wip

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
wip
2025-03-07 19:23:34 +01:00 · 2025-03-07 16:24:55 +01:00 · 2025-03-07 14:04:21 +01:00 · 2025-03-07 12:58:28 +01:00 · 2025-03-07 12:46:15 +01:00 · 2025-03-07 12:46:08 +01:00
930 changed files with 75948 additions and 26604 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.10.5
+current_version = 2025.2.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -31,4 +31,4 @@ optional_value = final
 [bumpversion:file:web/src/common/constants.ts]
-[bumpversion:file:website/docs/install-config/install/aws/template.yaml]
+[bumpversion:file:lifecycle/aws/template.yaml]
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -28,7 +28,11 @@ Output of docker-compose logs or kubectl logs respectively
 **Version and Deployment (please complete the following information):**
-   authentik version: [e.g. 2021.8.5]
+<!--
 Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
 -->
 -   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]
 **Additional context**
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -20,7 +20,12 @@ Output of docker-compose logs or kubectl logs respectively
 **Version and Deployment (please complete the following information):**
-   authentik version: [e.g. 2021.8.5]
+<!--
 Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
 -->
 -   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]
 **Additional context**
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -35,14 +35,6 @@ runs:
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```
            For arm64, use these values:
            ```shell
            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
          <details>
@ -60,18 +52,6 @@ runs:
                    tag: ${{ inputs.tag }}
            ```
            For arm64, use these values:
            ```yaml
            authentik:
                outposts:
                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            global:
                image:
                    repository: ghcr.io/goauthentik/dev-server
                    tag: ${{ inputs.tag }}-arm64
            ```
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
        edit-mode: replace
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -9,6 +9,9 @@ inputs:
  image-arch:
    required: false
    description: "Docker image arch"
  release:
    required: true
    description: "True if this is a release build, false if this is a dev/PR build"
 outputs:
  shouldPush:
@ -29,15 +32,24 @@ outputs:
  imageTags:
    description: "Docker image tags"
    value: ${{ steps.ev.outputs.imageTags }}
  imageTagsJSON:
    description: "Docker image tags, as a JSON array"
    value: ${{ steps.ev.outputs.imageTagsJSON }}
  attestImageNames:
    description: "Docker image names used for attestation"
    value: ${{ steps.ev.outputs.attestImageNames }}
  cacheTo:
    description: "cache-to value for the docker build step"
    value: ${{ steps.ev.outputs.cacheTo }}
  imageMainTag:
    description: "Docker image main tag"
    value: ${{ steps.ev.outputs.imageMainTag }}
  imageMainName:
    description: "Docker image main name"
    value: ${{ steps.ev.outputs.imageMainName }}
  imageBuildArgs:
    description: "Docker image build args"
    value: ${{ steps.ev.outputs.imageBuildArgs }}
 runs:
  using: "composite"
@ -48,6 +60,8 @@ runs:
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        IMAGE_ARCH: ${{ inputs.image-arch }}
        RELEASE: ${{ inputs.release }}
        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        REF: ${{ github.ref }}
      run: |
        python3 ${{ github.action_path }}/push_vars.py
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -2,6 +2,7 @@
 import configparser
 import os
 from json import dumps
 from time import time
 parser = configparser.ConfigParser()
@ -48,7 +49,7 @@ if is_release:
            ]
 else:
    suffix = ""
-    if image_arch and image_arch != "amd64":
+    if image_arch:
        suffix = f"-{image_arch}"
    for name in image_names:
        image_tags += [
@ -70,12 +71,31 @@ def get_attest_image_names(image_with_tags: list[str]):
    return ",".join(set(image_tags))
 # Generate `cache-to` param
 cache_to = ""
 if should_push:
    _cache_tag = "buildcache"
    if image_arch:
        _cache_tag += f"-{image_arch}"
    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
 image_build_args = []
 if os.getenv("RELEASE", "false").lower() == "true":
    image_build_args = [f"VERSION={os.getenv('REF')}"]
 else:
    image_build_args = [f"GIT_BUILD_HASH={sha}"]
 image_build_args = "\n".join(image_build_args)
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
    print(f"shouldPush={str(should_push).lower()}", file=_output)
    print(f"sha={sha}", file=_output)
    print(f"version={version}", file=_output)
    print(f"prerelease={prerelease}", file=_output)
    print(f"imageTags={','.join(image_tags)}", file=_output)
    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
    print(f"cacheTo={cache_to}", file=_output)
    print(f"imageBuildArgs={image_build_args}", file=_output)
--- a/.github/actions/docker-push-variables/test.sh
+++ b/.github/actions/docker-push-variables/test.sh
@ -1,7 +1,18 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 # Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
    GITHUB_REF=ref \
    GITHUB_SHA=sha \
    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
    GITHUB_REPOSITORY=goauthentik/authentik \
    python $SCRIPT_DIR/push_vars.py
 # Pushing PR/main
 GITHUB_OUTPUT=/dev/stdout \
    GITHUB_REF=ref \
    GITHUB_SHA=sha \
    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
    GITHUB_REPOSITORY=goauthentik/authentik \
    DOCKER_USERNAME=foo \
    python $SCRIPT_DIR/push_vars.py
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -30,12 +30,16 @@ runs:
      uses: actions/setup-go@v5
      with:
        go-version-file: "go.mod"
    - name: Setup docker cache
      uses: ScribeMD/docker-cache@0.5.0
      with:
        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
    - name: Setup dependencies
      shell: bash
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install --sync
+        poetry sync
        cd web && npm ci
    - name: Generate config
      shell: poetry run python {0}
--- a/.github/actions/setup/docker-compose.yml
+++ b/.github/actions/setup/docker-compose.yml
@ -11,7 +11,7 @@ services:
      - 5432:5432
    restart: always
  redis:
-    image: docker.io/library/redis
+    image: docker.io/library/redis:7
    ports:
      - 6379:6379
    restart: always
--- a/.github/codespell-words.txt
+++ b/.github/codespell-words.txt
@ -1,7 +1,32 @@
 akadmin
 asgi
 assertIn
 authentik
 authn
 crate
 docstrings
 entra
 goauthentik
 gunicorn
 hass
 jwe
 jwks
 keypair
 keypairs
-hass
+kubernetes
-warmup
+oidc
 ontext
 openid
 passwordless
 plex
 saml
 scim
 singed
-assertIn
+slo
 sso
 totp
 traefik
 # https://github.com/codespell-project/codespell/issues/1224
 upToDate
 warmup
 webauthn
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -82,6 +82,22 @@ updates:
      docusaurus:
        patterns:
          - "@docusaurus/*"
      build:
        patterns:
          - "@swc/*"
          - "swc-*"
          - "lightningcss*"
          - "@rspack/binding*"
  - package-ecosystem: npm
    directory: "/lifecycle/aws"
    schedule:
      interval: daily
      time: "04:00"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "lifecycle/aws:"
    labels:
      - dependencies
  - package-ecosystem: pip
    directory: "/"
    schedule:
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -0,0 +1,96 @@
 # Re-usable workflow for a single-architecture build
 name: Single-arch Container build
 on:
  workflow_call:
    inputs:
      image_name:
        required: true
        type: string
      image_arch:
        required: true
        type: string
      runs-on:
        required: true
        type: string
      registry_dockerhub:
        default: false
        type: boolean
      registry_ghcr:
        default: false
        type: boolean
      release:
        default: false
        type: boolean
    outputs:
      image-digest:
        value: ${{ jobs.build.outputs.image-digest }}
 jobs:
  build:
    name: Build ${{ inputs.image_arch }}
    runs-on: ${{ inputs.runs-on }}
    outputs:
      image-digest: ${{ steps.push.outputs.digest }}
    permissions:
      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3.6.0
      - uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ${{ inputs.image_name }}
          image-arch: ${{ inputs.image_arch }}
          release: ${{ inputs.release }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: make empty clients
        if: ${{ inputs.release }}
        run: |
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
      - name: generate ts client
        if: ${{ !inputs.release }}
        run: make gen-client-ts
      - name: Build Docker Image
        uses: docker/build-push-action@v6
        id: push
        with:
          context: .
          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
          secrets: |
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          build-args: |
            ${{ steps.ev.outputs.imageBuildArgs }}
          tags: ${{ steps.ev.outputs.imageTags }}
          platforms: linux/${{ inputs.image_arch }}
          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
          cache-to: ${{ steps.ev.outputs.cacheTo }}
      - uses: actions/attest-build-provenance@v2
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
--- a/.github/workflows/_reusable-docker-build.yaml
+++ b/.github/workflows/_reusable-docker-build.yaml
@ -0,0 +1,104 @@
 # Re-usable workflow for a multi-architecture build
 name: Multi-arch container build
 on:
  workflow_call:
    inputs:
      image_name:
        required: true
        type: string
      registry_dockerhub:
        default: false
        type: boolean
      registry_ghcr:
        default: true
        type: boolean
      release:
        default: false
        type: boolean
    outputs: {}
 jobs:
  build-server-amd64:
    uses: ./.github/workflows/_reusable-docker-build-single.yaml
    secrets: inherit
    with:
      image_name: ${{ inputs.image_name }}
      image_arch: amd64
      runs-on: ubuntu-latest
      registry_dockerhub: ${{ inputs.registry_dockerhub }}
      registry_ghcr: ${{ inputs.registry_ghcr }}
      release: ${{ inputs.release }}
  build-server-arm64:
    uses: ./.github/workflows/_reusable-docker-build-single.yaml
    secrets: inherit
    with:
      image_name: ${{ inputs.image_name }}
      image_arch: arm64
      runs-on: ubuntu-22.04-arm
      registry_dockerhub: ${{ inputs.registry_dockerhub }}
      registry_ghcr: ${{ inputs.registry_ghcr }}
      release: ${{ inputs.release }}
  get-tags:
    runs-on: ubuntu-latest
    needs:
      - build-server-amd64
      - build-server-arm64
    outputs:
      tags: ${{ steps.ev.outputs.imageTagsJSON }}
      shouldPush: ${{ steps.ev.outputs.shouldPush }}
    steps:
      - uses: actions/checkout@v4
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ${{ inputs.image_name }}
  merge-server:
    runs-on: ubuntu-latest
    if: ${{ needs.get-tags.outputs.shouldPush == 'true' }}
    needs:
      - get-tags
      - build-server-amd64
      - build-server-arm64
    strategy:
      fail-fast: false
      matrix:
        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
    steps:
      - uses: actions/checkout@v4
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ${{ inputs.image_name }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: int128/docker-manifest-create-action@v2
        id: build
        with:
          tags: ${{ matrix.tag }}
          sources: |
            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
      - uses: actions/attest-build-provenance@v2
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.build.outputs.digest }}
          push-to-registry: true
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@ -25,10 +25,10 @@ jobs:
        uses: ./.github/actions/setup
      - uses: actions/setup-node@v4
        with:
-          node-version-file: website/package.json
+          node-version-file: lifecycle/aws/package.json
          cache: "npm"
-          cache-dependency-path: website/package-lock.json
+          cache-dependency-path: lifecycle/aws/package-lock.json
-      - working-directory: website/
+      - working-directory: lifecycle/aws/
        run: |
          npm ci
      - name: Check changes have been applied
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@ -0,0 +1,28 @@
 ---
 name: authentik-ci-main-daily
 on:
  workflow_dispatch:
  schedule:
    # Every night at 3am
    - cron: "0 3 * * *"
 jobs:
  test-container:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        version:
          - docs
          - version-2025-2
          - version-2024-12
    steps:
      - uses: actions/checkout@v4
      - run: |
          current="$(pwd)"
          dir="/tmp/authentik/${{ matrix.version }}"
          mkdir -p $dir
          cd $dir
          wget https://${{ matrix.version }}.goauthentik.io/docker-compose.yml
          ${current}/scripts/test_docker.sh
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -43,15 +43,26 @@ jobs:
        uses: ./.github/actions/setup
      - name: run migrations
        run: poetry run python -m lifecycle.migrate
-  test-migrations-from-stable:
+  test-make-seed:
    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
    runs-on: ubuntu-latest
    steps:
      - id: seed
        run: |
          echo "seed=$(printf "%d\n" "0x$(openssl rand -hex 4)")" >> "$GITHUB_OUTPUT"
    outputs:
      seed: ${{ steps.seed.outputs.seed }}
  test-migrations-from-stable:
    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: test-make-seed
    strategy:
      fail-fast: false
      matrix:
        psql:
          - 15-alpine
          - 16-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
        with:
@ -93,18 +104,23 @@ jobs:
        env:
          # Test in the main database that we just migrated from the previous stable version
          AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          poetry run make test
+          poetry run make ci-test
  test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }}
+    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
    runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 20
    needs: test-make-seed
    strategy:
      fail-fast: false
      matrix:
        psql:
          - 15-alpine
          - 16-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
      - name: Setup authentik env
@ -112,9 +128,12 @@ jobs:
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: run unittest
        env:
          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
          CI_RUN_ID: ${{ matrix.run_id }}
          CI_TOTAL_RUNS: "5"
        run: |
-          poetry run make test
+          poetry run make ci-test
          poetry run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@ -134,7 +153,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.11.0
+        uses: helm/kind-action@v1.12.0
      - name: run integration
        run: |
          poetry run coverage run manage.py test tests/integration
@ -223,68 +242,18 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  build:
    strategy:
      fail-fast: false
      matrix:
        arch:
          - amd64
          - arm64
    needs: ci-core-mark
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
-    timeout-minutes: 120
+    needs: ci-core-mark
-    steps:
+    uses: ./.github/workflows/_reusable-docker-build.yaml
-      - uses: actions/checkout@v4
+    secrets: inherit
-        with:
+    with:
-          ref: ${{ github.event.pull_request.head.sha }}
+      image_name: ghcr.io/goauthentik/dev-server
-      - name: Set up QEMU
+      release: false
        uses: docker/setup-qemu-action@v3.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/dev-server
          image-arch: ${{ matrix.arch }}
      - name: Login to Container Registry
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: generate ts client
        run: make gen-client-ts
      - name: Build Docker Image
        uses: docker/build-push-action@v6
        id: push
        with:
          context: .
          secrets: |
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          tags: ${{ steps.ev.outputs.imageTags }}
          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
          platforms: linux/${{ matrix.arch }}
      - uses: actions/attest-build-provenance@v2
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  pr-comment:
    needs:
      - build
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -72,7 +72,7 @@ jobs:
          - rac
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
@ -82,7 +82,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -7,64 +7,23 @@ on:
 jobs:
  build-server:
-    runs-on: ubuntu-latest
+    uses: ./.github/workflows/_reusable-docker-build.yaml
    secrets: inherit
    permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
-    steps:
+    with:
-      - uses: actions/checkout@v4
+      image_name: ghcr.io/goauthentik/server,beryju/authentik
-      - name: Set up QEMU
+      release: true
-        uses: docker/setup-qemu-action@v3.2.0
+      registry_dockerhub: true
-      - name: Set up Docker Buildx
+      registry_ghcr: true
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/server,beryju/authentik
      - name: Docker Login Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: make empty clients
        run: |
          mkdir -p ./gen-ts-api
          mkdir -p ./gen-go-api
      - name: Build Docker Image
        uses: docker/build-push-action@v6
        id: push
        with:
          context: .
          push: true
          secrets: |
            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
          build-args: |
            VERSION=${{ github.ref }}
          tags: ${{ steps.ev.outputs.imageTags }}
          platforms: linux/amd64,linux/arm64
      - uses: actions/attest-build-provenance@v2
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
@ -83,7 +42,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.6.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -188,8 +147,8 @@ jobs:
          aws-region: ${{ env.AWS_REGION }}
      - name: Upload template
        run: |
-          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
+          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
+          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
  test-release:
    needs:
      - build-server
@ -227,7 +186,7 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@v1
+        uses: getsentry/action-release@v3
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -14,16 +14,7 @@ jobs:
      - uses: actions/checkout@v4
      - name: Pre-release test
        run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
+          make test-docker
          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
          docker buildx install
          mkdir -p ./gen-ts-api
          docker build -t testing:latest .
          echo "AUTHENTIK_IMAGE=testing" >> .env
          echo "AUTHENTIK_TAG=latest" >> .env
          docker compose up --no-start
          docker compose start postgresql redis
          docker compose run -u root server test-all
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@ -1,8 +1,8 @@
-name: 'authentik-repo-stale'
+name: "authentik-repo-stale"
 on:
  schedule:
-    - cron: '30 1 * * *'
+    - cron: "30 1 * * *"
  workflow_dispatch:
 permissions:
@ -25,7 +25,7 @@ jobs:
          days-before-stale: 60
          days-before-close: 7
          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question,status/reviewing
-          stale-issue-label: wontfix
+          stale-issue-label: status/stale
          stale-issue-message: >
            This issue has been automatically marked as stale because it has not had
            recent activity. It will be closed if no further activity occurs. Thank you
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -1,9 +1,13 @@
 ---
-name: authentik-backend-translate-extract-compile
+name: authentik-translate-extract-compile
 on:
  schedule:
    - cron: "0 0 * * *" # every day at midnight
  workflow_dispatch:
  pull_request:
    branches:
      - main
      - version-*
 env:
  POSTGRES_DB: authentik
@ -15,15 +19,21 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
        if: ${{ github.event_name != 'pull_request' }}
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
        if: ${{ github.event_name != 'pull_request' }}
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - uses: actions/checkout@v4
        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Generate API
        run: make gen-client-ts
      - name: run extract
        run: |
          poetry run make i18n-extract
@ -32,6 +42,7 @@ jobs:
          poetry run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.gitignore
+++ b/.gitignore
@ -209,3 +209,6 @@ source_docs/
 ### Golang ###
 /vendor/
 ### Docker ###
 docker-compose.override.yml
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -2,6 +2,7 @@
    "recommendations": [
        "bashmish.es6-string-css",
        "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
        "charliermarsh.ruff",
        "dbaeumer.vscode-eslint",
        "EditorConfig.EditorConfig",
        "esbenp.prettier-vscode",
@ -10,12 +11,12 @@
        "Gruntfuggly.todo-tree",
        "mechatroner.rainbow-csv",
        "ms-python.black-formatter",
-        "charliermarsh.ruff",
+        "ms-python.black-formatter",
        "ms-python.debugpy",
        "ms-python.python",
        "ms-python.vscode-pylance",
        "ms-python.black-formatter",
        "redhat.vscode-yaml",
        "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx"
+        "unifiedjs.vscode-mdx",
    ]
 }
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@ -2,26 +2,76 @@
    "version": "0.2.0",
    "configurations": [
        {
-            "name": "Python: PDB attach Server",
+            "name": "Debug: Attach Server Core",
-            "type": "python",
+            "type": "debugpy",
            "request": "attach",
            "connect": {
                "host": "localhost",
-                "port": 6800
+                "port": 9901
            },
-            "justMyCode": true,
+            "pathMappings": [
                {
                    "localRoot": "${workspaceFolder}",
                    "remoteRoot": "."
                }
            ],
            "django": true
        },
        {
-            "name": "Python: PDB attach Worker",
+            "name": "Debug: Attach Worker",
-            "type": "python",
+            "type": "debugpy",
            "request": "attach",
            "connect": {
                "host": "localhost",
-                "port": 6900
+                "port": 9901
            },
-            "justMyCode": true,
+            "pathMappings": [
                {
                    "localRoot": "${workspaceFolder}",
                    "remoteRoot": "."
                }
            ],
            "django": true
        },
        {
            "name": "Debug: Start Server Router",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/cmd/server",
            "cwd": "${workspaceFolder}"
        },
        {
            "name": "Debug: Start LDAP Outpost",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/cmd/ldap",
            "cwd": "${workspaceFolder}"
        },
        {
            "name": "Debug: Start Proxy Outpost",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/cmd/proxy",
            "cwd": "${workspaceFolder}"
        },
        {
            "name": "Debug: Start RAC Outpost",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/cmd/rac",
            "cwd": "${workspaceFolder}"
        },
        {
            "name": "Debug: Start Radius Outpost",
            "type": "go",
            "request": "launch",
            "mode": "auto",
            "program": "${workspaceFolder}/cmd/radius",
            "cwd": "${workspaceFolder}"
        }
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,26 +1,4 @@
 {
    "cSpell.words": [
        "akadmin",
        "asgi",
        "authentik",
        "authn",
        "entra",
        "goauthentik",
        "jwe",
        "jwks",
        "kubernetes",
        "oidc",
        "openid",
        "passwordless",
        "plex",
        "saml",
        "scim",
        "slo",
        "sso",
        "totp",
        "traefik",
        "webauthn"
    ],
    "todo-tree.tree.showCountsInTree": true,
    "todo-tree.tree.showBadges": true,
    "yaml.customTags": [
@ -33,7 +11,8 @@
        "!If sequence",
        "!Index scalar",
        "!KeyOf scalar",
-        "!Value scalar"
+        "!Value scalar",
        "!AtIndex scalar"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
--- a/4
+++ b/4
@ -15,6 +15,7 @@ go.mod                          @goauthentik/backend
 go.sum                          @goauthentik/backend
 # Infrastructure
 .github/                        @goauthentik/infrastructure
 lifecycle/aws/                  @goauthentik/infrastructure
 Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure
@ -25,6 +26,9 @@ CODEOWNERS                      @goauthentik/infrastructure
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
 # Locale
 locale/                         @goauthentik/backend @goauthentik/frontend
 web/xliff/                      @goauthentik/backend @goauthentik/frontend
 # Docs & Website
 website/                        @goauthentik/docs
 CODE_OF_CONDUCT.md              @goauthentik/docs
--- a/34
+++ b/34
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps
 ARG TARGETARCH
 ARG TARGETVARIANT
@ -116,15 +116,30 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
    --mount=type=cache,target=/root/.cache/pip \
    --mount=type=cache,target=/root/.cache/pypoetry \
    pip install --no-cache cffi && \
    apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential libffi-dev \
        # Required for cryptography
        curl pkg-config \
        # Required for lxml
        libxslt-dev zlib1g-dev \
        # Required for xmlsec
        libltdl-dev \
        # Required for kadmin
        sccache clang && \
    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
    . "$HOME/.cargo/env" && \
    python -m venv /ak-root/venv/ && \
    bash -c "source ${VENV_PATH}/bin/activate && \
-    pip3 install --upgrade pip && \
+    pip3 install --upgrade pip poetry && \
-    pip3 install poetry && \
+    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
    poetry install --only=main --no-ansi --no-interaction --no-root && \
-    pip install --force-reinstall /wheels/*"
+    pip uninstall cryptography -y && \
    poetry install --only=main --no-ansi --no-interaction --no-root"
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image
 ARG VERSION
 ARG GIT_BUILD_HASH
@ -140,10 +155,12 @@ WORKDIR /
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
    apt-get upgrade -y && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
    pip3 install --no-cache-dir --upgrade pip && \
    apt-get clean && \
    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
@ -176,9 +193,8 @@ ENV TMPDIR=/dev/shm/ \
    PYTHONUNBUFFERED=1 \
    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
    VENV_PATH="/ak-root/venv" \
-    POETRY_VIRTUALENVS_CREATE=false
+    POETRY_VIRTUALENVS_CREATE=false \
-
+    GOFIPS=1
 ENV GOFIPS=1
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
--- a/83
+++ b/83
@ -4,31 +4,17 @@
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.npm_version)
+NPM_VERSION = $(shell poetry run python -m scripts.generate_semver)
-PY_SOURCES = authentik tests scripts lifecycle .github website/docs/install-config/install/aws
+PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
 GEN_API_TS = "gen-ts-api"
 GEN_API_PY = "gen-py-api"
 GEN_API_GO = "gen-go-api"
-pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_user := $(shell poetry run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_host := $(shell poetry run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
+pg_name := $(shell poetry run python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
 		-S 'website/docs/developer-docs/api/reference/**' \
 		authentik \
 		internal \
 		cmd \
 		web/src \
 		website/src \
 		website/blog \
 		website/docs \
 		website/integrations \
 		website/src
 all: lint-fix lint test gen web  ## Lint, build, and test everything
@ -45,41 +31,35 @@ help:  ## Show this help
 go-test:
 	go test -timeout 0 -v -race -cover ./...
 test-docker:  ## Run all tests in a docker-compose
 	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
 	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
 	docker compose pull -q
 	docker compose up --no-start
 	docker compose start postgresql redis
 	docker compose run -u root server test-all
 	rm -f .env
 test: ## Run the server tests and produce a coverage report (locally)
-	coverage run manage.py test --keepdb authentik
+	poetry run coverage run manage.py test --keepdb authentik
-	coverage html
+	poetry run coverage html
-	coverage report
+	poetry run coverage report
 lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	black $(PY_SOURCES)
+	poetry run black $(PY_SOURCES)
-	ruff check --fix $(PY_SOURCES)
+	poetry run ruff check --fix $(PY_SOURCES)
 lint-codespell:  ## Reports spelling errors.
-	codespell -w $(CODESPELL_ARGS)
+	poetry run codespell -w
 lint: ## Lint the python and golang sources
-	bandit -r $(PY_SOURCES) -x web/node_modules -x tests/wdio/node_modules -x website/node_modules
+	poetry run bandit -c pyproject.toml -r $(PY_SOURCES)
 	golangci-lint run -v
 core-install:
 	poetry install
 migrate: ## Run the Authentik Django server's migrations
-	python -m lifecycle.migrate
+	poetry run python -m lifecycle.migrate
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 aws-cfn:
 	cd lifecycle/aws && npm run aws-cfn
 core-i18n-extract:
-	ak makemessages \
+	poetry run ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@ -110,11 +90,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		ak make_blueprint_schema > blueprints/schema.json
+		poetry run ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		ak spectacular --file schema.yml
+		poetry run ak spectacular --file schema.yml
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@ -149,7 +129,7 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
@ -193,7 +173,7 @@ gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
 	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 gen-dev-config:  ## Generate a local development config file
-	python -m scripts.generate_config
+	poetry run scripts/generate_config.py
 gen: gen-build gen-client-ts
@ -252,9 +232,6 @@ website-build:
 website-watch:  ## Build and watch the documentation website, updating automatically
 	cd website && npm run watch
 aws-cfn:
 	cd website && npm run aws-cfn
 #########################
 ## Docker
 #########################
@ -263,6 +240,9 @@ docker:  ## Build a docker image of the current source tree
 	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 test-docker:
 	BUILD=true ./scripts/test_docker.sh
 #########################
 ## CI
 #########################
@ -274,16 +254,21 @@ ci--meta-debug:
 	node --version
 ci-black: ci--meta-debug
-	black --check $(PY_SOURCES)
+	poetry run black --check $(PY_SOURCES)
 ci-ruff: ci--meta-debug
-	ruff check $(PY_SOURCES)
+	poetry run ruff check $(PY_SOURCES)
 ci-codespell: ci--meta-debug
-	codespell $(CODESPELL_ARGS) -s
+	poetry run codespell -s
 ci-bandit: ci--meta-debug
-	bandit -r $(PY_SOURCES)
+	poetry run bandit -r $(PY_SOURCES)
 ci-pending-migrations: ci--meta-debug
-	ak makemigrations --check
+	poetry run ak makemigrations --check
 ci-test: ci--meta-debug
 	poetry run coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
 	poetry run coverage report
 	poetry run coverage xml
--- a/SECURITY.md
+++ b/SECURITY.md
@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 ## Independent audits and pentests
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
 ## What authentik classifies as a CVE
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 | Version   | Supported |
 | --------- | --------- |
-| 2024.8.x  | ✅        |
+| 2024.12.x | ✅        |
-| 2024.10.x | ✅        |
+| 2025.2.x  | ✅        |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2024.10.5"
+__version__ = "2025.2.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
@ -16,5 +16,5 @@ def get_full_version() -> str:
    """Get full version, with build hash appended"""
    version = __version__
    if (build_hash := get_build_hash()) != "":
-        version += "." + build_hash
+        return f"{version}+{build_hash}"
    return version
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -7,7 +7,9 @@ from sys import version as python_version
 from typing import TypedDict
 from cryptography.hazmat.backends.openssl.backend import backend
 from django.conf import settings
 from django.utils.timezone import now
 from django.views.debug import SafeExceptionReporterFilter
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
@ -52,10 +54,16 @@ class SystemInfoSerializer(PassiveSerializer):
    def get_http_headers(self, request: Request) -> dict[str, str]:
        """Get HTTP Request headers"""
        headers = {}
        raw_session = request._request.COOKIES.get(settings.SESSION_COOKIE_NAME)
        for key, value in request.META.items():
            if not isinstance(value, str):
                continue
-            headers[key] = value
+            actual_value = value
            if raw_session in actual_value:
                actual_value = actual_value.replace(
                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
                )
            headers[key] = actual_value
        return headers
    def get_http_host(self, request: Request) -> str:
--- a/authentik/admin/api/workers.py
+++ b/authentik/admin/api/workers.py
@ -1,12 +1,16 @@
 """authentik administration overview"""
 from socket import gethostname
 from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
-from rest_framework.fields import IntegerField
+from packaging.version import parse
 from rest_framework.fields import BooleanField, CharField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik import get_full_version
 from authentik.rbac.permissions import HasPermission
 from authentik.root.celery import CELERY_APP
@ -16,11 +20,38 @@ class WorkerView(APIView):
    permission_classes = [HasPermission("authentik_rbac.view_system_info")]
-    @extend_schema(responses=inline_serializer("Workers", fields={"count": IntegerField()}))
+    @extend_schema(
        responses=inline_serializer(
            "Worker",
            fields={
                "worker_id": CharField(),
                "version": CharField(),
                "version_matching": BooleanField(),
            },
            many=True,
        )
    )
    def get(self, request: Request) -> Response:
        """Get currently connected worker count."""
-        count = len(CELERY_APP.control.ping(timeout=0.5))
+        raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
        our_version = parse(get_full_version())
        response = []
        for worker in raw:
            key = list(worker.keys())[0]
            version = worker[key].get("version")
            version_matching = False
            if version:
                version_matching = parse(version) == our_version
            response.append(
                {"worker_id": key, "version": version, "version_matching": version_matching}
            )
        # In debug we run with `task_always_eager`, so tasks are ran on the main process
        if settings.DEBUG:  # pragma: no cover
-            count += 1
+            response.append(
-        return Response({"count": count})
+                {
                    "worker_id": f"authentik-debug@{gethostname()}",
                    "version": get_full_version(),
                    "version_matching": True,
                }
            )
        return Response(response)
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@ -1,11 +1,10 @@
 """authentik admin app config"""
-from prometheus_client import Gauge, Info
+from prometheus_client import Info
 from authentik.blueprints.apps import ManagedAppConfig
 PROM_INFO = Info("authentik_version", "Currently running authentik version")
 GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 class AuthentikAdminConfig(ManagedAppConfig):
--- a/authentik/admin/signals.py
+++ b/authentik/admin/signals.py
@ -1,14 +1,35 @@
 """admin signals"""
 from django.dispatch import receiver
 from packaging.version import parse
 from prometheus_client import Gauge
-from authentik.admin.apps import GAUGE_WORKERS
+from authentik import get_full_version
 from authentik.root.celery import CELERY_APP
 from authentik.root.monitoring import monitoring_set
 GAUGE_WORKERS = Gauge(
    "authentik_admin_workers",
    "Currently connected workers, their versions and if they are the same version as authentik",
    ["version", "version_matched"],
 )
 _version = parse(get_full_version())
@receiver(monitoring_set)
 def monitoring_set_workers(sender, **kwargs):
    """Set worker gauge"""
-    count = len(CELERY_APP.control.ping(timeout=0.5))
+    raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
-    GAUGE_WORKERS.set(count)
+    worker_version_count = {}
    for worker in raw:
        key = list(worker.keys())[0]
        version = worker[key].get("version")
        version_matching = False
        if version:
            version_matching = parse(version) == _version
        worker_version_count.setdefault(version, {"count": 0, "matching": version_matching})
        worker_version_count[version]["count"] += 1
    for version, stats in worker_version_count.items():
        GAUGE_WORKERS.labels(version, stats["matching"]).set(stats["count"])
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -34,7 +34,7 @@ class TestAdminAPI(TestCase):
        response = self.client.get(reverse("authentik_api:admin_workers"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
-        self.assertEqual(body["count"], 0)
+        self.assertEqual(len(body), 0)
    def test_metrics(self):
        """Test metrics API"""
--- a/authentik/api/authorization.py
+++ b/authentik/api/authorization.py
@ -1,67 +0,0 @@
 """API Authorization"""
 from django.conf import settings
 from django.db.models import Model
 from django.db.models.query import QuerySet
 from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework.authentication import get_authorization_header
 from rest_framework.filters import BaseFilterBackend
 from rest_framework.permissions import BasePermission
 from rest_framework.request import Request
 from authentik.api.authentication import validate_auth
 from authentik.rbac.filters import ObjectFilter
 class OwnerFilter(BaseFilterBackend):
    """Filter objects by their owner"""
    owner_key = "user"
    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
        if request.user.is_superuser:
            return queryset
        return queryset.filter(**{self.owner_key: request.user})
 class SecretKeyFilter(DjangoFilterBackend):
    """Allow access to all objects when authenticated with secret key as token.
    Replaces both DjangoFilterBackend and ObjectFilter"""
    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
        auth_header = get_authorization_header(request)
        token = validate_auth(auth_header)
        if token and token == settings.SECRET_KEY:
            return queryset
        queryset = ObjectFilter().filter_queryset(request, queryset, view)
        return super().filter_queryset(request, queryset, view)
 class OwnerPermissions(BasePermission):
    """Authorize requests by an object's owner matching the requesting user"""
    owner_key = "user"
    def has_permission(self, request: Request, view) -> bool:
        """If the user is authenticated, we allow all requests here. For listing, the
        object-level permissions are done by the filter backend"""
        return request.user.is_authenticated
    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
        """Check if the object's owner matches the currently logged in user"""
        if not hasattr(obj, self.owner_key):
            return False
        owner = getattr(obj, self.owner_key)
        if owner != request.user:
            return False
        return True
 class OwnerSuperuserPermissions(OwnerPermissions):
    """Similar to OwnerPermissions, except always allow access for superusers"""
    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
        if request.user.is_superuser:
            return True
        return super().has_object_permission(request, view, obj)
--- a/authentik/blueprints/management/commands/blueprint_shell.py
+++ b/authentik/blueprints/management/commands/blueprint_shell.py
@ -0,0 +1,68 @@
 """Test and debug Blueprints"""
 import atexit
 import readline
 from pathlib import Path
 from pprint import pformat
 from sys import exit as sysexit
 from textwrap import indent
 from django.core.management.base import BaseCommand, no_translations
 from structlog.stdlib import get_logger
 from yaml import load
 from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
 from authentik.core.management.commands.shell import get_banner_text
 from authentik.lib.utils.errors import exception_to_string
 LOGGER = get_logger()
 class Command(BaseCommand):
    """Test and debug Blueprints"""
    lines = []
    def __init__(self, *args, **kwargs) -> None:
        super().__init__(*args, **kwargs)
        histfolder = Path("~").expanduser() / Path(".local/share/authentik")
        histfolder.mkdir(parents=True, exist_ok=True)
        histfile = histfolder / Path("blueprint_shell_history")
        readline.parse_and_bind("tab: complete")
        readline.parse_and_bind("set editing-mode vi")
        try:
            readline.read_history_file(str(histfile))
        except FileNotFoundError:
            pass
        atexit.register(readline.write_history_file, str(histfile))
    @no_translations
    def handle(self, *args, **options):
        """Interactively debug blueprint files"""
        self.stdout.write(get_banner_text("Blueprint shell"))
        self.stdout.write("Type '.eval' to evaluate previously entered statement(s).")
        def do_eval():
            yaml_input = "\n".join([line for line in self.lines if line])
            data = load(yaml_input, BlueprintLoader)
            self.stdout.write(pformat(data))
            self.lines = []
        while True:
            try:
                line = input("> ")
                if line == ".eval":
                    do_eval()
                else:
                    self.lines.append(line)
            except EntryInvalidError as exc:
                self.stdout.write("Failed to evaluate expression:")
                self.stdout.write(indent(exception_to_string(exc), prefix="  "))
            except EOFError:
                break
            except KeyboardInterrupt:
                self.stdout.write()
                sysexit(0)
        self.stdout.write()
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -126,7 +126,7 @@ class Command(BaseCommand):
        def_name_perm = f"model_{model_path}_permissions"
        def_path_perm = f"#/$defs/{def_name_perm}"
        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
-        return {
+        template = {
            "type": "object",
            "required": ["model", "identifiers"],
            "properties": {
@ -143,6 +143,11 @@ class Command(BaseCommand):
                "identifiers": {"$ref": def_path},
            },
        }
        # Meta models don't require identifiers, as there's no matching database model to find
        if issubclass(model, BaseMetaModel):
            del template["properties"]["identifiers"]
            template["required"].remove("identifiers")
        return template
    def field_to_jsonschema(self, field: Field) -> dict:
        """Convert a single field to json schema"""
--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@ -146,6 +146,10 @@ entries:
                  ]
              ]
              nested_context: !Context context2
              at_index_sequence: !AtIndex [!Context sequence, 0]
              at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
              at_index_mapping: !AtIndex [!Context mapping, "key2"]
              at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
      identifiers:
          name: test
      conditions:
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -215,6 +215,10 @@ class TestBlueprintsV1(TransactionTestCase):
                    },
                    "nested_context": "context-nested-value",
                    "env_null": None,
                    "at_index_sequence": "foo",
                    "at_index_sequence_default": "non existent",
                    "at_index_mapping": 2,
                    "at_index_mapping_default": "non existent",
                }
            ).exists()
        )
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -24,6 +24,10 @@ from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel
 class UNSET:
    """Used to test whether a key has not been set."""
 def get_attrs(obj: SerializerModel) -> dict[str, Any]:
    """Get object's attributes via their serializer, and convert it to a normal dict"""
    serializer: Serializer = obj.serializer(obj)
@ -198,6 +202,9 @@ class Blueprint:
 class YAMLTag:
    """Base class for all YAML Tags"""
    def __repr__(self) -> str:
        return str(self.resolve(BlueprintEntry(""), Blueprint()))
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        """Implement yaml tag logic"""
        raise NotImplementedError
@ -556,6 +563,53 @@ class Value(EnumeratedItem):
            raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry) from exc
 class AtIndex(YAMLTag):
    """Get value at index of a sequence or mapping"""
    obj: YAMLTag | dict | list | tuple
    attribute: int | str | YAMLTag
    default: Any | UNSET
    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
        super().__init__()
        self.obj = loader.construct_object(node.value[0])
        self.attribute = loader.construct_object(node.value[1])
        if len(node.value) == 2:  # noqa: PLR2004
            self.default = UNSET
        else:
            self.default = loader.construct_object(node.value[2])
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        if isinstance(self.obj, YAMLTag):
            obj = self.obj.resolve(entry, blueprint)
        else:
            obj = self.obj
        if isinstance(self.attribute, YAMLTag):
            attribute = self.attribute.resolve(entry, blueprint)
        else:
            attribute = self.attribute
        if isinstance(obj, list | tuple):
            try:
                return obj[attribute]
            except TypeError as exc:
                raise EntryInvalidError.from_entry(
                    f"Invalid index for list: {attribute}", entry
                ) from exc
            except IndexError as exc:
                if self.default is UNSET:
                    raise EntryInvalidError.from_entry(
                        f"Index out of range: {attribute}", entry
                    ) from exc
                return self.default
        if attribute in obj:
            return obj[attribute]
        else:
            if self.default is UNSET:
                raise EntryInvalidError.from_entry(f"Key does not exist: {attribute}", entry)
            return self.default
 class BlueprintDumper(SafeDumper):
    """Dump dataclasses to yaml"""
@ -606,6 +660,7 @@ class BlueprintLoader(SafeLoader):
        self.add_constructor("!Enumerate", Enumerate)
        self.add_constructor("!Value", Value)
        self.add_constructor("!Index", Index)
        self.add_constructor("!AtIndex", AtIndex)
 class EntryInvalidError(SentryIgnoredException):
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -50,7 +50,7 @@ from authentik.enterprise.providers.microsoft_entra.models import (
    MicrosoftEntraProviderGroup,
    MicrosoftEntraProviderUser,
 )
-from authentik.enterprise.providers.rac.models import ConnectionToken
+from authentik.enterprise.providers.ssf.models import StreamEvent
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    EndpointDevice,
    EndpointDeviceConnection,
@ -71,6 +71,7 @@ from authentik.providers.oauth2.models import (
    DeviceToken,
    RefreshToken,
 )
 from authentik.providers.rac.models import ConnectionToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
@ -131,6 +132,7 @@ def excluded_models() -> list[type[Model]]:
        EndpointDevice,
        EndpointDeviceConnection,
        DeviceToken,
        StreamEvent,
    )
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@ -14,10 +14,10 @@ from rest_framework.response import Response
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.rbac.filters import SecretKeyFilter
 from authentik.tenants.utils import get_current_tenant
--- a/authentik/core/api/application_entitlements.py
+++ b/authentik/core/api/application_entitlements.py
@ -0,0 +1,58 @@
 """Application Roles API Viewset"""
 from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from rest_framework.exceptions import ValidationError
 from rest_framework.viewsets import ModelViewSet
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import (
    Application,
    ApplicationEntitlement,
 )
 class ApplicationEntitlementSerializer(ModelSerializer):
    """ApplicationEntitlement Serializer"""
    def validate_app(self, app: Application) -> Application:
        """Ensure user has permission to view"""
        request: HttpRequest = self.context.get("request")
        if not request and SERIALIZER_CONTEXT_BLUEPRINT in self.context:
            return app
        user = request.user
        if user.has_perm("view_application", app) or user.has_perm(
            "authentik_core.view_application"
        ):
            return app
        raise ValidationError(_("User does not have access to application."), code="invalid")
    class Meta:
        model = ApplicationEntitlement
        fields = [
            "pbm_uuid",
            "name",
            "app",
            "attributes",
        ]
 class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
    """ApplicationEntitlement Viewset"""
    queryset = ApplicationEntitlement.objects.all()
    serializer_class = ApplicationEntitlementSerializer
    search_fields = [
        "pbm_uuid",
        "name",
        "app",
        "attributes",
    ]
    filterset_fields = [
        "pbm_uuid",
        "name",
        "app",
    ]
    ordering = ["name"]
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -2,16 +2,12 @@
 from typing import TypedDict
 from django_filters.rest_framework import DjangoFilterBackend
 from guardian.utils import get_anonymous_user
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
@ -110,11 +106,4 @@ class AuthenticatedSessionViewSet(
    search_fields = ["user__username", "last_ip", "last_user_agent"]
    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
    ordering = ["user__username"]
-    permission_classes = [OwnerSuperuserPermissions]
+    owner_field = "user"
    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
    def get_queryset(self):
        user = self.request.user if self.request else get_anonymous_user()
        if user.is_superuser:
            return super().get_queryset()
        return super().get_queryset().filter(user=user.pk)
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -3,6 +3,7 @@
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import (
    BooleanField,
    CharField,
@ -16,7 +17,6 @@ from rest_framework.viewsets import ViewSet
 from authentik.core.api.utils import MetaNameSerializer
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
 from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
@ -73,7 +73,9 @@ class AdminDeviceViewSet(ViewSet):
    def get_devices(self, **kwargs):
        """Get all devices in all child classes"""
        for model in device_classes():
-            device_set = model.objects.filter(**kwargs)
+            device_set = get_objects_for_user(
                self.request.user, f"{model._meta.app_label}.view_{model._meta.model_name}", model
            ).filter(**kwargs)
            yield from device_set
    @extend_schema(
@ -86,10 +88,6 @@ class AdminDeviceViewSet(ViewSet):
        ],
        responses={200: DeviceSerializer(many=True)},
    )
    @permission_required(
        None,
        [f"{model._meta.app_label}.view_{model._meta.model_name}" for model in device_classes()],
    )
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
        kwargs = {}
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -4,6 +4,7 @@ from json import loads
 from django.db.models import Prefetch
 from django.http import Http404
 from django.utils.translation import gettext as _
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.utils import (
@ -81,9 +82,37 @@ class GroupSerializer(ModelSerializer):
        if not self.instance or not parent:
            return parent
        if str(parent.group_uuid) == str(self.instance.group_uuid):
-            raise ValidationError("Cannot set group as parent of itself.")
+            raise ValidationError(_("Cannot set group as parent of itself."))
        return parent
    def validate_is_superuser(self, superuser: bool):
        """Ensure that the user creating this group has permissions to set the superuser flag"""
        request: Request = self.context.get("request", None)
        if not request:
            return superuser
        # If we're updating an instance, and the state hasn't changed, we don't need to check perms
        if self.instance and superuser == self.instance.is_superuser:
            return superuser
        user: User = request.user
        perm = (
            "authentik_core.enable_group_superuser"
            if superuser
            else "authentik_core.disable_group_superuser"
        )
        has_perm = user.has_perm(perm)
        if self.instance and not has_perm:
            has_perm = user.has_perm(perm, self.instance)
        if not has_perm:
            raise ValidationError(
                _(
                    (
                        "User does not have permission to set "
                        "superuser status to {superuser_status}."
                    ).format_map({"superuser_status": superuser})
                )
            )
        return superuser
    class Meta:
        model = Group
        fields = [
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -2,19 +2,16 @@
 from collections.abc import Iterable
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
@ -88,7 +85,7 @@ class SourceViewSet(
    serializer_class = SourceSerializer
    lookup_field = "slug"
    search_fields = ["slug", "name"]
-    filterset_fields = ["slug", "name", "managed"]
+    filterset_fields = ["slug", "name", "managed", "pbm_uuid"]
    def get_queryset(self):  # pragma: no cover
        return Source.objects.select_subclasses()
@ -159,9 +156,9 @@ class SourceViewSet(
 class UserSourceConnectionSerializer(SourceSerializer):
-    """OAuth Source Serializer"""
+    """User source connection"""
-    source = SourceSerializer(read_only=True)
+    source_obj = SourceSerializer(read_only=True, source="source")
    class Meta:
        model = UserSourceConnection
@ -169,10 +166,10 @@ class UserSourceConnectionSerializer(SourceSerializer):
            "pk",
            "user",
            "source",
            "source_obj",
            "created",
        ]
        extra_kwargs = {
            "user": {"read_only": True},
            "created": {"read_only": True},
        }
@ -189,17 +186,16 @@ class UserSourceConnectionViewSet(
    queryset = UserSourceConnection.objects.all()
    serializer_class = UserSourceConnectionSerializer
    permission_classes = [OwnerSuperuserPermissions]
    filterset_fields = ["user", "source__slug"]
    search_fields = ["source__slug"]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    ordering = ["source__slug", "pk"]
    owner_field = "user"
 class GroupSourceConnectionSerializer(SourceSerializer):
-    """Group Source Connection Serializer"""
+    """Group Source Connection"""
-    source = SourceSerializer(read_only=True)
+    source_obj = SourceSerializer(read_only=True)
    class Meta:
        model = GroupSourceConnection
@ -207,12 +203,11 @@ class GroupSourceConnectionSerializer(SourceSerializer):
            "pk",
            "group",
            "source",
            "source_obj",
            "identifier",
            "created",
        ]
        extra_kwargs = {
            "group": {"read_only": True},
            "identifier": {"read_only": True},
            "created": {"read_only": True},
        }
@ -229,8 +224,7 @@ class GroupSourceConnectionViewSet(
    queryset = GroupSourceConnection.objects.all()
    serializer_class = GroupSourceConnectionSerializer
    permission_classes = [OwnerSuperuserPermissions]
    filterset_fields = ["group", "source__slug"]
    search_fields = ["source__slug"]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    ordering = ["source__slug", "pk"]
    owner_field = "user"
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -3,18 +3,15 @@
 from typing import Any
 from django.utils.timezone import now
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
 from guardian.shortcuts import assign_perm, get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
@ -138,8 +135,8 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
        "managed",
    ]
    ordering = ["identifier", "expires"]
-    permission_classes = [OwnerSuperuserPermissions]
+    owner_field = "user"
-    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
+    rbac_allow_create_without_perm = True
    def get_queryset(self):
        user = self.request.user if self.request else get_anonymous_user()
--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@ -22,7 +22,7 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.importer import Importer
 from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
-from authentik.core.models import Provider
+from authentik.core.models import Application, Provider
 from authentik.lib.utils.reflection import all_subclasses
 from authentik.policies.api.bindings import PolicyBindingSerializer
@ -51,6 +51,13 @@ class TransactionProviderField(DictField):
 class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
    """PolicyBindingSerializer which does not require target as target is set implicitly"""
    def validate(self, attrs):
        # As the PolicyBindingSerializer checks that the correct things can be bound to a target
        # but we don't have a target here as that's set by the blueprint, pass in an empty app
        # which will have the correct allowed combination of group/user/policy.
        attrs["target"] = Application()
        return super().validate(attrs)
    class Meta(PolicyBindingSerializer.Meta):
        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -236,9 +236,11 @@ class UserSerializer(ModelSerializer):
            "path",
            "type",
            "uuid",
            "password_change_date",
        ]
        extra_kwargs = {
            "name": {"allow_blank": True},
            "password_change_date": {"read_only": True},
        }
@ -427,7 +429,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    queryset = User.objects.none()
    ordering = ["username"]
    serializer_class = UserSerializer
-    search_fields = ["username", "name", "is_active", "email", "uuid"]
+    search_fields = ["username", "name", "is_active", "email", "uuid", "attributes"]
    filterset_class = UsersFilter
    def get_queryset(self):
@ -585,7 +587,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        """Set password for user"""
        user: User = self.get_object()
        try:
-            user.set_password(request.data.get("password"))
+            user.set_password(request.data.get("password"), request=request)
            user.save()
        except (ValidationError, IntegrityError) as exc:
            LOGGER.debug("Failed to set password", exc=exc)
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -44,13 +44,12 @@ class TokenBackend(InbuiltBackend):
        self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
    ) -> User | None:
        try:
            user = User._default_manager.get_by_natural_key(username)
        except User.DoesNotExist:
            # Run the default password hasher once to reduce the timing
            # difference between an existing and a nonexistent user (#20760).
-            User().set_password(password)
+            User().set_password(password, request=request)
            return None
        tokens = Token.filter_not_expired(
--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -58,6 +58,7 @@ class PropertyMappingEvaluator(BaseEvaluator):
            self._context["user"] = user
        if request:
            req.http_request = request
            self._context["http_request"] = request
        req.context.update(**kwargs)
        self._context["request"] = req
        self._context.update(**kwargs)
--- a/authentik/core/management/commands/dev_server.py
+++ b/authentik/core/management/commands/dev_server.py
@ -5,6 +5,7 @@ from typing import TextIO
 from daphne.management.commands.runserver import Command as RunServer
 from daphne.server import Server
 from authentik.lib.debug import start_debug_server
 from authentik.root.signals import post_startup, pre_startup, startup
@ -13,6 +14,7 @@ class SignalServer(Server):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        start_debug_server()
        def ready_callable():
            pre_startup.send(sender=self)
--- a/authentik/core/management/commands/shell.py
+++ b/authentik/core/management/commands/shell.py
@ -17,7 +17,9 @@ from authentik.events.middleware import should_log_model
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict
-BANNER_TEXT = f"""### authentik shell ({get_full_version()})
+
 def get_banner_text(shell_type="shell") -> str:
    return f"""### authentik {shell_type} ({get_full_version()})
 ### Node {platform.node()} | Arch {platform.machine()} | Python {platform.python_version()} """
@ -114,4 +116,4 @@ class Command(BaseCommand):
            readline.parse_and_bind("tab: complete")
        # Run interactive shell
-        code.interact(banner=BANNER_TEXT, local=namespace)
+        code.interact(banner=get_banner_text(), local=namespace)
--- a/authentik/core/management/commands/worker.py
+++ b/authentik/core/management/commands/worker.py
@ -9,6 +9,7 @@ from django.db import close_old_connections
 from structlog.stdlib import get_logger
 from authentik.lib.config import CONFIG
 from authentik.lib.debug import start_debug_server
 from authentik.root.celery import CELERY_APP
 LOGGER = get_logger()
@ -28,10 +29,7 @@ class Command(BaseCommand):
    def handle(self, **options):
        LOGGER.debug("Celery options", **options)
        close_old_connections()
-        if CONFIG.get_bool("remote_debug"):
+        start_debug_server()
            import debugpy
            debugpy.listen(("0.0.0.0", 6900))  # nosec
        worker: Worker = CELERY_APP.Worker(
            no_color=False,
            quiet=True,
--- a/authentik/core/migrations/0041_applicationentitlement.py
+++ b/authentik/core/migrations/0041_applicationentitlement.py
@ -0,0 +1,45 @@
 # Generated by Django 5.0.9 on 2024-11-20 15:16
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0040_provider_invalidation_flow"),
        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
    ]
    operations = [
        migrations.CreateModel(
            name="ApplicationEntitlement",
            fields=[
                (
                    "policybindingmodel_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_policies.policybindingmodel",
                    ),
                ),
                ("attributes", models.JSONField(blank=True, default=dict)),
                ("name", models.TextField()),
                (
                    "app",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.application"
                    ),
                ),
            ],
            options={
                "verbose_name": "Application Entitlement",
                "verbose_name_plural": "Application Entitlements",
                "unique_together": {("app", "name")},
            },
            bases=("authentik_policies.policybindingmodel", models.Model),
        ),
    ]
--- a/authentik/core/migrations/0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more.py
+++ b/authentik/core/migrations/0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more.py
@ -0,0 +1,45 @@
 # Generated by Django 5.0.10 on 2025-01-13 18:05
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0041_applicationentitlement"),
    ]
    operations = [
        migrations.AddIndex(
            model_name="authenticatedsession",
            index=models.Index(fields=["expires"], name="authentik_c_expires_08251d_idx"),
        ),
        migrations.AddIndex(
            model_name="authenticatedsession",
            index=models.Index(fields=["expiring"], name="authentik_c_expirin_9cd839_idx"),
        ),
        migrations.AddIndex(
            model_name="authenticatedsession",
            index=models.Index(
                fields=["expiring", "expires"], name="authentik_c_expirin_195a84_idx"
            ),
        ),
        migrations.AddIndex(
            model_name="authenticatedsession",
            index=models.Index(fields=["session_key"], name="authentik_c_session_d0f005_idx"),
        ),
        migrations.AddIndex(
            model_name="token",
            index=models.Index(fields=["expires"], name="authentik_c_expires_a62b4b_idx"),
        ),
        migrations.AddIndex(
            model_name="token",
            index=models.Index(fields=["expiring"], name="authentik_c_expirin_a1b838_idx"),
        ),
        migrations.AddIndex(
            model_name="token",
            index=models.Index(
                fields=["expiring", "expires"], name="authentik_c_expirin_ba04d9_idx"
            ),
        ),
    ]
--- a/authentik/core/migrations/0043_alter_group_options.py
+++ b/authentik/core/migrations/0043_alter_group_options.py
@ -0,0 +1,26 @@
 # Generated by Django 5.0.11 on 2025-01-30 23:55
 from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
    ]
    operations = [
        migrations.AlterModelOptions(
            name="group",
            options={
                "permissions": [
                    ("add_user_to_group", "Add user to group"),
                    ("remove_user_from_group", "Remove user from group"),
                    ("enable_group_superuser", "Enable superuser status"),
                    ("disable_group_superuser", "Disable superuser status"),
                ],
                "verbose_name": "Group",
                "verbose_name_plural": "Groups",
            },
        ),
    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -204,6 +204,8 @@ class Group(SerializerModel, AttributesMixin):
        permissions = [
            ("add_user_to_group", _("Add user to group")),
            ("remove_user_from_group", _("Remove user from group")),
            ("enable_group_superuser", _("Enable superuser status")),
            ("disable_group_superuser", _("Disable superuser status")),
        ]
    def __str__(self):
@ -314,6 +316,32 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        always_merger.merge(final_attributes, self.attributes)
        return final_attributes
    def app_entitlements(self, app: "Application | None") -> QuerySet["ApplicationEntitlement"]:
        """Get all entitlements this user has for `app`."""
        if not app:
            return []
        all_groups = self.all_groups()
        qs = app.applicationentitlement_set.filter(
            Q(
                Q(bindings__user=self) | Q(bindings__group__in=all_groups),
                bindings__negate=False,
            )
            | Q(
                Q(~Q(bindings__user=self), bindings__user__isnull=False)
                | Q(~Q(bindings__group__in=all_groups), bindings__group__isnull=False),
                bindings__negate=True,
            ),
            bindings__enabled=True,
        ).order_by("name")
        return qs
    def app_entitlements_attributes(self, app: "Application | None") -> dict:
        """Get a dictionary containing all merged attributes from app entitlements for `app`."""
        final_attributes = {}
        for attrs in self.app_entitlements(app).values_list("attributes", flat=True):
            always_merger.merge(final_attributes, attrs)
        return final_attributes
    @property
    def serializer(self) -> Serializer:
        from authentik.core.api.users import UserSerializer
@ -330,13 +358,13 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
        """superuser == staff user"""
        return self.is_superuser  # type: ignore
-    def set_password(self, raw_password, signal=True, sender=None):
+    def set_password(self, raw_password, signal=True, sender=None, request=None):
        if self.pk and signal:
            from authentik.core.signals import password_changed
            if not sender:
                sender = self
-            password_changed.send(sender=sender, user=self, password=raw_password)
+            password_changed.send(sender=sender, user=self, password=raw_password, request=request)
        self.password_change_date = now()
        return super().set_password(raw_password)
@ -573,6 +601,14 @@ class Application(SerializerModel, PolicyBindingModel):
            return None
        return candidates[-1]
    def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
        """Get Backchannel provider for a specific type"""
        providers = self.backchannel_providers.filter(
            **{f"{provider_type._meta.model_name}__isnull": False},
            **kwargs,
        )
        return getattr(providers.first(), provider_type._meta.model_name)
    def __str__(self):
        return str(self.name)
@ -581,6 +617,31 @@ class Application(SerializerModel, PolicyBindingModel):
        verbose_name_plural = _("Applications")
 class ApplicationEntitlement(AttributesMixin, SerializerModel, PolicyBindingModel):
    """Application-scoped entitlement to control authorization in an application"""
    name = models.TextField()
    app = models.ForeignKey(Application, on_delete=models.CASCADE)
    class Meta:
        verbose_name = _("Application Entitlement")
        verbose_name_plural = _("Application Entitlements")
        unique_together = (("app", "name"),)
    def __str__(self):
        return f"Application Entitlement {self.name} for app {self.app_id}"
    @property
    def serializer(self) -> type[Serializer]:
        from authentik.core.api.application_entitlements import ApplicationEntitlementSerializer
        return ApplicationEntitlementSerializer
    def supported_policy_binding_targets(self):
        return ["group", "user"]
 class SourceUserMatchingModes(models.TextChoices):
    """Different modes a source can handle new/returning users"""
@ -795,6 +856,11 @@ class ExpiringModel(models.Model):
    class Meta:
        abstract = True
        indexes = [
            models.Index(fields=["expires"]),
            models.Index(fields=["expiring"]),
            models.Index(fields=["expiring", "expires"]),
        ]
    def expire_action(self, *args, **kwargs):
        """Handler which is called when this object is expired. By
@ -850,7 +916,7 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
    class Meta:
        verbose_name = _("Token")
        verbose_name_plural = _("Tokens")
-        indexes = [
+        indexes = ExpiringModel.Meta.indexes + [
            models.Index(fields=["identifier"]),
            models.Index(fields=["key"]),
        ]
@ -950,6 +1016,9 @@ class AuthenticatedSession(ExpiringModel):
    class Meta:
        verbose_name = _("Authenticated Session")
        verbose_name_plural = _("Authenticated Sessions")
        indexes = ExpiringModel.Meta.indexes + [
            models.Index(fields=["session_key"]),
        ]
    def __str__(self) -> str:
        return f"Authenticated Session {self.session_key[:10]}"
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -35,8 +35,7 @@ from authentik.flows.planner import (
    FlowPlanner,
 )
 from authentik.flows.stage import StageView
-from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
+from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.utils import delete_none_values
@ -47,8 +46,9 @@ from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 LOGGER = get_logger()
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
 PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 SESSION_KEY_SOURCE_FLOW_STAGES = "authentik/flows/source_flow_stages"
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
 class MessageStage(StageView):
@ -219,34 +219,28 @@ class SourceFlowManager:
            }
        )
        flow_context.update(self.policy_context)
-        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
+        flow_context.setdefault(PLAN_CONTEXT_REDIRECT, final_redirect)
            token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
            self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
            plan = token.plan
            plan.context[PLAN_CONTEXT_IS_RESTORED] = token
            plan.context.update(flow_context)
            for stage in self.get_stages_to_append(flow):
                plan.append_stage(stage)
            if stages:
                for stage in stages:
                    plan.append_stage(stage)
            self.request.session[SESSION_KEY_PLAN] = plan
            flow_slug = token.flow.slug
            token.delete()
            return redirect_with_qs(
                "authentik_core:if-flow",
                self.request.GET,
                flow_slug=flow_slug,
            )
        # Ensure redirect is carried through when user was trying to
        # authorize application
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
            NEXT_ARG_NAME, "authentik_core:if-user"
        )
        if PLAN_CONTEXT_REDIRECT not in flow_context:
            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
        if not flow:
            # We only check for the flow token here if we don't have a flow, otherwise we rely on
            # SESSION_KEY_SOURCE_FLOW_STAGES to delegate the usage of this token and dynamically add
            # stages that deal with this token to return to another flow
            if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
                token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
                self._logger.info(
                    "Replacing source flow with overridden flow", flow=token.flow.slug
                )
                plan = token.plan
                plan.context[PLAN_CONTEXT_IS_RESTORED] = token
                plan.context.update(flow_context)
                for stage in self.get_stages_to_append(flow):
                    plan.append_stage(stage)
                if stages:
                    for stage in stages:
                        plan.append_stage(stage)
                redirect = plan.to_redirect(self.request, token.flow)
                token.delete()
                return redirect
            return bad_request_message(
                self.request,
                _("Configured flow does not exist."),
@ -265,6 +259,8 @@ class SourceFlowManager:
        if stages:
            for stage in stages:
                plan.append_stage(stage)
        for stage in self.request.session.get(SESSION_KEY_SOURCE_FLOW_STAGES, []):
            plan.append_stage(stage)
        return plan.to_redirect(self.request, flow)
    def handle_auth(
@ -301,6 +297,8 @@ class SourceFlowManager:
        # When request isn't authenticated we jump straight to auth
        if not self.request.user.is_authenticated:
            return self.handle_auth(connection)
        # When an override flow token exists we actually still use a flow for link
        # to continue the existing flow we came from
        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
            return self._prepare_flow(None, connection)
        connection.save()
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -67,6 +67,8 @@ def clean_expired_models(self: SystemTask):
                raise ImproperlyConfigured(
                    "Invalid session_storage setting, allowed values are db and cache"
                )
    if CONFIG.get("session_storage", "cache") == "db":
        DBSessionStore.clear_expired()
    LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
    messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -11,6 +11,7 @@
        build: "{{ build }}",
        api: {
            base: "{{ base_url }}",
            relBase: "{{ base_url_rel }}",
        },
    };
    window.addEventListener("DOMContentLoaded", function () {
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -8,6 +8,8 @@
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
        {# Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we default to a dark theme based on preferred colour-scheme #}
        <meta name="darkreader-lock">
        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
        <link rel="icon" href="{{ brand.branding_favicon_url }}">
        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
--- a/authentik/core/tests/test_application_entitlements.py
+++ b/authentik/core/tests/test_application_entitlements.py
@ -0,0 +1,153 @@
 """Test Application Entitlements API"""
 from django.urls import reverse
 from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 from authentik.core.models import Application, ApplicationEntitlement, Group
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
 class TestApplicationEntitlements(APITestCase):
    """Test application entitlements"""
    def setUp(self) -> None:
        self.user = create_test_user()
        self.other_user = create_test_user()
        self.provider = OAuth2Provider.objects.create(
            name="test",
            authorization_flow=create_test_flow(),
        )
        self.app: Application = Application.objects.create(
            name=generate_id(),
            slug=generate_id(),
            provider=self.provider,
        )
    def test_user(self):
        """Test user-direct assignment"""
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, user=self.user, order=0)
        ents = self.user.app_entitlements(self.app)
        self.assertEqual(len(ents), 1)
        self.assertEqual(ents[0].name, ent.name)
    def test_group(self):
        """Test direct group"""
        group = Group.objects.create(name=generate_id())
        self.user.ak_groups.add(group)
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, group=group, order=0)
        ents = self.user.app_entitlements(self.app)
        self.assertEqual(len(ents), 1)
        self.assertEqual(ents[0].name, ent.name)
    def test_group_indirect(self):
        """Test indirect group"""
        parent = Group.objects.create(name=generate_id())
        group = Group.objects.create(name=generate_id(), parent=parent)
        self.user.ak_groups.add(group)
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, group=parent, order=0)
        ents = self.user.app_entitlements(self.app)
        self.assertEqual(len(ents), 1)
        self.assertEqual(ents[0].name, ent.name)
    def test_negate_user(self):
        """Test with negate flag"""
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, user=self.other_user, order=0, negate=True)
        ents = self.user.app_entitlements(self.app)
        self.assertEqual(len(ents), 1)
        self.assertEqual(ents[0].name, ent.name)
    def test_negate_group(self):
        """Test with negate flag"""
        other_group = Group.objects.create(name=generate_id())
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        PolicyBinding.objects.create(target=ent, group=other_group, order=0, negate=True)
        ents = self.user.app_entitlements(self.app)
        self.assertEqual(len(ents), 1)
        self.assertEqual(ents[0].name, ent.name)
    def test_api_perms_global(self):
        """Test API creation with global permissions"""
        assign_perm("authentik_core.add_applicationentitlement", self.user)
        assign_perm("authentik_core.view_application", self.user)
        self.client.force_login(self.user)
        res = self.client.post(
            reverse("authentik_api:applicationentitlement-list"),
            data={
                "name": generate_id(),
                "app": self.app.pk,
            },
        )
        self.assertEqual(res.status_code, 201)
    def test_api_perms_scoped(self):
        """Test API creation with scoped permissions"""
        assign_perm("authentik_core.add_applicationentitlement", self.user)
        assign_perm("authentik_core.view_application", self.user, self.app)
        self.client.force_login(self.user)
        res = self.client.post(
            reverse("authentik_api:applicationentitlement-list"),
            data={
                "name": generate_id(),
                "app": self.app.pk,
            },
        )
        self.assertEqual(res.status_code, 201)
    def test_api_perms_missing(self):
        """Test API creation with no permissions"""
        assign_perm("authentik_core.add_applicationentitlement", self.user)
        self.client.force_login(self.user)
        res = self.client.post(
            reverse("authentik_api:applicationentitlement-list"),
            data={
                "name": generate_id(),
                "app": self.app.pk,
            },
        )
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(res.content, {"app": ["User does not have access to application."]})
    def test_api_bindings_policy(self):
        """Test that API doesn't allow policies to be bound to this"""
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        policy = DummyPolicy.objects.create(name=generate_id())
        admin = create_test_admin_user()
        self.client.force_login(admin)
        response = self.client.post(
            reverse("authentik_api:policybinding-list"),
            data={
                "target": ent.pbm_uuid,
                "policy": policy.pk,
                "order": 0,
            },
        )
        self.assertJSONEqual(
            response.content.decode(),
            {"non_field_errors": ["One of 'group', 'user' must be set."]},
        )
    def test_api_bindings_group(self):
        """Test that API doesn't allow policies to be bound to this"""
        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
        group = Group.objects.create(name=generate_id())
        admin = create_test_admin_user()
        self.client.force_login(admin)
        response = self.client.post(
            reverse("authentik_api:policybinding-list"),
            data={
                "target": ent.pbm_uuid,
                "group": group.pk,
                "order": 0,
            },
        )
        self.assertEqual(response.status_code, 201)
        self.assertTrue(PolicyBinding.objects.filter(target=ent.pbm_uuid).exists())
--- a/authentik/core/tests/test_groups_api.py
+++ b/authentik/core/tests/test_groups_api.py
@ -4,7 +4,7 @@ from django.urls.base import reverse
 from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
-from authentik.core.models import Group, User
+from authentik.core.models import Group
 from authentik.core.tests.utils import create_test_admin_user, create_test_user
 from authentik.lib.generators import generate_id
@ -14,7 +14,7 @@ class TestGroupsAPI(APITestCase):
    def setUp(self) -> None:
        self.login_user = create_test_user()
-        self.user = User.objects.create(username="test-user")
+        self.user = create_test_user()
    def test_list_with_users(self):
        """Test listing with users"""
@ -109,3 +109,57 @@ class TestGroupsAPI(APITestCase):
            },
        )
        self.assertEqual(res.status_code, 400)
    def test_superuser_no_perm(self):
        """Test creating a superuser group without permission"""
        assign_perm("authentik_core.add_group", self.login_user)
        self.client.force_login(self.login_user)
        res = self.client.post(
            reverse("authentik_api:group-list"),
            data={"name": generate_id(), "is_superuser": True},
        )
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(
            res.content,
            {"is_superuser": ["User does not have permission to set superuser status to True."]},
        )
    def test_superuser_update_no_perm(self):
        """Test updating a superuser group without permission"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
        assign_perm("view_group", self.login_user, group)
        assign_perm("change_group", self.login_user, group)
        self.client.force_login(self.login_user)
        res = self.client.patch(
            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
            data={"is_superuser": False},
        )
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(
            res.content,
            {"is_superuser": ["User does not have permission to set superuser status to False."]},
        )
    def test_superuser_update_no_change(self):
        """Test updating a superuser group without permission
        and without changing the superuser status"""
        group = Group.objects.create(name=generate_id(), is_superuser=True)
        assign_perm("view_group", self.login_user, group)
        assign_perm("change_group", self.login_user, group)
        self.client.force_login(self.login_user)
        res = self.client.patch(
            reverse("authentik_api:group-detail", kwargs={"pk": group.pk}),
            data={"name": generate_id(), "is_superuser": True},
        )
        self.assertEqual(res.status_code, 200)
    def test_superuser_create(self):
        """Test creating a superuser group with permission"""
        assign_perm("authentik_core.add_group", self.login_user)
        assign_perm("authentik_core.enable_group_superuser", self.login_user)
        self.client.force_login(self.login_user)
        res = self.client.post(
            reverse("authentik_api:group-list"),
            data={"name": generate_id(), "is_superuser": True},
        )
        self.assertEqual(res.status_code, 201)
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -6,6 +6,7 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from authentik.core.api.application_entitlements import ApplicationEntitlementViewSet
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
 from authentik.core.api.devices import AdminDeviceViewSet, DeviceViewSet
@ -69,6 +70,7 @@ urlpatterns = [
 api_urlpatterns = [
    ("core/authenticated_sessions", AuthenticatedSessionViewSet),
    ("core/applications", ApplicationViewSet),
    ("core/application_entitlements", ApplicationEntitlementViewSet),
    path(
        "core/transactional/applications/",
        TransactionalApplicationView.as_view(),
--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@ -55,7 +55,7 @@ class RedirectToAppLaunch(View):
            )
        except FlowNonApplicableException:
            raise Http404 from None
-        plan.insert_stage(in_memory_stage(RedirectToAppStage))
+        plan.append_stage(in_memory_stage(RedirectToAppStage))
        return plan.to_redirect(request, flow)
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -53,6 +53,7 @@ class InterfaceView(TemplateView):
        kwargs["build"] = get_build_hash()
        kwargs["url_kwargs"] = self.kwargs
        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
        kwargs["base_url_rel"] = CONFIG.get("web.path", "/")
        return super().get_context_data(**kwargs)
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -28,7 +28,6 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
@ -36,7 +35,7 @@ from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
-from authentik.rbac.filters import ObjectFilter
+from authentik.rbac.filters import ObjectFilter, SecretKeyFilter
 LOGGER = get_logger()
--- a/authentik/enterprise/audit/apps.py
+++ b/authentik/enterprise/audit/apps.py
@ -9,7 +9,7 @@ class AuthentikEnterpriseAuditConfig(EnterpriseConfig):
    """Enterprise app config"""
    name = "authentik.enterprise.audit"
-    label = "authentik_enterprise_audit"
+    label = "authentik_audit"
    verbose_name = "authentik Enterprise.Audit"
    default = True
--- a/authentik/enterprise/audit/middleware.py
+++ b/authentik/enterprise/audit/middleware.py
@ -97,6 +97,8 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
        thread_kwargs: dict | None = None,
        **_,
    ):
        if not self.enabled:
            return super().post_save_handler(request, sender, instance, created, thread_kwargs, **_)
        if not should_log_model(instance):
            return None
        thread_kwargs = {}
@ -122,6 +124,8 @@ class EnterpriseAuditMiddleware(AuditMiddleware):
    ):
        thread_kwargs = {}
        m2m_field = None
        if not self.enabled:
            return super().m2m_changed_handler(request, sender, instance, action, thread_kwargs)
        # For the audit log we don't care about `pre_` or `post_` so we trim that part off
        _, _, action_direction = action.partition("_")
        # resolve the "through" model to an actual field
--- a/authentik/enterprise/audit/models.py
+++ b/authentik/enterprise/audit/models.py
@ -0,0 +1,107 @@
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.contenttypes.fields import GenericForeignKey
 from authentik.lib.models import SerializerModel
 from django.db import models
 from uuid import uuid4
 from authentik.core.models import Group, User
 # # Names
 # Lifecycle
 # Access reviews
 # Access lifecycle
 # Governance
 # Audit
 # Compliance
 # Lifecycle
 # Lifecycle review
 # Review
 # Access review
 # Compliance review
 # X Scheduled review
 # Only some objects supported?
 #
 # For disabling support:
 # Application
 # Provider
 # Outpost (simply setting the list of providers to empty in the outpost itself)
 # Flow
 # Users
 # Groups <- will get tricky
 # Roles
 # Sources
 # Tokens (api, app_pass)
 # Brands
 # Outpost integrations
 #
 # w/o disabling support
 # System Settings
 # everything else
 #   would need to show in an audit dashboard cause not all have pages to get details
 # "default" policy for objects, by default, everlasting
 class AuditPolicyFailAction(models.TextChoices):
    # For preview
    NOTHING = "nothing"
    # Disable the thing failing, HOW
    DISABLE = "disable"
    # Emit events
    WARN = "warn"
 class LifecycleRule(SerializerModel):
    pass
 class ReviewRule(SerializerModel):
    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
    # Check every 6 months, allow for daily/weekly/first of month, etc.
    interval = models.TextField()  # timedelta
    # Preventive notification
    reminder_interval = models.TextField()  # timedelta
    # Must be checked by these
    groups = models.ManyToManyField(Group)
    users = models.ManyToManyField(User)
    # How many of the above must approve
    required_approvals = models.IntegerField(default=1)
    # How long to wait before executing fail action
    grace_period = models.TextField()  # timedelta
    # What to do if not reviewed in time
    fail_action = models.CharField(choices=AuditPolicyFailAction)
 class AuditPolicyBinding(SerializerModel):
    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
    # Many to many ? Bind users/groups here instead of on the policy ?
    policy = models.ForeignKey(AuditPolicy, on_delete=models.PROTECT)
    content_type = models.ForeignKey(ContentType, on_delete=models.CASCADE)
    object_id = models.TextField(blank=True)  # optional to apply on all objects of specific type
    content_object = GenericForeignKey("content_type", "object_id")
    # valid -> waiting review -> valid
    # valid -> waiting review -> review overdue -> valid
    # valid -> waiting review -> review overdue -> failed -> valid
    # look at django-fsm or django-viewflow
    status = models.TextField()
    class Meta:
        indexes = (
            models.Index(fields=["content_type"]),
            models.Index(fields=["content_type", "object_id"]),
        )
 class AuditHistory:
    pass
--- a/authentik/enterprise/migrations/0004_licenseusage_authentik_e_expires_3f2956_idx_and_more.py
+++ b/authentik/enterprise/migrations/0004_licenseusage_authentik_e_expires_3f2956_idx_and_more.py
@ -0,0 +1,27 @@
 # Generated by Django 5.0.10 on 2025-01-13 18:05
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_enterprise", "0003_remove_licenseusage_within_limits_and_more"),
    ]
    operations = [
        migrations.AddIndex(
            model_name="licenseusage",
            index=models.Index(fields=["expires"], name="authentik_e_expires_3f2956_idx"),
        ),
        migrations.AddIndex(
            model_name="licenseusage",
            index=models.Index(fields=["expiring"], name="authentik_e_expirin_11d3d7_idx"),
        ),
        migrations.AddIndex(
            model_name="licenseusage",
            index=models.Index(
                fields=["expiring", "expires"], name="authentik_e_expirin_4d558f_idx"
            ),
        ),
    ]
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -93,3 +93,4 @@ class LicenseUsage(ExpiringModel):
    class Meta:
        verbose_name = _("License Usage")
        verbose_name_plural = _("License Usage Records")
        indexes = ExpiringModel.Meta.indexes
--- a/authentik/enterprise/providers/google_workspace/api/providers.py
+++ b/authentik/enterprise/providers/google_workspace/api/providers.py
@ -37,6 +37,7 @@ class GoogleWorkspaceProviderSerializer(EnterpriseRequiredMixin, ProviderSeriali
            "user_delete_action",
            "group_delete_action",
            "default_group_email_domain",
            "dry_run",
        ]
        extra_kwargs = {}
--- a/authentik/enterprise/providers/google_workspace/clients/base.py
+++ b/authentik/enterprise/providers/google_workspace/clients/base.py
@ -8,9 +8,10 @@ from httplib2 import HttpLib2Error, HttpLib2ErrorWithResponse
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProvider
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
-from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
    BadRequestSyncException,
    DryRunRejected,
    NotFoundSyncException,
    ObjectExistsSyncException,
    StopSync,
@ -43,6 +44,8 @@ class GoogleWorkspaceSyncClient[TModel: Model, TConnection: Model, TSchema: dict
            self.domains.append(domain_name)
    def _request(self, request: HttpRequest):
        if self.provider.dry_run and request.method.upper() not in SAFE_METHODS:
            raise DryRunRejected(request.uri, request.method, request.body)
        try:
            response = request.execute()
        except GoogleAuthError as exc:
--- a/authentik/enterprise/providers/google_workspace/migrations/0004_googleworkspaceprovider_dry_run.py
+++ b/authentik/enterprise/providers/google_workspace/migrations/0004_googleworkspaceprovider_dry_run.py
@ -0,0 +1,24 @@
 # Generated by Django 5.0.12 on 2025-02-24 19:43
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        (
            "authentik_providers_google_workspace",
            "0003_googleworkspaceprovidergroup_attributes_and_more",
        ),
    ]
    operations = [
        migrations.AddField(
            model_name="googleworkspaceprovider",
            name="dry_run",
            field=models.BooleanField(
                default=False,
                help_text="When enabled, provider will not modify or create objects in the remote system.",
            ),
        ),
    ]
--- a/authentik/enterprise/providers/microsoft_entra/api/providers.py
+++ b/authentik/enterprise/providers/microsoft_entra/api/providers.py
@ -36,6 +36,7 @@ class MicrosoftEntraProviderSerializer(EnterpriseRequiredMixin, ProviderSerializ
            "filter_group",
            "user_delete_action",
            "group_delete_action",
            "dry_run",
        ]
        extra_kwargs = {}
--- a/authentik/enterprise/providers/microsoft_entra/clients/base.py
+++ b/authentik/enterprise/providers/microsoft_entra/clients/base.py
@ -3,6 +3,7 @@ from collections.abc import Coroutine
 from dataclasses import asdict
 from typing import Any
 import httpx
 from azure.core.exceptions import (
    ClientAuthenticationError,
    ServiceRequestError,
@ -12,6 +13,7 @@ from azure.identity.aio import ClientSecretCredential
 from django.db.models import Model
 from django.http import HttpResponseBadRequest, HttpResponseNotFound
 from kiota_abstractions.api_error import APIError
 from kiota_abstractions.request_information import RequestInformation
 from kiota_authentication_azure.azure_identity_authentication_provider import (
    AzureIdentityAuthenticationProvider,
 )
@ -21,13 +23,15 @@ from msgraph.generated.models.o_data_errors.o_data_error import ODataError
 from msgraph.graph_request_adapter import GraphRequestAdapter, options
 from msgraph.graph_service_client import GraphServiceClient
 from msgraph_core import GraphClientFactory
 from opentelemetry import trace
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProvider
 from authentik.events.utils import sanitize_item
 from authentik.lib.sync.outgoing import HTTP_CONFLICT
-from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
+from authentik.lib.sync.outgoing.base import SAFE_METHODS, BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.exceptions import (
    BadRequestSyncException,
    DryRunRejected,
    NotFoundSyncException,
    ObjectExistsSyncException,
    StopSync,
@ -35,20 +39,24 @@ from authentik.lib.sync.outgoing.exceptions import (
 )
-def get_request_adapter(
+class AuthentikRequestAdapter(GraphRequestAdapter):
-    credentials: ClientSecretCredential, scopes: list[str] | None = None
+    def __init__(self, auth_provider, provider: MicrosoftEntraProvider, client=None):
-) -> GraphRequestAdapter:
+        super().__init__(auth_provider, client)
-    if scopes:
+        self._provider = provider
        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials, scopes=scopes)
    else:
        auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials)
-    return GraphRequestAdapter(
+    async def get_http_response_message(
-        auth_provider=auth_provider,
+        self,
-        client=GraphClientFactory.create_with_default_middleware(
+        request_info: RequestInformation,
-            options=options, client=KiotaClientFactory.get_default_client()
+        parent_span: trace.Span,
-        ),
+        claims: str = "",
-    )
+    ) -> httpx.Response:
        if self._provider.dry_run and request_info.http_method.value.upper() not in SAFE_METHODS:
            raise DryRunRejected(
                url=request_info.url,
                method=request_info.http_method.value,
                body=request_info.content.decode("utf-8"),
            )
        return await super().get_http_response_message(request_info, parent_span, claims=claims)
 class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict](
@ -63,9 +71,27 @@ class MicrosoftEntraSyncClient[TModel: Model, TConnection: Model, TSchema: dict]
        self.credentials = provider.microsoft_credentials()
        self.__prefetch_domains()
    def get_request_adapter(
        self, credentials: ClientSecretCredential, scopes: list[str] | None = None
    ) -> AuthentikRequestAdapter:
        if scopes:
            auth_provider = AzureIdentityAuthenticationProvider(
                credentials=credentials, scopes=scopes
            )
        else:
            auth_provider = AzureIdentityAuthenticationProvider(credentials=credentials)
        return AuthentikRequestAdapter(
            auth_provider=auth_provider,
            provider=self.provider,
            client=GraphClientFactory.create_with_default_middleware(
                options=options, client=KiotaClientFactory.get_default_client()
            ),
        )
    @property
    def client(self):
-        return GraphServiceClient(request_adapter=get_request_adapter(**self.credentials))
+        return GraphServiceClient(request_adapter=self.get_request_adapter(**self.credentials))
    def _request[T](self, request: Coroutine[Any, Any, T]) -> T:
        try:
--- a/authentik/enterprise/providers/microsoft_entra/migrations/0003_microsoftentraprovider_dry_run.py
+++ b/authentik/enterprise/providers/microsoft_entra/migrations/0003_microsoftentraprovider_dry_run.py
@ -0,0 +1,24 @@
 # Generated by Django 5.0.12 on 2025-02-24 19:43
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        (
            "authentik_providers_microsoft_entra",
            "0002_microsoftentraprovidergroup_attributes_and_more",
        ),
    ]
    operations = [
        migrations.AddField(
            model_name="microsoftentraprovider",
            name="dry_run",
            field=models.BooleanField(
                default=False,
                help_text="When enabled, provider will not modify or create objects in the remote system.",
            ),
        ),
    ]
--- a/authentik/enterprise/providers/microsoft_entra/tests/test_users.py
+++ b/authentik/enterprise/providers/microsoft_entra/tests/test_users.py
@ -32,7 +32,6 @@ class MicrosoftEntraUserTests(APITestCase):
    @apply_blueprint("system/providers-microsoft-entra.yaml")
    def setUp(self) -> None:
        # Delete all users and groups as the mocked HTTP responses only return one ID
        # which will cause errors with multiple users
        Tenant.objects.update(avatars="none")
@ -97,6 +96,38 @@ class MicrosoftEntraUserTests(APITestCase):
            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
            user_create.assert_called_once()
    def test_user_create_dry_run(self):
        """Test user creation (dry run)"""
        self.provider.dry_run = True
        self.provider.save()
        uid = generate_id()
        with (
            patch(
                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
                MagicMock(return_value={"credentials": self.creds}),
            ),
            patch(
                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
                AsyncMock(
                    return_value=OrganizationCollectionResponse(
                        value=[
                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
                        ]
                    )
                ),
            ),
        ):
            user = User.objects.create(
                username=uid,
                name=f"{uid} {uid}",
                email=f"{uid}@goauthentik.io",
            )
            microsoft_user = MicrosoftEntraProviderUser.objects.filter(
                provider=self.provider, user=user
            ).first()
            self.assertIsNone(microsoft_user)
            self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
    def test_user_not_created(self):
        """Test without property mappings, no group is created"""
        self.provider.property_mappings.clear()
--- a/authentik/enterprise/providers/rac/apps.py
+++ b/authentik/enterprise/providers/rac/apps.py
@ -1,14 +0,0 @@
 """RAC app config"""
 from authentik.enterprise.apps import EnterpriseConfig
 class AuthentikEnterpriseProviderRAC(EnterpriseConfig):
    """authentik enterprise rac app config"""
    name = "authentik.enterprise.providers.rac"
    label = "authentik_providers_rac"
    verbose_name = "authentik Enterprise.Providers.RAC"
    default = True
    mountpoint = ""
    ws_mountpoint = "authentik.enterprise.providers.rac.urls"
--- a/authentik/enterprise/providers/ssf/init.py
+++ b/authentik/enterprise/providers/ssf/init.py
--- a/authentik/enterprise/providers/ssf/api/init.py
+++ b/authentik/enterprise/providers/ssf/api/init.py
--- a/authentik/enterprise/providers/ssf/api/providers.py
+++ b/authentik/enterprise/providers/ssf/api/providers.py
@ -0,0 +1,64 @@
 """SSF Provider API Views"""
 from django.urls import reverse
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.tokens import TokenSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.ssf.models import SSFProvider
 class SSFProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
    """SSFProvider Serializer"""
    ssf_url = SerializerMethodField()
    token_obj = TokenSerializer(source="token", required=False, read_only=True)
    def get_ssf_url(self, instance: SSFProvider) -> str | None:
        request: Request = self._context.get("request")
        if not request:
            return None
        if not instance.backchannel_application:
            return None
        return request.build_absolute_uri(
            reverse(
                "authentik_providers_ssf:configuration",
                kwargs={
                    "application_slug": instance.backchannel_application.slug,
                },
            )
        )
    class Meta:
        model = SSFProvider
        fields = [
            "pk",
            "name",
            "component",
            "verbose_name",
            "verbose_name_plural",
            "meta_model_name",
            "signing_key",
            "token_obj",
            "oidc_auth_providers",
            "ssf_url",
            "event_retention",
        ]
        extra_kwargs = {}
 class SSFProviderViewSet(UsedByMixin, ModelViewSet):
    """SSFProvider Viewset"""
    queryset = SSFProvider.objects.all()
    serializer_class = SSFProviderSerializer
    filterset_fields = {
        "application": ["isnull"],
        "name": ["iexact"],
    }
    search_fields = ["name"]
    ordering = ["name"]
--- a/authentik/enterprise/providers/ssf/api/streams.py
+++ b/authentik/enterprise/providers/ssf/api/streams.py
@ -0,0 +1,37 @@
 """SSF Stream API Views"""
 from rest_framework.viewsets import ReadOnlyModelViewSet
 from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.ssf.api.providers import SSFProviderSerializer
 from authentik.enterprise.providers.ssf.models import Stream
 class SSFStreamSerializer(ModelSerializer):
    """SSFStream Serializer"""
    provider_obj = SSFProviderSerializer(source="provider", read_only=True)
    class Meta:
        model = Stream
        fields = [
            "pk",
            "provider",
            "provider_obj",
            "delivery_method",
            "endpoint_url",
            "events_requested",
            "format",
            "aud",
            "iss",
        ]
 class SSFStreamViewSet(ReadOnlyModelViewSet):
    """SSFStream Viewset"""
    queryset = Stream.objects.all()
    serializer_class = SSFStreamSerializer
    filterset_fields = ["provider", "endpoint_url", "delivery_method"]
    search_fields = ["provider__name", "endpoint_url"]
    ordering = ["provider", "uuid"]
--- a/authentik/enterprise/providers/ssf/apps.py
+++ b/authentik/enterprise/providers/ssf/apps.py
@ -0,0 +1,13 @@
 """SSF app config"""
 from authentik.enterprise.apps import EnterpriseConfig
 class AuthentikEnterpriseProviderSSF(EnterpriseConfig):
    """authentik enterprise ssf app config"""
    name = "authentik.enterprise.providers.ssf"
    label = "authentik_providers_ssf"
    verbose_name = "authentik Enterprise.Providers.SSF"
    default = True
    mountpoint = ""
--- a/authentik/enterprise/providers/ssf/migrations/0001_initial.py
+++ b/authentik/enterprise/providers/ssf/migrations/0001_initial.py
@ -0,0 +1,201 @@
 # Generated by Django 5.0.11 on 2025-02-05 16:20
 import authentik.lib.utils.time
 import django.contrib.postgres.fields
 import django.db.models.deletion
 import uuid
 from django.db import migrations, models
 class Migration(migrations.Migration):
    initial = True
    dependencies = [
        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
    ]
    operations = [
        migrations.CreateModel(
            name="SSFProvider",
            fields=[
                (
                    "provider_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_core.provider",
                    ),
                ),
                (
                    "event_retention",
                    models.TextField(
                        default="days=30",
                        validators=[authentik.lib.utils.time.timedelta_string_validator],
                    ),
                ),
                (
                    "oidc_auth_providers",
                    models.ManyToManyField(
                        blank=True, default=None, to="authentik_providers_oauth2.oauth2provider"
                    ),
                ),
                (
                    "signing_key",
                    models.ForeignKey(
                        help_text="Key used to sign the SSF Events.",
                        on_delete=django.db.models.deletion.CASCADE,
                        to="authentik_crypto.certificatekeypair",
                        verbose_name="Signing Key",
                    ),
                ),
                (
                    "token",
                    models.ForeignKey(
                        default=None,
                        null=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        to="authentik_core.token",
                    ),
                ),
            ],
            options={
                "verbose_name": "Shared Signals Framework Provider",
                "verbose_name_plural": "Shared Signals Framework Providers",
                "permissions": [("add_stream", "Add stream to SSF provider")],
            },
            bases=("authentik_core.provider",),
        ),
        migrations.CreateModel(
            name="Stream",
            fields=[
                (
                    "uuid",
                    models.UUIDField(
                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
                    ),
                ),
                (
                    "delivery_method",
                    models.TextField(
                        choices=[
                            (
                                "https://schemas.openid.net/secevent/risc/delivery-method/push",
                                "Risc Push",
                            ),
                            (
                                "https://schemas.openid.net/secevent/risc/delivery-method/poll",
                                "Risc Poll",
                            ),
                        ]
                    ),
                ),
                ("endpoint_url", models.TextField(null=True)),
                (
                    "events_requested",
                    django.contrib.postgres.fields.ArrayField(
                        base_field=models.TextField(
                            choices=[
                                (
                                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
                                    "Caep Session Revoked",
                                ),
                                (
                                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
                                    "Caep Credential Change",
                                ),
                                (
                                    "https://schemas.openid.net/secevent/ssf/event-type/verification",
                                    "Set Verification",
                                ),
                            ]
                        ),
                        default=list,
                        size=None,
                    ),
                ),
                ("format", models.TextField()),
                (
                    "aud",
                    django.contrib.postgres.fields.ArrayField(
                        base_field=models.TextField(), default=list, size=None
                    ),
                ),
                ("iss", models.TextField()),
                (
                    "provider",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE,
                        to="authentik_providers_ssf.ssfprovider",
                    ),
                ),
            ],
            options={
                "verbose_name": "SSF Stream",
                "verbose_name_plural": "SSF Streams",
                "default_permissions": ["change", "delete", "view"],
            },
        ),
        migrations.CreateModel(
            name="StreamEvent",
            fields=[
                ("created", models.DateTimeField(auto_now_add=True)),
                ("last_updated", models.DateTimeField(auto_now=True)),
                ("expires", models.DateTimeField(default=None, null=True)),
                ("expiring", models.BooleanField(default=True)),
                (
                    "uuid",
                    models.UUIDField(
                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
                    ),
                ),
                (
                    "status",
                    models.TextField(
                        choices=[
                            ("pending_new", "Pending New"),
                            ("pending_failed", "Pending Failed"),
                            ("sent", "Sent"),
                        ]
                    ),
                ),
                (
                    "type",
                    models.TextField(
                        choices=[
                            (
                                "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
                                "Caep Session Revoked",
                            ),
                            (
                                "https://schemas.openid.net/secevent/caep/event-type/credential-change",
                                "Caep Credential Change",
                            ),
                            (
                                "https://schemas.openid.net/secevent/ssf/event-type/verification",
                                "Set Verification",
                            ),
                        ]
                    ),
                ),
                ("payload", models.JSONField(default=dict)),
                (
                    "stream",
                    models.ForeignKey(
                        on_delete=django.db.models.deletion.CASCADE,
                        to="authentik_providers_ssf.stream",
                    ),
                ),
            ],
            options={
                "verbose_name": "SSF Stream Event",
                "verbose_name_plural": "SSF Stream Events",
                "ordering": ("-created",),
            },
        ),
    ]
--- a/authentik/enterprise/providers/rac/controllers/init.py
+++ b/authentik/enterprise/providers/rac/controllers/init.py
--- a/authentik/enterprise/providers/ssf/models.py
+++ b/authentik/enterprise/providers/ssf/models.py
@ -0,0 +1,178 @@
 from datetime import datetime
 from functools import cached_property
 from uuid import uuid4
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
 from django.contrib.postgres.fields import ArrayField
 from django.db import models
 from django.templatetags.static import static
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from jwt import encode
 from authentik.core.models import BackchannelProvider, ExpiringModel, Token
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.models import CreatedUpdatedModel
 from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.providers.oauth2.models import JWTAlgorithms, OAuth2Provider
 class EventTypes(models.TextChoices):
    """SSF Event types supported by authentik"""
    CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
    CAEP_CREDENTIAL_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/credential-change"
    SET_VERIFICATION = "https://schemas.openid.net/secevent/ssf/event-type/verification"
 class DeliveryMethods(models.TextChoices):
    """SSF Delivery methods"""
    RISC_PUSH = "https://schemas.openid.net/secevent/risc/delivery-method/push"
    RISC_POLL = "https://schemas.openid.net/secevent/risc/delivery-method/poll"
 class SSFEventStatus(models.TextChoices):
    """SSF Event status"""
    PENDING_NEW = "pending_new"
    PENDING_FAILED = "pending_failed"
    SENT = "sent"
 class SSFProvider(BackchannelProvider):
    """Shared Signals Framework provider to allow applications to
    receive user events from authentik."""
    signing_key = models.ForeignKey(
        CertificateKeyPair,
        verbose_name=_("Signing Key"),
        on_delete=models.CASCADE,
        help_text=_("Key used to sign the SSF Events."),
    )
    oidc_auth_providers = models.ManyToManyField(OAuth2Provider, blank=True, default=None)
    token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
    event_retention = models.TextField(
        default="days=30",
        validators=[timedelta_string_validator],
    )
    @cached_property
    def jwt_key(self) -> tuple[PrivateKeyTypes, str]:
        """Get either the configured certificate or the client secret"""
        key: CertificateKeyPair = self.signing_key
        private_key = key.private_key
        if isinstance(private_key, RSAPrivateKey):
            return private_key, JWTAlgorithms.RS256
        if isinstance(private_key, EllipticCurvePrivateKey):
            return private_key, JWTAlgorithms.ES256
        raise ValueError(f"Invalid private key type: {type(private_key)}")
    @property
    def service_account_identifier(self) -> str:
        return f"ak-providers-ssf-{self.pk}"
    @property
    def serializer(self):
        from authentik.enterprise.providers.ssf.api.providers import SSFProviderSerializer
        return SSFProviderSerializer
    @property
    def icon_url(self) -> str | None:
        return static("authentik/sources/ssf.svg")
    @property
    def component(self) -> str:
        return "ak-provider-ssf-form"
    class Meta:
        verbose_name = _("Shared Signals Framework Provider")
        verbose_name_plural = _("Shared Signals Framework Providers")
        permissions = [
            # This overrides the default "add_stream" permission of the Stream object,
            # as the user requesting to add a stream must have the permission on the provider
            ("add_stream", _("Add stream to SSF provider")),
        ]
 class Stream(models.Model):
    """SSF Stream"""
    uuid = models.UUIDField(default=uuid4, primary_key=True, editable=False)
    provider = models.ForeignKey(SSFProvider, on_delete=models.CASCADE)
    delivery_method = models.TextField(choices=DeliveryMethods.choices)
    endpoint_url = models.TextField(null=True)
    events_requested = ArrayField(models.TextField(choices=EventTypes.choices), default=list)
    format = models.TextField()
    aud = ArrayField(models.TextField(), default=list)
    iss = models.TextField()
    class Meta:
        verbose_name = _("SSF Stream")
        verbose_name_plural = _("SSF Streams")
        default_permissions = ["change", "delete", "view"]
    def __str__(self) -> str:
        return "SSF Stream"
    def prepare_event_payload(self, type: EventTypes, event_data: dict, **kwargs) -> dict:
        jti = uuid4()
        _now = now()
        return {
            "uuid": jti,
            "stream_id": str(self.pk),
            "type": type,
            "expiring": True,
            "status": SSFEventStatus.PENDING_NEW,
            "expires": _now + timedelta_from_string(self.provider.event_retention),
            "payload": {
                "jti": jti.hex,
                "aud": self.aud,
                "iat": int(datetime.now().timestamp()),
                "iss": self.iss,
                "events": {type: event_data},
                **kwargs,
            },
        }
    def encode(self, data: dict) -> str:
        headers = {}
        if self.provider.signing_key:
            headers["kid"] = self.provider.signing_key.kid
        key, alg = self.provider.jwt_key
        return encode(data, key, algorithm=alg, headers=headers)
 class StreamEvent(CreatedUpdatedModel, ExpiringModel):
    """Single stream event to be sent"""
    uuid = models.UUIDField(default=uuid4, primary_key=True, editable=False)
    stream = models.ForeignKey(Stream, on_delete=models.CASCADE)
    status = models.TextField(choices=SSFEventStatus.choices)
    type = models.TextField(choices=EventTypes.choices)
    payload = models.JSONField(default=dict)
    def expire_action(self, *args, **kwargs):
        """Only allow automatic cleanup of successfully sent event"""
        if self.status != SSFEventStatus.SENT:
            return
        return super().expire_action(*args, **kwargs)
    def __str__(self):
        return f"Stream event {self.type}"
    class Meta:
        verbose_name = _("SSF Stream Event")
        verbose_name_plural = _("SSF Stream Events")
        ordering = ("-created",)
--- a/authentik/enterprise/providers/ssf/signals.py
+++ b/authentik/enterprise/providers/ssf/signals.py
@ -0,0 +1,193 @@
 from hashlib import sha256
 from django.contrib.auth.signals import user_logged_out
 from django.db.models import Model
 from django.db.models.signals import post_delete, post_save, pre_delete
 from django.dispatch import receiver
 from django.http.request import HttpRequest
 from guardian.shortcuts import assign_perm
 from authentik.core.models import (
    USER_PATH_SYSTEM_PREFIX,
    AuthenticatedSession,
    Token,
    TokenIntents,
    User,
    UserTypes,
 )
 from authentik.core.signals import password_changed
 from authentik.enterprise.providers.ssf.models import (
    EventTypes,
    SSFProvider,
 )
 from authentik.enterprise.providers.ssf.tasks import send_ssf_event
 from authentik.events.middleware import audit_ignore
 from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_duo.models import DuoDevice
 from authentik.stages.authenticator_static.models import StaticDevice
 from authentik.stages.authenticator_totp.models import TOTPDevice
 from authentik.stages.authenticator_webauthn.models import (
    UNKNOWN_DEVICE_TYPE_AAGUID,
    WebAuthnDevice,
 )
 USER_PATH_PROVIDERS_SSF = USER_PATH_SYSTEM_PREFIX + "/providers/ssf"
@receiver(post_save, sender=SSFProvider)
 def ssf_providers_post_save(sender: type[Model], instance: SSFProvider, created: bool, **_):
    """Create service account before provider is saved"""
    identifier = instance.service_account_identifier
    user, _ = User.objects.update_or_create(
        username=identifier,
        defaults={
            "name": f"SSF Provider {instance.name} Service-Account",
            "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
            "path": USER_PATH_PROVIDERS_SSF,
        },
    )
    assign_perm("add_stream", user, instance)
    token, token_created = Token.objects.update_or_create(
        identifier=identifier,
        defaults={
            "user": user,
            "intent": TokenIntents.INTENT_API,
            "expiring": False,
            "managed": f"goauthentik.io/providers/ssf/{instance.pk}",
        },
    )
    if created or token_created:
        with audit_ignore():
            instance.token = token
            instance.save()
@receiver(user_logged_out)
 def ssf_user_logged_out_session_revoked(sender, request: HttpRequest, user: User, **_):
    """Session revoked trigger (user logged out)"""
    if not request.session or not request.session.session_key or not user:
        return
    send_ssf_event(
        EventTypes.CAEP_SESSION_REVOKED,
        {
            "initiating_entity": "user",
        },
        sub_id={
            "format": "complex",
            "session": {
                "format": "opaque",
                "id": sha256(request.session.session_key.encode("ascii")).hexdigest(),
            },
            "user": {
                "format": "email",
                "email": user.email,
            },
        },
        request=request,
    )
@receiver(pre_delete, sender=AuthenticatedSession)
 def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSession, **_):
    """Session revoked trigger (users' session has been deleted)
    As this signal is also triggered with a regular logout, we can't be sure
    if the session has been deleted by an admin or by the user themselves."""
    send_ssf_event(
        EventTypes.CAEP_SESSION_REVOKED,
        {
            "initiating_entity": "user",
        },
        sub_id={
            "format": "complex",
            "session": {
                "format": "opaque",
                "id": sha256(instance.session_key.encode("ascii")).hexdigest(),
            },
            "user": {
                "format": "email",
                "email": instance.user.email,
            },
        },
    )
@receiver(password_changed)
 def ssf_password_changed_cred_change(sender, user: User, password: str | None, **_):
    """Credential change trigger (password changed)"""
    send_ssf_event(
        EventTypes.CAEP_CREDENTIAL_CHANGE,
        {
            "credential_type": "password",
            "change_type": "revoke" if password is None else "update",
        },
        sub_id={
            "format": "complex",
            "user": {
                "format": "email",
                "email": user.email,
            },
        },
    )
 device_type_map = {
    StaticDevice: "pin",
    TOTPDevice: "pin",
    WebAuthnDevice: "fido-u2f",
    DuoDevice: "app",
 }
@receiver(post_save)
 def ssf_device_post_save(sender: type[Model], instance: Device, created: bool, **_):
    if not isinstance(instance, Device):
        return
    if not instance.confirmed:
        return
    device_type = device_type_map.get(instance.__class__)
    data = {
        "credential_type": device_type,
        "change_type": "create" if created else "update",
        "friendly_name": instance.name,
    }
    if isinstance(instance, WebAuthnDevice) and instance.aaguid != UNKNOWN_DEVICE_TYPE_AAGUID:
        data["fido2_aaguid"] = instance.aaguid
    send_ssf_event(
        EventTypes.CAEP_CREDENTIAL_CHANGE,
        data,
        sub_id={
            "format": "complex",
            "user": {
                "format": "email",
                "email": instance.user.email,
            },
        },
    )
@receiver(post_delete)
 def ssf_device_post_delete(sender: type[Model], instance: Device, **_):
    if not isinstance(instance, Device):
        return
    if not instance.confirmed:
        return
    device_type = device_type_map.get(instance.__class__)
    data = {
        "credential_type": device_type,
        "change_type": "delete",
        "friendly_name": instance.name,
    }
    if isinstance(instance, WebAuthnDevice) and instance.aaguid != UNKNOWN_DEVICE_TYPE_AAGUID:
        data["fido2_aaguid"] = instance.aaguid
    send_ssf_event(
        EventTypes.CAEP_CREDENTIAL_CHANGE,
        data,
        sub_id={
            "format": "complex",
            "user": {
                "format": "email",
                "email": instance.user.email,
            },
        },
    )
--- a/authentik/enterprise/providers/ssf/tasks.py
+++ b/authentik/enterprise/providers/ssf/tasks.py
@ -0,0 +1,136 @@
 from celery import group
 from django.http import HttpRequest
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from requests.exceptions import RequestException
 from structlog.stdlib import get_logger
 from authentik.core.models import User
 from authentik.enterprise.providers.ssf.models import (
    DeliveryMethods,
    EventTypes,
    SSFEventStatus,
    Stream,
    StreamEvent,
 )
 from authentik.events.logs import LogEvent
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask
 from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
 from authentik.root.celery import CELERY_APP
 session = get_http_session()
 LOGGER = get_logger()
 def send_ssf_event(
    event_type: EventTypes,
    data: dict,
    stream_filter: dict | None = None,
    request: HttpRequest | None = None,
    **extra_data,
 ):
    """Wrapper to send an SSF event to multiple streams"""
    payload = []
    if not stream_filter:
        stream_filter = {}
    stream_filter["events_requested__contains"] = [event_type]
    if request and hasattr(request, "request_id"):
        extra_data.setdefault("txn", request.request_id)
    for stream in Stream.objects.filter(**stream_filter):
        event_data = stream.prepare_event_payload(event_type, data, **extra_data)
        payload.append((str(stream.uuid), event_data))
    return _send_ssf_event.delay(payload)
 def _check_app_access(stream_uuid: str, event_data: dict) -> bool:
    """Check if event is related to user and if so, check
    if the user has access to the application"""
    stream = Stream.objects.filter(pk=stream_uuid).first()
    if not stream:
        return False
    # `event_data` is a dict version of a StreamEvent
    sub_id = event_data.get("payload", {}).get("sub_id", {})
    email = sub_id.get("user", {}).get("email", None)
    if not email:
        return True
    user = User.objects.filter(email=email).first()
    if not user:
        return True
    engine = PolicyEngine(stream.provider.backchannel_application, user)
    engine.use_cache = False
    engine.build()
    return engine.passing
@CELERY_APP.task()
 def _send_ssf_event(event_data: list[tuple[str, dict]]):
    tasks = []
    for stream, data in event_data:
        if not _check_app_access(stream, data):
            continue
        event = StreamEvent.objects.create(**data)
        tasks.extend(send_single_ssf_event(stream, str(event.uuid)))
    main_task = group(*tasks)
    main_task()
 def send_single_ssf_event(stream_id: str, evt_id: str):
    stream = Stream.objects.filter(pk=stream_id).first()
    if not stream:
        return
    event = StreamEvent.objects.filter(pk=evt_id).first()
    if not event:
        return
    if event.status == SSFEventStatus.SENT:
        return
    if stream.delivery_method == DeliveryMethods.RISC_PUSH:
        return [ssf_push_event.si(str(event.pk))]
    return []
@CELERY_APP.task(bind=True, base=SystemTask)
 def ssf_push_event(self: SystemTask, event_id: str):
    self.save_on_success = False
    event = StreamEvent.objects.filter(pk=event_id).first()
    if not event:
        return
    self.set_uid(event_id)
    if event.status == SSFEventStatus.SENT:
        self.set_status(TaskStatus.SUCCESSFUL)
        return
    try:
        response = session.post(
            event.stream.endpoint_url,
            data=event.stream.encode(event.payload),
            headers={"Content-Type": "application/secevent+jwt", "Accept": "application/json"},
        )
        response.raise_for_status()
        event.status = SSFEventStatus.SENT
        event.save()
        self.set_status(TaskStatus.SUCCESSFUL)
        return
    except RequestException as exc:
        LOGGER.warning("Failed to send SSF event", exc=exc)
        self.set_status(TaskStatus.ERROR)
        attrs = {}
        if exc.response:
            attrs["response"] = {
                "content": exc.response.text,
                "status": exc.response.status_code,
            }
        self.set_error(
            exc,
            LogEvent(
                _("Failed to send request"),
                log_level="warning",
                logger=self.__name__,
                attributes=attrs,
            ),
        )
        # Re-up the expiry of the stream event
        event.expires = now() + timedelta_from_string(event.stream.provider.event_retention)
        event.status = SSFEventStatus.PENDING_FAILED
        event.save()
--- a/authentik/enterprise/providers/rac/migrations/init.py
+++ b/authentik/enterprise/providers/rac/migrations/init.py
--- a/authentik/enterprise/providers/ssf/tests/test_config.py
+++ b/authentik/enterprise/providers/ssf/tests/test_config.py
@ -0,0 +1,46 @@
 import json
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert
 from authentik.enterprise.providers.ssf.models import (
    SSFProvider,
 )
 from authentik.lib.generators import generate_id
 class TestConfiguration(APITestCase):
    def setUp(self):
        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
        self.provider = SSFProvider.objects.create(
            name=generate_id(),
            signing_key=create_test_cert(),
            backchannel_application=self.application,
        )
    def test_config_fetch(self):
        """test SSF configuration (unauthenticated)"""
        res = self.client.get(
            reverse(
                "authentik_providers_ssf:configuration",
                kwargs={"application_slug": self.application.slug},
            ),
        )
        self.assertEqual(res.status_code, 200)
        content = json.loads(res.content)
        self.assertEqual(content["spec_version"], "1_0-ID2")
    def test_config_fetch_authenticated(self):
        """test SSF configuration (authenticated)"""
        res = self.client.get(
            reverse(
                "authentik_providers_ssf:configuration",
                kwargs={"application_slug": self.application.slug},
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
        )
        self.assertEqual(res.status_code, 200)
        content = json.loads(res.content)
        self.assertEqual(content["spec_version"], "1_0-ID2")
--- a/authentik/enterprise/providers/ssf/tests/test_jwks.py
+++ b/authentik/enterprise/providers/ssf/tests/test_jwks.py
@ -0,0 +1,51 @@
 """JWKS tests"""
 import base64
 import json
 from cryptography.hazmat.backends import default_backend
 from cryptography.x509 import load_der_x509_certificate
 from django.test import TestCase
 from django.urls.base import reverse
 from jwt import PyJWKSet
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert
 from authentik.enterprise.providers.ssf.models import SSFProvider
 from authentik.lib.generators import generate_id
 class TestJWKS(TestCase):
    """Test JWKS view"""
    def test_rs256(self):
        """Test JWKS request with RS256"""
        provider = SSFProvider.objects.create(
            name=generate_id(),
            signing_key=create_test_cert(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id())
        app.backchannel_providers.add(provider)
        response = self.client.get(
            reverse("authentik_providers_ssf:jwks", kwargs={"application_slug": app.slug})
        )
        body = json.loads(response.content.decode())
        self.assertEqual(len(body["keys"]), 1)
        PyJWKSet.from_dict(body)
        key = body["keys"][0]
        load_der_x509_certificate(base64.b64decode(key["x5c"][0]), default_backend()).public_key()
    def test_es256(self):
        """Test JWKS request with ES256"""
        provider = SSFProvider.objects.create(
            name=generate_id(),
            signing_key=create_test_cert(),
        )
        app = Application.objects.create(name=generate_id(), slug=generate_id())
        app.backchannel_providers.add(provider)
        response = self.client.get(
            reverse("authentik_providers_ssf:jwks", kwargs={"application_slug": app.slug})
        )
        body = json.loads(response.content.decode())
        self.assertEqual(len(body["keys"]), 1)
        PyJWKSet.from_dict(body)
--- a/authentik/enterprise/providers/ssf/tests/test_signals.py
+++ b/authentik/enterprise/providers/ssf/tests/test_signals.py
@ -0,0 +1,168 @@
 from uuid import uuid4
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import Application, Group
 from authentik.core.tests.utils import (
    create_test_cert,
    create_test_user,
 )
 from authentik.enterprise.providers.ssf.models import (
    EventTypes,
    SSFEventStatus,
    SSFProvider,
    Stream,
    StreamEvent,
 )
 from authentik.lib.generators import generate_id
 from authentik.policies.models import PolicyBinding
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 class TestSignals(APITestCase):
    """Test individual SSF Signals"""
    def setUp(self):
        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
        self.provider = SSFProvider.objects.create(
            name=generate_id(),
            signing_key=create_test_cert(),
            backchannel_application=self.application,
        )
        res = self.client.post(
            reverse(
                "authentik_providers_ssf:stream",
                kwargs={"application_slug": self.application.slug},
            ),
            data={
                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
                "aud": ["https://app.authentik.company"],
                "delivery": {
                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
                    "endpoint_url": "https://app.authentik.company",
                },
                "events_requested": [
                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
                ],
                "format": "iss_sub",
            },
            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
        )
        self.assertEqual(res.status_code, 201, res.content)
    def test_signal_logout(self):
        """Test user logout"""
        user = create_test_user()
        self.client.force_login(user)
        self.client.logout()
        stream = Stream.objects.filter(provider=self.provider).first()
        self.assertIsNotNone(stream)
        event = StreamEvent.objects.filter(stream=stream).first()
        self.assertIsNotNone(event)
        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
        event_payload = event.payload["events"][
            "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
        ]
        self.assertEqual(event_payload["initiating_entity"], "user")
        self.assertEqual(event.payload["sub_id"]["format"], "complex")
        self.assertEqual(event.payload["sub_id"]["session"]["format"], "opaque")
        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
    def test_signal_password_change(self):
        """Test user password change"""
        user = create_test_user()
        self.client.force_login(user)
        user.set_password(generate_id())
        user.save()
        stream = Stream.objects.filter(provider=self.provider).first()
        self.assertIsNotNone(stream)
        event = StreamEvent.objects.filter(stream=stream).first()
        self.assertIsNotNone(event)
        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
        event_payload = event.payload["events"][
            "https://schemas.openid.net/secevent/caep/event-type/credential-change"
        ]
        self.assertEqual(event_payload["change_type"], "update")
        self.assertEqual(event_payload["credential_type"], "password")
        self.assertEqual(event.payload["sub_id"]["format"], "complex")
        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
    def test_signal_authenticator_added(self):
        """Test authenticator creation signal"""
        user = create_test_user()
        self.client.force_login(user)
        dev = WebAuthnDevice.objects.create(
            user=user,
            name=generate_id(),
            credential_id=generate_id(),
            public_key=generate_id(),
            aaguid=str(uuid4()),
        )
        stream = Stream.objects.filter(provider=self.provider).first()
        self.assertIsNotNone(stream)
        event = StreamEvent.objects.filter(stream=stream).exclude().first()
        self.assertIsNotNone(event)
        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
        event_payload = event.payload["events"][
            "https://schemas.openid.net/secevent/caep/event-type/credential-change"
        ]
        self.assertEqual(event_payload["change_type"], "create")
        self.assertEqual(event_payload["fido2_aaguid"], dev.aaguid)
        self.assertEqual(event_payload["friendly_name"], dev.name)
        self.assertEqual(event_payload["credential_type"], "fido-u2f")
        self.assertEqual(event.payload["sub_id"]["format"], "complex")
        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
    def test_signal_authenticator_deleted(self):
        """Test authenticator deletion signal"""
        user = create_test_user()
        self.client.force_login(user)
        dev = WebAuthnDevice.objects.create(
            user=user,
            name=generate_id(),
            credential_id=generate_id(),
            public_key=generate_id(),
            aaguid=str(uuid4()),
        )
        dev.delete()
        stream = Stream.objects.filter(provider=self.provider).first()
        self.assertIsNotNone(stream)
        event = StreamEvent.objects.filter(stream=stream).exclude().first()
        self.assertIsNotNone(event)
        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
        event_payload = event.payload["events"][
            "https://schemas.openid.net/secevent/caep/event-type/credential-change"
        ]
        self.assertEqual(event_payload["change_type"], "delete")
        self.assertEqual(event_payload["fido2_aaguid"], dev.aaguid)
        self.assertEqual(event_payload["friendly_name"], dev.name)
        self.assertEqual(event_payload["credential_type"], "fido-u2f")
        self.assertEqual(event.payload["sub_id"]["format"], "complex")
        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
    def test_signal_policy_ignore(self):
        """Test event not being created for user that doesn't have access to the application"""
        PolicyBinding.objects.create(
            target=self.application, group=Group.objects.create(name=generate_id()), order=0
        )
        user = create_test_user()
        self.client.force_login(user)
        user.set_password(generate_id())
        user.save()
        stream = Stream.objects.filter(provider=self.provider).first()
        self.assertIsNotNone(stream)
        event = StreamEvent.objects.filter(
            stream=stream, type=EventTypes.CAEP_CREDENTIAL_CHANGE
        ).first()
        self.assertIsNone(event)
--- a/authentik/enterprise/providers/ssf/tests/test_stream.py
+++ b/authentik/enterprise/providers/ssf/tests/test_stream.py
@ -0,0 +1,154 @@
 import json
 from dataclasses import asdict
 from django.urls import reverse
 from django.utils import timezone
 from rest_framework.test import APITestCase
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
 from authentik.enterprise.providers.ssf.models import (
    SSFEventStatus,
    SSFProvider,
    Stream,
    StreamEvent,
 )
 from authentik.lib.generators import generate_id
 from authentik.providers.oauth2.id_token import IDToken
 from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
 class TestStream(APITestCase):
    def setUp(self):
        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
        self.provider = SSFProvider.objects.create(
            name=generate_id(),
            signing_key=create_test_cert(),
            backchannel_application=self.application,
        )
    def test_stream_add_token(self):
        """test stream add (token auth)"""
        res = self.client.post(
            reverse(
                "authentik_providers_ssf:stream",
                kwargs={"application_slug": self.application.slug},
            ),
            data={
                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
                "aud": ["https://app.authentik.company"],
                "delivery": {
                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
                    "endpoint_url": "https://app.authentik.company",
                },
                "events_requested": [
                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
                ],
                "format": "iss_sub",
            },
            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
        )
        self.assertEqual(res.status_code, 201)
        stream = Stream.objects.filter(provider=self.provider).first()
        self.assertIsNotNone(stream)
        event = StreamEvent.objects.filter(stream=stream).first()
        self.assertIsNotNone(event)
        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
        self.assertEqual(
            event.payload["events"],
            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
        )
    def test_stream_add_poll(self):
        """test stream add - poll method"""
        res = self.client.post(
            reverse(
                "authentik_providers_ssf:stream",
                kwargs={"application_slug": self.application.slug},
            ),
            data={
                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
                "aud": ["https://app.authentik.company"],
                "delivery": {
                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/poll",
                },
                "events_requested": [
                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
                ],
                "format": "iss_sub",
            },
            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
        )
        self.assertEqual(res.status_code, 400)
        self.assertJSONEqual(
            res.content,
            {"delivery": {"method": ["Polling for SSF events is not currently supported."]}},
        )
    def test_stream_add_oidc(self):
        """test stream add (oidc auth)"""
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            authorization_flow=create_test_flow(),
        )
        self.application.provider = provider
        self.application.save()
        user = create_test_admin_user()
        token = AccessToken.objects.create(
            provider=provider,
            user=user,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="openid user profile",
            _id_token=json.dumps(
                asdict(
                    IDToken("foo", "bar"),
                )
            ),
        )
        res = self.client.post(
            reverse(
                "authentik_providers_ssf:stream",
                kwargs={"application_slug": self.application.slug},
            ),
            data={
                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
                "aud": ["https://app.authentik.company"],
                "delivery": {
                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
                    "endpoint_url": "https://app.authentik.company",
                },
                "events_requested": [
                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
                ],
                "format": "iss_sub",
            },
            HTTP_AUTHORIZATION=f"Bearer {token.token}",
        )
        self.assertEqual(res.status_code, 201)
        stream = Stream.objects.filter(provider=self.provider).first()
        self.assertIsNotNone(stream)
        event = StreamEvent.objects.filter(stream=stream).first()
        self.assertIsNotNone(event)
        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
        self.assertEqual(
            event.payload["events"],
            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
        )
    def test_stream_delete(self):
        """delete stream"""
        stream = Stream.objects.create(provider=self.provider)
        res = self.client.delete(
            reverse(
                "authentik_providers_ssf:stream",
                kwargs={"application_slug": self.application.slug},
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
        )
        self.assertEqual(res.status_code, 204)
        self.assertFalse(Stream.objects.filter(pk=stream.pk).exists())
--- a/authentik/enterprise/providers/ssf/urls.py
+++ b/authentik/enterprise/providers/ssf/urls.py
@ -0,0 +1,32 @@
 """SSF provider URLs"""
 from django.urls import path
 from authentik.enterprise.providers.ssf.api.providers import SSFProviderViewSet
 from authentik.enterprise.providers.ssf.api.streams import SSFStreamViewSet
 from authentik.enterprise.providers.ssf.views.configuration import ConfigurationView
 from authentik.enterprise.providers.ssf.views.jwks import JWKSview
 from authentik.enterprise.providers.ssf.views.stream import StreamView
 urlpatterns = [
    path(
        "application/ssf/<slug:application_slug>/ssf-jwks/",
        JWKSview.as_view(),
        name="jwks",
    ),
    path(
        ".well-known/ssf-configuration/<slug:application_slug>",
        ConfigurationView.as_view(),
        name="configuration",
    ),
    path(
        "application/ssf/<slug:application_slug>/stream/",
        StreamView.as_view(),
        name="stream",
    ),
 ]
 api_urlpatterns = [
    ("providers/ssf", SSFProviderViewSet),
    ("ssf/streams", SSFStreamViewSet),
 ]
--- a/authentik/enterprise/providers/ssf/views/init.py
+++ b/authentik/enterprise/providers/ssf/views/init.py
--- a/Show More
+++ b/Show More