entitlements.py

@@ -0,0 +1,153 @@
+"""Test Application Entitlements API"""
+
+from django.urls import reverse
+from guardian.shortcuts import assign_perm
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application, ApplicationEntitlement, Group
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
+from authentik.lib.generators import generate_id
+from authentik.policies.dummy.models import DummyPolicy
+from authentik.policies.models import PolicyBinding
+from authentik.providers.oauth2.models import OAuth2Provider
+
+
+class TestApplicationEntitlements(APITestCase):
+    """Test application entitlements"""
+
+    def setUp(self) -> None:
+        self.user = create_test_user()
+        self.other_user = create_test_user()
+        self.provider = OAuth2Provider.objects.create(
+            name="test",
+            authorization_flow=create_test_flow(),
+        )
+        self.app: Application = Application.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+            provider=self.provider,
+        )
+
+    def test_user(self):
+        """Test user-direct assignment"""
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        PolicyBinding.objects.create(target=ent, user=self.user, order=0)
+        ents = self.user.app_entitlements(self.app)
+        self.assertEqual(len(ents), 1)
+        self.assertEqual(ents[0].name, ent.name)
+
+    def test_group(self):
+        """Test direct group"""
+        group = Group.objects.create(name=generate_id())
+        self.user.ak_groups.add(group)
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        PolicyBinding.objects.create(target=ent, group=group, order=0)
+        ents = self.user.app_entitlements(self.app)
+        self.assertEqual(len(ents), 1)
+        self.assertEqual(ents[0].name, ent.name)
+
+    def test_group_indirect(self):
+        """Test indirect group"""
+        parent = Group.objects.create(name=generate_id())
+        group = Group.objects.create(name=generate_id(), parent=parent)
+        self.user.ak_groups.add(group)
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        PolicyBinding.objects.create(target=ent, group=parent, order=0)
+        ents = self.user.app_entitlements(self.app)
+        self.assertEqual(len(ents), 1)
+        self.assertEqual(ents[0].name, ent.name)
+
+    def test_negate_user(self):
+        """Test with negate flag"""
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        PolicyBinding.objects.create(target=ent, user=self.other_user, order=0, negate=True)
+        ents = self.user.app_entitlements(self.app)
+        self.assertEqual(len(ents), 1)
+        self.assertEqual(ents[0].name, ent.name)
+
+    def test_negate_group(self):
+        """Test with negate flag"""
+        other_group = Group.objects.create(name=generate_id())
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        PolicyBinding.objects.create(target=ent, group=other_group, order=0, negate=True)
+        ents = self.user.app_entitlements(self.app)
+        self.assertEqual(len(ents), 1)
+        self.assertEqual(ents[0].name, ent.name)
+
+    def test_api_perms_global(self):
+        """Test API creation with global permissions"""
+        assign_perm("authentik_core.add_applicationentitlement", self.user)
+        assign_perm("authentik_core.view_application", self.user)
+        self.client.force_login(self.user)
+        res = self.client.post(
+            reverse("authentik_api:applicationentitlement-list"),
+            data={
+                "name": generate_id(),
+                "app": self.app.pk,
+            },
+        )
+        self.assertEqual(res.status_code, 201)
+
+    def test_api_perms_scoped(self):
+        """Test API creation with scoped permissions"""
+        assign_perm("authentik_core.add_applicationentitlement", self.user)
+        assign_perm("authentik_core.view_application", self.user, self.app)
+        self.client.force_login(self.user)
+        res = self.client.post(
+            reverse("authentik_api:applicationentitlement-list"),
+            data={
+                "name": generate_id(),
+                "app": self.app.pk,
+            },
+        )
+        self.assertEqual(res.status_code, 201)
+
+    def test_api_perms_missing(self):
+        """Test API creation with no permissions"""
+        assign_perm("authentik_core.add_applicationentitlement", self.user)
+        self.client.force_login(self.user)
+        res = self.client.post(
+            reverse("authentik_api:applicationentitlement-list"),
+            data={
+                "name": generate_id(),
+                "app": self.app.pk,
+            },
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(res.content, {"app": ["User does not have access to application."]})
+
+    def test_api_bindings_policy(self):
+        """Test that API doesn't allow policies to be bound to this"""
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        policy = DummyPolicy.objects.create(name=generate_id())
+        admin = create_test_admin_user()
+        self.client.force_login(admin)
+        response = self.client.post(
+            reverse("authentik_api:policybinding-list"),
+            data={
+                "target": ent.pbm_uuid,
+                "policy": policy.pk,
+                "order": 0,
+            },
+        )
+        self.assertJSONEqual(
+            response.content.decode(),
+            {"non_field_errors": ["One of 'group', 'user' must be set."]},
+        )
+
+    def test_api_bindings_group(self):
+        """Test that API doesn't allow policies to be bound to this"""
+        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
+        group = Group.objects.create(name=generate_id())
+        admin = create_test_admin_user()
+        self.client.force_login(admin)
+        response = self.client.post(
+            reverse("authentik_api:policybinding-list"),
+            data={
+                "target": ent.pbm_uuid,
+                "group": group.pk,
+                "order": 0,
+            },
+        )
+        self.assertEqual(response.status_code, 201)
+        self.assertTrue(PolicyBinding.objects.filter(target=ent.pbm_uuid).exists())

authentik/core/tests/test_groups_api.py

@@ -4,7 +4,7 @@ from django.urls.base import reverse
 from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Group, User
+from authentik.core.models import Group
 from authentik.core.tests.utils import create_test_admin_user, create_test_user
 from authentik.lib.generators import generate_id
 
@@ -14,7 +14,7 @@ class TestGroupsAPI(APITestCase):
 
     def setUp(self) -> None:
         self.login_user = create_test_user()
-        self.user = User.objects.create(username="test-user")
+        self.user = create_test_user()
 
     def test_list_with_users(self):
         """Test listing with users"""
@@ -109,3 +109,57 @@ class TestGroupsAPI(APITestCase):
             },
         )
         self.assertEqual(res.status_code, 400)
+
+    def test_superuser_no_perm(self):
+        """Test creating a superuser group without permission"""
+        assign_perm("authentik_core.add_group", self.login_user)
+        self.client.force_login(self.login_user)
+        res = self.client.post(
+            reverse("authentik_api:group-list"),
+            data={"name": generate_id(), "is_superuser": True},
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(
+            res.content,
+            {"is_superuser": ["User does not have permission to set superuser status to True."]},
+        )
+
+    def test_superuser_update_no_perm(self):
+        """Test updating a superuser group without permission"""
+        group = Group.objects.create(name=generate_id(), is_superuser=True)
+        assign_perm("view_group", self.login_user, group)
+        assign_perm("change_group", self.login_user, group)
+        self.client.force_login(self.login_user)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={"is_superuser": False},
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(
+            res.content,
+            {"is_superuser": ["User does not have permission to set superuser status to False."]},
+        )
+
+    def test_superuser_update_no_change(self):
+        """Test updating a superuser group without permission
+        and without changing the superuser status"""
+        group = Group.objects.create(name=generate_id(), is_superuser=True)
+        assign_perm("view_group", self.login_user, group)
+        assign_perm("change_group", self.login_user, group)
+        self.client.force_login(self.login_user)
+        res = self.client.patch(
+            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
+            data={"name": generate_id(), "is_superuser": True},
+        )
+        self.assertEqual(res.status_code, 200)
+
+    def test_superuser_create(self):
+        """Test creating a superuser group with permission"""
+        assign_perm("authentik_core.add_group", self.login_user)
+        assign_perm("authentik_core.enable_group_superuser", self.login_user)
+        self.client.force_login(self.login_user)
+        res = self.client.post(
+            reverse("authentik_api:group-list"),
+            data={"name": generate_id(), "is_superuser": True},
+        )
+        self.assertEqual(res.status_code, 201)

authentik/core/urls.py

@@ -6,6 +6,7 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 
+from authentik.core.api.application_entitlements import ApplicationEntitlementViewSet
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
 from authentik.core.api.devices import AdminDeviceViewSet, DeviceViewSet
@@ -69,6 +70,7 @@ urlpatterns = [
 api_urlpatterns = [
     ("core/authenticated_sessions", AuthenticatedSessionViewSet),
     ("core/applications", ApplicationViewSet),
+    ("core/application_entitlements", ApplicationEntitlementViewSet),
     path(
         "core/transactional/applications/",
         TransactionalApplicationView.as_view(),

authentik/crypto/api.py

@@ -28,7 +28,6 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
-from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
@@ -36,7 +35,7 @@ from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
-from authentik.rbac.filters import ObjectFilter
+from authentik.rbac.filters import ObjectFilter, SecretKeyFilter
 
 LOGGER = get_logger()
 

authentik/enterprise/audit/middleware.py

@@ -97,6 +97,8 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
         thread_kwargs: dict | None = None,
         **_,
     ):
+        if not self.enabled:
+            return super().post_save_handler(request, sender, instance, created, thread_kwargs, **_)
         if not should_log_model(instance):
             return None
         thread_kwargs = {}
@@ -122,6 +124,8 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
     ):
         thread_kwargs = {}
         m2m_field = None
+        if not self.enabled:
+            return super().m2m_changed_handler(request, sender, instance, action, thread_kwargs)
         # For the audit log we don't care about `pre_` or `post_` so we trim that part off
         _, _, action_direction = action.partition("_")
         # resolve the "through" model to an actual field

authentik/enterprise/migrations/0004_licenseusage_authentik_e_expires_3f2956_idx_and_more.py

@@ -0,0 +1,27 @@
+# Generated by Django 5.0.10 on 2025-01-13 18:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_enterprise", "0003_remove_licenseusage_within_limits_and_more"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="licenseusage",
+            index=models.Index(fields=["expires"], name="authentik_e_expires_3f2956_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="licenseusage",
+            index=models.Index(fields=["expiring"], name="authentik_e_expirin_11d3d7_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="licenseusage",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_e_expirin_4d558f_idx"
+            ),
+        ),
+    ]

authentik/enterprise/models.py

@@ -93,3 +93,4 @@ class LicenseUsage(ExpiringModel):
     class Meta:
         verbose_name = _("License Usage")
         verbose_name_plural = _("License Usage Records")
+        indexes = ExpiringModel.Meta.indexes

authentik/enterprise/providers/rac/apps.py

@@ -1,14 +0,0 @@
-"""RAC app config"""
-
-from authentik.enterprise.apps import EnterpriseConfig
-
-
-class AuthentikEnterpriseProviderRAC(EnterpriseConfig):
-    """authentik enterprise rac app config"""
-
-    name = "authentik.enterprise.providers.rac"
-    label = "authentik_providers_rac"
-    verbose_name = "authentik Enterprise.Providers.RAC"
-    default = True
-    mountpoint = ""
-    ws_mountpoint = "authentik.enterprise.providers.rac.urls"

authentik/enterprise/providers/ssf/api/providers.py

@@ -0,0 +1,64 @@
+"""SSF Provider API Views"""
+
+from django.urls import reverse
+from rest_framework.fields import SerializerMethodField
+from rest_framework.request import Request
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.tokens import TokenSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.providers.ssf.models import SSFProvider
+
+
+class SSFProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
+    """SSFProvider Serializer"""
+
+    ssf_url = SerializerMethodField()
+    token_obj = TokenSerializer(source="token", required=False, read_only=True)
+
+    def get_ssf_url(self, instance: SSFProvider) -> str | None:
+        request: Request = self._context.get("request")
+        if not request:
+            return None
+        if not instance.backchannel_application:
+            return None
+        return request.build_absolute_uri(
+            reverse(
+                "authentik_providers_ssf:configuration",
+                kwargs={
+                    "application_slug": instance.backchannel_application.slug,
+                },
+            )
+        )
+
+    class Meta:
+        model = SSFProvider
+        fields = [
+            "pk",
+            "name",
+            "component",
+            "verbose_name",
+            "verbose_name_plural",
+            "meta_model_name",
+            "signing_key",
+            "token_obj",
+            "oidc_auth_providers",
+            "ssf_url",
+            "event_retention",
+        ]
+        extra_kwargs = {}
+
+
+class SSFProviderViewSet(UsedByMixin, ModelViewSet):
+    """SSFProvider Viewset"""
+
+    queryset = SSFProvider.objects.all()
+    serializer_class = SSFProviderSerializer
+    filterset_fields = {
+        "application": ["isnull"],
+        "name": ["iexact"],
+    }
+    search_fields = ["name"]
+    ordering = ["name"]

authentik/enterprise/providers/ssf/api/streams.py

@@ -0,0 +1,37 @@
+"""SSF Stream API Views"""
+
+from rest_framework.viewsets import ReadOnlyModelViewSet
+
+from authentik.core.api.utils import ModelSerializer
+from authentik.enterprise.providers.ssf.api.providers import SSFProviderSerializer
+from authentik.enterprise.providers.ssf.models import Stream
+
+
+class SSFStreamSerializer(ModelSerializer):
+    """SSFStream Serializer"""
+
+    provider_obj = SSFProviderSerializer(source="provider", read_only=True)
+
+    class Meta:
+        model = Stream
+        fields = [
+            "pk",
+            "provider",
+            "provider_obj",
+            "delivery_method",
+            "endpoint_url",
+            "events_requested",
+            "format",
+            "aud",
+            "iss",
+        ]
+
+
+class SSFStreamViewSet(ReadOnlyModelViewSet):
+    """SSFStream Viewset"""
+
+    queryset = Stream.objects.all()
+    serializer_class = SSFStreamSerializer
+    filterset_fields = ["provider", "endpoint_url", "delivery_method"]
+    search_fields = ["provider__name", "endpoint_url"]
+    ordering = ["provider", "uuid"]

authentik/enterprise/providers/ssf/apps.py

@@ -0,0 +1,13 @@
+"""SSF app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderSSF(EnterpriseConfig):
+    """authentik enterprise ssf app config"""
+
+    name = "authentik.enterprise.providers.ssf"
+    label = "authentik_providers_ssf"
+    verbose_name = "authentik Enterprise.Providers.SSF"
+    default = True
+    mountpoint = ""

authentik/enterprise/providers/ssf/migrations/0001_initial.py

@@ -0,0 +1,201 @@
+# Generated by Django 5.0.11 on 2025-02-05 16:20
+
+import authentik.lib.utils.time
+import django.contrib.postgres.fields
+import django.db.models.deletion
+import uuid
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
+        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
+        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SSFProvider",
+            fields=[
+                (
+                    "provider_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.provider",
+                    ),
+                ),
+                (
+                    "event_retention",
+                    models.TextField(
+                        default="days=30",
+                        validators=[authentik.lib.utils.time.timedelta_string_validator],
+                    ),
+                ),
+                (
+                    "oidc_auth_providers",
+                    models.ManyToManyField(
+                        blank=True, default=None, to="authentik_providers_oauth2.oauth2provider"
+                    ),
+                ),
+                (
+                    "signing_key",
+                    models.ForeignKey(
+                        help_text="Key used to sign the SSF Events.",
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_crypto.certificatekeypair",
+                        verbose_name="Signing Key",
+                    ),
+                ),
+                (
+                    "token",
+                    models.ForeignKey(
+                        default=None,
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_core.token",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Shared Signals Framework Provider",
+                "verbose_name_plural": "Shared Signals Framework Providers",
+                "permissions": [("add_stream", "Add stream to SSF provider")],
+            },
+            bases=("authentik_core.provider",),
+        ),
+        migrations.CreateModel(
+            name="Stream",
+            fields=[
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
+                    ),
+                ),
+                (
+                    "delivery_method",
+                    models.TextField(
+                        choices=[
+                            (
+                                "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                                "Risc Push",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/risc/delivery-method/poll",
+                                "Risc Poll",
+                            ),
+                        ]
+                    ),
+                ),
+                ("endpoint_url", models.TextField(null=True)),
+                (
+                    "events_requested",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.TextField(
+                            choices=[
+                                (
+                                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                                    "Caep Session Revoked",
+                                ),
+                                (
+                                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                                    "Caep Credential Change",
+                                ),
+                                (
+                                    "https://schemas.openid.net/secevent/ssf/event-type/verification",
+                                    "Set Verification",
+                                ),
+                            ]
+                        ),
+                        default=list,
+                        size=None,
+                    ),
+                ),
+                ("format", models.TextField()),
+                (
+                    "aud",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.TextField(), default=list, size=None
+                    ),
+                ),
+                ("iss", models.TextField()),
+                (
+                    "provider",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_ssf.ssfprovider",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SSF Stream",
+                "verbose_name_plural": "SSF Streams",
+                "default_permissions": ["change", "delete", "view"],
+            },
+        ),
+        migrations.CreateModel(
+            name="StreamEvent",
+            fields=[
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                ("expires", models.DateTimeField(default=None, null=True)),
+                ("expiring", models.BooleanField(default=True)),
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
+                    ),
+                ),
+                (
+                    "status",
+                    models.TextField(
+                        choices=[
+                            ("pending_new", "Pending New"),
+                            ("pending_failed", "Pending Failed"),
+                            ("sent", "Sent"),
+                        ]
+                    ),
+                ),
+                (
+                    "type",
+                    models.TextField(
+                        choices=[
+                            (
+                                "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                                "Caep Session Revoked",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                                "Caep Credential Change",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/ssf/event-type/verification",
+                                "Set Verification",
+                            ),
+                        ]
+                    ),
+                ),
+                ("payload", models.JSONField(default=dict)),
+                (
+                    "stream",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_ssf.stream",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SSF Stream Event",
+                "verbose_name_plural": "SSF Stream Events",
+                "ordering": ("-created",),
+            },
+        ),
+    ]

authentik/enterprise/providers/ssf/models.py

@@ -0,0 +1,178 @@
+from datetime import datetime
+from functools import cached_property
+from uuid import uuid4
+
+from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
+from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
+from django.contrib.postgres.fields import ArrayField
+from django.db import models
+from django.templatetags.static import static
+from django.utils.timezone import now
+from django.utils.translation import gettext_lazy as _
+from jwt import encode
+
+from authentik.core.models import BackchannelProvider, ExpiringModel, Token
+from authentik.crypto.models import CertificateKeyPair
+from authentik.lib.models import CreatedUpdatedModel
+from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
+from authentik.providers.oauth2.models import JWTAlgorithms, OAuth2Provider
+
+
+class EventTypes(models.TextChoices):
+    """SSF Event types supported by authentik"""
+
+    CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
+    CAEP_CREDENTIAL_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/credential-change"
+    SET_VERIFICATION = "https://schemas.openid.net/secevent/ssf/event-type/verification"
+
+
+class DeliveryMethods(models.TextChoices):
+    """SSF Delivery methods"""
+
+    RISC_PUSH = "https://schemas.openid.net/secevent/risc/delivery-method/push"
+    RISC_POLL = "https://schemas.openid.net/secevent/risc/delivery-method/poll"
+
+
+class SSFEventStatus(models.TextChoices):
+    """SSF Event status"""
+
+    PENDING_NEW = "pending_new"
+    PENDING_FAILED = "pending_failed"
+    SENT = "sent"
+
+
+class SSFProvider(BackchannelProvider):
+    """Shared Signals Framework provider to allow applications to
+    receive user events from authentik."""
+
+    signing_key = models.ForeignKey(
+        CertificateKeyPair,
+        verbose_name=_("Signing Key"),
+        on_delete=models.CASCADE,
+        help_text=_("Key used to sign the SSF Events."),
+    )
+
+    oidc_auth_providers = models.ManyToManyField(OAuth2Provider, blank=True, default=None)
+
+    token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
+
+    event_retention = models.TextField(
+        default="days=30",
+        validators=[timedelta_string_validator],
+    )
+
+    @cached_property
+    def jwt_key(self) -> tuple[PrivateKeyTypes, str]:
+        """Get either the configured certificate or the client secret"""
+        key: CertificateKeyPair = self.signing_key
+        private_key = key.private_key
+        if isinstance(private_key, RSAPrivateKey):
+            return private_key, JWTAlgorithms.RS256
+        if isinstance(private_key, EllipticCurvePrivateKey):
+            return private_key, JWTAlgorithms.ES256
+        raise ValueError(f"Invalid private key type: {type(private_key)}")
+
+    @property
+    def service_account_identifier(self) -> str:
+        return f"ak-providers-ssf-{self.pk}"
+
+    @property
+    def serializer(self):
+        from authentik.enterprise.providers.ssf.api.providers import SSFProviderSerializer
+
+        return SSFProviderSerializer
+
+    @property
+    def icon_url(self) -> str | None:
+        return static("authentik/sources/ssf.svg")
+
+    @property
+    def component(self) -> str:
+        return "ak-provider-ssf-form"
+
+    class Meta:
+        verbose_name = _("Shared Signals Framework Provider")
+        verbose_name_plural = _("Shared Signals Framework Providers")
+        permissions = [
+            # This overrides the default "add_stream" permission of the Stream object,
+            # as the user requesting to add a stream must have the permission on the provider
+            ("add_stream", _("Add stream to SSF provider")),
+        ]
+
+
+class Stream(models.Model):
+    """SSF Stream"""
+
+    uuid = models.UUIDField(default=uuid4, primary_key=True, editable=False)
+    provider = models.ForeignKey(SSFProvider, on_delete=models.CASCADE)
+
+    delivery_method = models.TextField(choices=DeliveryMethods.choices)
+    endpoint_url = models.TextField(null=True)
+
+    events_requested = ArrayField(models.TextField(choices=EventTypes.choices), default=list)
+    format = models.TextField()
+    aud = ArrayField(models.TextField(), default=list)
+
+    iss = models.TextField()
+
+    class Meta:
+        verbose_name = _("SSF Stream")
+        verbose_name_plural = _("SSF Streams")
+        default_permissions = ["change", "delete", "view"]
+
+    def __str__(self) -> str:
+        return "SSF Stream"
+
+    def prepare_event_payload(self, type: EventTypes, event_data: dict, **kwargs) -> dict:
+        jti = uuid4()
+        _now = now()
+        return {
+            "uuid": jti,
+            "stream_id": str(self.pk),
+            "type": type,
+            "expiring": True,
+            "status": SSFEventStatus.PENDING_NEW,
+            "expires": _now + timedelta_from_string(self.provider.event_retention),
+            "payload": {
+                "jti": jti.hex,
+                "aud": self.aud,
+                "iat": int(datetime.now().timestamp()),
+                "iss": self.iss,
+                "events": {type: event_data},
+                **kwargs,
+            },
+        }
+
+    def encode(self, data: dict) -> str:
+        headers = {}
+        if self.provider.signing_key:
+            headers["kid"] = self.provider.signing_key.kid
+        key, alg = self.provider.jwt_key
+        return encode(data, key, algorithm=alg, headers=headers)
+
+
+class StreamEvent(CreatedUpdatedModel, ExpiringModel):
+    """Single stream event to be sent"""
+
+    uuid = models.UUIDField(default=uuid4, primary_key=True, editable=False)
+
+    stream = models.ForeignKey(Stream, on_delete=models.CASCADE)
+    status = models.TextField(choices=SSFEventStatus.choices)
+
+    type = models.TextField(choices=EventTypes.choices)
+    payload = models.JSONField(default=dict)
+
+    def expire_action(self, *args, **kwargs):
+        """Only allow automatic cleanup of successfully sent event"""
+        if self.status != SSFEventStatus.SENT:
+            return
+        return super().expire_action(*args, **kwargs)
+
+    def __str__(self):
+        return f"Stream event {self.type}"
+
+    class Meta:
+        verbose_name = _("SSF Stream Event")
+        verbose_name_plural = _("SSF Stream Events")
+        ordering = ("-created",)

authentik/enterprise/providers/ssf/signals.py

@@ -0,0 +1,193 @@
+from hashlib import sha256
+
+from django.contrib.auth.signals import user_logged_out
+from django.db.models import Model
+from django.db.models.signals import post_delete, post_save, pre_delete
+from django.dispatch import receiver
+from django.http.request import HttpRequest
+from guardian.shortcuts import assign_perm
+
+from authentik.core.models import (
+    USER_PATH_SYSTEM_PREFIX,
+    AuthenticatedSession,
+    Token,
+    TokenIntents,
+    User,
+    UserTypes,
+)
+from authentik.core.signals import password_changed
+from authentik.enterprise.providers.ssf.models import (
+    EventTypes,
+    SSFProvider,
+)
+from authentik.enterprise.providers.ssf.tasks import send_ssf_event
+from authentik.events.middleware import audit_ignore
+from authentik.stages.authenticator.models import Device
+from authentik.stages.authenticator_duo.models import DuoDevice
+from authentik.stages.authenticator_static.models import StaticDevice
+from authentik.stages.authenticator_totp.models import TOTPDevice
+from authentik.stages.authenticator_webauthn.models import (
+    UNKNOWN_DEVICE_TYPE_AAGUID,
+    WebAuthnDevice,
+)
+
+USER_PATH_PROVIDERS_SSF = USER_PATH_SYSTEM_PREFIX + "/providers/ssf"
+
+
+@receiver(post_save, sender=SSFProvider)
+def ssf_providers_post_save(sender: type[Model], instance: SSFProvider, created: bool, **_):
+    """Create service account before provider is saved"""
+    identifier = instance.service_account_identifier
+    user, _ = User.objects.update_or_create(
+        username=identifier,
+        defaults={
+            "name": f"SSF Provider {instance.name} Service-Account",
+            "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
+            "path": USER_PATH_PROVIDERS_SSF,
+        },
+    )
+    assign_perm("add_stream", user, instance)
+    token, token_created = Token.objects.update_or_create(
+        identifier=identifier,
+        defaults={
+            "user": user,
+            "intent": TokenIntents.INTENT_API,
+            "expiring": False,
+            "managed": f"goauthentik.io/providers/ssf/{instance.pk}",
+        },
+    )
+    if created or token_created:
+        with audit_ignore():
+            instance.token = token
+            instance.save()
+
+
+@receiver(user_logged_out)
+def ssf_user_logged_out_session_revoked(sender, request: HttpRequest, user: User, **_):
+    """Session revoked trigger (user logged out)"""
+    if not request.session or not request.session.session_key or not user:
+        return
+    send_ssf_event(
+        EventTypes.CAEP_SESSION_REVOKED,
+        {
+            "initiating_entity": "user",
+        },
+        sub_id={
+            "format": "complex",
+            "session": {
+                "format": "opaque",
+                "id": sha256(request.session.session_key.encode("ascii")).hexdigest(),
+            },
+            "user": {
+                "format": "email",
+                "email": user.email,
+            },
+        },
+        request=request,
+    )
+
+
+@receiver(pre_delete, sender=AuthenticatedSession)
+def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSession, **_):
+    """Session revoked trigger (users' session has been deleted)
+
+    As this signal is also triggered with a regular logout, we can't be sure
+    if the session has been deleted by an admin or by the user themselves."""
+    send_ssf_event(
+        EventTypes.CAEP_SESSION_REVOKED,
+        {
+            "initiating_entity": "user",
+        },
+        sub_id={
+            "format": "complex",
+            "session": {
+                "format": "opaque",
+                "id": sha256(instance.session_key.encode("ascii")).hexdigest(),
+            },
+            "user": {
+                "format": "email",
+                "email": instance.user.email,
+            },
+        },
+    )
+
+
+@receiver(password_changed)
+def ssf_password_changed_cred_change(sender, user: User, password: str | None, **_):
+    """Credential change trigger (password changed)"""
+    send_ssf_event(
+        EventTypes.CAEP_CREDENTIAL_CHANGE,
+        {
+            "credential_type": "password",
+            "change_type": "revoke" if password is None else "update",
+        },
+        sub_id={
+            "format": "complex",
+            "user": {
+                "format": "email",
+                "email": user.email,
+            },
+        },
+    )
+
+
+device_type_map = {
+    StaticDevice: "pin",
+    TOTPDevice: "pin",
+    WebAuthnDevice: "fido-u2f",
+    DuoDevice: "app",
+}
+
+
+@receiver(post_save)
+def ssf_device_post_save(sender: type[Model], instance: Device, created: bool, **_):
+    if not isinstance(instance, Device):
+        return
+    if not instance.confirmed:
+        return
+    device_type = device_type_map.get(instance.__class__)
+    data = {
+        "credential_type": device_type,
+        "change_type": "create" if created else "update",
+        "friendly_name": instance.name,
+    }
+    if isinstance(instance, WebAuthnDevice) and instance.aaguid != UNKNOWN_DEVICE_TYPE_AAGUID:
+        data["fido2_aaguid"] = instance.aaguid
+    send_ssf_event(
+        EventTypes.CAEP_CREDENTIAL_CHANGE,
+        data,
+        sub_id={
+            "format": "complex",
+            "user": {
+                "format": "email",
+                "email": instance.user.email,
+            },
+        },
+    )
+
+
+@receiver(post_delete)
+def ssf_device_post_delete(sender: type[Model], instance: Device, **_):
+    if not isinstance(instance, Device):
+        return
+    if not instance.confirmed:
+        return
+    device_type = device_type_map.get(instance.__class__)
+    data = {
+        "credential_type": device_type,
+        "change_type": "delete",
+        "friendly_name": instance.name,
+    }
+    if isinstance(instance, WebAuthnDevice) and instance.aaguid != UNKNOWN_DEVICE_TYPE_AAGUID:
+        data["fido2_aaguid"] = instance.aaguid
+    send_ssf_event(
+        EventTypes.CAEP_CREDENTIAL_CHANGE,
+        data,
+        sub_id={
+            "format": "complex",
+            "user": {
+                "format": "email",
+                "email": instance.user.email,
+            },
+        },
+    )

authentik/enterprise/providers/ssf/tasks.py

@@ -0,0 +1,136 @@
+from celery import group
+from django.http import HttpRequest
+from django.utils.timezone import now
+from django.utils.translation import gettext_lazy as _
+from requests.exceptions import RequestException
+from structlog.stdlib import get_logger
+
+from authentik.core.models import User
+from authentik.enterprise.providers.ssf.models import (
+    DeliveryMethods,
+    EventTypes,
+    SSFEventStatus,
+    Stream,
+    StreamEvent,
+)
+from authentik.events.logs import LogEvent
+from authentik.events.models import TaskStatus
+from authentik.events.system_tasks import SystemTask
+from authentik.lib.utils.http import get_http_session
+from authentik.lib.utils.time import timedelta_from_string
+from authentik.policies.engine import PolicyEngine
+from authentik.root.celery import CELERY_APP
+
+session = get_http_session()
+LOGGER = get_logger()
+
+
+def send_ssf_event(
+    event_type: EventTypes,
+    data: dict,
+    stream_filter: dict | None = None,
+    request: HttpRequest | None = None,
+    **extra_data,
+):
+    """Wrapper to send an SSF event to multiple streams"""
+    payload = []
+    if not stream_filter:
+        stream_filter = {}
+    stream_filter["events_requested__contains"] = [event_type]
+    if request and hasattr(request, "request_id"):
+        extra_data.setdefault("txn", request.request_id)
+    for stream in Stream.objects.filter(**stream_filter):
+        event_data = stream.prepare_event_payload(event_type, data, **extra_data)
+        payload.append((str(stream.uuid), event_data))
+    return _send_ssf_event.delay(payload)
+
+
+def _check_app_access(stream_uuid: str, event_data: dict) -> bool:
+    """Check if event is related to user and if so, check
+    if the user has access to the application"""
+    stream = Stream.objects.filter(pk=stream_uuid).first()
+    if not stream:
+        return False
+    # `event_data` is a dict version of a StreamEvent
+    sub_id = event_data.get("payload", {}).get("sub_id", {})
+    email = sub_id.get("user", {}).get("email", None)
+    if not email:
+        return True
+    user = User.objects.filter(email=email).first()
+    if not user:
+        return True
+    engine = PolicyEngine(stream.provider.backchannel_application, user)
+    engine.use_cache = False
+    engine.build()
+    return engine.passing
+
+
+@CELERY_APP.task()
+def _send_ssf_event(event_data: list[tuple[str, dict]]):
+    tasks = []
+    for stream, data in event_data:
+        if not _check_app_access(stream, data):
+            continue
+        event = StreamEvent.objects.create(**data)
+        tasks.extend(send_single_ssf_event(stream, str(event.uuid)))
+    main_task = group(*tasks)
+    main_task()
+
+
+def send_single_ssf_event(stream_id: str, evt_id: str):
+    stream = Stream.objects.filter(pk=stream_id).first()
+    if not stream:
+        return
+    event = StreamEvent.objects.filter(pk=evt_id).first()
+    if not event:
+        return
+    if event.status == SSFEventStatus.SENT:
+        return
+    if stream.delivery_method == DeliveryMethods.RISC_PUSH:
+        return [ssf_push_event.si(str(event.pk))]
+    return []
+
+
+@CELERY_APP.task(bind=True, base=SystemTask)
+def ssf_push_event(self: SystemTask, event_id: str):
+    self.save_on_success = False
+    event = StreamEvent.objects.filter(pk=event_id).first()
+    if not event:
+        return
+    self.set_uid(event_id)
+    if event.status == SSFEventStatus.SENT:
+        self.set_status(TaskStatus.SUCCESSFUL)
+        return
+    try:
+        response = session.post(
+            event.stream.endpoint_url,
+            data=event.stream.encode(event.payload),
+            headers={"Content-Type": "application/secevent+jwt", "Accept": "application/json"},
+        )
+        response.raise_for_status()
+        event.status = SSFEventStatus.SENT
+        event.save()
+        self.set_status(TaskStatus.SUCCESSFUL)
+        return
+    except RequestException as exc:
+        LOGGER.warning("Failed to send SSF event", exc=exc)
+        self.set_status(TaskStatus.ERROR)
+        attrs = {}
+        if exc.response:
+            attrs["response"] = {
+                "content": exc.response.text,
+                "status": exc.response.status_code,
+            }
+        self.set_error(
+            exc,
+            LogEvent(
+                _("Failed to send request"),
+                log_level="warning",
+                logger=self.__name__,
+                attributes=attrs,
+            ),
+        )
+        # Re-up the expiry of the stream event
+        event.expires = now() + timedelta_from_string(event.stream.provider.event_retention)
+        event.status = SSFEventStatus.PENDING_FAILED
+        event.save()

authentik/enterprise/providers/ssf/tests/test_config.py

@@ -0,0 +1,46 @@
+import json
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_cert
+from authentik.enterprise.providers.ssf.models import (
+    SSFProvider,
+)
+from authentik.lib.generators import generate_id
+
+
+class TestConfiguration(APITestCase):
+    def setUp(self):
+        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
+        self.provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+            backchannel_application=self.application,
+        )
+
+    def test_config_fetch(self):
+        """test SSF configuration (unauthenticated)"""
+        res = self.client.get(
+            reverse(
+                "authentik_providers_ssf:configuration",
+                kwargs={"application_slug": self.application.slug},
+            ),
+        )
+        self.assertEqual(res.status_code, 200)
+        content = json.loads(res.content)
+        self.assertEqual(content["spec_version"], "1_0-ID2")
+
+    def test_config_fetch_authenticated(self):
+        """test SSF configuration (authenticated)"""
+        res = self.client.get(
+            reverse(
+                "authentik_providers_ssf:configuration",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 200)
+        content = json.loads(res.content)
+        self.assertEqual(content["spec_version"], "1_0-ID2")

authentik/enterprise/providers/ssf/tests/test_jwks.py

@@ -0,0 +1,51 @@
+"""JWKS tests"""
+
+import base64
+import json
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.x509 import load_der_x509_certificate
+from django.test import TestCase
+from django.urls.base import reverse
+from jwt import PyJWKSet
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_cert
+from authentik.enterprise.providers.ssf.models import SSFProvider
+from authentik.lib.generators import generate_id
+
+
+class TestJWKS(TestCase):
+    """Test JWKS view"""
+
+    def test_rs256(self):
+        """Test JWKS request with RS256"""
+        provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
+        app.backchannel_providers.add(provider)
+        response = self.client.get(
+            reverse("authentik_providers_ssf:jwks", kwargs={"application_slug": app.slug})
+        )
+        body = json.loads(response.content.decode())
+        self.assertEqual(len(body["keys"]), 1)
+        PyJWKSet.from_dict(body)
+        key = body["keys"][0]
+        load_der_x509_certificate(base64.b64decode(key["x5c"][0]), default_backend()).public_key()
+
+    def test_es256(self):
+        """Test JWKS request with ES256"""
+        provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
+        app.backchannel_providers.add(provider)
+        response = self.client.get(
+            reverse("authentik_providers_ssf:jwks", kwargs={"application_slug": app.slug})
+        )
+        body = json.loads(response.content.decode())
+        self.assertEqual(len(body["keys"]), 1)
+        PyJWKSet.from_dict(body)

authentik/enterprise/providers/ssf/tests/test_signals.py

@@ -0,0 +1,168 @@
+from uuid import uuid4
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application, Group
+from authentik.core.tests.utils import (
+    create_test_cert,
+    create_test_user,
+)
+from authentik.enterprise.providers.ssf.models import (
+    EventTypes,
+    SSFEventStatus,
+    SSFProvider,
+    Stream,
+    StreamEvent,
+)
+from authentik.lib.generators import generate_id
+from authentik.policies.models import PolicyBinding
+from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
+
+
+class TestSignals(APITestCase):
+    """Test individual SSF Signals"""
+
+    def setUp(self):
+        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
+        self.provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+            backchannel_application=self.application,
+        )
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 201, res.content)
+
+    def test_signal_logout(self):
+        """Test user logout"""
+        user = create_test_user()
+        self.client.force_login(user)
+        self.client.logout()
+
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        event_payload = event.payload["events"][
+            "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
+        ]
+        self.assertEqual(event_payload["initiating_entity"], "user")
+        self.assertEqual(event.payload["sub_id"]["format"], "complex")
+        self.assertEqual(event.payload["sub_id"]["session"]["format"], "opaque")
+        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
+        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
+
+    def test_signal_password_change(self):
+        """Test user password change"""
+        user = create_test_user()
+        self.client.force_login(user)
+        user.set_password(generate_id())
+        user.save()
+
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        event_payload = event.payload["events"][
+            "https://schemas.openid.net/secevent/caep/event-type/credential-change"
+        ]
+        self.assertEqual(event_payload["change_type"], "update")
+        self.assertEqual(event_payload["credential_type"], "password")
+        self.assertEqual(event.payload["sub_id"]["format"], "complex")
+        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
+        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
+
+    def test_signal_authenticator_added(self):
+        """Test authenticator creation signal"""
+        user = create_test_user()
+        self.client.force_login(user)
+        dev = WebAuthnDevice.objects.create(
+            user=user,
+            name=generate_id(),
+            credential_id=generate_id(),
+            public_key=generate_id(),
+            aaguid=str(uuid4()),
+        )
+
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).exclude().first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        event_payload = event.payload["events"][
+            "https://schemas.openid.net/secevent/caep/event-type/credential-change"
+        ]
+        self.assertEqual(event_payload["change_type"], "create")
+        self.assertEqual(event_payload["fido2_aaguid"], dev.aaguid)
+        self.assertEqual(event_payload["friendly_name"], dev.name)
+        self.assertEqual(event_payload["credential_type"], "fido-u2f")
+        self.assertEqual(event.payload["sub_id"]["format"], "complex")
+        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
+        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
+
+    def test_signal_authenticator_deleted(self):
+        """Test authenticator deletion signal"""
+        user = create_test_user()
+        self.client.force_login(user)
+        dev = WebAuthnDevice.objects.create(
+            user=user,
+            name=generate_id(),
+            credential_id=generate_id(),
+            public_key=generate_id(),
+            aaguid=str(uuid4()),
+        )
+        dev.delete()
+
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).exclude().first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        event_payload = event.payload["events"][
+            "https://schemas.openid.net/secevent/caep/event-type/credential-change"
+        ]
+        self.assertEqual(event_payload["change_type"], "delete")
+        self.assertEqual(event_payload["fido2_aaguid"], dev.aaguid)
+        self.assertEqual(event_payload["friendly_name"], dev.name)
+        self.assertEqual(event_payload["credential_type"], "fido-u2f")
+        self.assertEqual(event.payload["sub_id"]["format"], "complex")
+        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
+        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
+
+    def test_signal_policy_ignore(self):
+        """Test event not being created for user that doesn't have access to the application"""
+        PolicyBinding.objects.create(
+            target=self.application, group=Group.objects.create(name=generate_id()), order=0
+        )
+        user = create_test_user()
+        self.client.force_login(user)
+        user.set_password(generate_id())
+        user.save()
+
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(
+            stream=stream, type=EventTypes.CAEP_CREDENTIAL_CHANGE
+        ).first()
+        self.assertIsNone(event)

authentik/enterprise/providers/ssf/tests/test_stream.py

@@ -0,0 +1,154 @@
+import json
+from dataclasses import asdict
+
+from django.urls import reverse
+from django.utils import timezone
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.enterprise.providers.ssf.models import (
+    SSFEventStatus,
+    SSFProvider,
+    Stream,
+    StreamEvent,
+)
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.id_token import IDToken
+from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
+
+
+class TestStream(APITestCase):
+    def setUp(self):
+        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
+        self.provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+            backchannel_application=self.application,
+        )
+
+    def test_stream_add_token(self):
+        """test stream add (token auth)"""
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 201)
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        self.assertEqual(
+            event.payload["events"],
+            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
+        )
+
+    def test_stream_add_poll(self):
+        """test stream add - poll method"""
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/poll",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(
+            res.content,
+            {"delivery": {"method": ["Polling for SSF events is not currently supported."]}},
+        )
+
+    def test_stream_add_oidc(self):
+        """test stream add (oidc auth)"""
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+        )
+        self.application.provider = provider
+        self.application.save()
+        user = create_test_admin_user()
+        token = AccessToken.objects.create(
+            provider=provider,
+            user=user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {token.token}",
+        )
+        self.assertEqual(res.status_code, 201)
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        self.assertEqual(
+            event.payload["events"],
+            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
+        )
+
+    def test_stream_delete(self):
+        """delete stream"""
+        stream = Stream.objects.create(provider=self.provider)
+        res = self.client.delete(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 204)
+        self.assertFalse(Stream.objects.filter(pk=stream.pk).exists())

authentik/enterprise/providers/ssf/urls.py

@@ -0,0 +1,32 @@
+"""SSF provider URLs"""
+
+from django.urls import path
+
+from authentik.enterprise.providers.ssf.api.providers import SSFProviderViewSet
+from authentik.enterprise.providers.ssf.api.streams import SSFStreamViewSet
+from authentik.enterprise.providers.ssf.views.configuration import ConfigurationView
+from authentik.enterprise.providers.ssf.views.jwks import JWKSview
+from authentik.enterprise.providers.ssf.views.stream import StreamView
+
+urlpatterns = [
+    path(
+        "application/ssf/<slug:application_slug>/ssf-jwks/",
+        JWKSview.as_view(),
+        name="jwks",
+    ),
+    path(
+        ".well-known/ssf-configuration/<slug:application_slug>",
+        ConfigurationView.as_view(),
+        name="configuration",
+    ),
+    path(
+        "application/ssf/<slug:application_slug>/stream/",
+        StreamView.as_view(),
+        name="stream",
+    ),
+]
+
+api_urlpatterns = [
+    ("providers/ssf", SSFProviderViewSet),
+    ("ssf/streams", SSFStreamViewSet),
+]

authentik/enterprise/providers/ssf/views/auth.py

@@ -0,0 +1,66 @@
+"""SSF Token auth"""
+
+from typing import TYPE_CHECKING, Any
+
+from django.db.models import Q
+from rest_framework.authentication import BaseAuthentication, get_authorization_header
+from rest_framework.request import Request
+
+from authentik.core.models import Token, TokenIntents, User
+from authentik.enterprise.providers.ssf.models import SSFProvider
+from authentik.providers.oauth2.models import AccessToken
+
+if TYPE_CHECKING:
+    from authentik.enterprise.providers.ssf.views.base import SSFView
+
+
+class SSFTokenAuth(BaseAuthentication):
+    """SSF Token auth"""
+
+    view: "SSFView"
+
+    def __init__(self, view: "SSFView") -> None:
+        super().__init__()
+        self.view = view
+
+    def check_token(self, key: str) -> Token | None:
+        """Check that a token exists, is not expired, and is assigned to the correct provider"""
+        token = Token.filter_not_expired(key=key, intent=TokenIntents.INTENT_API).first()
+        if not token:
+            return None
+        provider: SSFProvider = token.ssfprovider_set.first()
+        if not provider:
+            return None
+        self.view.application = provider.backchannel_application
+        self.view.provider = provider
+        return token
+
+    def check_jwt(self, jwt: str) -> AccessToken | None:
+        """Check JWT-based authentication, this supports tokens issued either by providers
+        configured directly in the provider, and by providers assigned to the application
+        that the SSF provider is a backchannel provider of."""
+        token = AccessToken.filter_not_expired(token=jwt, revoked=False).first()
+        if not token:
+            return None
+        ssf_provider = SSFProvider.objects.filter(
+            Q(oidc_auth_providers__in=[token.provider])
+            | Q(backchannel_application__provider__in=[token.provider]),
+        ).first()
+        if not ssf_provider:
+            return None
+        self.view.application = ssf_provider.backchannel_application
+        self.view.provider = ssf_provider
+        return token
+
+    def authenticate(self, request: Request) -> tuple[User, Any] | None:
+        auth = get_authorization_header(request).decode()
+        auth_type, _, key = auth.partition(" ")
+        if auth_type != "Bearer":
+            return None
+        token = self.check_token(key)
+        if token:
+            return (token.user, token)
+        jwt_token = self.check_jwt(key)
+        if jwt_token:
+            return (jwt_token.user, token)
+        return None

authentik/enterprise/providers/ssf/views/base.py

@@ -0,0 +1,23 @@
+from django.http import HttpRequest
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.views import APIView
+from structlog.stdlib import BoundLogger, get_logger
+
+from authentik.core.models import Application
+from authentik.enterprise.providers.ssf.models import SSFProvider
+from authentik.enterprise.providers.ssf.views.auth import SSFTokenAuth
+
+
+class SSFView(APIView):
+    application: Application
+    provider: SSFProvider
+    logger: BoundLogger
+
+    permission_classes = [IsAuthenticated]
+
+    def setup(self, request: HttpRequest, *args, **kwargs) -> None:
+        self.logger = get_logger().bind()
+        super().setup(request, *args, **kwargs)
+
+    def get_authenticators(self):
+        return [SSFTokenAuth(self)]

authentik/enterprise/providers/ssf/views/configuration.py

@@ -0,0 +1,55 @@
+from django.http import Http404, HttpRequest, HttpResponse, JsonResponse
+from django.shortcuts import get_object_or_404
+from django.urls import reverse
+from rest_framework.permissions import AllowAny
+
+from authentik.core.models import Application
+from authentik.enterprise.providers.ssf.models import DeliveryMethods, SSFProvider
+from authentik.enterprise.providers.ssf.views.base import SSFView
+
+
+class ConfigurationView(SSFView):
+    """SSF configuration endpoint"""
+
+    permission_classes = [AllowAny]
+
+    def get_authenticators(self):
+        return []
+
+    def get(self, request: HttpRequest, application_slug: str, *args, **kwargs) -> HttpResponse:
+        application = get_object_or_404(Application, slug=application_slug)
+        provider = application.backchannel_provider_for(SSFProvider)
+        if not provider:
+            raise Http404
+        data = {
+            "spec_version": "1_0-ID2",
+            "issuer": self.request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_ssf:configuration",
+                    kwargs={
+                        "application_slug": application.slug,
+                    },
+                )
+            ),
+            "jwks_uri": self.request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_ssf:jwks",
+                    kwargs={
+                        "application_slug": application.slug,
+                    },
+                )
+            ),
+            "configuration_endpoint": self.request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_ssf:stream",
+                    kwargs={
+                        "application_slug": application.slug,
+                    },
+                )
+            ),
+            "delivery_methods_supported": [
+                DeliveryMethods.RISC_PUSH,
+            ],
+            "authorization_schemes": [{"spec_urn": "urn:ietf:rfc:6749"}],
+        }
+        return JsonResponse(data)

authentik/enterprise/providers/ssf/views/jwks.py

@@ -0,0 +1,31 @@
+from django.http import Http404, HttpRequest, HttpResponse, JsonResponse
+from django.shortcuts import get_object_or_404
+from django.views import View
+
+from authentik.core.models import Application
+from authentik.crypto.models import CertificateKeyPair
+from authentik.enterprise.providers.ssf.models import SSFProvider
+from authentik.providers.oauth2.views.jwks import JWKSView as OAuthJWKSView
+
+
+class JWKSview(View):
+    """SSF JWKS endpoint, similar to the OAuth2 provider's endpoint"""
+
+    def get(self, request: HttpRequest, application_slug: str) -> HttpResponse:
+        """Show JWK Key data for Provider"""
+        application = get_object_or_404(Application, slug=application_slug)
+        provider = application.backchannel_provider_for(SSFProvider)
+        if not provider:
+            raise Http404
+        signing_key: CertificateKeyPair = provider.signing_key
+
+        response_data = {}
+
+        jwk = OAuthJWKSView.get_jwk_for_key(signing_key, "sig")
+        if jwk:
+            response_data["keys"] = [jwk]
+
+        response = JsonResponse(response_data)
+        response["Access-Control-Allow-Origin"] = "*"
+
+        return response

authentik/enterprise/providers/ssf/views/stream.py

@@ -0,0 +1,130 @@
+from django.http import HttpRequest
+from django.urls import reverse
+from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.fields import CharField, ChoiceField, ListField, SerializerMethodField
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
+from structlog.stdlib import get_logger
+
+from authentik.core.api.utils import PassiveSerializer
+from authentik.enterprise.providers.ssf.models import (
+    DeliveryMethods,
+    EventTypes,
+    SSFProvider,
+    Stream,
+)
+from authentik.enterprise.providers.ssf.tasks import send_ssf_event
+from authentik.enterprise.providers.ssf.views.base import SSFView
+
+LOGGER = get_logger()
+
+
+class StreamDeliverySerializer(PassiveSerializer):
+    method = ChoiceField(choices=[(x.value, x.value) for x in DeliveryMethods])
+    endpoint_url = CharField(required=False)
+
+    def validate_method(self, method: DeliveryMethods):
+        """Currently only push is supported"""
+        if method == DeliveryMethods.RISC_POLL:
+            raise ValidationError("Polling for SSF events is not currently supported.")
+        return method
+
+    def validate(self, attrs: dict) -> dict:
+        if attrs["method"] == DeliveryMethods.RISC_PUSH:
+            if not attrs.get("endpoint_url"):
+                raise ValidationError("Endpoint URL is required when using push.")
+        return attrs
+
+
+class StreamSerializer(ModelSerializer):
+    delivery = StreamDeliverySerializer()
+    events_requested = ListField(
+        child=ChoiceField(choices=[(x.value, x.value) for x in EventTypes])
+    )
+    format = CharField()
+    aud = ListField(child=CharField())
+
+    def create(self, validated_data):
+        provider: SSFProvider = validated_data["provider"]
+        request: HttpRequest = self.context["request"]
+        iss = request.build_absolute_uri(
+            reverse(
+                "authentik_providers_ssf:configuration",
+                kwargs={
+                    "application_slug": provider.backchannel_application.slug,
+                },
+            )
+        )
+        # Ensure that streams always get SET verification events sent to them
+        validated_data["events_requested"].append(EventTypes.SET_VERIFICATION)
+        return super().create(
+            {
+                "delivery_method": validated_data["delivery"]["method"],
+                "endpoint_url": validated_data["delivery"].get("endpoint_url"),
+                "format": validated_data["format"],
+                "provider": validated_data["provider"],
+                "events_requested": validated_data["events_requested"],
+                "aud": validated_data["aud"],
+                "iss": iss,
+            }
+        )
+
+    class Meta:
+        model = Stream
+        fields = [
+            "delivery",
+            "events_requested",
+            "format",
+            "aud",
+        ]
+
+
+class StreamResponseSerializer(PassiveSerializer):
+    stream_id = CharField(source="pk")
+    iss = CharField()
+    aud = ListField(child=CharField())
+    delivery = SerializerMethodField()
+    format = CharField()
+
+    events_requested = ListField(child=CharField())
+    events_supported = SerializerMethodField()
+    events_delivered = ListField(child=CharField(), source="events_requested")
+
+    def get_delivery(self, instance: Stream) -> StreamDeliverySerializer:
+        return {
+            "method": instance.delivery_method,
+            "endpoint_url": instance.endpoint_url,
+        }
+
+    def get_events_supported(self, instance: Stream) -> list[str]:
+        return [x.value for x in EventTypes]
+
+
+class StreamView(SSFView):
+    def post(self, request: Request, *args, **kwargs) -> Response:
+        stream = StreamSerializer(data=request.data, context={"request": request})
+        stream.is_valid(raise_exception=True)
+        if not request.user.has_perm("authentik_providers_ssf.add_stream", self.provider):
+            raise PermissionDenied(
+                "User does not have permission to create stream for this provider."
+            )
+        instance: Stream = stream.save(provider=self.provider)
+        send_ssf_event(
+            EventTypes.SET_VERIFICATION,
+            {
+                "state": None,
+            },
+            stream_filter={"pk": instance.uuid},
+            sub_id={"format": "opaque", "id": str(instance.uuid)},
+        )
+        response = StreamResponseSerializer(instance=instance, context={"request": request}).data
+        return Response(response, status=201)
+
+    def delete(self, request: Request, *args, **kwargs) -> Response:
+        streams = Stream.objects.filter(provider=self.provider)
+        # Technically this parameter is required by the spec...
+        if "stream_id" in request.query_params:
+            streams = streams.filter(stream_id=request.query_params["stream_id"])
+        streams.delete()
+        return Response(status=204)

authentik/enterprise/settings.py

@@ -16,7 +16,7 @@ TENANT_APPS = [
     "authentik.enterprise.audit",
     "authentik.enterprise.providers.google_workspace",
     "authentik.enterprise.providers.microsoft_entra",
-    "authentik.enterprise.providers.rac",
+    "authentik.enterprise.providers.ssf",
     "authentik.enterprise.stages.authenticator_endpoint_gdtc",
     "authentik.enterprise.stages.source",
 ]

authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py

@@ -1,14 +1,11 @@
 """AuthenticatorEndpointGDTCStage API Views"""
 
-from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
-from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from structlog.stdlib import get_logger
 
-from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@@ -67,8 +64,7 @@ class EndpointDeviceViewSet(
     search_fields = ["name"]
     filterset_fields = ["name"]
     ordering = ["name"]
-    permission_classes = [OwnerPermissions]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    owner_field = "user"
 
 
 class EndpointAdminDeviceViewSet(ModelViewSet):

authentik/events/api/notifications.py

@@ -1,17 +1,15 @@
 """Notification API Views"""
 
-from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
-from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
 
-from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.events.api.events import EventSerializer
@@ -57,8 +55,7 @@ class NotificationViewSet(
         "seen",
         "user",
     ]
-    permission_classes = [OwnerPermissions]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    owner_field = "user"
 
     @extend_schema(
         request=OpenApiTypes.NONE,
@@ -66,7 +63,7 @@ class NotificationViewSet(
             204: OpenApiResponse(description="Marked tasks as read successfully."),
         },
     )
-    @action(detail=False, methods=["post"])
+    @action(detail=False, methods=["post"], permission_classes=[IsAuthenticated])
     def mark_all_seen(self, request: Request) -> Response:
         """Mark all the user's notifications as seen"""
         Notification.objects.filter(user=request.user, seen=False).update(seen=True)

authentik/events/migrations/0008_event_authentik_e_expires_8c73a8_idx_and_more.py

@@ -0,0 +1,41 @@
+# Generated by Django 5.0.10 on 2025-01-13 18:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0007_event_authentik_e_action_9a9dd9_idx_and_more"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="event",
+            index=models.Index(fields=["expires"], name="authentik_e_expires_8c73a8_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="event",
+            index=models.Index(fields=["expiring"], name="authentik_e_expirin_b5cb5e_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="event",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_e_expirin_e37180_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="systemtask",
+            index=models.Index(fields=["expires"], name="authentik_e_expires_4d3985_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="systemtask",
+            index=models.Index(fields=["expiring"], name="authentik_e_expirin_81d649_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="systemtask",
+            index=models.Index(
+                fields=["expiring", "expires"], name="authentik_e_expirin_eb3598_idx"
+            ),
+        ),
+    ]

authentik/events/models.py

@@ -306,7 +306,7 @@ class Event(SerializerModel, ExpiringModel):
     class Meta:
         verbose_name = _("Event")
         verbose_name_plural = _("Events")
-        indexes = [
+        indexes = ExpiringModel.Meta.indexes + [
             models.Index(fields=["action"]),
             models.Index(fields=["user"]),
             models.Index(fields=["app"]),
@@ -694,3 +694,4 @@ class SystemTask(SerializerModel, ExpiringModel):
         permissions = [("run_task", _("Run task"))]
         verbose_name = _("System Task")
         verbose_name_plural = _("System Tasks")
+        indexes = ExpiringModel.Meta.indexes

authentik/events/signals.py

@@ -106,9 +106,9 @@ def on_invitation_used(sender, request: HttpRequest, invitation: Invitation, **_
 
 
 @receiver(password_changed)
-def on_password_changed(sender, user: User, password: str, **_):
+def on_password_changed(sender, user: User, password: str, request: HttpRequest | None, **_):
     """Log password change"""
-    Event.new(EventAction.PASSWORD_SET).from_http(None, user=user)
+    Event.new(EventAction.PASSWORD_SET).from_http(request, user=user)
 
 
 @receiver(post_save, sender=Event)

authentik/events/system_tasks.py

@@ -53,12 +53,13 @@ class SystemTask(TenantTask):
             if not isinstance(msg, LogEvent):
                 self._messages[idx] = LogEvent(msg, logger=self.__name__, log_level="info")
 
-    def set_error(self, exception: Exception):
+    def set_error(self, exception: Exception, *messages: LogEvent):
         """Set result to error and save exception"""
         self._status = TaskStatus.ERROR
-        self._messages = [
-            LogEvent(exception_to_string(exception), logger=self.__name__, log_level="error")
-        ]
+        self._messages = list(messages)
+        self._messages.extend(
+            [LogEvent(exception_to_string(exception), logger=self.__name__, log_level="error")]
+        )
 
     def before_start(self, task_id, args, kwargs):
         self._start_precise = perf_counter()

authentik/events/tasks.py

@@ -138,7 +138,6 @@ def notification_cleanup(self: SystemTask):
     """Cleanup seen notifications and notifications whose event expired."""
     notifications = Notification.objects.filter(Q(event=None) | Q(seen=True))
     amount = notifications.count()
-    for notification in notifications:
-        notification.delete()
+    notifications.delete()
     LOGGER.debug("Expired notifications", amount=amount)
     self.set_status(TaskStatus.SUCCESSFUL, f"Expired {amount} Notifications")

authentik/flows/api/stages.py

@@ -1,5 +1,7 @@
 """Flow Stage API Views"""
 
+from uuid import uuid4
+
 from django.urls.base import reverse
 from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
@@ -27,6 +29,11 @@ class StageSerializer(ModelSerializer, MetaNameSerializer):
     component = SerializerMethodField()
     flow_set = FlowSetSerializer(many=True, required=False)
 
+    def to_representation(self, instance: Stage):
+        if isinstance(instance, Stage) and instance.is_in_memory:
+            instance.stage_uuid = uuid4()
+        return super().to_representation(instance)
+
     def get_component(self, obj: Stage) -> str:
         """Get object type so that we know how to edit the object"""
         if obj.__class__ == Stage:

authentik/flows/markers.py

@@ -3,6 +3,7 @@
 from dataclasses import dataclass
 from typing import TYPE_CHECKING
 
+from django.contrib.messages import INFO, add_message
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
 
@@ -61,6 +62,8 @@ class ReevaluateMarker(StageMarker):
         engine.request.context.update(plan.context)
         engine.build()
         result = engine.result
+        for message in result.messages:
+            add_message(http_request, INFO, message)
         if result.passing:
             return binding
         LOGGER.warning(

authentik/flows/migrations/0012_auto_20200908_1542_squashed_0017_auto_20210329_1334.py

@@ -88,7 +88,8 @@ class Migration(migrations.Migration):
             model_name="flowstagebinding",
             name="re_evaluate_policies",
             field=models.BooleanField(
-                default=False, help_text="Evaluate policies when the Stage is present to the user."
+                default=False,
+                help_text="Evaluate policies when the Stage is presented to the user.",
             ),
         ),
         migrations.AddField(

authentik/flows/migrations/0025_alter_flowstagebinding_evaluate_on_plan_and_more.py

@@ -20,7 +20,7 @@ class Migration(migrations.Migration):
             model_name="flowstagebinding",
             name="re_evaluate_policies",
             field=models.BooleanField(
-                default=True, help_text="Evaluate policies when the Stage is present to the user."
+                default=True, help_text="Evaluate policies when the Stage is presented to the user."
             ),
         ),
     ]

authentik/flows/models.py

@@ -36,6 +36,15 @@ class FlowAuthenticationRequirement(models.TextChoices):
     REQUIRE_REDIRECT = "require_redirect"
     REQUIRE_OUTPOST = "require_outpost"
 
+    @property
+    def possibly_unauthenticated(self) -> bool:
+        """Check if unauthenticated users can run this flow. Flows like this may require additional
+        hardening."""
+        return self in [
+            FlowAuthenticationRequirement.NONE,
+            FlowAuthenticationRequirement.REQUIRE_UNAUTHENTICATED,
+        ]
+
 
 class NotConfiguredAction(models.TextChoices):
     """Decides how the FlowExecutor should proceed when a stage isn't configured"""
@@ -102,8 +111,12 @@ class Stage(SerializerModel):
         user settings are available, or a challenge."""
         return None
 
+    @property
+    def is_in_memory(self):
+        return hasattr(self, "__in_memory_type")
+
     def __str__(self):
-        if hasattr(self, "__in_memory_type"):
+        if self.is_in_memory:
             return f"In-memory Stage {getattr(self, '__in_memory_type')}"
         return f"Stage {self.name}"
 
@@ -227,7 +240,7 @@ class FlowStageBinding(SerializerModel, PolicyBindingModel):
     )
     re_evaluate_policies = models.BooleanField(
         default=True,
-        help_text=_("Evaluate policies when the Stage is present to the user."),
+        help_text=_("Evaluate policies when the Stage is presented to the user."),
     )
 
     invalid_response_action = models.TextField(

authentik/flows/planner.py

@@ -109,6 +109,8 @@ class FlowPlan:
 
     def pop(self):
         """Pop next pending stage from bottom of list"""
+        if not self.markers and not self.bindings:
+            return
         self.markers.pop(0)
         self.bindings.pop(0)
 
@@ -156,12 +158,25 @@ class FlowPlan:
             final_stage: type[StageView] = self.bindings[-1].stage.view
             temp_exec = FlowExecutorView(flow=flow, request=request, plan=self)
             temp_exec.current_stage = self.bindings[-1].stage
+            temp_exec.current_stage_view = final_stage
+            temp_exec.setup(request, flow.slug)
             stage = final_stage(request=request, executor=temp_exec)
-            return stage.dispatch(request)
+            response = stage.dispatch(request)
+            # Ensure we clean the flow state we have in the session before we redirect away
+            temp_exec.stage_ok()
+            return response
+
+        get_qs = request.GET.copy()
+        if request.user.is_authenticated and (
+            # Object-scoped permission or global permission
+            request.user.has_perm("authentik_flows.inspect_flow", flow)
+            or request.user.has_perm("authentik_flows.inspect_flow")
+        ):
+            get_qs["inspector"] = "available"
 
         return redirect_with_qs(
             "authentik_core:if-flow",
-            request.GET,
+            get_qs,
             flow_slug=flow.slug,
         )