core, events: reduce memory usage when batch deleting objects

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

.bumpversion.cfg

@@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2024.10.5
+current_version = 2024.12.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize = 
+serialize =
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:rc_t]
-values = 
+values =
 	rc
 	final
 optional_value = final

.github/workflows/release-publish.yml

@@ -26,17 +26,12 @@ jobs:
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
-          image-name: ghcr.io/goauthentik/server,beryju/authentik,authentik/server
-      - name: Login to Docker Registry (legacy)
+          image-name: ghcr.io/goauthentik/server,beryju/authentik
+      - name: Docker Login Registry
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to Docker Registry (org)
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_CORP_USERNAME }}
-          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -97,21 +92,16 @@ jobs:
         env:
           DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
-          image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }},authentik/${{ matrix.type }}
+          image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }}
       - name: make empty clients
         run: |
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
-      - name: Login to Docker Registry (legacy)
+      - name: Docker Login Registry
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to Docker Registry (org)
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_CORP_USERNAME }}
-          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
-| 2024.8.x  | ✅        |
 | 2024.10.x | ✅        |
+| 2024.12.x | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.10.5"
+__version__ = "2024.12.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -126,7 +126,7 @@ class Command(BaseCommand):
         def_name_perm = f"model_{model_path}_permissions"
         def_path_perm = f"#/$defs/{def_name_perm}"
         self.schema["$defs"][def_name_perm] = self.model_permissions(model)
-        return {
+        template = {
             "type": "object",
             "required": ["model", "identifiers"],
             "properties": {
@@ -143,6 +143,11 @@ class Command(BaseCommand):
                 "identifiers": {"$ref": def_path},
             },
         }
+        # Meta models don't require identifiers, as there's no matching database model to find
+        if issubclass(model, BaseMetaModel):
+            del template["properties"]["identifiers"]
+            template["required"].remove("identifiers")
+        return template
 
     def field_to_jsonschema(self, field: Field) -> dict:
         """Convert a single field to json schema"""

authentik/core/tasks.py

@@ -18,6 +18,7 @@ from authentik.core.models import (
 )
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
+from authentik.lib.utils.db import qs_batch_iter
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
@@ -34,14 +35,14 @@ def clean_expired_models(self: SystemTask):
             cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
         )
         amount = objects.count()
-        for obj in objects:
+        for obj in qs_batch_iter(objects):
             obj.expire_action()
         LOGGER.debug("Expired models", model=cls, amount=amount)
         messages.append(f"Expired {amount} {cls._meta.verbose_name_plural}")
     # Special case
     amount = 0
 
-    for session in AuthenticatedSession.objects.all():
+    for session in qs_batch_iter(AuthenticatedSession.objects.all()):
         match CONFIG.get("session_storage", "cache"):
             case "cache":
                 cache_key = f"{KEY_PREFIX}{session.session_key}"

authentik/events/tasks.py

@@ -15,6 +15,7 @@ from authentik.events.models import (
     TaskStatus,
 )
 from authentik.events.system_tasks import SystemTask, prefill_task
+from authentik.lib.utils.db import qs_batch_iter
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.models import PolicyBinding, PolicyEngineMode
 from authentik.root.celery import CELERY_APP
@@ -129,7 +130,8 @@ def gdpr_cleanup(user_pk: int):
     """cleanup events from gdpr_compliance"""
     events = Event.objects.filter(user__pk=user_pk)
     LOGGER.debug("GDPR cleanup, removing events from user", events=events.count())
-    events.delete()
+    for event in qs_batch_iter(events):
+        event.delete()
 
 
 @CELERY_APP.task(bind=True, base=SystemTask)
@@ -138,7 +140,7 @@ def notification_cleanup(self: SystemTask):
     """Cleanup seen notifications and notifications whose event expired."""
     notifications = Notification.objects.filter(Q(event=None) | Q(seen=True))
     amount = notifications.count()
-    for notification in notifications:
+    for notification in qs_batch_iter(notifications):
         notification.delete()
     LOGGER.debug("Expired notifications", amount=amount)
     self.set_status(TaskStatus.SUCCESSFUL, f"Expired {amount} Notifications")

authentik/lib/config.py

@@ -280,9 +280,24 @@ class ConfigLoader:
             self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
             return default
 
+    def get_optional_int(self, path: str, default=None) -> int | None:
+        """Wrapper for get that converts value into int or None if set"""
+        value = self.get(path, default)
+
+        try:
+            return int(value)
+        except (ValueError, TypeError) as exc:
+            if value is None or (isinstance(value, str) and value.lower() == "null"):
+                return None
+            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
+            return default
+
     def get_bool(self, path: str, default=False) -> bool:
         """Wrapper for get that converts value into boolean"""
-        return str(self.get(path, default)).lower() == "true"
+        value = self.get(path, UNSET)
+        if value is UNSET:
+            return default
+        return str(self.get(path)).lower() == "true"
 
     def get_keys(self, path: str, sep=".") -> list[str]:
         """List attribute keys by using yaml path"""
@@ -354,20 +369,33 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
                 "sslcert": config.get("postgresql.sslcert"),
                 "sslkey": config.get("postgresql.sslkey"),
             },
+            "CONN_MAX_AGE": CONFIG.get_optional_int("postgresql.conn_max_age", 0),
+            "CONN_HEALTH_CHECKS": CONFIG.get_bool("postgresql.conn_health_checks", False),
+            "DISABLE_SERVER_SIDE_CURSORS": CONFIG.get_bool(
+                "postgresql.disable_server_side_cursors", False
+            ),
             "TEST": {
                 "NAME": config.get("postgresql.test.name"),
             },
         }
     }
 
+    conn_max_age = CONFIG.get_optional_int("postgresql.conn_max_age", UNSET)
+    disable_server_side_cursors = CONFIG.get_bool("postgresql.disable_server_side_cursors", UNSET)
     if config.get_bool("postgresql.use_pgpool", False):
         db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
+        if disable_server_side_cursors is not UNSET:
+            db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = disable_server_side_cursors
 
     if config.get_bool("postgresql.use_pgbouncer", False):
         # https://docs.djangoproject.com/en/4.0/ref/databases/#transaction-pooling-server-side-cursors
         db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = True
         # https://docs.djangoproject.com/en/4.0/ref/databases/#persistent-connections
         db["default"]["CONN_MAX_AGE"] = None  # persistent
+        if disable_server_side_cursors is not UNSET:
+            db["default"]["DISABLE_SERVER_SIDE_CURSORS"] = disable_server_side_cursors
+        if conn_max_age is not UNSET:
+            db["default"]["CONN_MAX_AGE"] = conn_max_age
 
     for replica in config.get_keys("postgresql.read_replicas"):
         _database = deepcopy(db["default"])

authentik/lib/default.yml

@@ -6,8 +6,6 @@ postgresql:
   user: authentik
   port: 5432
   password: "env://POSTGRES_PASSWORD"
-  use_pgbouncer: false
-  use_pgpool: false
   test:
     name: test_authentik
   read_replicas: {}

authentik/lib/tests/test_config.py

@@ -214,6 +214,9 @@ class TestConfig(TestCase):
                     "PORT": "foo",
                     "TEST": {"NAME": "foo"},
                     "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
                 }
             },
         )
@@ -251,6 +254,9 @@ class TestConfig(TestCase):
                     "PORT": "foo",
                     "TEST": {"NAME": "foo"},
                     "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
                 },
                 "replica_0": {
                     "ENGINE": "authentik.root.db",
@@ -266,6 +272,72 @@ class TestConfig(TestCase):
                     "PORT": "foo",
                     "TEST": {"NAME": "foo"},
                     "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                },
+            },
+        )
+
+    def test_db_read_replicas_pgbouncer(self):
+        """Test read replicas"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.sslmode", "foo")
+        config.set("postgresql.sslrootcert", "foo")
+        config.set("postgresql.sslcert", "foo")
+        config.set("postgresql.sslkey", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pgbouncer", True)
+        # Read replica
+        config.set("postgresql.read_replicas.0.host", "bar")
+        # Override conn_max_age
+        config.set("postgresql.read_replicas.0.conn_max_age", 10)
+        # This isn't supported
+        config.set("postgresql.read_replicas.0.use_pgbouncer", False)
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": None,
+                    "CONN_HEALTH_CHECKS": False,
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "sslcert": "foo",
+                        "sslkey": "foo",
+                        "sslmode": "foo",
+                        "sslrootcert": "foo",
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                },
+                "replica_0": {
+                    "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": 10,
+                    "CONN_HEALTH_CHECKS": False,
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "bar",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "sslcert": "foo",
+                        "sslkey": "foo",
+                        "sslmode": "foo",
+                        "sslrootcert": "foo",
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
                 },
             },
         )
@@ -294,6 +366,8 @@ class TestConfig(TestCase):
             {
                 "default": {
                     "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                     "ENGINE": "authentik.root.db",
                     "HOST": "foo",
                     "NAME": "foo",
@@ -310,6 +384,8 @@ class TestConfig(TestCase):
                 },
                 "replica_0": {
                     "DISABLE_SERVER_SIDE_CURSORS": True,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                     "ENGINE": "authentik.root.db",
                     "HOST": "bar",
                     "NAME": "foo",
@@ -362,6 +438,9 @@ class TestConfig(TestCase):
                     "PORT": "foo",
                     "TEST": {"NAME": "foo"},
                     "USER": "foo",
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                 },
                 "replica_0": {
                     "ENGINE": "authentik.root.db",
@@ -377,6 +456,9 @@ class TestConfig(TestCase):
                     "PORT": "foo",
                     "TEST": {"NAME": "foo"},
                     "USER": "foo",
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
                 },
             },
         )

authentik/lib/utils/db.py

@@ -0,0 +1,22 @@
+"""authentik database utilities"""
+
+import gc
+
+from django.db.models import QuerySet
+
+
+def qs_batch_iter(qs: QuerySet, batch_size: int = 10_000, gc_collect: bool = True):
+    pk_iter = qs.values_list("pk", flat=True).order_by("pk").distinct().iterator()
+    eof = False
+    while not eof:
+        pk_buffer = []
+        i = 0
+        try:
+            while i < batch_size:
+                pk_buffer.append(pk_iter.next())
+                i += 1
+        except StopIteration:
+            eof = True
+        yield from qs.filter(pk__in=pk_buffer).order_by("pk").iterator()
+        if gc_collect:
+            gc.collect()

authentik/providers/saml/api/providers.py

@@ -54,9 +54,23 @@ class SAMLProviderSerializer(ProviderSerializer):
         if "request" not in self._context:
             return ""
         request: HttpRequest = self._context["request"]._request
-        return request.build_absolute_uri(
-            reverse("authentik_api:samlprovider-metadata", kwargs={"pk": instance.pk}) + "?download"
-        )
+        try:
+            return request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:metadata-download",
+                    kwargs={"application_slug": instance.application.slug},
+                )
+            )
+        except Provider.application.RelatedObjectDoesNotExist:
+            return request.build_absolute_uri(
+                reverse(
+                    "authentik_api:samlprovider-metadata",
+                    kwargs={
+                        "pk": instance.pk,
+                    },
+                )
+                + "?download"
+            )
 
     def get_url_sso_post(self, instance: SAMLProvider) -> str:
         """Get SSO Post URL"""

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.10.5 Blueprint schema",
+    "title": "authentik 2024.12.0 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -3884,8 +3884,7 @@
                     {
                         "type": "object",
                         "required": [
-                            "model",
-                            "identifiers"
+                            "model"
                         ],
                         "properties": {
                             "model": {
@@ -3915,9 +3914,6 @@
                             },
                             "attrs": {
                                 "$ref": "#/$defs/model_authentik_blueprints.metaapplyblueprint"
-                            },
-                            "identifiers": {
-                                "$ref": "#/$defs/model_authentik_blueprints.metaapplyblueprint"
                             }
                         }
                     }

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.0}
     restart: unless-stopped
     command: server
     environment:
@@ -54,7 +54,7 @@ services:
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.0}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024105.3
+	goauthentik.io/api/v3 v3.2024105.5
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.24.0
 	golang.org/x/sync v0.10.0

go.sum

@@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024105.3 h1:Vl1vwPkCtA8hChsxwO3NUI8nupFC7r93jUHvqM+kYVw=
-goauthentik.io/api/v3 v3.2024105.3/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024105.5 h1:zBDqIjWN5QNuL6iBLL4o9QwBsSkFQdAnyTjASsyE/fw=
+goauthentik.io/api/v3 v3.2024105.5/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.10.5"
+const VERSION = "2024.12.0"

locale/en/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-12-18 13:31+0000\n"
+"POT-Creation-Date: 2024-12-20 00:08+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -101,6 +101,10 @@ msgstr ""
 msgid "Brands"
 msgstr ""
 
+#: authentik/core/api/application_entitlements.py
+msgid "User does not have access to application."
+msgstr ""
+
 #: authentik/core/api/devices.py
 msgid "Extra description not available"
 msgstr ""
@@ -225,6 +229,14 @@ msgstr ""
 msgid "Applications"
 msgstr ""
 
+#: authentik/core/models.py
+msgid "Application Entitlement"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Application Entitlements"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Use the source-specific identifier"
 msgstr ""

locale/zh-Hans/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-26 00:09+0000\n"
+"POT-Creation-Date: 2024-12-18 13:31+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@@ -1898,6 +1898,10 @@ msgstr "Kerberos 领域"
 msgid "Custom krb5.conf to use. Uses the system one by default"
 msgstr "要使用的自定义 krb5.conf。默认使用系统自带"
 
+#: authentik/sources/kerberos/models.py
+msgid "KAdmin server type"
+msgstr "KAdmin 服务器类型"
+
 #: authentik/sources/kerberos/models.py
 msgid "Sync users from Kerberos into authentik"
 msgstr "从 Kerberos 同步用户到 authentik"
@@ -2858,7 +2862,7 @@ msgstr ""
 #, python-format
 msgid ""
 "\n"
-"    If you did not request a password change, please ignore this Email. The link above is valid for %(expires)s.\n"
+"    If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 "    "
 msgstr ""
 "\n"
@@ -2882,7 +2886,7 @@ msgstr ""
 #, python-format
 msgid ""
 "\n"
-"If you did not request a password change, please ignore this Email. The link above is valid for %(expires)s.\n"
+"If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 msgstr ""
 "\n"
 "如果您没有请求更改密码，请忽略此电子邮件。上面的链接在 %(expires)s 内有效。\n"
@@ -3151,6 +3155,22 @@ msgstr "输入阶段"
 msgid "Passwords don't match."
 msgstr "密码不匹配。"
 
+#: authentik/stages/redirect/api.py
+msgid "Target URL should be present when mode is Static."
+msgstr "当模式为静态时，目标 URL 应存在。"
+
+#: authentik/stages/redirect/api.py
+msgid "Target Flow should be present when mode is Flow."
+msgstr "当模式为流程时，目标流程应存在。"
+
+#: authentik/stages/redirect/models.py
+msgid "Redirect Stage"
+msgstr "重定向阶段"
+
+#: authentik/stages/redirect/models.py
+msgid "Redirect Stages"
+msgstr "重定向阶段"
+
 #: authentik/stages/user_delete/models.py
 msgid "User Delete Stage"
 msgstr "用户删除阶段"

locale/zh_CN/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-11-26 00:09+0000\n"
+"POT-Creation-Date: 2024-12-18 13:31+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2024\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@@ -1897,6 +1897,10 @@ msgstr "Kerberos 领域"
 msgid "Custom krb5.conf to use. Uses the system one by default"
 msgstr "要使用的自定义 krb5.conf。默认使用系统自带"
 
+#: authentik/sources/kerberos/models.py
+msgid "KAdmin server type"
+msgstr "KAdmin 服务器类型"
+
 #: authentik/sources/kerberos/models.py
 msgid "Sync users from Kerberos into authentik"
 msgstr "从 Kerberos 同步用户到 authentik"
@@ -2857,7 +2861,7 @@ msgstr ""
 #, python-format
 msgid ""
 "\n"
-"    If you did not request a password change, please ignore this Email. The link above is valid for %(expires)s.\n"
+"    If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 "    "
 msgstr ""
 "\n"
@@ -2881,7 +2885,7 @@ msgstr ""
 #, python-format
 msgid ""
 "\n"
-"If you did not request a password change, please ignore this Email. The link above is valid for %(expires)s.\n"
+"If you did not request a password change, please ignore this email. The link above is valid for %(expires)s.\n"
 msgstr ""
 "\n"
 "如果您没有请求更改密码，请忽略此电子邮件。上面的链接在 %(expires)s 内有效。\n"
@@ -3150,6 +3154,22 @@ msgstr "输入阶段"
 msgid "Passwords don't match."
 msgstr "密码不匹配。"
 
+#: authentik/stages/redirect/api.py
+msgid "Target URL should be present when mode is Static."
+msgstr "当模式为静态时，目标 URL 应存在。"
+
+#: authentik/stages/redirect/api.py
+msgid "Target Flow should be present when mode is Flow."
+msgstr "当模式为流程时，目标流程应存在。"
+
+#: authentik/stages/redirect/models.py
+msgid "Redirect Stage"
+msgstr "重定向阶段"
+
+#: authentik/stages/redirect/models.py
+msgid "Redirect Stages"
+msgstr "重定向阶段"
+
 #: authentik/stages/user_delete/models.py
 msgid "User Delete Stage"
 msgstr "用户删除阶段"

package.json

@@ -1,5 +1,5 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2024.10.5",
+    "version": "2024.12.0",
     "private": true
 }

poetry.lock

@@ -1922,13 +1922,13 @@ grpcio-gcp = ["grpcio-gcp (>=0.2.2,<1.0.dev0)"]
 
 [[package]]
 name = "google-api-python-client"
-version = "2.155.0"
+version = "2.156.0"
 description = "Google API Client Library for Python"
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "google_api_python_client-2.155.0-py2.py3-none-any.whl", hash = "sha256:83fe9b5aa4160899079d7c93a37be306546a17e6686e2549bcc9584f1a229747"},
-    {file = "google_api_python_client-2.155.0.tar.gz", hash = "sha256:25529f89f0d13abcf3c05c089c423fb2858ac16e0b3727543393468d0d7af67c"},
+    {file = "google_api_python_client-2.156.0-py2.py3-none-any.whl", hash = "sha256:6352185c505e1f311f11b0b96c1b636dcb0fec82cd04b80ac5a671ac4dcab339"},
+    {file = "google_api_python_client-2.156.0.tar.gz", hash = "sha256:b809c111ded61716a9c1c7936e6899053f13bae3defcdfda904bd2ca68065b9c"},
 ]
 
 [package.dependencies]
@@ -3107,13 +3107,13 @@ dev = ["bumpver", "isort", "mypy", "pylint", "pytest", "yapf"]
 
 [[package]]
 name = "msgraph-sdk"
-version = "1.14.0"
+version = "1.15.0"
 description = "The Microsoft Graph Python SDK"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "msgraph_sdk-1.14.0-py3-none-any.whl", hash = "sha256:1a2f327dc8fbe5a5e6d0d84cf71d605e7b118b3066b1e16f011ccd8fd927bb03"},
-    {file = "msgraph_sdk-1.14.0.tar.gz", hash = "sha256:5bbda80941c5d1794682753b8b291bd2ebed719a43d6de949fd0cd613b6dfbbd"},
+    {file = "msgraph_sdk-1.15.0-py3-none-any.whl", hash = "sha256:85332db7ee19eb3d65a2493de83994ce3f5e4d9a084b3643ff6dea797cda81a7"},
+    {file = "msgraph_sdk-1.15.0.tar.gz", hash = "sha256:c920e72cc9de2218f9f9f71682db22ea544d9b440a5f088892bfca686c546b91"},
 ]
 
 [package.dependencies]
@@ -3881,19 +3881,19 @@ files = [
 
 [[package]]
 name = "pydantic"
-version = "2.10.3"
+version = "2.10.4"
 description = "Data validation using Python type hints"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pydantic-2.10.3-py3-none-any.whl", hash = "sha256:be04d85bbc7b65651c5f8e6b9976ed9c6f41782a55524cef079a34a0bb82144d"},
-    {file = "pydantic-2.10.3.tar.gz", hash = "sha256:cb5ac360ce894ceacd69c403187900a02c4b20b693a9dd1d643e1effab9eadf9"},
+    {file = "pydantic-2.10.4-py3-none-any.whl", hash = "sha256:597e135ea68be3a37552fb524bc7d0d66dcf93d395acd93a00682f1efcb8ee3d"},
+    {file = "pydantic-2.10.4.tar.gz", hash = "sha256:82f12e9723da6de4fe2ba888b5971157b3be7ad914267dea8f05f82b28254f06"},
 ]
 
 [package.dependencies]
 annotated-types = ">=0.6.0"
 email-validator = {version = ">=2.0.0", optional = true, markers = "extra == \"email\""}
-pydantic-core = "2.27.1"
+pydantic-core = "2.27.2"
 typing-extensions = ">=4.12.2"
 
 [package.extras]
@@ -3902,111 +3902,111 @@ timezone = ["tzdata"]
 
 [[package]]
 name = "pydantic-core"
-version = "2.27.1"
+version = "2.27.2"
 description = "Core functionality for Pydantic validation and serialization"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "pydantic_core-2.27.1-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:71a5e35c75c021aaf400ac048dacc855f000bdfed91614b4a726f7432f1f3d6a"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:f82d068a2d6ecfc6e054726080af69a6764a10015467d7d7b9f66d6ed5afa23b"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:121ceb0e822f79163dd4699e4c54f5ad38b157084d97b34de8b232bcaad70278"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:4603137322c18eaf2e06a4495f426aa8d8388940f3c457e7548145011bb68e05"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a33cd6ad9017bbeaa9ed78a2e0752c5e250eafb9534f308e7a5f7849b0b1bfb4"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:15cc53a3179ba0fcefe1e3ae50beb2784dede4003ad2dfd24f81bba4b23a454f"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:45d9c5eb9273aa50999ad6adc6be5e0ecea7e09dbd0d31bd0c65a55a2592ca08"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:8bf7b66ce12a2ac52d16f776b31d16d91033150266eb796967a7e4621707e4f6"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:655d7dd86f26cb15ce8a431036f66ce0318648f8853d709b4167786ec2fa4807"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-musllinux_1_1_armv7l.whl", hash = "sha256:5556470f1a2157031e676f776c2bc20acd34c1990ca5f7e56f1ebf938b9ab57c"},
-    {file = "pydantic_core-2.27.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:f69ed81ab24d5a3bd93861c8c4436f54afdf8e8cc421562b0c7504cf3be58206"},
-    {file = "pydantic_core-2.27.1-cp310-none-win32.whl", hash = "sha256:f5a823165e6d04ccea61a9f0576f345f8ce40ed533013580e087bd4d7442b52c"},
-    {file = "pydantic_core-2.27.1-cp310-none-win_amd64.whl", hash = "sha256:57866a76e0b3823e0b56692d1a0bf722bffb324839bb5b7226a7dbd6c9a40b17"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:ac3b20653bdbe160febbea8aa6c079d3df19310d50ac314911ed8cc4eb7f8cb8"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:a5a8e19d7c707c4cadb8c18f5f60c843052ae83c20fa7d44f41594c644a1d330"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7f7059ca8d64fea7f238994c97d91f75965216bcbe5f695bb44f354893f11d52"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:bed0f8a0eeea9fb72937ba118f9db0cb7e90773462af7962d382445f3005e5a4"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a3cb37038123447cf0f3ea4c74751f6a9d7afef0eb71aa07bf5f652b5e6a132c"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:84286494f6c5d05243456e04223d5a9417d7f443c3b76065e75001beb26f88de"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:acc07b2cfc5b835444b44a9956846b578d27beeacd4b52e45489e93276241025"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:4fefee876e07a6e9aad7a8c8c9f85b0cdbe7df52b8a9552307b09050f7512c7e"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:258c57abf1188926c774a4c94dd29237e77eda19462e5bb901d88adcab6af919"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:35c14ac45fcfdf7167ca76cc80b2001205a8d5d16d80524e13508371fb8cdd9c"},
-    {file = "pydantic_core-2.27.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:d1b26e1dff225c31897696cab7d4f0a315d4c0d9e8666dbffdb28216f3b17fdc"},
-    {file = "pydantic_core-2.27.1-cp311-none-win32.whl", hash = "sha256:2cdf7d86886bc6982354862204ae3b2f7f96f21a3eb0ba5ca0ac42c7b38598b9"},
-    {file = "pydantic_core-2.27.1-cp311-none-win_amd64.whl", hash = "sha256:3af385b0cee8df3746c3f406f38bcbfdc9041b5c2d5ce3e5fc6637256e60bbc5"},
-    {file = "pydantic_core-2.27.1-cp311-none-win_arm64.whl", hash = "sha256:81f2ec23ddc1b476ff96563f2e8d723830b06dceae348ce02914a37cb4e74b89"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:9cbd94fc661d2bab2bc702cddd2d3370bbdcc4cd0f8f57488a81bcce90c7a54f"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:5f8c4718cd44ec1580e180cb739713ecda2bdee1341084c1467802a417fe0f02"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:15aae984e46de8d376df515f00450d1522077254ef6b7ce189b38ecee7c9677c"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:1ba5e3963344ff25fc8c40da90f44b0afca8cfd89d12964feb79ac1411a260ac"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:992cea5f4f3b29d6b4f7f1726ed8ee46c8331c6b4eed6db5b40134c6fe1768bb"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0325336f348dbee6550d129b1627cb8f5351a9dc91aad141ffb96d4937bd9529"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7597c07fbd11515f654d6ece3d0e4e5093edc30a436c63142d9a4b8e22f19c35"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:3bbd5d8cc692616d5ef6fbbbd50dbec142c7e6ad9beb66b78a96e9c16729b089"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:dc61505e73298a84a2f317255fcc72b710b72980f3a1f670447a21efc88f8381"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-musllinux_1_1_armv7l.whl", hash = "sha256:e1f735dc43da318cad19b4173dd1ffce1d84aafd6c9b782b3abc04a0d5a6f5bb"},
-    {file = "pydantic_core-2.27.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:f4e5658dbffe8843a0f12366a4c2d1c316dbe09bb4dfbdc9d2d9cd6031de8aae"},
-    {file = "pydantic_core-2.27.1-cp312-none-win32.whl", hash = "sha256:672ebbe820bb37988c4d136eca2652ee114992d5d41c7e4858cdd90ea94ffe5c"},
-    {file = "pydantic_core-2.27.1-cp312-none-win_amd64.whl", hash = "sha256:66ff044fd0bb1768688aecbe28b6190f6e799349221fb0de0e6f4048eca14c16"},
-    {file = "pydantic_core-2.27.1-cp312-none-win_arm64.whl", hash = "sha256:9a3b0793b1bbfd4146304e23d90045f2a9b5fd5823aa682665fbdaf2a6c28f3e"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:f216dbce0e60e4d03e0c4353c7023b202d95cbaeff12e5fd2e82ea0a66905073"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:a2e02889071850bbfd36b56fd6bc98945e23670773bc7a76657e90e6b6603c08"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42b0e23f119b2b456d07ca91b307ae167cc3f6c846a7b169fca5326e32fdc6cf"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:764be71193f87d460a03f1f7385a82e226639732214b402f9aa61f0d025f0737"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1c00666a3bd2f84920a4e94434f5974d7bbc57e461318d6bb34ce9cdbbc1f6b2"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3ccaa88b24eebc0f849ce0a4d09e8a408ec5a94afff395eb69baf868f5183107"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c65af9088ac534313e1963443d0ec360bb2b9cba6c2909478d22c2e363d98a51"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:206b5cf6f0c513baffaeae7bd817717140770c74528f3e4c3e1cec7871ddd61a"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:062f60e512fc7fff8b8a9d680ff0ddaaef0193dba9fa83e679c0c5f5fbd018bc"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-musllinux_1_1_armv7l.whl", hash = "sha256:a0697803ed7d4af5e4c1adf1670af078f8fcab7a86350e969f454daf598c4960"},
-    {file = "pydantic_core-2.27.1-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:58ca98a950171f3151c603aeea9303ef6c235f692fe555e883591103da709b23"},
-    {file = "pydantic_core-2.27.1-cp313-none-win32.whl", hash = "sha256:8065914ff79f7eab1599bd80406681f0ad08f8e47c880f17b416c9f8f7a26d05"},
-    {file = "pydantic_core-2.27.1-cp313-none-win_amd64.whl", hash = "sha256:ba630d5e3db74c79300d9a5bdaaf6200172b107f263c98a0539eeecb857b2337"},
-    {file = "pydantic_core-2.27.1-cp313-none-win_arm64.whl", hash = "sha256:45cf8588c066860b623cd11c4ba687f8d7175d5f7ef65f7129df8a394c502de5"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-macosx_10_12_x86_64.whl", hash = "sha256:5897bec80a09b4084aee23f9b73a9477a46c3304ad1d2d07acca19723fb1de62"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:d0165ab2914379bd56908c02294ed8405c252250668ebcb438a55494c69f44ab"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6b9af86e1d8e4cfc82c2022bfaa6f459381a50b94a29e95dcdda8442d6d83864"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5f6c8a66741c5f5447e047ab0ba7a1c61d1e95580d64bce852e3df1f895c4067"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9a42d6a8156ff78981f8aa56eb6394114e0dedb217cf8b729f438f643608cbcd"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:64c65f40b4cd8b0e049a8edde07e38b476da7e3aaebe63287c899d2cff253fa5"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9fdcf339322a3fae5cbd504edcefddd5a50d9ee00d968696846f089b4432cf78"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:bf99c8404f008750c846cb4ac4667b798a9f7de673ff719d705d9b2d6de49c5f"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:8f1edcea27918d748c7e5e4d917297b2a0ab80cad10f86631e488b7cddf76a36"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-musllinux_1_1_armv7l.whl", hash = "sha256:159cac0a3d096f79ab6a44d77a961917219707e2a130739c64d4dd46281f5c2a"},
-    {file = "pydantic_core-2.27.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:029d9757eb621cc6e1848fa0b0310310de7301057f623985698ed7ebb014391b"},
-    {file = "pydantic_core-2.27.1-cp38-none-win32.whl", hash = "sha256:a28af0695a45f7060e6f9b7092558a928a28553366519f64083c63a44f70e618"},
-    {file = "pydantic_core-2.27.1-cp38-none-win_amd64.whl", hash = "sha256:2d4567c850905d5eaaed2f7a404e61012a51caf288292e016360aa2b96ff38d4"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:e9386266798d64eeb19dd3677051f5705bf873e98e15897ddb7d76f477131967"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:4228b5b646caa73f119b1ae756216b59cc6e2267201c27d3912b592c5e323b60"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0b3dfe500de26c52abe0477dde16192ac39c98f05bf2d80e76102d394bd13854"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:aee66be87825cdf72ac64cb03ad4c15ffef4143dbf5c113f64a5ff4f81477bf9"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3b748c44bb9f53031c8cbc99a8a061bc181c1000c60a30f55393b6e9c45cc5bd"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:5ca038c7f6a0afd0b2448941b6ef9d5e1949e999f9e5517692eb6da58e9d44be"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6e0bd57539da59a3e4671b90a502da9a28c72322a4f17866ba3ac63a82c4498e"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:ac6c2c45c847bbf8f91930d88716a0fb924b51e0c6dad329b793d670ec5db792"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:b94d4ba43739bbe8b0ce4262bcc3b7b9f31459ad120fb595627eaeb7f9b9ca01"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-musllinux_1_1_armv7l.whl", hash = "sha256:00e6424f4b26fe82d44577b4c842d7df97c20be6439e8e685d0d715feceb9fb9"},
-    {file = "pydantic_core-2.27.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:38de0a70160dd97540335b7ad3a74571b24f1dc3ed33f815f0880682e6880131"},
-    {file = "pydantic_core-2.27.1-cp39-none-win32.whl", hash = "sha256:7ccebf51efc61634f6c2344da73e366c75e735960b5654b63d7e6f69a5885fa3"},
-    {file = "pydantic_core-2.27.1-cp39-none-win_amd64.whl", hash = "sha256:a57847b090d7892f123726202b7daa20df6694cbd583b67a592e856bff603d6c"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:3fa80ac2bd5856580e242dbc202db873c60a01b20309c8319b5c5986fbe53ce6"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:d950caa237bb1954f1b8c9227b5065ba6875ac9771bb8ec790d956a699b78676"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0e4216e64d203e39c62df627aa882f02a2438d18a5f21d7f721621f7a5d3611d"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:02a3d637bd387c41d46b002f0e49c52642281edacd2740e5a42f7017feea3f2c"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:161c27ccce13b6b0c8689418da3885d3220ed2eae2ea5e9b2f7f3d48f1d52c27"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:19910754e4cc9c63bc1c7f6d73aa1cfee82f42007e407c0f413695c2f7ed777f"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:e173486019cc283dc9778315fa29a363579372fe67045e971e89b6365cc035ed"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:af52d26579b308921b73b956153066481f064875140ccd1dfd4e77db89dbb12f"},
-    {file = "pydantic_core-2.27.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:981fb88516bd1ae8b0cbbd2034678a39dedc98752f264ac9bc5839d3923fa04c"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:5fde892e6c697ce3e30c61b239330fc5d569a71fefd4eb6512fc6caec9dd9e2f"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:816f5aa087094099fff7edabb5e01cc370eb21aa1a1d44fe2d2aefdfb5599b31"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9c10c309e18e443ddb108f0ef64e8729363adbfd92d6d57beec680f6261556f3"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:98476c98b02c8e9b2eec76ac4156fd006628b1b2d0ef27e548ffa978393fd154"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:c3027001c28434e7ca5a6e1e527487051136aa81803ac812be51802150d880dd"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:7699b1df36a48169cdebda7ab5a2bac265204003f153b4bd17276153d997670a"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:1c39b07d90be6b48968ddc8c19e7585052088fd7ec8d568bb31ff64c70ae3c97"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:46ccfe3032b3915586e469d4972973f893c0a2bb65669194a5bdea9bacc088c2"},
-    {file = "pydantic_core-2.27.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:62ba45e21cf6571d7f716d903b5b7b6d2617e2d5d67c0923dc47b9d41369f840"},
-    {file = "pydantic_core-2.27.1.tar.gz", hash = "sha256:62a763352879b84aa31058fc931884055fd75089cccbd9d58bb6afd01141b235"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-macosx_10_12_x86_64.whl", hash = "sha256:2d367ca20b2f14095a8f4fa1210f5a7b78b8a20009ecced6b12818f455b1e9fa"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:491a2b73db93fab69731eaee494f320faa4e093dbed776be1a829c2eb222c34c"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7969e133a6f183be60e9f6f56bfae753585680f3b7307a8e555a948d443cc05a"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:3de9961f2a346257caf0aa508a4da705467f53778e9ef6fe744c038119737ef5"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e2bb4d3e5873c37bb3dd58714d4cd0b0e6238cebc4177ac8fe878f8b3aa8e74c"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:280d219beebb0752699480fe8f1dc61ab6615c2046d76b7ab7ee38858de0a4e7"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47956ae78b6422cbd46f772f1746799cbb862de838fd8d1fbd34a82e05b0983a"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:14d4a5c49d2f009d62a2a7140d3064f686d17a5d1a268bc641954ba181880236"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:337b443af21d488716f8d0b6164de833e788aa6bd7e3a39c005febc1284f4962"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-musllinux_1_1_armv7l.whl", hash = "sha256:03d0f86ea3184a12f41a2d23f7ccb79cdb5a18e06993f8a45baa8dfec746f0e9"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:7041c36f5680c6e0f08d922aed302e98b3745d97fe1589db0a3eebf6624523af"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-win32.whl", hash = "sha256:50a68f3e3819077be2c98110c1f9dcb3817e93f267ba80a2c05bb4f8799e2ff4"},
+    {file = "pydantic_core-2.27.2-cp310-cp310-win_amd64.whl", hash = "sha256:e0fd26b16394ead34a424eecf8a31a1f5137094cabe84a1bcb10fa6ba39d3d31"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-macosx_10_12_x86_64.whl", hash = "sha256:8e10c99ef58cfdf2a66fc15d66b16c4a04f62bca39db589ae8cba08bc55331bc"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:26f32e0adf166a84d0cb63be85c562ca8a6fa8de28e5f0d92250c6b7e9e2aff7"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8c19d1ea0673cd13cc2f872f6c9ab42acc4e4f492a7ca9d3795ce2b112dd7e15"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5e68c4446fe0810e959cdff46ab0a41ce2f2c86d227d96dc3847af0ba7def306"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d9640b0059ff4f14d1f37321b94061c6db164fbe49b334b31643e0528d100d99"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:40d02e7d45c9f8af700f3452f329ead92da4c5f4317ca9b896de7ce7199ea459"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1c1fd185014191700554795c99b347d64f2bb637966c4cfc16998a0ca700d048"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d81d2068e1c1228a565af076598f9e7451712700b673de8f502f0334f281387d"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:1a4207639fb02ec2dbb76227d7c751a20b1a6b4bc52850568e52260cae64ca3b"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-musllinux_1_1_armv7l.whl", hash = "sha256:3de3ce3c9ddc8bbd88f6e0e304dea0e66d843ec9de1b0042b0911c1663ffd474"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:30c5f68ded0c36466acede341551106821043e9afaad516adfb6e8fa80a4e6a6"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-win32.whl", hash = "sha256:c70c26d2c99f78b125a3459f8afe1aed4d9687c24fd677c6a4436bc042e50d6c"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-win_amd64.whl", hash = "sha256:08e125dbdc505fa69ca7d9c499639ab6407cfa909214d500897d02afb816e7cc"},
+    {file = "pydantic_core-2.27.2-cp311-cp311-win_arm64.whl", hash = "sha256:26f0d68d4b235a2bae0c3fc585c585b4ecc51382db0e3ba402a22cbc440915e4"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-macosx_10_12_x86_64.whl", hash = "sha256:9e0c8cfefa0ef83b4da9588448b6d8d2a2bf1a53c3f1ae5fca39eb3061e2f0b0"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:83097677b8e3bd7eaa6775720ec8e0405f1575015a463285a92bfdfe254529ef"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:172fce187655fece0c90d90a678424b013f8fbb0ca8b036ac266749c09438cb7"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:519f29f5213271eeeeb3093f662ba2fd512b91c5f188f3bb7b27bc5973816934"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:05e3a55d124407fffba0dd6b0c0cd056d10e983ceb4e5dbd10dda135c31071d6"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9c3ed807c7b91de05e63930188f19e921d1fe90de6b4f5cd43ee7fcc3525cb8c"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6fb4aadc0b9a0c063206846d603b92030eb6f03069151a625667f982887153e2"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:28ccb213807e037460326424ceb8b5245acb88f32f3d2777427476e1b32c48c4"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:de3cd1899e2c279b140adde9357c4495ed9d47131b4a4eaff9052f23398076b3"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-musllinux_1_1_armv7l.whl", hash = "sha256:220f892729375e2d736b97d0e51466252ad84c51857d4d15f5e9692f9ef12be4"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:a0fcd29cd6b4e74fe8ddd2c90330fd8edf2e30cb52acda47f06dd615ae72da57"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-win32.whl", hash = "sha256:1e2cb691ed9834cd6a8be61228471d0a503731abfb42f82458ff27be7b2186fc"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-win_amd64.whl", hash = "sha256:cc3f1a99a4f4f9dd1de4fe0312c114e740b5ddead65bb4102884b384c15d8bc9"},
+    {file = "pydantic_core-2.27.2-cp312-cp312-win_arm64.whl", hash = "sha256:3911ac9284cd8a1792d3cb26a2da18f3ca26c6908cc434a18f730dc0db7bfa3b"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-macosx_10_12_x86_64.whl", hash = "sha256:7d14bd329640e63852364c306f4d23eb744e0f8193148d4044dd3dacdaacbd8b"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:82f91663004eb8ed30ff478d77c4d1179b3563df6cdb15c0817cd1cdaf34d154"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:71b24c7d61131bb83df10cc7e687433609963a944ccf45190cfc21e0887b08c9"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:fa8e459d4954f608fa26116118bb67f56b93b209c39b008277ace29937453dc9"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ce8918cbebc8da707ba805b7fd0b382816858728ae7fe19a942080c24e5b7cd1"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:eda3f5c2a021bbc5d976107bb302e0131351c2ba54343f8a496dc8783d3d3a6a"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bd8086fa684c4775c27f03f062cbb9eaa6e17f064307e86b21b9e0abc9c0f02e"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:8d9b3388db186ba0c099a6d20f0604a44eabdeef1777ddd94786cdae158729e4"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:7a66efda2387de898c8f38c0cf7f14fca0b51a8ef0b24bfea5849f1b3c95af27"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-musllinux_1_1_armv7l.whl", hash = "sha256:18a101c168e4e092ab40dbc2503bdc0f62010e95d292b27827871dc85450d7ee"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:ba5dd002f88b78a4215ed2f8ddbdf85e8513382820ba15ad5ad8955ce0ca19a1"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-win32.whl", hash = "sha256:1ebaf1d0481914d004a573394f4be3a7616334be70261007e47c2a6fe7e50130"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-win_amd64.whl", hash = "sha256:953101387ecf2f5652883208769a79e48db18c6df442568a0b5ccd8c2723abee"},
+    {file = "pydantic_core-2.27.2-cp313-cp313-win_arm64.whl", hash = "sha256:ac4dbfd1691affb8f48c2c13241a2e3b60ff23247cbcf981759c768b6633cf8b"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-macosx_10_12_x86_64.whl", hash = "sha256:d3e8d504bdd3f10835468f29008d72fc8359d95c9c415ce6e767203db6127506"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:521eb9b7f036c9b6187f0b47318ab0d7ca14bd87f776240b90b21c1f4f149320"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:85210c4d99a0114f5a9481b44560d7d1e35e32cc5634c656bc48e590b669b145"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:d716e2e30c6f140d7560ef1538953a5cd1a87264c737643d481f2779fc247fe1"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f66d89ba397d92f840f8654756196d93804278457b5fbede59598a1f9f90b228"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:669e193c1c576a58f132e3158f9dfa9662969edb1a250c54d8fa52590045f046"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9fdbe7629b996647b99c01b37f11170a57ae675375b14b8c13b8518b8320ced5"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d262606bf386a5ba0b0af3b97f37c83d7011439e3dc1a9298f21efb292e42f1a"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:cabb9bcb7e0d97f74df8646f34fc76fbf793b7f6dc2438517d7a9e50eee4f14d"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-musllinux_1_1_armv7l.whl", hash = "sha256:d2d63f1215638d28221f664596b1ccb3944f6e25dd18cd3b86b0a4c408d5ebb9"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:bca101c00bff0adb45a833f8451b9105d9df18accb8743b08107d7ada14bd7da"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-win32.whl", hash = "sha256:f6f8e111843bbb0dee4cb6594cdc73e79b3329b526037ec242a3e49012495b3b"},
+    {file = "pydantic_core-2.27.2-cp38-cp38-win_amd64.whl", hash = "sha256:fd1aea04935a508f62e0d0ef1f5ae968774a32afc306fb8545e06f5ff5cdf3ad"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-macosx_10_12_x86_64.whl", hash = "sha256:c10eb4f1659290b523af58fa7cffb452a61ad6ae5613404519aee4bfbf1df993"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:ef592d4bad47296fb11f96cd7dc898b92e795032b4894dfb4076cfccd43a9308"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c61709a844acc6bf0b7dce7daae75195a10aac96a596ea1b776996414791ede4"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:42c5f762659e47fdb7b16956c71598292f60a03aa92f8b6351504359dbdba6cf"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:4c9775e339e42e79ec99c441d9730fccf07414af63eac2f0e48e08fd38a64d76"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:57762139821c31847cfb2df63c12f725788bd9f04bc2fb392790959b8f70f118"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0d1e85068e818c73e048fe28cfc769040bb1f475524f4745a5dc621f75ac7630"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:097830ed52fd9e427942ff3b9bc17fab52913b2f50f2880dc4a5611446606a54"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:044a50963a614ecfae59bb1eaf7ea7efc4bc62f49ed594e18fa1e5d953c40e9f"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-musllinux_1_1_armv7l.whl", hash = "sha256:4e0b4220ba5b40d727c7f879eac379b822eee5d8fff418e9d3381ee45b3b0362"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:5e4f4bb20d75e9325cc9696c6802657b58bc1dbbe3022f32cc2b2b632c3fbb96"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-win32.whl", hash = "sha256:cca63613e90d001b9f2f9a9ceb276c308bfa2a43fafb75c8031c4f66039e8c6e"},
+    {file = "pydantic_core-2.27.2-cp39-cp39-win_amd64.whl", hash = "sha256:77d1bca19b0f7021b3a982e6f903dcd5b2b06076def36a652e3907f596e29f67"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-macosx_10_12_x86_64.whl", hash = "sha256:2bf14caea37e91198329b828eae1618c068dfb8ef17bb33287a7ad4b61ac314e"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:b0cb791f5b45307caae8810c2023a184c74605ec3bcbb67d13846c28ff731ff8"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:688d3fd9fcb71f41c4c015c023d12a79d1c4c0732ec9eb35d96e3388a120dcf3"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3d591580c34f4d731592f0e9fe40f9cc1b430d297eecc70b962e93c5c668f15f"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:82f986faf4e644ffc189a7f1aafc86e46ef70372bb153e7001e8afccc6e54133"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:bec317a27290e2537f922639cafd54990551725fc844249e64c523301d0822fc"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:0296abcb83a797db256b773f45773da397da75a08f5fcaef41f2044adec05f50"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:0d75070718e369e452075a6017fbf187f788e17ed67a3abd47fa934d001863d9"},
+    {file = "pydantic_core-2.27.2-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:7e17b560be3c98a8e3aa66ce828bdebb9e9ac6ad5466fba92eb74c4c95cb1151"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-macosx_10_12_x86_64.whl", hash = "sha256:c33939a82924da9ed65dab5a65d427205a73181d8098e79b6b426bdf8ad4e656"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:00bad2484fa6bda1e216e7345a798bd37c68fb2d97558edd584942aa41b7d278"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c817e2b40aba42bac6f457498dacabc568c3b7a986fc9ba7c8d9d260b71485fb"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:251136cdad0cb722e93732cb45ca5299fb56e1344a833640bf93b2803f8d1bfd"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:d2088237af596f0a524d3afc39ab3b036e8adb054ee57cbb1dcf8e09da5b29cc"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-musllinux_1_1_aarch64.whl", hash = "sha256:d4041c0b966a84b4ae7a09832eb691a35aec90910cd2dbe7a208de59be77965b"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-musllinux_1_1_armv7l.whl", hash = "sha256:8083d4e875ebe0b864ffef72a4304827015cff328a1be6e22cc850753bfb122b"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-musllinux_1_1_x86_64.whl", hash = "sha256:f141ee28a0ad2123b6611b6ceff018039df17f32ada8b534e6aa039545a3efb2"},
+    {file = "pydantic_core-2.27.2-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:7d0c8399fcc1848491f00e0314bd59fb34a9c008761bcb422a057670c3f65e35"},
+    {file = "pydantic_core-2.27.2.tar.gz", hash = "sha256:eb026e5a4c1fee05726072337ff51d1efb6f59090b7da90d30ea58625b1ffb39"},
 ]
 
 [package.dependencies]

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.10.5"
+version = "2024.12.0"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.10.5
+  version: 2024.12.0
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io

web/eslint.config.mjs

@@ -41,6 +41,7 @@ export default [
         },
         files: ["src/**"],
         rules: {
+            "lit/attribute-names": "off",
             // "lit/attribute-names": "error",
             "lit/no-private-properties": "error",
             // "lit/prefer-nothing": "warn",

web/package.json

@@ -11,7 +11,7 @@
         "@floating-ui/dom": "^1.6.11",
         "@formatjs/intl-listformat": "^7.5.7",
         "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2024.10.5-1734528783",
+        "@goauthentik/api": "^2024.12.0-1734640050",
         "@lit-labs/ssr": "^3.2.2",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.2",
@@ -68,8 +68,8 @@
         "@types/showdown": "^2.0.6",
         "@typescript-eslint/eslint-plugin": "^8.8.0",
         "@typescript-eslint/parser": "^8.8.0",
-        "@wdio/browser-runner": "^9.1.2",
-        "@wdio/cli": "^9.1.2",
+        "@wdio/browser-runner": "9.4",
+        "@wdio/cli": "9.4",
         "@wdio/spec-reporter": "^9.1.2",
         "chokidar": "^4.0.1",
         "chromedriver": "^131.0.1",

web/scripts/eslint.nightmare.mjs

@@ -9,6 +9,9 @@ const MAX_DEPTH = 4;
 const MAX_NESTED_CALLBACKS = 4;
 const MAX_PARAMS = 5;
 
+// Waiting for SonarJS to be compatible
+// const MAX_COGNITIVE_COMPLEXITY = 9;
+
 const rules = {
     "accessor-pairs": "error",
     "array-callback-return": "error",
@@ -126,6 +129,11 @@ const rules = {
 
     "no-unused-vars": "off",
     "no-console": ["error", { allow: ["debug", "warn", "error"] }],
+    // SonarJS is not yet compatible with ESLint 9.  Commenting these out
+    // until it is.
+    //    "sonarjs/cognitive-complexity": ["off", MAX_COGNITIVE_COMPLEXITY],
+    //    "sonarjs/no-duplicate-string": "off",
+    //    "sonarjs/no-nested-template-literals": "off",
     "@typescript-eslint/ban-ts-comment": "off",
     "@typescript-eslint/no-unused-vars": [
         "error",
@@ -162,6 +170,7 @@ export default [
     wcconf.configs["flat/recommended"],
     litconf.configs["flat/recommended"],
     ...tseslint.configs.recommended,
+    //     sonar.configs.recommended,
     {
         languageOptions: {
             parser: tsparser,

web/scripts/eslint.precommit.mjs

@@ -29,6 +29,7 @@ export default [
     wcconf.configs["flat/recommended"],
     litconf.configs["flat/recommended"],
     ...tseslint.configs.recommended,
+    //    sonar.configs.recommended,
     {
         languageOptions: {
             parser: tsparser,
@@ -41,6 +42,11 @@ export default [
         rules: {
             "no-unused-vars": "off",
             "no-console": ["error", { allow: ["debug", "warn", "error"] }],
+            // SonarJS is not yet compatible with ESLint 9.  Commenting these out
+            // until it is.
+            //    "sonarjs/cognitive-complexity": ["off", 9],
+            //    "sonarjs/no-duplicate-string": "off",
+            //    "sonarjs/no-nested-template-literals": "off",
             "@typescript-eslint/ban-ts-comment": "off",
             "@typescript-eslint/no-unused-vars": [
                 "error",

web/src/admin/applications/ApplicationForm.ts

@@ -25,25 +25,12 @@ import { TemplateResult, html } from "lit";
 import { customElement, property, state } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
-import { Application, CoreApi, PolicyEngineMode, Provider } from "@goauthentik/api";
+import { Application, CoreApi, Provider } from "@goauthentik/api";
 
+import { policyOptions } from "./PolicyOptions.js";
 import "./components/ak-backchannel-input";
 import "./components/ak-provider-search-input";
 
-export const policyOptions = [
-    {
-        label: "any",
-        value: PolicyEngineMode.Any,
-        default: true,
-        description: html`${msg("Any policy must match to grant access")}`,
-    },
-    {
-        label: "all",
-        value: PolicyEngineMode.All,
-        description: html`${msg("All policies must match to grant access")}`,
-    },
-];
-
 @customElement("ak-application-form")
 export class ApplicationForm extends WithCapabilitiesConfig(ModelForm<Application, string>) {
     constructor() {

web/src/admin/applications/ApplicationWizardHint.ts

@@ -18,6 +18,7 @@ import { styleMap } from "lit/directives/style-map.js";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFLabel from "@patternfly/patternfly/components/Label/label.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
 const closeButtonIcon = html`<svg
     fill="currentColor"
@@ -37,6 +38,7 @@ const closeButtonIcon = html`<svg
 export class AkApplicationWizardHint extends AKElement implements ShowHintControllerHost {
     static get styles() {
         return [
+            PFBase,
             PFButton,
             PFPage,
             PFLabel,
@@ -45,6 +47,9 @@ export class AkApplicationWizardHint extends AKElement implements ShowHintContro
                     padding-top: 0;
                     padding-bottom: 0;
                 }
+                .ak-hint-text {
+                    padding-bottom: var(--pf-global--spacer--md);
+                }
             `,
         ];
     }
@@ -101,16 +106,20 @@ export class AkApplicationWizardHint extends AKElement implements ShowHintContro
         return html` <section class="pf-c-page__main-section pf-m-no-padding-mobile">
             <ak-hint>
                 <ak-hint-body>
-                    <p>
+                    <p class="ak-hint-text">
                         You can now configure both an application and its authentication provider at
                         the same time with our new Application Wizard.
                         <!-- <a href="(link to docs)">Learn more about the wizard here.</a> -->
                     </p>
-
-                    <ak-application-wizard
-                        .open=${getURLParam("createWizard", false)}
-                        .showButton=${false}
-                    ></ak-application-wizard>
+                    <ak-application-wizard .open=${getURLParam("createWizard", false)}>
+                        <button
+                            slot="trigger"
+                            class="pf-c-button pf-m-primary"
+                            data-ouia-component-id="start-application-wizard"
+                        >
+                            ${msg("Create with wizard")}
+                        </button>
+                    </ak-application-wizard>
                 </ak-hint-body>
                 ${this.showHintController.render()}
             </ak-hint>

web/src/admin/applications/PolicyOptions.ts

@@ -0,0 +1,18 @@
+import { msg } from "@lit/localize";
+import { html } from "lit";
+
+import { PolicyEngineMode } from "@goauthentik/api";
+
+export const policyOptions = [
+    {
+        label: "any",
+        value: PolicyEngineMode.Any,
+        default: true,
+        description: html`${msg("Any policy must match to grant access")}`,
+    },
+    {
+        label: "all",
+        value: PolicyEngineMode.All,
+        description: html`${msg("All policies must match to grant access")}`,
+    },
+];

web/src/admin/applications/wizard/ApplicationWizardFormStepStyles.css.ts

@@ -8,6 +8,7 @@ import PFFormControl from "@patternfly/patternfly/components/FormControl/form-co
 import PFInputGroup from "@patternfly/patternfly/components/InputGroup/input-group.css";
 import PFRadio from "@patternfly/patternfly/components/Radio/radio.css";
 import PFSwitch from "@patternfly/patternfly/components/Switch/switch.css";
+import PFWizard from "@patternfly/patternfly/components/Wizard/wizard.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
 export const styles = [
@@ -20,6 +21,7 @@ export const styles = [
     PFInputGroup,
     PFFormControl,
     PFSwitch,
+    PFWizard,
     css`
         select[multiple] {
             height: 15em;

web/src/admin/applications/wizard/ApplicationWizardStep.ts

@@ -0,0 +1,86 @@
+import { styles } from "@goauthentik/admin/applications/wizard/ApplicationWizardFormStepStyles.css.js";
+import { WizardStep } from "@goauthentik/components/ak-wizard/WizardStep.js";
+import {
+    NavigationUpdate,
+    WizardNavigationEvent,
+    WizardUpdateEvent,
+} from "@goauthentik/components/ak-wizard/events";
+import { KeyUnknown, serializeForm } from "@goauthentik/elements/forms/Form";
+import { HorizontalFormElement } from "@goauthentik/elements/forms/HorizontalFormElement";
+
+import { msg } from "@lit/localize";
+import { property, query } from "lit/decorators.js";
+
+import { ValidationError } from "@goauthentik/api";
+
+import {
+    type ApplicationWizardState,
+    type ApplicationWizardStateUpdate,
+    ExtendedValidationError,
+} from "./types";
+
+export class ApplicationWizardStep extends WizardStep {
+    static get styles() {
+        return [...WizardStep.styles, ...styles];
+    }
+
+    @property({ type: Object, attribute: false })
+    wizard!: ApplicationWizardState;
+
+    // As recommended in [WizardStep](../../../components/ak-wizard/WizardStep.ts), we override
+    // these fields and provide them to all the child classes.
+    wizardTitle = msg("New application");
+    wizardDescription = msg("Create a new application");
+    canCancel = true;
+
+    // This should be overridden in the children for more precise targeting.
+    @query("form")
+    form!: HTMLFormElement;
+
+    get formValues(): KeyUnknown | undefined {
+        const elements = [
+            ...Array.from(
+                this.form.querySelectorAll<HorizontalFormElement>("ak-form-element-horizontal"),
+            ),
+            ...Array.from(this.form.querySelectorAll<HTMLElement>("[data-ak-control=true]")),
+        ];
+        return serializeForm(elements as unknown as NodeListOf<HorizontalFormElement>);
+    }
+
+    protected removeErrors(
+        keyToDelete: keyof ExtendedValidationError,
+    ): ValidationError | undefined {
+        if (!this.wizard.errors) {
+            return undefined;
+        }
+        const empty = {};
+        const errors = Object.entries(this.wizard.errors).reduce(
+            (acc, [key, value]) =>
+                key === keyToDelete ||
+                value === undefined ||
+                (Array.isArray(this.wizard?.errors?.[key]) && this.wizard.errors[key].length === 0)
+                    ? acc
+                    : { ...acc, [key]: value },
+            empty,
+        );
+        return errors;
+    }
+
+    // This pattern became visible during development, and the order is important: wizard updating
+    // and validation must complete before navigation is attempted.
+    public handleUpdate(
+        update?: ApplicationWizardStateUpdate,
+        destination?: string,
+        enable?: NavigationUpdate,
+    ) {
+        // Inform ApplicationWizard of content state
+        if (update) {
+            this.dispatchEvent(new WizardUpdateEvent(update));
+        }
+
+        // Inform WizardStepManager of steps state
+        if (destination || enable) {
+            this.dispatchEvent(new WizardNavigationEvent(destination, enable));
+        }
+    }
+}

web/src/admin/applications/wizard/BasePanel.ts

@@ -1,72 +0,0 @@
-import { WizardPanel } from "@goauthentik/components/ak-wizard-main/types";
-import { AKElement } from "@goauthentik/elements/Base";
-import { KeyUnknown, serializeForm } from "@goauthentik/elements/forms/Form";
-import { HorizontalFormElement } from "@goauthentik/elements/forms/HorizontalFormElement";
-import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
-
-import { consume } from "@lit/context";
-import { query } from "@lit/reactive-element/decorators.js";
-
-import { styles as AwadStyles } from "./BasePanel.css";
-
-import { applicationWizardContext } from "./ContextIdentity";
-import type { ApplicationWizardState, ApplicationWizardStateUpdate } from "./types";
-
-/**
- * Application Wizard Base Panel
- *
- * All of the displays in our system inherit from this object, which supplies the basic CSS for all
- * the inputs we display, as well as the values and validity state for the form currently being
- * displayed.
- *
- */
-
-export class ApplicationWizardPageBase
-    extends CustomEmitterElement(AKElement)
-    implements WizardPanel
-{
-    static get styles() {
-        return AwadStyles;
-    }
-
-    @consume({ context: applicationWizardContext })
-    public wizard!: ApplicationWizardState;
-
-    @query("form")
-    form!: HTMLFormElement;
-
-    /**
-     * Provide access to the values on the current form. Child implementations use this to craft the
-     * update that will be sent using `dispatchWizardUpdate` below.
-     */
-    get formValues(): KeyUnknown | undefined {
-        const elements = [
-            ...Array.from(
-                this.form.querySelectorAll<HorizontalFormElement>("ak-form-element-horizontal"),
-            ),
-            ...Array.from(this.form.querySelectorAll<HTMLElement>("[data-ak-control=true]")),
-        ];
-        return serializeForm(elements as unknown as NodeListOf<HorizontalFormElement>);
-    }
-
-    /**
-     * Provide access to the validity of the current form. Child implementations use this to craft
-     * the update that will be sent using `dispatchWizardUpdate` below.
-     */
-    get valid() {
-        return this.form.checkValidity();
-    }
-
-    rendered = false;
-
-    /**
-     * Provide a single source of truth for the token used to notify the orchestrator that an event
-     * happens. The token `ak-wizard-update` is used by the Wizard framework's reactive controller
-     * to route "data on the current step has changed" events to the orchestrator.
-     */
-    dispatchWizardUpdate(update: ApplicationWizardStateUpdate) {
-        this.dispatchCustomEvent("ak-wizard-update", update);
-    }
-}
-
-export default ApplicationWizardPageBase;

web/src/admin/applications/wizard/ContextIdentity.ts

@@ -1,7 +1,7 @@
 import { createContext } from "@lit/context";
 
-import { ApplicationWizardState } from "./types";
+import { LocalTypeCreate } from "./steps/ProviderChoices.js";
 
-export const applicationWizardContext = createContext<ApplicationWizardState>(
-    Symbol("ak-application-wizard-state-context"),
+export const applicationWizardProvidersContext = createContext<LocalTypeCreate[]>(
+    Symbol("ak-application-wizard-providers-context"),
 );

web/src/admin/applications/wizard/ak-application-wizard-main.ts

@@ -0,0 +1,109 @@
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import "@goauthentik/components/ak-wizard/ak-wizard-steps.js";
+import { WizardUpdateEvent } from "@goauthentik/components/ak-wizard/events";
+import { AKElement } from "@goauthentik/elements/Base.js";
+
+import { ContextProvider } from "@lit/context";
+import { html } from "lit";
+import { customElement, state } from "lit/decorators.js";
+
+import { ProvidersApi, ProxyMode } from "@goauthentik/api";
+
+import { applicationWizardProvidersContext } from "./ContextIdentity";
+import { providerTypeRenderers } from "./steps/ProviderChoices.js";
+import "./steps/ak-application-wizard-application-step.js";
+import "./steps/ak-application-wizard-bindings-step.js";
+import "./steps/ak-application-wizard-edit-binding-step.js";
+import "./steps/ak-application-wizard-provider-choice-step.js";
+import "./steps/ak-application-wizard-provider-step.js";
+import "./steps/ak-application-wizard-submit-step.js";
+import { type ApplicationWizardState, type ApplicationWizardStateUpdate } from "./types";
+
+const freshWizardState = (): ApplicationWizardState => ({
+    providerModel: "",
+    currentBinding: -1,
+    app: {},
+    provider: {},
+    proxyMode: ProxyMode.Proxy,
+    bindings: [],
+    errors: {},
+});
+
+@customElement("ak-application-wizard-main")
+export class AkApplicationWizardMain extends AKElement {
+    @state()
+    wizard: ApplicationWizardState = freshWizardState();
+
+    wizardProviderProvider = new ContextProvider(this, {
+        context: applicationWizardProvidersContext,
+        initialValue: [],
+    });
+
+    constructor() {
+        super();
+        this.addEventListener(WizardUpdateEvent.eventName, this.handleUpdate);
+    }
+
+    connectedCallback() {
+        super.connectedCallback();
+        new ProvidersApi(DEFAULT_CONFIG).providersAllTypesList().then((providerTypes) => {
+            const wizardReadyProviders = Object.keys(providerTypeRenderers);
+            this.wizardProviderProvider.setValue(
+                providerTypes
+                    .filter((providerType) => wizardReadyProviders.includes(providerType.modelName))
+                    .map((providerType) => ({
+                        ...providerType,
+                        renderer: providerTypeRenderers[providerType.modelName].render,
+                    }))
+                    .sort(
+                        (a, b) =>
+                            providerTypeRenderers[a.modelName].order -
+                            providerTypeRenderers[b.modelName].order,
+                    )
+                    .reverse(),
+            );
+        });
+    }
+
+    // This is the actual top of the Wizard; so this is where we accept the update information and
+    // incorporate it into the wizard.
+    handleUpdate(ev: WizardUpdateEvent<ApplicationWizardStateUpdate>) {
+        ev.stopPropagation();
+        const update = ev.content;
+        if (update !== undefined) {
+            this.wizard = {
+                ...this.wizard,
+                ...update,
+            };
+        }
+    }
+
+    render() {
+        return html`<ak-wizard-steps>
+            <ak-application-wizard-application-step
+                slot="application"
+                .wizard=${this.wizard}
+            ></ak-application-wizard-application-step>
+            <ak-application-wizard-provider-choice-step
+                slot="provider-choice"
+                .wizard=${this.wizard}
+            ></ak-application-wizard-provider-choice-step>
+            <ak-application-wizard-provider-step
+                slot="provider"
+                .wizard=${this.wizard}
+            ></ak-application-wizard-provider-step>
+            <ak-application-wizard-bindings-step
+                slot="bindings"
+                .wizard=${this.wizard}
+            ></ak-application-wizard-bindings-step>
+            <ak-application-wizard-edit-binding-step
+                slot="edit-binding"
+                .wizard=${this.wizard}
+            ></ak-application-wizard-edit-binding-step>
+            <ak-application-wizard-submit-step
+                slot="submit"
+                .wizard=${this.wizard}
+            ></ak-application-wizard-submit-step>
+        </ak-wizard-steps>`;
+    }
+}

web/src/admin/applications/wizard/ak-application-wizard.ts

@@ -1,117 +1,32 @@
-import { AkWizard } from "@goauthentik/components/ak-wizard-main/AkWizard";
-import { CustomListenerElement } from "@goauthentik/elements/utils/eventEmitter";
+import { WizardCloseEvent } from "@goauthentik/components/ak-wizard/events.js";
+import { ModalButton } from "@goauthentik/elements/buttons/ModalButton";
+import { bound } from "@goauthentik/elements/decorators/bound.js";
 
-import { ContextProvider } from "@lit/context";
-import { msg } from "@lit/localize";
-import { customElement, state } from "lit/decorators.js";
+import { html } from "lit";
+import { customElement } from "lit/decorators.js";
 
-import { applicationWizardContext } from "./ContextIdentity";
-import { newSteps } from "./steps";
-import {
-    ApplicationStep,
-    ApplicationWizardState,
-    ApplicationWizardStateUpdate,
-    OneOfProvider,
-} from "./types";
-
-const freshWizardState = (): ApplicationWizardState => ({
-    providerModel: "",
-    app: {},
-    provider: {},
-    errors: {},
-});
+import "./ak-application-wizard-main.js";
 
 @customElement("ak-application-wizard")
-export class ApplicationWizard extends CustomListenerElement(
-    AkWizard<ApplicationWizardStateUpdate, ApplicationStep>,
-) {
+export class AkApplicationWizard extends ModalButton {
     constructor() {
-        super(msg("Create With Wizard"), msg("New application"), msg("Create a new application"));
-        this.steps = newSteps();
+        super();
+        this.addEventListener(WizardCloseEvent.eventName, this.onCloseEvent);
     }
 
-    /**
-     * We're going to be managing the content of the forms by percolating all of the data up to this
-     * class, which will ultimately transmit all of it to the server as a transaction. The
-     * WizardFramework doesn't know anything about the nature of the data itself; it just forwards
-     * valid updates to us. So here we maintain a state object *and* update it so all child
-     * components can access the wizard state.
-     *
-     */
-    @state()
-    wizardState: ApplicationWizardState = freshWizardState();
-
-    wizardStateProvider = new ContextProvider(this, {
-        context: applicationWizardContext,
-        initialValue: this.wizardState,
-    });
-
-    /**
-     * One of our steps has multiple display variants, one for each type of service provider. We
-     * want to *preserve* a customer's decisions about different providers; never make someone "go
-     * back and type it all back in," even if it's probably rare that someone will chose one
-     * provider, realize it's the wrong one, and go back to chose a different one, *and then go
-     * back*. Nonetheless, strive to *never* lose customer input.
-     *
-     */
-    providerCache: Map<string, OneOfProvider> = new Map();
-
-    // And this is where all the special cases go...
-    handleUpdate(detail: ApplicationWizardStateUpdate) {
-        if (detail.status === "submitted") {
-            this.step.valid = true;
-            this.requestUpdate();
-            return;
-        }
-
-        this.step.valid = this.step.valid || detail.status === "valid";
-        const update = detail.update;
-
-        if (!update) {
-            return;
-        }
-
-        // When the providerModel enum changes, retrieve the customer's prior work for *this* wizard
-        // session (and only this wizard session) or provide an empty model with a default provider
-        // name.
-        if (update.providerModel && update.providerModel !== this.wizardState.providerModel) {
-            const requestedProvider = this.providerCache.get(update.providerModel) ?? {
-                name: `Provider for ${this.wizardState.app.name}`,
-            };
-            if (this.wizardState.providerModel) {
-                this.providerCache.set(this.wizardState.providerModel, this.wizardState.provider);
-            }
-            update.provider = requestedProvider;
-        }
-
-        this.wizardState = update as ApplicationWizardState;
-        this.wizardStateProvider.setValue(this.wizardState);
-        this.requestUpdate();
+    @bound
+    onCloseEvent(ev: WizardCloseEvent) {
+        ev.stopPropagation();
+        this.open = false;
     }
 
-    close() {
-        this.steps = newSteps();
-        this.currentStep = 0;
-        this.wizardState = freshWizardState();
-        this.providerCache = new Map();
-        this.wizardStateProvider.setValue(this.wizardState);
-        this.frame.value!.open = false;
-    }
-
-    handleNav(stepId: number | undefined) {
-        if (stepId === undefined || this.steps[stepId] === undefined) {
-            throw new Error(`Attempt to navigate to undefined step: ${stepId}`);
-        }
-        if (stepId > this.currentStep && !this.step.valid) {
-            return;
-        }
-        this.currentStep = stepId;
-        this.requestUpdate();
+    renderModalInner() {
+        return html` <ak-application-wizard-main> </ak-application-wizard-main>`;
     }
 }
 
 declare global {
     interface HTMLElementTagNameMap {
-        "ak-application-wizard": ApplicationWizard;
+        "ak-application-wizard": AkApplicationWizard;
     }
 }

web/src/admin/applications/wizard/application/ak-application-wizard-application-details.ts

@@ -1,103 +0,0 @@
-import { policyOptions } from "@goauthentik/admin/applications/ApplicationForm";
-import { first } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-radio-input";
-import "@goauthentik/components/ak-slug-input";
-import "@goauthentik/components/ak-switch-input";
-import "@goauthentik/components/ak-text-input";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-
-import { msg } from "@lit/localize";
-import { customElement } from "@lit/reactive-element/decorators/custom-element.js";
-import { TemplateResult, html } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import BasePanel from "../BasePanel";
-
-@customElement("ak-application-wizard-application-details")
-export class ApplicationWizardApplicationDetails extends BasePanel {
-    handleChange(_ev: Event) {
-        const formValues = this.formValues;
-        if (!formValues) {
-            throw new Error("No application values on form?");
-        }
-        this.dispatchWizardUpdate({
-            update: {
-                ...this.wizard,
-                app: formValues,
-            },
-            status: this.valid ? "valid" : "invalid",
-        });
-    }
-
-    render(): TemplateResult {
-        return html` <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-            <ak-text-input
-                name="name"
-                value=${ifDefined(this.wizard.app?.name)}
-                label=${msg("Name")}
-                required
-                help=${msg("Application's display Name.")}
-                id="ak-application-wizard-details-name"
-                .errorMessages=${this.wizard.errors.app?.name ?? []}
-            ></ak-text-input>
-            <ak-slug-input
-                name="slug"
-                value=${ifDefined(this.wizard.app?.slug)}
-                label=${msg("Slug")}
-                source="#ak-application-wizard-details-name"
-                required
-                help=${msg("Internal application name used in URLs.")}
-                .errorMessages=${this.wizard.errors.app?.slug ?? []}
-            ></ak-slug-input>
-            <ak-text-input
-                name="group"
-                value=${ifDefined(this.wizard.app?.group)}
-                label=${msg("Group")}
-                .errorMessages=${this.wizard.errors.app?.group ?? []}
-                help=${msg(
-                    "Optionally enter a group name. Applications with identical groups are shown grouped together.",
-                )}
-            ></ak-text-input>
-            <ak-radio-input
-                label=${msg("Policy engine mode")}
-                required
-                name="policyEngineMode"
-                .options=${policyOptions}
-                .value=${this.wizard.app?.policyEngineMode}
-                .errorMessages=${this.wizard.errors.app?.policyEngineMode ?? []}
-            ></ak-radio-input>
-            <ak-form-group aria-label=${msg("UI Settings")}>
-                <span slot="header"> ${msg("UI Settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-text-input
-                        name="metaLaunchUrl"
-                        label=${msg("Launch URL")}
-                        value=${ifDefined(this.wizard.app?.metaLaunchUrl)}
-                        help=${msg(
-                            "If left empty, authentik will try to extract the launch URL based on the selected provider.",
-                        )}
-                        .errorMessages=${this.wizard.errors.app?.metaLaunchUrl ?? []}
-                    ></ak-text-input>
-                    <ak-switch-input
-                        name="openInNewTab"
-                        ?checked=${first(this.wizard.app?.openInNewTab, false)}
-                        label=${msg("Open in new tab")}
-                        help=${msg(
-                            "If checked, the launch URL will open in a new browser tab or window from the user's application library.",
-                        )}
-                    >
-                    </ak-switch-input>
-                </div>
-            </ak-form-group>
-        </form>`;
-    }
-}
-
-export default ApplicationWizardApplicationDetails;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-application-details": ApplicationWizardApplicationDetails;
-    }
-}

web/src/admin/applications/wizard/auth-method-choice/ak-application-wizard-authentication-method-choice.choices.ts

@@ -1,176 +0,0 @@
-import "@goauthentik/admin/common/ak-license-notice";
-
-import { msg } from "@lit/localize";
-import { TemplateResult, html } from "lit";
-
-import type { ProviderModelEnum as ProviderModelEnumType, TypeCreate } from "@goauthentik/api";
-import { ProviderModelEnum, ProxyMode } from "@goauthentik/api";
-import type {
-    LDAPProviderRequest,
-    ModelRequest,
-    OAuth2ProviderRequest,
-    ProxyProviderRequest,
-    RACProviderRequest,
-    RadiusProviderRequest,
-    SAMLProviderRequest,
-    SCIMProviderRequest,
-} from "@goauthentik/api";
-
-import { OneOfProvider } from "../types";
-
-type ProviderRenderer = () => TemplateResult;
-
-type ModelConverter = (provider: OneOfProvider) => ModelRequest;
-
-type ProviderNoteProvider = () => TemplateResult | undefined;
-type ProviderNote = ProviderNoteProvider | undefined;
-
-export type LocalTypeCreate = TypeCreate & {
-    formName: string;
-    modelName: ProviderModelEnumType;
-    converter: ModelConverter;
-    note?: ProviderNote;
-    renderer: ProviderRenderer;
-};
-
-export const providerModelsList: LocalTypeCreate[] = [
-    {
-        formName: "oauth2provider",
-        name: msg("OAuth2/OIDC (Open Authorization/OpenID Connect)"),
-        description: msg("Modern applications, APIs and Single-page applications."),
-        renderer: () =>
-            html`<ak-application-wizard-authentication-by-oauth></ak-application-wizard-authentication-by-oauth>`,
-        modelName: ProviderModelEnum.Oauth2Oauth2provider,
-        converter: (provider: OneOfProvider) => ({
-            providerModel: ProviderModelEnum.Oauth2Oauth2provider,
-            ...(provider as OAuth2ProviderRequest),
-        }),
-        component: "",
-        iconUrl: "/static/authentik/sources/openidconnect.svg",
-    },
-    {
-        formName: "ldapprovider",
-        name: msg("LDAP (Lightweight Directory Access Protocol)"),
-        description: msg(
-            "Provide an LDAP interface for applications and users to authenticate against.",
-        ),
-        renderer: () =>
-            html`<ak-application-wizard-authentication-by-ldap></ak-application-wizard-authentication-by-ldap>`,
-        modelName: ProviderModelEnum.LdapLdapprovider,
-        converter: (provider: OneOfProvider) => ({
-            providerModel: ProviderModelEnum.LdapLdapprovider,
-            ...(provider as LDAPProviderRequest),
-        }),
-        component: "",
-        iconUrl: "/static/authentik/sources/ldap.png",
-    },
-    {
-        formName: "proxyprovider-proxy",
-        name: msg("Transparent Reverse Proxy"),
-        description: msg("For transparent reverse proxies with required authentication"),
-        renderer: () =>
-            html`<ak-application-wizard-authentication-for-reverse-proxy></ak-application-wizard-authentication-for-reverse-proxy>`,
-        modelName: ProviderModelEnum.ProxyProxyprovider,
-        converter: (provider: OneOfProvider) => ({
-            providerModel: ProviderModelEnum.ProxyProxyprovider,
-            ...(provider as ProxyProviderRequest),
-            mode: ProxyMode.Proxy,
-        }),
-        component: "",
-        iconUrl: "/static/authentik/sources/proxy.svg",
-    },
-    {
-        formName: "proxyprovider-forwardsingle",
-        name: msg("Forward Auth (Single Application)"),
-        description: msg("For nginx's auth_request or traefik's forwardAuth"),
-        renderer: () =>
-            html`<ak-application-wizard-authentication-for-single-forward-proxy></ak-application-wizard-authentication-for-single-forward-proxy>`,
-        modelName: ProviderModelEnum.ProxyProxyprovider,
-        converter: (provider: OneOfProvider) => ({
-            providerModel: ProviderModelEnum.ProxyProxyprovider,
-            ...(provider as ProxyProviderRequest),
-            mode: ProxyMode.ForwardSingle,
-        }),
-        component: "",
-        iconUrl: "/static/authentik/sources/proxy.svg",
-    },
-    {
-        formName: "proxyprovider-forwarddomain",
-        name: msg("Forward Auth (Domain Level)"),
-        description: msg("For nginx's auth_request or traefik's forwardAuth per root domain"),
-        renderer: () =>
-            html`<ak-application-wizard-authentication-for-forward-proxy-domain></ak-application-wizard-authentication-for-forward-proxy-domain>`,
-        modelName: ProviderModelEnum.ProxyProxyprovider,
-        converter: (provider: OneOfProvider) => ({
-            providerModel: ProviderModelEnum.ProxyProxyprovider,
-            ...(provider as ProxyProviderRequest),
-            mode: ProxyMode.ForwardDomain,
-        }),
-        component: "",
-        iconUrl: "/static/authentik/sources/proxy.svg",
-    },
-    {
-        formName: "racprovider",
-        name: msg("Remote Access Provider"),
-        description: msg("Remotely access computers/servers via RDP/SSH/VNC"),
-        renderer: () =>
-            html`<ak-application-wizard-authentication-for-rac></ak-application-wizard-authentication-for-rac>`,
-        modelName: ProviderModelEnum.RacRacprovider,
-        converter: (provider: OneOfProvider) => ({
-            providerModel: ProviderModelEnum.RacRacprovider,
-            ...(provider as RACProviderRequest),
-        }),
-        note: () => html`<ak-license-notice></ak-license-notice>`,
-        requiresEnterprise: true,
-        component: "",
-        iconUrl: "/static/authentik/sources/rac.svg",
-    },
-    {
-        formName: "samlprovider",
-        name: msg("SAML (Security Assertion Markup Language)"),
-        description: msg("Configure SAML provider manually"),
-        renderer: () =>
-            html`<ak-application-wizard-authentication-by-saml-configuration></ak-application-wizard-authentication-by-saml-configuration>`,
-        modelName: ProviderModelEnum.SamlSamlprovider,
-        converter: (provider: OneOfProvider) => ({
-            providerModel: ProviderModelEnum.SamlSamlprovider,
-            ...(provider as SAMLProviderRequest),
-        }),
-        component: "",
-        iconUrl: "/static/authentik/sources/saml.png",
-    },
-    {
-        formName: "radiusprovider",
-        name: msg("RADIUS (Remote Authentication Dial-In User Service)"),
-        description: msg("Configure RADIUS provider manually"),
-        renderer: () =>
-            html`<ak-application-wizard-authentication-by-radius></ak-application-wizard-authentication-by-radius>`,
-        modelName: ProviderModelEnum.RadiusRadiusprovider,
-        converter: (provider: OneOfProvider) => ({
-            providerModel: ProviderModelEnum.RadiusRadiusprovider,
-            ...(provider as RadiusProviderRequest),
-        }),
-        component: "",
-        iconUrl: "/static/authentik/sources/radius.svg",
-    },
-    {
-        formName: "scimprovider",
-        name: msg("SCIM (System for Cross-domain Identity Management)"),
-        description: msg("Configure SCIM provider manually"),
-        renderer: () =>
-            html`<ak-application-wizard-authentication-by-scim></ak-application-wizard-authentication-by-scim>`,
-        modelName: ProviderModelEnum.ScimScimprovider,
-        converter: (provider: OneOfProvider) => ({
-            providerModel: ProviderModelEnum.ScimScimprovider,
-            ...(provider as SCIMProviderRequest),
-        }),
-        component: "",
-        iconUrl: "/static/authentik/sources/scim.png",
-    },
-];
-
-export const providerRendererList = new Map<string, ProviderRenderer>(
-    providerModelsList.map((tc) => [tc.formName, tc.renderer]),
-);
-
-export default providerModelsList;

web/src/admin/applications/wizard/auth-method-choice/ak-application-wizard-authentication-method-choice.ts

@@ -1,62 +0,0 @@
-import "@goauthentik/components/ak-radio-input";
-import "@goauthentik/components/ak-switch-input";
-import "@goauthentik/components/ak-text-input";
-import { WithLicenseSummary } from "@goauthentik/elements/Interface/licenseSummaryProvider";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/wizard/TypeCreateWizardPage";
-import { TypeCreateWizardPageLayouts } from "@goauthentik/elements/wizard/TypeCreateWizardPage";
-
-import { msg } from "@lit/localize";
-import { customElement } from "@lit/reactive-element/decorators/custom-element.js";
-import { html } from "lit";
-
-import BasePanel from "../BasePanel";
-import type { LocalTypeCreate } from "./ak-application-wizard-authentication-method-choice.choices";
-import providerModelsList from "./ak-application-wizard-authentication-method-choice.choices";
-
-@customElement("ak-application-wizard-authentication-method-choice")
-export class ApplicationWizardAuthenticationMethodChoice extends WithLicenseSummary(BasePanel) {
-    render() {
-        const selectedTypes = providerModelsList.filter(
-            (t) => t.formName === this.wizard.providerModel,
-        );
-
-        // As a hack, the Application wizard has separate provider paths for our three types of
-        // proxy providers. This patch swaps the form we want to be directed to on page 3 from the
-        // modelName to the formName, so we get the right one.  This information isn't modified
-        // or forwarded, so the proxy-plus-subtype is correctly mapped on submission.
-        const typesForWizard = providerModelsList.map((provider) => ({
-            ...provider,
-            modelName: provider.formName,
-        }));
-
-        return providerModelsList.length > 0
-            ? html`<form class="pf-c-form pf-m-horizontal">
-                  <ak-wizard-page-type-create
-                      .types=${typesForWizard}
-                      layout=${TypeCreateWizardPageLayouts.grid}
-                      .selectedType=${selectedTypes.length > 0 ? selectedTypes[0] : undefined}
-                      @select=${(ev: CustomEvent<LocalTypeCreate>) => {
-                          this.dispatchWizardUpdate({
-                              update: {
-                                  ...this.wizard,
-                                  providerModel: ev.detail.formName,
-                                  errors: {},
-                              },
-                              status: this.valid ? "valid" : "invalid",
-                          });
-                      }}
-                  ></ak-wizard-page-type-create>
-              </form>`
-            : html`<ak-empty-state loading header=${msg("Loading")}></ak-empty-state>`;
-    }
-}
-
-export default ApplicationWizardAuthenticationMethodChoice;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-authentication-method-choice": ApplicationWizardAuthenticationMethodChoice;
-    }
-}

web/src/admin/applications/wizard/commit/ak-application-wizard-commit-application.ts

@@ -1,237 +0,0 @@
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { EVENT_REFRESH } from "@goauthentik/common/constants";
-import { parseAPIError } from "@goauthentik/common/errors";
-import "@goauthentik/components/ak-radio-input";
-import "@goauthentik/components/ak-switch-input";
-import "@goauthentik/components/ak-text-input";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-
-import { msg } from "@lit/localize";
-import { customElement, state } from "@lit/reactive-element/decorators.js";
-import { PropertyValues, TemplateResult, css, html, nothing } from "lit";
-import { classMap } from "lit/directives/class-map.js";
-
-import PFEmptyState from "@patternfly/patternfly/components/EmptyState/empty-state.css";
-import PFProgressStepper from "@patternfly/patternfly/components/ProgressStepper/progress-stepper.css";
-import PFTitle from "@patternfly/patternfly/components/Title/title.css";
-import PFBullseye from "@patternfly/patternfly/layouts/Bullseye/bullseye.css";
-
-import {
-    type ApplicationRequest,
-    CoreApi,
-    type ModelRequest,
-    type TransactionApplicationRequest,
-    type TransactionApplicationResponse,
-    ValidationError,
-    instanceOfValidationError,
-} from "@goauthentik/api";
-
-import BasePanel from "../BasePanel";
-import providerModelsList from "../auth-method-choice/ak-application-wizard-authentication-method-choice.choices";
-
-function cleanApplication(app: Partial<ApplicationRequest>): ApplicationRequest {
-    return {
-        name: "",
-        slug: "",
-        ...app,
-    };
-}
-
-type ProviderModelType = Exclude<ModelRequest["providerModel"], "11184809">;
-
-type State = {
-    state: "idle" | "running" | "error" | "success";
-    label: string | TemplateResult;
-    icon: string[];
-};
-
-const idleState: State = {
-    state: "idle",
-    label: "",
-    icon: ["fa-cogs", "pf-m-pending"],
-};
-
-const runningState: State = {
-    state: "running",
-    label: msg("Saving Application..."),
-    icon: ["fa-cogs", "pf-m-info"],
-};
-const errorState: State = {
-    state: "error",
-    label: msg("authentik was unable to save this application:"),
-    icon: ["fa-times-circle", "pf-m-danger"],
-};
-
-const successState: State = {
-    state: "success",
-    label: msg("Your application has been saved"),
-    icon: ["fa-check-circle", "pf-m-success"],
-};
-
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-const isValidationError = (v: any): v is ValidationError => instanceOfValidationError(v);
-
-@customElement("ak-application-wizard-commit-application")
-export class ApplicationWizardCommitApplication extends BasePanel {
-    static get styles() {
-        return [
-            ...super.styles,
-            PFBullseye,
-            PFEmptyState,
-            PFTitle,
-            PFProgressStepper,
-            css`
-                .pf-c-title {
-                    padding-bottom: var(--pf-global--spacer--md);
-                }
-            `,
-        ];
-    }
-
-    @state()
-    commitState: State = idleState;
-
-    @state()
-    errors?: ValidationError;
-
-    response?: TransactionApplicationResponse;
-
-    willUpdate(_changedProperties: PropertyValues<this>) {
-        if (this.commitState === idleState) {
-            this.response = undefined;
-            this.commitState = runningState;
-            const providerModel = providerModelsList.find(
-                ({ formName }) => formName === this.wizard.providerModel,
-            );
-            if (!providerModel) {
-                throw new Error(
-                    `Could not determine provider model from user request: ${JSON.stringify(this.wizard, null, 2)}`,
-                );
-            }
-
-            const request: TransactionApplicationRequest = {
-                providerModel: providerModel.modelName as ProviderModelType,
-                app: cleanApplication(this.wizard.app),
-                provider: providerModel.converter(this.wizard.provider),
-            };
-
-            this.send(request);
-        }
-    }
-
-    async send(
-        data: TransactionApplicationRequest,
-    ): Promise<TransactionApplicationResponse | void> {
-        this.errors = undefined;
-        new CoreApi(DEFAULT_CONFIG)
-            .coreTransactionalApplicationsUpdate({
-                transactionApplicationRequest: data,
-            })
-            .then((response: TransactionApplicationResponse) => {
-                this.response = response;
-                this.dispatchCustomEvent(EVENT_REFRESH);
-                this.dispatchWizardUpdate({ status: "submitted" });
-                this.commitState = successState;
-            })
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            .catch(async (resolution: any) => {
-                const errors = await parseAPIError(resolution);
-
-                // THIS is a really gross special case; if the user is duplicating the name of an
-                // existing provider, the error appears on the `app` (!) error object. We have to
-                // move that to the `provider.name` error field so it shows up in the right place.
-                if (isValidationError(errors) && Array.isArray(errors?.app?.provider)) {
-                    const providerError = errors.app.provider;
-                    errors.provider = errors.provider ?? {};
-                    errors.provider.name = providerError;
-                    delete errors.app.provider;
-                    if (Object.keys(errors.app).length === 0) {
-                        delete errors.app;
-                    }
-                }
-
-                this.errors = errors;
-                this.dispatchWizardUpdate({
-                    update: {
-                        ...this.wizard,
-                        errors: this.errors,
-                    },
-                    status: "failed",
-                });
-                this.commitState = errorState;
-            });
-    }
-
-    renderErrors(errors?: ValidationError) {
-        if (!errors) {
-            return nothing;
-        }
-
-        const navTo = (step: number) => () =>
-            this.dispatchCustomEvent("ak-wizard-nav", {
-                command: "goto",
-                step,
-            });
-
-        if (errors.app) {
-            return html`<p>${msg("There was an error in the application.")}</p>
-                <p><a @click=${navTo(0)}>${msg("Review the application.")}</a></p>`;
-        }
-        if (errors.provider) {
-            return html`<p>${msg("There was an error in the provider.")}</p>
-                <p><a @click=${navTo(2)}>${msg("Review the provider.")}</a></p>`;
-        }
-        if (errors.detail) {
-            return html`<p>${msg("There was an error")}: ${errors.detail}</p>`;
-        }
-        if ((errors?.nonFieldErrors ?? []).length > 0) {
-            return html`<p>$(msg("There was an error")}:</p>
-                <ul>
-                    ${(errors.nonFieldErrors ?? []).map((e: string) => html`<li>${e}</li>`)}
-                </ul>`;
-        }
-        return html`<p>
-            ${msg(
-                "There was an error creating the application, but no error message was sent. Please review the server logs.",
-            )}
-        </p>`;
-    }
-
-    render() {
-        const icon = classMap(
-            this.commitState.icon.reduce((acc, icon) => ({ ...acc, [icon]: true }), {}),
-        );
-
-        return html`
-            <div>
-                <div class="pf-l-bullseye">
-                    <div class="pf-c-empty-state pf-m-lg">
-                        <div class="pf-c-empty-state__content">
-                            <i
-                                class="fas fa- ${icon} pf-c-empty-state__icon"
-                                aria-hidden="true"
-                            ></i>
-                            <h1
-                                data-commit-state=${this.commitState.state}
-                                class="pf-c-title pf-m-lg"
-                            >
-                                ${this.commitState.label}
-                            </h1>
-                            ${this.renderErrors(this.errors)}
-                        </div>
-                    </div>
-                </div>
-            </div>
-        `;
-    }
-}
-
-export default ApplicationWizardCommitApplication;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-commit-application": ApplicationWizardCommitApplication;
-    }
-}

web/src/admin/applications/wizard/methods/BaseProviderPanel.ts

@@ -1,19 +0,0 @@
-import BasePanel from "../BasePanel";
-
-export class ApplicationWizardProviderPageBase extends BasePanel {
-    handleChange(_ev: InputEvent) {
-        const formValues = this.formValues;
-        if (!formValues) {
-            throw new Error("No provider values on form?");
-        }
-        this.dispatchWizardUpdate({
-            update: {
-                ...this.wizard,
-                provider: formValues,
-            },
-            status: this.valid ? "valid" : "invalid",
-        });
-    }
-}
-
-export default ApplicationWizardProviderPageBase;

web/src/admin/applications/wizard/methods/ak-application-wizard-authentication-method.ts

@@ -1,34 +0,0 @@
-import { customElement } from "@lit/reactive-element/decorators/custom-element.js";
-
-import BasePanel from "../BasePanel";
-import { providerRendererList } from "../auth-method-choice/ak-application-wizard-authentication-method-choice.choices";
-import "./ldap/ak-application-wizard-authentication-by-ldap";
-import "./oauth/ak-application-wizard-authentication-by-oauth";
-import "./proxy/ak-application-wizard-authentication-for-forward-domain-proxy";
-import "./proxy/ak-application-wizard-authentication-for-reverse-proxy";
-import "./proxy/ak-application-wizard-authentication-for-single-forward-proxy";
-import "./rac/ak-application-wizard-authentication-for-rac";
-import "./radius/ak-application-wizard-authentication-by-radius";
-import "./saml/ak-application-wizard-authentication-by-saml-configuration";
-import "./scim/ak-application-wizard-authentication-by-scim";
-
-@customElement("ak-application-wizard-authentication-method")
-export class ApplicationWizardApplicationDetails extends BasePanel {
-    render() {
-        const handler = providerRendererList.get(this.wizard.providerModel);
-        if (!handler) {
-            throw new Error(
-                "Unrecognized authentication method in ak-application-wizard-authentication-method",
-            );
-        }
-        return handler();
-    }
-}
-
-export default ApplicationWizardApplicationDetails;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-authentication-method": ApplicationWizardApplicationDetails;
-    }
-}

web/src/admin/applications/wizard/methods/ldap/ak-application-wizard-authentication-by-ldap.ts

@@ -1,173 +0,0 @@
-import "@goauthentik/admin/applications/wizard/ak-wizard-title";
-import "@goauthentik/admin/common/ak-crypto-certificate-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
-import { first } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-number-input";
-import "@goauthentik/components/ak-radio-input";
-import "@goauthentik/components/ak-switch-input";
-import "@goauthentik/components/ak-text-input";
-import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-
-import { msg } from "@lit/localize";
-import { customElement } from "@lit/reactive-element/decorators/custom-element.js";
-import { html, nothing } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import { FlowsInstancesListDesignationEnum } from "@goauthentik/api";
-import type { LDAPProvider } from "@goauthentik/api";
-
-import BaseProviderPanel from "../BaseProviderPanel";
-import {
-    bindModeOptions,
-    cryptoCertificateHelp,
-    gidStartNumberHelp,
-    mfaSupportHelp,
-    searchModeOptions,
-    tlsServerNameHelp,
-    uidStartNumberHelp,
-} from "./LDAPOptionsAndHelp";
-
-@customElement("ak-application-wizard-authentication-by-ldap")
-export class ApplicationWizardApplicationDetails extends WithBrandConfig(BaseProviderPanel) {
-    render() {
-        const provider = this.wizard.provider as LDAPProvider | undefined;
-        const errors = this.wizard.errors.provider;
-
-        return html` <ak-wizard-title>${msg("Configure LDAP Provider")}</ak-wizard-title>
-            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                <ak-text-input
-                    name="name"
-                    value=${ifDefined(provider?.name)}
-                    label=${msg("Name")}
-                    .errorMessages=${errors?.name ?? []}
-                    required
-                    help=${msg("Method's display Name.")}
-                ></ak-text-input>
-
-                <ak-form-element-horizontal
-                    label=${msg("Bind flow")}
-                    ?required=${true}
-                    name="authorizationFlow"
-                    .errorMessages=${errors?.authorizationFlow ?? []}
-                >
-                    <ak-branded-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                        .currentFlow=${provider?.authorizationFlow}
-                        .brandFlow=${this.brand.flowAuthentication}
-                        required
-                    ></ak-branded-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Flow used for users to authenticate.")}
-                    </p>
-                </ak-form-element-horizontal>
-                <ak-form-element-horizontal
-                    label=${msg("Unbind flow")}
-                    name="invalidationFlow"
-                    required
-                >
-                    <ak-branded-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                        .currentFlow=${provider?.invalidationFlow}
-                        .brandFlow=${this.brand.flowInvalidation}
-                        defaultFlowSlug="default-invalidation-flow"
-                        required
-                    ></ak-branded-flow-search>
-                    <p class="pf-c-form__helper-text">${msg("Flow used for unbinding users.")}</p>
-                </ak-form-element-horizontal>
-
-                <ak-radio-input
-                    label=${msg("Bind mode")}
-                    name="bindMode"
-                    .options=${bindModeOptions}
-                    .value=${provider?.bindMode}
-                    help=${msg("Configure how the outpost authenticates requests.")}
-                >
-                </ak-radio-input>
-
-                <ak-radio-input
-                    label=${msg("Search mode")}
-                    name="searchMode"
-                    .options=${searchModeOptions}
-                    .value=${provider?.searchMode}
-                    help=${msg(
-                        "Configure how the outpost queries the core authentik server's users.",
-                    )}
-                >
-                </ak-radio-input>
-
-                <ak-switch-input
-                    name="mfaSupport"
-                    label=${msg("Code-based MFA Support")}
-                    ?checked=${provider?.mfaSupport ?? true}
-                    help=${mfaSupportHelp}
-                >
-                </ak-switch-input>
-
-                <ak-form-group .expanded=${true}>
-                    <span slot="header"> ${msg("Protocol settings")} </span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-text-input
-                            name="baseDn"
-                            label=${msg("Base DN")}
-                            required
-                            value="${first(provider?.baseDn, "DC=ldap,DC=goauthentik,DC=io")}"
-                            .errorMessages=${errors?.baseDn ?? []}
-                            help=${msg(
-                                "LDAP DN under which bind requests and search requests can be made.",
-                            )}
-                        >
-                        </ak-text-input>
-
-                        <ak-form-element-horizontal
-                            label=${msg("Certificate")}
-                            name="certificate"
-                            .errorMessages=${errors?.certificate ?? []}
-                        >
-                            <ak-crypto-certificate-search
-                                certificate=${ifDefined(provider?.certificate ?? nothing)}
-                                name="certificate"
-                            >
-                            </ak-crypto-certificate-search>
-                            <p class="pf-c-form__helper-text">${cryptoCertificateHelp}</p>
-                        </ak-form-element-horizontal>
-
-                        <ak-text-input
-                            label=${msg("TLS Server name")}
-                            name="tlsServerName"
-                            value="${first(provider?.tlsServerName, "")}"
-                            .errorMessages=${errors?.tlsServerName ?? []}
-                            help=${tlsServerNameHelp}
-                        ></ak-text-input>
-
-                        <ak-number-input
-                            label=${msg("UID start number")}
-                            required
-                            name="uidStartNumber"
-                            value="${first(provider?.uidStartNumber, 2000)}"
-                            .errorMessages=${errors?.uidStartNumber ?? []}
-                            help=${uidStartNumberHelp}
-                        ></ak-number-input>
-
-                        <ak-number-input
-                            label=${msg("GID start number")}
-                            required
-                            name="gidStartNumber"
-                            value="${first(provider?.gidStartNumber, 4000)}"
-                            .errorMessages=${errors?.gidStartNumber ?? []}
-                            help=${gidStartNumberHelp}
-                        ></ak-number-input>
-                    </div>
-                </ak-form-group>
-            </form>`;
-    }
-}
-
-export default ApplicationWizardApplicationDetails;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-authentication-by-ldap": ApplicationWizardApplicationDetails;
-    }
-}

web/src/admin/applications/wizard/methods/oauth/ak-application-wizard-authentication-by-oauth.ts

@@ -1,332 +0,0 @@
-import "@goauthentik/admin/applications/wizard/ak-wizard-title";
-import "@goauthentik/admin/common/ak-crypto-certificate-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
-import {
-    clientTypeOptions,
-    issuerModeOptions,
-    redirectUriHelp,
-    subjectModeOptions,
-} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderForm";
-import {
-    propertyMappingsProvider,
-    propertyMappingsSelector,
-} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderFormHelpers.js";
-import {
-    IRedirectURIInput,
-    akOAuthRedirectURIInput,
-} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
-import {
-    oauth2SourcesProvider,
-    oauth2SourcesSelector,
-} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-number-input";
-import "@goauthentik/components/ak-radio-input";
-import "@goauthentik/components/ak-switch-input";
-import "@goauthentik/components/ak-text-input";
-import "@goauthentik/components/ak-textarea-input";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-
-import { msg } from "@lit/localize";
-import { customElement, state } from "@lit/reactive-element/decorators.js";
-import { html, nothing } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import {
-    ClientTypeEnum,
-    FlowsInstancesListDesignationEnum,
-    MatchingModeEnum,
-    RedirectURI,
-    SourcesApi,
-} from "@goauthentik/api";
-import { type OAuth2Provider, type PaginatedOAuthSourceList } from "@goauthentik/api";
-
-import BaseProviderPanel from "../BaseProviderPanel";
-
-@customElement("ak-application-wizard-authentication-by-oauth")
-export class ApplicationWizardAuthenticationByOauth extends BaseProviderPanel {
-    @state()
-    showClientSecret = true;
-
-    @state()
-    oauthSources?: PaginatedOAuthSourceList;
-
-    constructor() {
-        super();
-        new SourcesApi(DEFAULT_CONFIG)
-            .sourcesOauthList({
-                ordering: "name",
-                hasJwks: true,
-            })
-            .then((oauthSources: PaginatedOAuthSourceList) => {
-                this.oauthSources = oauthSources;
-            });
-    }
-
-    render() {
-        const provider = this.wizard.provider as OAuth2Provider | undefined;
-        const errors = this.wizard.errors.provider;
-
-        return html`<ak-wizard-title>${msg("Configure OAuth2/OpenId Provider")}</ak-wizard-title>
-            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                <ak-text-input
-                    name="name"
-                    label=${msg("Name")}
-                    value=${ifDefined(provider?.name)}
-                    .errorMessages=${errors?.name ?? []}
-                    required
-                ></ak-text-input>
-
-                <ak-form-element-horizontal
-                    name="authorizationFlow"
-                    label=${msg("Authorization flow")}
-                    .errorMessages=${errors?.authorizationFlow ?? []}
-                    ?required=${true}
-                >
-                    <ak-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Authorization}
-                        .currentFlow=${provider?.authorizationFlow}
-                        required
-                    ></ak-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Flow used when authorizing this provider.")}
-                    </p>
-                </ak-form-element-horizontal>
-
-                <ak-form-group .expanded=${true}>
-                    <span slot="header"> ${msg("Protocol settings")} </span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-radio-input
-                            name="clientType"
-                            label=${msg("Client type")}
-                            .value=${provider?.clientType}
-                            required
-                            @change=${(ev: CustomEvent<{ value: ClientTypeEnum }>) => {
-                                this.showClientSecret = ev.detail.value !== ClientTypeEnum.Public;
-                            }}
-                            .options=${clientTypeOptions}
-                        >
-                        </ak-radio-input>
-
-                        <ak-text-input
-                            name="clientId"
-                            label=${msg("Client ID")}
-                            value=${provider?.clientId ?? randomString(40, ascii_letters + digits)}
-                            .errorMessages=${errors?.clientId ?? []}
-                            required
-                        >
-                        </ak-text-input>
-
-                        <ak-text-input
-                            name="clientSecret"
-                            label=${msg("Client Secret")}
-                            value=${provider?.clientSecret ??
-                            randomString(128, ascii_letters + digits)}
-                            .errorMessages=${errors?.clientSecret ?? []}
-                            ?hidden=${!this.showClientSecret}
-                        >
-                        </ak-text-input>
-
-                        <ak-form-element-horizontal
-                            label=${msg("Redirect URIs/Origins")}
-                            required
-                            name="redirectUris"
-                        >
-                            <ak-array-input
-                                .items=${[]}
-                                .newItem=${() => ({
-                                    matchingMode: MatchingModeEnum.Strict,
-                                    url: "",
-                                })}
-                                .row=${(f?: RedirectURI) =>
-                                    akOAuthRedirectURIInput({
-                                        ".redirectURI": f,
-                                        "style": "width: 100%",
-                                        "name": "oauth2-redirect-uri",
-                                    } as unknown as IRedirectURIInput)}
-                            >
-                            </ak-array-input>
-                            ${redirectUriHelp}
-                        </ak-form-element-horizontal>
-
-                        <ak-form-element-horizontal
-                            label=${msg("Signing Key")}
-                            name="signingKey"
-                            .errorMessages=${errors?.signingKey ?? []}
-                        >
-                            <ak-crypto-certificate-search
-                                certificate=${ifDefined(provider?.signingKey ?? nothing)}
-                                name="certificate"
-                                singleton
-                            >
-                            </ak-crypto-certificate-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg("Key used to sign the tokens.")}
-                            </p>
-                        </ak-form-element-horizontal>
-                    </div>
-                </ak-form-group>
-
-                <ak-form-group>
-                    <span slot="header"> ${msg("Advanced flow settings")} </span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-form-element-horizontal
-                            name="authenticationFlow"
-                            label=${msg("Authentication flow")}
-                        >
-                            <ak-flow-search
-                                flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                                .currentFlow=${provider?.authenticationFlow}
-                            ></ak-flow-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg(
-                                    "Flow used when a user access this provider and is not authenticated.",
-                                )}
-                            </p>
-                        </ak-form-element-horizontal>
-                        <ak-form-element-horizontal
-                            label=${msg("Invalidation flow")}
-                            name="invalidationFlow"
-                            required
-                        >
-                            <ak-flow-search
-                                flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                                .currentFlow=${provider?.invalidationFlow}
-                                defaultFlowSlug="default-provider-invalidation-flow"
-                                required
-                            ></ak-flow-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg("Flow used when logging out of this provider.")}
-                            </p>
-                        </ak-form-element-horizontal>
-                    </div>
-                </ak-form-group>
-                <ak-form-group>
-                    <span slot="header"> ${msg("Advanced protocol settings")} </span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-text-input
-                            name="accessCodeValidity"
-                            label=${msg("Access code validity")}
-                            required
-                            value="${first(provider?.accessCodeValidity, "minutes=1")}"
-                            .errorMessages=${errors?.accessCodeValidity ?? []}
-                            .bighelp=${html`<p class="pf-c-form__helper-text">
-                                    ${msg("Configure how long access codes are valid for.")}
-                                </p>
-                                <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
-                        >
-                        </ak-text-input>
-
-                        <ak-text-input
-                            name="accessTokenValidity"
-                            label=${msg("Access Token validity")}
-                            value="${first(provider?.accessTokenValidity, "minutes=5")}"
-                            required
-                            .errorMessages=${errors?.accessTokenValidity ?? []}
-                            .bighelp=${html` <p class="pf-c-form__helper-text">
-                                    ${msg("Configure how long access tokens are valid for.")}
-                                </p>
-                                <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
-                        >
-                        </ak-text-input>
-
-                        <ak-text-input
-                            name="refreshTokenValidity"
-                            label=${msg("Refresh Token validity")}
-                            value="${first(provider?.refreshTokenValidity, "days=30")}"
-                            .errorMessages=${errors?.refreshTokenValidity ?? []}
-                            ?required=${true}
-                            .bighelp=${html` <p class="pf-c-form__helper-text">
-                                    ${msg("Configure how long refresh tokens are valid for.")}
-                                </p>
-                                <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
-                        >
-                        </ak-text-input>
-
-                        <ak-form-element-horizontal
-                            label=${msg("Scopes")}
-                            name="propertyMappings"
-                            .errorMessages=${errors?.propertyMappings ?? []}
-                        >
-                            <ak-dual-select-dynamic-selected
-                                .provider=${propertyMappingsProvider}
-                                .selector=${propertyMappingsSelector(provider?.propertyMappings)}
-                                available-label=${msg("Available Scopes")}
-                                selected-label=${msg("Selected Scopes")}
-                            ></ak-dual-select-dynamic-selected>
-                            <p class="pf-c-form__helper-text">
-                                ${msg(
-                                    "Select which scopes can be used by the client. The client still has to specify the scope to access the data.",
-                                )}
-                            </p>
-                        </ak-form-element-horizontal>
-
-                        <ak-radio-input
-                            name="subMode"
-                            label=${msg("Subject mode")}
-                            required
-                            .options=${subjectModeOptions}
-                            .value=${provider?.subMode}
-                            help=${msg(
-                                "Configure what data should be used as unique User Identifier. For most cases, the default should be fine.",
-                            )}
-                        >
-                        </ak-radio-input>
-                        <ak-switch-input
-                            name="includeClaimsInIdToken"
-                            label=${msg("Include claims in id_token")}
-                            ?checked=${first(provider?.includeClaimsInIdToken, true)}
-                            help=${msg(
-                                "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.",
-                            )}
-                        ></ak-switch-input>
-                        <ak-radio-input
-                            name="issuerMode"
-                            label=${msg("Issuer mode")}
-                            required
-                            .options=${issuerModeOptions}
-                            .value=${provider?.issuerMode}
-                            help=${msg(
-                                "Configure how the issuer field of the ID Token should be filled.",
-                            )}
-                        >
-                        </ak-radio-input>
-                    </div>
-                </ak-form-group>
-
-                <ak-form-group>
-                    <span slot="header">${msg("Machine-to-Machine authentication settings")}</span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-form-element-horizontal
-                            label=${msg("Trusted OIDC Sources")}
-                            name="jwksSources"
-                            .errorMessages=${errors?.jwksSources ?? []}
-                        >
-                            <ak-dual-select-dynamic-selected
-                                .provider=${oauth2SourcesProvider}
-                                .selector=${oauth2SourcesSelector(provider?.jwtFederationSources)}
-                                available-label=${msg("Available Sources")}
-                                selected-label=${msg("Selected Sources")}
-                            ></ak-dual-select-dynamic-selected>
-                            <p class="pf-c-form__helper-text">
-                                ${msg(
-                                    "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
-                                )}
-                            </p>
-                        </ak-form-element-horizontal>
-                    </div>
-                </ak-form-group>
-            </form>`;
-    }
-}
-
-export default ApplicationWizardAuthenticationByOauth;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-authentication-by-oauth": ApplicationWizardAuthenticationByOauth;
-    }
-}

web/src/admin/applications/wizard/methods/proxy/AuthenticationByProxyPage.ts

@@ -1,269 +0,0 @@
-import "@goauthentik/admin/applications/wizard/ak-wizard-title";
-import {
-    oauth2SourcesProvider,
-    oauth2SourcesSelector,
-} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
-import {
-    propertyMappingsProvider,
-    propertyMappingsSelector,
-} from "@goauthentik/admin/providers/proxy/ProxyProviderFormHelpers.js";
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-switch-input";
-import "@goauthentik/components/ak-text-input";
-import "@goauthentik/components/ak-textarea-input";
-import "@goauthentik/components/ak-toggle-group";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-
-import { msg } from "@lit/localize";
-import { state } from "@lit/reactive-element/decorators.js";
-import { TemplateResult, html, nothing } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import {
-    FlowsInstancesListDesignationEnum,
-    PaginatedOAuthSourceList,
-    PaginatedScopeMappingList,
-    ProxyMode,
-    ProxyProvider,
-    SourcesApi,
-} from "@goauthentik/api";
-
-import BaseProviderPanel from "../BaseProviderPanel";
-
-type MaybeTemplateResult = TemplateResult | typeof nothing;
-
-export class AkTypeProxyApplicationWizardPage extends BaseProviderPanel {
-    constructor() {
-        super();
-        new SourcesApi(DEFAULT_CONFIG)
-            .sourcesOauthList({
-                ordering: "name",
-                hasJwks: true,
-            })
-            .then((oauthSources: PaginatedOAuthSourceList) => {
-                this.oauthSources = oauthSources;
-            });
-    }
-
-    propertyMappings?: PaginatedScopeMappingList;
-    oauthSources?: PaginatedOAuthSourceList;
-
-    @state()
-    showHttpBasic = true;
-
-    @state()
-    mode: ProxyMode = ProxyMode.Proxy;
-
-    get instance(): ProxyProvider | undefined {
-        return this.wizard.provider as ProxyProvider;
-    }
-
-    renderModeDescription(): MaybeTemplateResult {
-        return nothing;
-    }
-
-    renderProxyMode(): TemplateResult {
-        throw new Error("Must be implemented in a child class.");
-    }
-
-    renderHttpBasic() {
-        return html`<ak-text-input
-                name="basicAuthUserAttribute"
-                label=${msg("HTTP-Basic Username Key")}
-                value="${ifDefined(this.instance?.basicAuthUserAttribute)}"
-                help=${msg(
-                    "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used.",
-                )}
-            >
-            </ak-text-input>
-
-            <ak-text-input
-                name="basicAuthPasswordAttribute"
-                label=${msg("HTTP-Basic Password Key")}
-                value="${ifDefined(this.instance?.basicAuthPasswordAttribute)}"
-                help=${msg(
-                    "User/Group Attribute used for the password part of the HTTP-Basic Header.",
-                )}
-            >
-            </ak-text-input>`;
-    }
-
-    render() {
-        const errors = this.wizard.errors.provider;
-
-        return html` <ak-wizard-title>${msg("Configure Proxy Provider")}</ak-wizard-title>
-            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                ${this.renderModeDescription()}
-                <ak-text-input
-                    name="name"
-                    value=${ifDefined(this.instance?.name)}
-                    required
-                    .errorMessages=${errors?.name ?? []}
-                    label=${msg("Name")}
-                ></ak-text-input>
-
-                <ak-form-element-horizontal
-                    label=${msg("Authorization flow")}
-                    required
-                    name="authorizationFlow"
-                    .errorMessages=${errors?.authorizationFlow ?? []}
-                >
-                    <ak-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Authorization}
-                        .currentFlow=${this.instance?.authorizationFlow}
-                        required
-                    ></ak-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Flow used when authorizing this provider.")}
-                    </p>
-                </ak-form-element-horizontal>
-
-                ${this.renderProxyMode()}
-
-                <ak-text-input
-                    name="accessTokenValidity"
-                    value=${first(this.instance?.accessTokenValidity, "hours=24")}
-                    label=${msg("Token validity")}
-                    help=${msg("Configure how long tokens are valid for.")}
-                    .errorMessages=${errors?.accessTokenValidity ?? []}
-                ></ak-text-input>
-
-                <ak-form-group>
-                    <span slot="header">${msg("Advanced protocol settings")}</span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-form-element-horizontal
-                            label=${msg("Certificate")}
-                            name="certificate"
-                            .errorMessages=${errors?.certificate ?? []}
-                        >
-                            <ak-crypto-certificate-search
-                                certificate=${ifDefined(this.instance?.certificate ?? undefined)}
-                            ></ak-crypto-certificate-search>
-                        </ak-form-element-horizontal>
-                        <ak-form-element-horizontal
-                            label=${msg("Additional scopes")}
-                            name="propertyMappings"
-                        >
-                            <ak-dual-select-dynamic-selected
-                                .provider=${propertyMappingsProvider}
-                                .selector=${propertyMappingsSelector(
-                                    this.instance?.propertyMappings,
-                                )}
-                                available-label="${msg("Available Scopes")}"
-                                selected-label="${msg("Selected Scopes")}"
-                            ></ak-dual-select-dynamic-selected>
-                            <p class="pf-c-form__helper-text">
-                                ${msg("Additional scope mappings, which are passed to the proxy.")}
-                            </p>
-                        </ak-form-element-horizontal>
-
-                        <ak-textarea-input
-                            name="skipPathRegex"
-                            label=${this.mode === ProxyMode.ForwardDomain
-                                ? msg("Unauthenticated URLs")
-                                : msg("Unauthenticated Paths")}
-                            value=${ifDefined(this.instance?.skipPathRegex)}
-                            .errorMessages=${errors?.skipPathRegex ?? []}
-                            .bighelp=${html` <p class="pf-c-form__helper-text">
-                                    ${msg(
-                                        "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression.",
-                                    )}
-                                </p>
-                                <p class="pf-c-form__helper-text">
-                                    ${msg(
-                                        "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.",
-                                    )}
-                                </p>`}
-                        >
-                        </ak-textarea-input>
-                    </div>
-                </ak-form-group>
-                <ak-form-group>
-                    <span slot="header"> ${msg("Advanced flow settings")} </span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-form-element-horizontal
-                            name="authenticationFlow"
-                            label=${msg("Authentication flow")}
-                        >
-                            <ak-flow-search
-                                flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                                .currentFlow=${this.instance?.authenticationFlow}
-                            ></ak-flow-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg(
-                                    "Flow used when a user access this provider and is not authenticated.",
-                                )}
-                            </p>
-                        </ak-form-element-horizontal>
-                        <ak-form-element-horizontal
-                            label=${msg("Invalidation flow")}
-                            name="invalidationFlow"
-                            required
-                        >
-                            <ak-flow-search
-                                flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                                .currentFlow=${this.instance?.invalidationFlow}
-                                defaultFlowSlug="default-provider-invalidation-flow"
-                                required
-                            ></ak-flow-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg("Flow used when logging out of this provider.")}
-                            </p>
-                        </ak-form-element-horizontal>
-                    </div>
-                </ak-form-group>
-                <ak-form-group>
-                    <span slot="header">${msg("Authentication settings")}</span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-switch-input
-                            name="interceptHeaderAuth"
-                            ?checked=${first(this.instance?.interceptHeaderAuth, true)}
-                            label=${msg("Intercept header authentication")}
-                            help=${msg(
-                                "When enabled, authentik will intercept the Authorization header to authenticate the request.",
-                            )}
-                        ></ak-switch-input>
-
-                        <ak-switch-input
-                            name="basicAuthEnabled"
-                            ?checked=${first(this.instance?.basicAuthEnabled, false)}
-                            @change=${(ev: Event) => {
-                                const el = ev.target as HTMLInputElement;
-                                this.showHttpBasic = el.checked;
-                            }}
-                            label=${msg("Send HTTP-Basic Authentication")}
-                            help=${msg(
-                                "Send a custom HTTP-Basic Authentication header based on values from authentik.",
-                            )}
-                        ></ak-switch-input>
-
-                        ${this.showHttpBasic ? this.renderHttpBasic() : html``}
-
-                        <ak-form-element-horizontal
-                            label=${msg("Trusted OIDC Sources")}
-                            name="jwksSources"
-                            .errorMessages=${errors?.jwksSources ?? []}
-                        >
-                            <ak-dual-select-dynamic-selected
-                                .provider=${oauth2SourcesProvider}
-                                .selector=${oauth2SourcesSelector(
-                                    this.instance?.jwtFederationSources,
-                                )}
-                                available-label=${msg("Available Sources")}
-                                selected-label=${msg("Selected Sources")}
-                            ></ak-dual-select-dynamic-selected>
-                            <p class="pf-c-form__helper-text">
-                                ${msg(
-                                    "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
-                                )}
-                            </p>
-                        </ak-form-element-horizontal>
-                    </div>
-                </ak-form-group>
-            </form>`;
-    }
-}
-
-export default AkTypeProxyApplicationWizardPage;

web/src/admin/applications/wizard/methods/proxy/ak-application-wizard-authentication-for-forward-domain-proxy.ts

@@ -1,74 +0,0 @@
-import "@goauthentik/components/ak-text-input";
-
-import { msg } from "@lit/localize";
-import { customElement } from "@lit/reactive-element/decorators.js";
-import { html } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import PFList from "@patternfly/patternfly/components/List/list.css";
-
-import { ProxyProvider } from "@goauthentik/api";
-
-import AkTypeProxyApplicationWizardPage from "./AuthenticationByProxyPage";
-
-@customElement("ak-application-wizard-authentication-for-forward-proxy-domain")
-export class AkForwardDomainProxyApplicationWizardPage extends AkTypeProxyApplicationWizardPage {
-    static get styles() {
-        return super.styles.concat(PFList);
-    }
-
-    renderModeDescription() {
-        return html`<p>
-                ${msg(
-                    "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.",
-                )}
-            </p>
-            <div>
-                ${msg("An example setup can look like this:")}
-                <ul class="pf-c-list">
-                    <li>${msg("authentik running on auth.example.com")}</li>
-                    <li>${msg("app1 running on app1.example.com")}</li>
-                </ul>
-                ${msg(
-                    "In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com.",
-                )}
-            </div>`;
-    }
-
-    renderProxyMode() {
-        const provider = this.wizard.provider as ProxyProvider | undefined;
-        const errors = this.wizard.errors.provider;
-
-        return html`
-            <ak-text-input
-                name="externalHost"
-                label=${msg("External host")}
-                value=${ifDefined(provider?.externalHost)}
-                .errorMessages=${errors?.externalHost ?? []}
-                required
-                help=${msg(
-                    "The external URL you'll authenticate at. The authentik core server should be reachable under this URL.",
-                )}
-            >
-            </ak-text-input>
-            <ak-text-input
-                name="cookieDomain"
-                label=${msg("Cookie domain")}
-                value="${ifDefined(provider?.cookieDomain)}"
-                .errorMessages=${errors?.cookieDomain ?? []}
-                required
-                help=${msg(
-                    "Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.",
-                )}
-            ></ak-text-input>
-        `;
-    }
-}
-
-export default AkForwardDomainProxyApplicationWizardPage;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-authentication-for-forward-proxy-domain": AkForwardDomainProxyApplicationWizardPage;
-    }
-}

web/src/admin/applications/wizard/methods/proxy/ak-application-wizard-authentication-for-reverse-proxy.ts

@@ -1,62 +0,0 @@
-import { first } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-switch-input";
-import "@goauthentik/components/ak-text-input";
-
-import { msg } from "@lit/localize";
-import { customElement } from "@lit/reactive-element/decorators.js";
-import { html } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import { ProxyProvider } from "@goauthentik/api";
-
-import AkTypeProxyApplicationWizardPage from "./AuthenticationByProxyPage";
-
-@customElement("ak-application-wizard-authentication-for-reverse-proxy")
-export class AkReverseProxyApplicationWizardPage extends AkTypeProxyApplicationWizardPage {
-    renderModeDescription() {
-        return html`<p class="pf-u-mb-xl">
-            ${msg(
-                "This provider will behave like a transparent reverse-proxy, except requests must be authenticated. If your upstream application uses HTTPS, make sure to connect to the outpost using HTTPS as well.",
-            )}
-        </p>`;
-    }
-
-    renderProxyMode() {
-        const provider = this.wizard.provider as ProxyProvider | undefined;
-        const errors = this.wizard.errors.provider;
-
-        return html` <ak-text-input
-                name="externalHost"
-                value=${ifDefined(provider?.externalHost)}
-                required
-                label=${msg("External host")}
-                .errorMessages=${errors?.externalHost ?? []}
-                help=${msg(
-                    "The external URL you'll access the application at. Include any non-standard port.",
-                )}
-            ></ak-text-input>
-            <ak-text-input
-                name="internalHost"
-                value=${ifDefined(provider?.internalHost)}
-                .errorMessages=${errors?.internalHost ?? []}
-                required
-                label=${msg("Internal host")}
-                help=${msg("Upstream host that the requests are forwarded to.")}
-            ></ak-text-input>
-            <ak-switch-input
-                name="internalHostSslValidation"
-                ?checked=${first(provider?.internalHostSslValidation, true)}
-                label=${msg("Internal host SSL Validation")}
-                help=${msg("Validate SSL Certificates of upstream servers.")}
-            >
-            </ak-switch-input>`;
-    }
-}
-
-export default AkReverseProxyApplicationWizardPage;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-authentication-for-reverse-proxy": AkReverseProxyApplicationWizardPage;
-    }
-}

web/src/admin/applications/wizard/methods/proxy/ak-application-wizard-authentication-for-single-forward-proxy.ts

@@ -1,48 +0,0 @@
-import "@goauthentik/components/ak-text-input";
-
-import { msg } from "@lit/localize";
-import { customElement } from "@lit/reactive-element/decorators.js";
-import { html } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import { ProxyProvider } from "@goauthentik/api";
-
-import AkTypeProxyApplicationWizardPage from "./AuthenticationByProxyPage";
-
-@customElement("ak-application-wizard-authentication-for-single-forward-proxy")
-export class AkForwardSingleProxyApplicationWizardPage extends AkTypeProxyApplicationWizardPage {
-    renderModeDescription() {
-        return html`<p class="pf-u-mb-xl">
-            ${msg(
-                html`Use this provider with nginx's <code>auth_request</code> or traefik's
-                    <code>forwardAuth</code>. Each application/domain needs its own provider.
-                    Additionally, on each domain, <code>/outpost.goauthentik.io</code> must be
-                    routed to the outpost (when using a managed outpost, this is done for you).`,
-            )}
-        </p>`;
-    }
-
-    renderProxyMode() {
-        const provider = this.wizard.provider as ProxyProvider | undefined;
-        const errors = this.wizard.errors.provider;
-
-        return html`<ak-text-input
-            name="externalHost"
-            value=${ifDefined(provider?.externalHost)}
-            required
-            label=${msg("External host")}
-            .errorMessages=${errors?.externalHost ?? []}
-            help=${msg(
-                "The external URL you'll access the application at. Include any non-standard port.",
-            )}
-        ></ak-text-input>`;
-    }
-}
-
-export default AkForwardSingleProxyApplicationWizardPage;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-authentication-for-single-forward-proxy": AkForwardSingleProxyApplicationWizardPage;
-    }
-}

web/src/admin/applications/wizard/methods/radius/ak-application-wizard-authentication-by-radius.ts

@@ -1,108 +0,0 @@
-import "@goauthentik/admin/applications/wizard/ak-wizard-title";
-import "@goauthentik/admin/common/ak-crypto-certificate-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
-import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-text-input";
-import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-
-import { msg } from "@lit/localize";
-import { customElement } from "@lit/reactive-element/decorators.js";
-import { html } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import { FlowsInstancesListDesignationEnum, RadiusProvider } from "@goauthentik/api";
-
-import BaseProviderPanel from "../BaseProviderPanel";
-
-@customElement("ak-application-wizard-authentication-by-radius")
-export class ApplicationWizardAuthenticationByRadius extends WithBrandConfig(BaseProviderPanel) {
-    render() {
-        const provider = this.wizard.provider as RadiusProvider | undefined;
-        const errors = this.wizard.errors.provider;
-
-        return html`<ak-wizard-title>${msg("Configure Radius Provider")}</ak-wizard-title>
-            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                <ak-text-input
-                    name="name"
-                    label=${msg("Name")}
-                    value=${ifDefined(provider?.name)}
-                    .errorMessages=${errors?.name ?? []}
-                    required
-                >
-                </ak-text-input>
-
-                <ak-form-element-horizontal
-                    label=${msg("Authentication flow")}
-                    ?required=${true}
-                    name="authorizationFlow"
-                    .errorMessages=${errors?.authorizationFlow ?? []}
-                >
-                    <ak-branded-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                        .currentFlow=${provider?.authorizationFlow}
-                        .brandFlow=${this.brand.flowAuthentication}
-                        required
-                    ></ak-branded-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Flow used for users to authenticate.")}
-                    </p>
-                </ak-form-element-horizontal>
-
-                <ak-form-group expanded>
-                    <span slot="header"> ${msg("Protocol settings")} </span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-text-input
-                            name="sharedSecret"
-                            label=${msg("Shared secret")}
-                            .errorMessages=${errors?.sharedSecret ?? []}
-                            value=${first(
-                                provider?.sharedSecret,
-                                randomString(128, ascii_letters + digits),
-                            )}
-                            required
-                        ></ak-text-input>
-                        <ak-text-input
-                            name="clientNetworks"
-                            label=${msg("Client Networks")}
-                            value=${first(provider?.clientNetworks, "0.0.0.0/0, ::/0")}
-                            .errorMessages=${errors?.clientNetworks ?? []}
-                            required
-                            help=${msg(`List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.`)}
-                        ></ak-text-input>
-                    </div>
-                </ak-form-group>
-                <ak-form-group>
-                    <span slot="header"> ${msg("Advanced flow settings")} </span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-form-element-horizontal
-                            label=${msg("Invalidation flow")}
-                            name="invalidationFlow"
-                            required
-                        >
-                            <ak-flow-search
-                                flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                                .currentFlow=${provider?.invalidationFlow}
-                                defaultFlowSlug="default-invalidation-flow"
-                                required
-                            ></ak-flow-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg("Flow used when logging out of this provider.")}
-                            </p>
-                        </ak-form-element-horizontal>
-                    </div></ak-form-group
-                >
-            </form>`;
-    }
-}
-
-export default ApplicationWizardAuthenticationByRadius;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-authentication-by-radius": ApplicationWizardAuthenticationByRadius;
-    }
-}

web/src/admin/applications/wizard/methods/saml/ak-application-wizard-authentication-by-saml-configuration.ts

@@ -1,364 +0,0 @@
-import "@goauthentik/admin/applications/wizard/ak-wizard-title";
-import "@goauthentik/admin/applications/wizard/ak-wizard-title";
-import "@goauthentik/admin/common/ak-crypto-certificate-search";
-import AkCryptoCertificateSearch from "@goauthentik/admin/common/ak-crypto-certificate-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-multi-select";
-import "@goauthentik/components/ak-number-input";
-import "@goauthentik/components/ak-radio-input";
-import "@goauthentik/components/ak-switch-input";
-import "@goauthentik/components/ak-text-input";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-
-import { msg } from "@lit/localize";
-import { customElement, state } from "@lit/reactive-element/decorators.js";
-import { html, nothing } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import {
-    FlowsInstancesListDesignationEnum,
-    PaginatedSAMLPropertyMappingList,
-    PropertymappingsApi,
-    SAMLProvider,
-} from "@goauthentik/api";
-
-import BaseProviderPanel from "../BaseProviderPanel";
-import {
-    digestAlgorithmOptions,
-    signatureAlgorithmOptions,
-    spBindingOptions,
-} from "./SamlProviderOptions";
-import "./saml-property-mappings-search";
-
-@customElement("ak-application-wizard-authentication-by-saml-configuration")
-export class ApplicationWizardProviderSamlConfiguration extends BaseProviderPanel {
-    @state()
-    propertyMappings?: PaginatedSAMLPropertyMappingList;
-
-    @state()
-    hasSigningKp = false;
-
-    constructor() {
-        super();
-        new PropertymappingsApi(DEFAULT_CONFIG)
-            .propertymappingsProviderSamlList({
-                ordering: "saml_name",
-            })
-            .then((propertyMappings: PaginatedSAMLPropertyMappingList) => {
-                this.propertyMappings = propertyMappings;
-            });
-    }
-
-    propertyMappingConfiguration(provider?: SAMLProvider) {
-        const propertyMappings = this.propertyMappings?.results ?? [];
-
-        const configuredMappings = (providerMappings: string[]) =>
-            propertyMappings.map((pm) => pm.pk).filter((pmpk) => providerMappings.includes(pmpk));
-
-        const managedMappings = () =>
-            propertyMappings
-                .filter((pm) => (pm?.managed ?? "").startsWith("goauthentik.io/providers/saml"))
-                .map((pm) => pm.pk);
-
-        const pmValues = provider?.propertyMappings
-            ? configuredMappings(provider?.propertyMappings ?? [])
-            : managedMappings();
-
-        const propertyPairs = propertyMappings.map((pm) => [pm.pk, pm.name]);
-
-        return { pmValues, propertyPairs };
-    }
-
-    render() {
-        const provider = this.wizard.provider as SAMLProvider | undefined;
-        const errors = this.wizard.errors.provider;
-
-        const { pmValues, propertyPairs } = this.propertyMappingConfiguration(provider);
-
-        return html` <ak-wizard-title>${msg("Configure SAML Provider")}</ak-wizard-title>
-            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                <ak-text-input
-                    name="name"
-                    value=${ifDefined(provider?.name)}
-                    required
-                    label=${msg("Name")}
-                    .errorMessages=${errors?.name ?? []}
-                ></ak-text-input>
-
-                <ak-form-element-horizontal
-                    label=${msg("Authorization flow")}
-                    ?required=${true}
-                    name="authorizationFlow"
-                    .errorMessages=${errors?.authorizationFlow ?? []}
-                >
-                    <ak-flow-search
-                        flowType=${FlowsInstancesListDesignationEnum.Authorization}
-                        .currentFlow=${provider?.authorizationFlow}
-                        required
-                    ></ak-flow-search>
-                    <p class="pf-c-form__helper-text">
-                        ${msg("Flow used when authorizing this provider.")}
-                    </p>
-                </ak-form-element-horizontal>
-
-                <ak-form-group .expanded=${true}>
-                    <span slot="header"> ${msg("Protocol settings")} </span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-text-input
-                            name="acsUrl"
-                            value=${ifDefined(provider?.acsUrl)}
-                            required
-                            label=${msg("ACS URL")}
-                            .errorMessages=${errors?.acsUrl ?? []}
-                        ></ak-text-input>
-
-                        <ak-text-input
-                            name="issuer"
-                            value=${provider?.issuer || "authentik"}
-                            required
-                            label=${msg("Issuer")}
-                            help=${msg("Also known as EntityID.")}
-                            .errorMessages=${errors?.issuer ?? []}
-                        ></ak-text-input>
-
-                        <ak-radio-input
-                            name="spBinding"
-                            label=${msg("Service Provider Binding")}
-                            required
-                            .options=${spBindingOptions}
-                            .value=${provider?.spBinding}
-                            help=${msg(
-                                "Determines how authentik sends the response back to the Service Provider.",
-                            )}
-                        >
-                        </ak-radio-input>
-
-                        <ak-text-input
-                            name="audience"
-                            value=${ifDefined(provider?.audience)}
-                            label=${msg("Audience")}
-                            .errorMessages=${errors?.audience ?? []}
-                        ></ak-text-input>
-                    </div>
-                </ak-form-group>
-
-                <ak-form-group>
-                    <span slot="header"> ${msg("Advanced flow settings")}</span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-form-element-horizontal
-                            name="authenticationFlow"
-                            label=${msg("Authentication flow")}
-                        >
-                            <ak-flow-search
-                                flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                                .currentFlow=${provider?.authenticationFlow}
-                            ></ak-flow-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg(
-                                    "Flow used when a user access this provider and is not authenticated.",
-                                )}
-                            </p>
-                        </ak-form-element-horizontal>
-                        <ak-form-element-horizontal
-                            label=${msg("Invalidation flow")}
-                            name="invalidationFlow"
-                            required
-                        >
-                            <ak-flow-search
-                                flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                                .currentFlow=${provider?.invalidationFlow}
-                                defaultFlowSlug="default-provider-invalidation-flow"
-                                required
-                            ></ak-flow-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg("Flow used when logging out of this provider.")}
-                            </p>
-                        </ak-form-element-horizontal>
-                    </div>
-                </ak-form-group>
-                <ak-form-group>
-                    <span slot="header"> ${msg("Advanced protocol settings")} </span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-form-element-horizontal
-                            label=${msg("Signing Certificate")}
-                            name="signingKp"
-                        >
-                            <ak-crypto-certificate-search
-                                certificate=${ifDefined(provider?.signingKp ?? undefined)}
-                                @input=${(ev: InputEvent) => {
-                                    const target = ev.target as AkCryptoCertificateSearch;
-                                    if (!target) return;
-                                    this.hasSigningKp = !!target.selectedKeypair;
-                                }}
-                            ></ak-crypto-certificate-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg(
-                                    "Certificate used to sign outgoing Responses going to the Service Provider.",
-                                )}
-                            </p>
-                        </ak-form-element-horizontal>
-                        ${this.hasSigningKp
-                            ? html` <ak-form-element-horizontal name="signAssertion">
-                                      <label class="pf-c-switch">
-                                          <input
-                                              class="pf-c-switch__input"
-                                              type="checkbox"
-                                              ?checked=${first(provider?.signAssertion, true)}
-                                          />
-                                          <span class="pf-c-switch__toggle">
-                                              <span class="pf-c-switch__toggle-icon">
-                                                  <i class="fas fa-check" aria-hidden="true"></i>
-                                              </span>
-                                          </span>
-                                          <span class="pf-c-switch__label"
-                                              >${msg("Sign assertions")}</span
-                                          >
-                                      </label>
-                                      <p class="pf-c-form__helper-text">
-                                          ${msg(
-                                              "When enabled, the assertion element of the SAML response will be signed.",
-                                          )}
-                                      </p>
-                                  </ak-form-element-horizontal>
-                                  <ak-form-element-horizontal name="signResponse">
-                                      <label class="pf-c-switch">
-                                          <input
-                                              class="pf-c-switch__input"
-                                              type="checkbox"
-                                              ?checked=${first(provider?.signResponse, false)}
-                                          />
-                                          <span class="pf-c-switch__toggle">
-                                              <span class="pf-c-switch__toggle-icon">
-                                                  <i class="fas fa-check" aria-hidden="true"></i>
-                                              </span>
-                                          </span>
-                                          <span class="pf-c-switch__label"
-                                              >${msg("Sign responses")}</span
-                                          >
-                                      </label>
-                                      <p class="pf-c-form__helper-text">
-                                          ${msg(
-                                              "When enabled, the assertion element of the SAML response will be signed.",
-                                          )}
-                                      </p>
-                                  </ak-form-element-horizontal>`
-                            : nothing}
-
-                        <ak-form-element-horizontal
-                            label=${msg("Verification Certificate")}
-                            name="verificationKp"
-                        >
-                            <ak-crypto-certificate-search
-                                certificate=${ifDefined(provider?.verificationKp ?? undefined)}
-                                nokey
-                            ></ak-crypto-certificate-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg(
-                                    "When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.",
-                                )}
-                            </p>
-                        </ak-form-element-horizontal>
-
-                        <ak-form-element-horizontal
-                            label=${msg("Encryption Certificate")}
-                            name="encryptionKp"
-                        >
-                            <ak-crypto-certificate-search
-                                certificate=${ifDefined(provider?.encryptionKp ?? undefined)}
-                            ></ak-crypto-certificate-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg(
-                                    "When selected, encrypted assertions will be decrypted using this keypair.",
-                                )}
-                            </p>
-                        </ak-form-element-horizontal>
-
-                        <ak-multi-select
-                            label=${msg("Property Mappings")}
-                            name="propertyMappings"
-                            .options=${propertyPairs}
-                            .values=${pmValues}
-                            .richhelp=${html` <p class="pf-c-form__helper-text">
-                                ${msg("Property mappings used for user mapping.")}
-                            </p>`}
-                        ></ak-multi-select>
-
-                        <ak-form-element-horizontal
-                            label=${msg("NameID Property Mapping")}
-                            name="nameIdMapping"
-                        >
-                            <ak-saml-property-mapping-search
-                                name="nameIdMapping"
-                                propertymapping=${ifDefined(provider?.nameIdMapping ?? undefined)}
-                            ></ak-saml-property-mapping-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg(
-                                    "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected.",
-                                )}
-                            </p>
-                        </ak-form-element-horizontal>
-
-                        <ak-text-input
-                            name="assertionValidNotBefore"
-                            value=${provider?.assertionValidNotBefore || "minutes=-5"}
-                            required
-                            label=${msg("Assertion valid not before")}
-                            help=${msg(
-                                "Configure the maximum allowed time drift for an assertion.",
-                            )}
-                            .errorMessages=${errors?.assertionValidNotBefore ?? []}
-                        ></ak-text-input>
-
-                        <ak-text-input
-                            name="assertionValidNotOnOrAfter"
-                            value=${provider?.assertionValidNotOnOrAfter || "minutes=5"}
-                            required
-                            label=${msg("Assertion valid not on or after")}
-                            help=${msg(
-                                "Assertion not valid on or after current time + this value.",
-                            )}
-                            .errorMessages=${errors?.assertionValidNotOnOrAfter ?? []}
-                        ></ak-text-input>
-
-                        <ak-text-input
-                            name="sessionValidNotOnOrAfter"
-                            value=${provider?.sessionValidNotOnOrAfter || "minutes=86400"}
-                            required
-                            label=${msg("Session valid not on or after")}
-                            help=${msg("Session not valid on or after current time + this value.")}
-                            .errorMessages=${errors?.sessionValidNotOnOrAfter ?? []}
-                        ></ak-text-input>
-
-                        <ak-radio-input
-                            name="digestAlgorithm"
-                            label=${msg("Digest algorithm")}
-                            required
-                            .options=${digestAlgorithmOptions}
-                            .value=${provider?.digestAlgorithm}
-                        >
-                        </ak-radio-input>
-
-                        <ak-radio-input
-                            name="signatureAlgorithm"
-                            label=${msg("Signature algorithm")}
-                            required
-                            .options=${signatureAlgorithmOptions}
-                            .value=${provider?.signatureAlgorithm}
-                        >
-                        </ak-radio-input>
-                    </div>
-                </ak-form-group>
-            </form>`;
-    }
-}
-
-export default ApplicationWizardProviderSamlConfiguration;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-authentication-by-saml-configuration": ApplicationWizardProviderSamlConfiguration;
-    }
-}

web/src/admin/applications/wizard/methods/saml/saml-property-mappings-search.ts

@@ -1,120 +0,0 @@
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { AKElement } from "@goauthentik/elements/Base";
-import { SearchSelect } from "@goauthentik/elements/forms/SearchSelect";
-import { CustomListenerElement } from "@goauthentik/elements/utils/eventEmitter";
-
-import { html } from "lit";
-import { customElement } from "lit/decorators.js";
-import { property, query } from "lit/decorators.js";
-
-import {
-    PropertymappingsApi,
-    PropertymappingsProviderSamlListRequest,
-    SAMLPropertyMapping,
-} from "@goauthentik/api";
-
-async function fetchObjects(query?: string): Promise<SAMLPropertyMapping[]> {
-    const args: PropertymappingsProviderSamlListRequest = {
-        ordering: "saml_name",
-    };
-    if (query !== undefined) {
-        args.search = query;
-    }
-    const items = await new PropertymappingsApi(DEFAULT_CONFIG).propertymappingsProviderSamlList(
-        args,
-    );
-    return items.results;
-}
-
-function renderElement(item: SAMLPropertyMapping): string {
-    return item.name;
-}
-
-function renderValue(item: SAMLPropertyMapping | undefined): string | undefined {
-    return item?.pk;
-}
-
-/**
- * SAML Property Mapping Search
- *
- * @element ak-saml-property-mapping-search
- *
- * A wrapper around SearchSelect for the SAML Property Search. It's a unique search, but for the
- * purpose of the form all you need to know is that it is being searched and selected. Let's put the
- * how somewhere else.
- *
- */
-
-@customElement("ak-saml-property-mapping-search")
-export class SAMLPropertyMappingSearch extends CustomListenerElement(AKElement) {
-    /**
-     * The current property mapping known to the caller.
-     *
-     * @attr
-     */
-    @property({ type: String, reflect: true, attribute: "propertymapping" })
-    propertyMapping?: string;
-
-    @query("ak-search-select")
-    search!: SearchSelect<SAMLPropertyMapping>;
-
-    @property({ type: String })
-    name: string | null | undefined;
-
-    selectedPropertyMapping?: SAMLPropertyMapping;
-
-    constructor() {
-        super();
-        this.selected = this.selected.bind(this);
-        this.handleSearchUpdate = this.handleSearchUpdate.bind(this);
-    }
-
-    get value() {
-        return this.selectedPropertyMapping ? renderValue(this.selectedPropertyMapping) : undefined;
-    }
-
-    connectedCallback() {
-        super.connectedCallback();
-        const horizontalContainer = this.closest("ak-form-element-horizontal[name]");
-        if (!horizontalContainer) {
-            throw new Error("This search can only be used in a named ak-form-element-horizontal");
-        }
-        const name = horizontalContainer.getAttribute("name");
-        const myName = this.getAttribute("name");
-        if (name !== null && name !== myName) {
-            this.setAttribute("name", name);
-        }
-    }
-
-    handleSearchUpdate(ev: CustomEvent) {
-        ev.stopPropagation();
-        this.selectedPropertyMapping = ev.detail.value;
-        this.dispatchEvent(new InputEvent("input", { bubbles: true, composed: true }));
-    }
-
-    selected(item: SAMLPropertyMapping): boolean {
-        return this.propertyMapping === item.pk;
-    }
-
-    render() {
-        return html`
-            <ak-search-select
-                .fetchObjects=${fetchObjects}
-                .renderElement=${renderElement}
-                .value=${renderValue}
-                .selected=${this.selected}
-                @ak-change=${this.handleSearchUpdate}
-                blankable
-            >
-            </ak-search-select>
-        `;
-    }
-}
-
-export default SAMLPropertyMappingSearch;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-saml-property-mapping-search": SAMLPropertyMappingSearch;
-    }
-}

web/src/admin/applications/wizard/methods/scim/ak-application-wizard-authentication-by-scim.ts

@@ -1,158 +0,0 @@
-import "@goauthentik/admin/applications/wizard/ak-wizard-title";
-import "@goauthentik/admin/common/ak-core-group-search";
-import "@goauthentik/admin/common/ak-crypto-certificate-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
-import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-multi-select";
-import "@goauthentik/components/ak-switch-input";
-import "@goauthentik/components/ak-text-input";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-
-import { msg } from "@lit/localize";
-import { customElement, state } from "@lit/reactive-element/decorators.js";
-import { html } from "lit";
-import { ifDefined } from "lit/directives/if-defined.js";
-
-import { PaginatedSCIMMappingList, PropertymappingsApi, type SCIMProvider } from "@goauthentik/api";
-
-import BaseProviderPanel from "../BaseProviderPanel";
-
-@customElement("ak-application-wizard-authentication-by-scim")
-export class ApplicationWizardAuthenticationBySCIM extends BaseProviderPanel {
-    @state()
-    propertyMappings?: PaginatedSCIMMappingList;
-
-    constructor() {
-        super();
-        new PropertymappingsApi(DEFAULT_CONFIG)
-            .propertymappingsProviderScimList({
-                ordering: "managed",
-            })
-            .then((propertyMappings: PaginatedSCIMMappingList) => {
-                this.propertyMappings = propertyMappings;
-            });
-    }
-
-    propertyMappingConfiguration(provider?: SCIMProvider) {
-        const propertyMappings = this.propertyMappings?.results ?? [];
-
-        const configuredMappings = (providerMappings: string[]) =>
-            propertyMappings.map((pm) => pm.pk).filter((pmpk) => providerMappings.includes(pmpk));
-
-        const managedMappings = (key: string) =>
-            propertyMappings
-                .filter((pm) => pm.managed === `goauthentik.io/providers/scim/${key}`)
-                .map((pm) => pm.pk);
-
-        const pmUserValues = provider?.propertyMappings
-            ? configuredMappings(provider?.propertyMappings ?? [])
-            : managedMappings("user");
-
-        const pmGroupValues = provider?.propertyMappingsGroup
-            ? configuredMappings(provider?.propertyMappingsGroup ?? [])
-            : managedMappings("group");
-
-        const propertyPairs = propertyMappings.map((pm) => [pm.pk, pm.name]);
-
-        return { pmUserValues, pmGroupValues, propertyPairs };
-    }
-
-    render() {
-        const provider = this.wizard.provider as SCIMProvider | undefined;
-        const errors = this.wizard.errors.provider;
-
-        const { pmUserValues, pmGroupValues, propertyPairs } =
-            this.propertyMappingConfiguration(provider);
-
-        return html`<ak-wizard-title>${msg("Configure SCIM Provider")}</ak-wizard-title>
-            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
-                <ak-text-input
-                    name="name"
-                    label=${msg("Name")}
-                    value=${ifDefined(provider?.name)}
-                    .errorMessages=${errors?.name ?? []}
-                    required
-                ></ak-text-input>
-                <ak-form-group expanded>
-                    <span slot="header"> ${msg("Protocol settings")} </span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-text-input
-                            name="url"
-                            label=${msg("URL")}
-                            value="${first(provider?.url, "")}"
-                            required
-                            help=${msg("SCIM base url, usually ends in /v2.")}
-                            .errorMessages=${errors?.url ?? []}
-                        >
-                        </ak-text-input>
-                        <ak-text-input
-                            name="token"
-                            label=${msg("Token")}
-                            value="${first(provider?.token, "")}"
-                            .errorMessages=${errors?.token ?? []}
-                            required
-                            help=${msg(
-                                "Token to authenticate with. Currently only bearer authentication is supported.",
-                            )}
-                        >
-                        </ak-text-input>
-                    </div>
-                </ak-form-group>
-                <ak-form-group expanded>
-                    <span slot="header">${msg("User filtering")}</span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-switch-input
-                            name="excludeUsersServiceAccount"
-                            ?checked=${first(provider?.excludeUsersServiceAccount, true)}
-                            label=${msg("Exclude service accounts")}
-                        ></ak-switch-input>
-                        <ak-form-element-horizontal label=${msg("Group")} name="filterGroup">
-                            <ak-core-group-search
-                                .group=${provider?.filterGroup}
-                            ></ak-core-group-search>
-                            <p class="pf-c-form__helper-text">
-                                ${msg("Only sync users within the selected group.")}
-                            </p>
-                        </ak-form-element-horizontal>
-                    </div>
-                </ak-form-group>
-                <ak-form-group ?expanded=${true}>
-                    <span slot="header"> ${msg("Attribute mapping")} </span>
-                    <div slot="body" class="pf-c-form">
-                        <ak-multi-select
-                            label=${msg("User Property Mappings")}
-                            name="propertyMappings"
-                            .options=${propertyPairs}
-                            .values=${pmUserValues}
-                            .richhelp=${html`
-                                <p class="pf-c-form__helper-text">
-                                    ${msg("Property mappings used for user mapping.")}
-                                </p>
-                            `}
-                        ></ak-multi-select>
-                        <ak-multi-select
-                            label=${msg("Group Property Mappings")}
-                            name="propertyMappingsGroup"
-                            .options=${propertyPairs}
-                            .values=${pmGroupValues}
-                            .richhelp=${html`
-                                <p class="pf-c-form__helper-text">
-                                    ${msg("Property mappings used for group creation.")}
-                                </p>
-                            `}
-                        ></ak-multi-select>
-                    </div>
-                </ak-form-group>
-            </form>`;
-    }
-}
-
-export default ApplicationWizardAuthenticationBySCIM;
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-wizard-authentication-by-scim": ApplicationWizardAuthenticationBySCIM;
-    }
-}

web/src/admin/applications/wizard/steps.ts

@@ -1,89 +0,0 @@
-import {
-    BackStep,
-    CancelWizard,
-    CloseWizard,
-    DisabledNextStep,
-    NextStep,
-    SubmitStep,
-} from "@goauthentik/components/ak-wizard-main/commonWizardButtons";
-
-import { msg } from "@lit/localize";
-import { html } from "lit";
-
-import "./application/ak-application-wizard-application-details";
-import "./auth-method-choice/ak-application-wizard-authentication-method-choice";
-import "./commit/ak-application-wizard-commit-application";
-import "./methods/ak-application-wizard-authentication-method";
-import { ApplicationStep as ApplicationStepType } from "./types";
-
-/**
- * In the current implementation, all of the child forms have access to the wizard's
- * global context, into which all data is written, and which is updated by events
- * flowing into the top-level orchestrator.
- */
-
-class ApplicationStep implements ApplicationStepType {
-    id = "application";
-    label = msg("Application Details");
-    disabled = false;
-    valid = false;
-    get buttons() {
-        return [this.valid ? NextStep : DisabledNextStep, CancelWizard];
-    }
-    render() {
-        return html`<ak-application-wizard-application-details></ak-application-wizard-application-details>`;
-    }
-}
-
-class ProviderMethodStep implements ApplicationStepType {
-    id = "provider-method";
-    label = msg("Provider Type");
-    disabled = false;
-    valid = false;
-
-    get buttons() {
-        return [this.valid ? NextStep : DisabledNextStep, BackStep, CancelWizard];
-    }
-
-    render() {
-        // prettier-ignore
-        return html`<ak-application-wizard-authentication-method-choice
-          ></ak-application-wizard-authentication-method-choice> `;
-    }
-}
-
-class ProviderStepDetails implements ApplicationStepType {
-    id = "provider-details";
-    label = msg("Provider Configuration");
-    disabled = true;
-    valid = false;
-    get buttons() {
-        return [this.valid ? SubmitStep : DisabledNextStep, BackStep, CancelWizard];
-    }
-
-    render() {
-        return html`<ak-application-wizard-authentication-method></ak-application-wizard-authentication-method>`;
-    }
-}
-
-class SubmitApplicationStep implements ApplicationStepType {
-    id = "submit";
-    label = msg("Submit Application");
-    disabled = true;
-    valid = false;
-
-    get buttons() {
-        return this.valid ? [CloseWizard] : [BackStep, CancelWizard];
-    }
-
-    render() {
-        return html`<ak-application-wizard-commit-application></ak-application-wizard-commit-application>`;
-    }
-}
-
-export const newSteps = (): ApplicationStep[] => [
-    new ApplicationStep(),
-    new ProviderMethodStep(),
-    new ProviderStepDetails(),
-    new SubmitApplicationStep(),
-];

web/src/admin/applications/wizard/steps/ProviderChoices.ts

@@ -0,0 +1,52 @@
+import "@goauthentik/admin/common/ak-license-notice";
+
+import { TemplateResult, html } from "lit";
+
+import type { TypeCreate } from "@goauthentik/api";
+
+type ProviderRenderer = () => TemplateResult;
+
+export type LocalTypeCreate = TypeCreate & {
+    renderer: ProviderRenderer;
+};
+
+export const providerTypeRenderers: Record<
+    string,
+    { render: () => TemplateResult; order: number }
+> = {
+    oauth2provider: {
+        render: () =>
+            html`<ak-application-wizard-authentication-by-oauth></ak-application-wizard-authentication-by-oauth>`,
+        order: 90,
+    },
+    ldapprovider: {
+        render: () =>
+            html`<ak-application-wizard-authentication-by-ldap></ak-application-wizard-authentication-by-ldap>`,
+        order: 70,
+    },
+    proxyprovider: {
+        render: () =>
+            html`<ak-application-wizard-authentication-for-reverse-proxy></ak-application-wizard-authentication-for-reverse-proxy>`,
+        order: 75,
+    },
+    racprovider: {
+        render: () =>
+            html`<ak-application-wizard-authentication-for-rac></ak-application-wizard-authentication-for-rac>`,
+        order: 80,
+    },
+    samlprovider: {
+        render: () =>
+            html`<ak-application-wizard-authentication-by-saml-configuration></ak-application-wizard-authentication-by-saml-configuration>`,
+        order: 80,
+    },
+    radiusprovider: {
+        render: () =>
+            html`<ak-application-wizard-authentication-by-radius></ak-application-wizard-authentication-by-radius>`,
+        order: 70,
+    },
+    scimprovider: {
+        render: () =>
+            html`<ak-application-wizard-authentication-by-scim></ak-application-wizard-authentication-by-scim>`,
+        order: 60,
+    },
+};

web/src/admin/applications/wizard/steps/SubmitStepOverviewRenderers.ts

@@ -0,0 +1,152 @@
+import {
+    type DescriptionPair,
+    renderDescriptionList,
+} from "@goauthentik/components/DescriptionList.js";
+import { match } from "ts-pattern";
+
+import { msg } from "@lit/localize";
+import { html } from "lit";
+
+import {
+    ClientTypeEnum,
+    LDAPProvider,
+    MatchingModeEnum,
+    OAuth2Provider,
+    ProviderModelEnum,
+    ProxyMode,
+    ProxyProvider,
+    RACProvider,
+    RadiusProvider,
+    RedirectURI,
+    SAMLProvider,
+    SCIMProvider,
+} from "@goauthentik/api";
+
+import { OneOfProvider } from "../types.js";
+
+const renderSummary = (type: string, name: string, fields: DescriptionPair[]) =>
+    renderDescriptionList([[msg("Type"), type], [msg("Name"), name], ...fields], {
+        threecolumn: true,
+    });
+
+function renderSAMLOverview(rawProvider: OneOfProvider) {
+    const provider = rawProvider as SAMLProvider;
+
+    return renderSummary("SAML", provider.name, [
+        [msg("ACS URL"), provider.acsUrl],
+        [msg("Audience"), provider.audience || "-"],
+        [msg("Issuer"), provider.issuer],
+    ]);
+}
+
+function renderSCIMOverview(rawProvider: OneOfProvider) {
+    const provider = rawProvider as SCIMProvider;
+    return renderSummary("SCIM", provider.name, [[msg("URL"), provider.url]]);
+}
+
+function renderRadiusOverview(rawProvider: OneOfProvider) {
+    const provider = rawProvider as RadiusProvider;
+    return renderSummary("Radius", provider.name, [
+        [msg("Client Networks"), provider.clientNetworks],
+    ]);
+}
+
+function renderRACOverview(rawProvider: OneOfProvider) {
+    // @ts-expect-error TS6133
+    const _provider = rawProvider as RACProvider;
+}
+
+function formatRedirectUris(uris: RedirectURI[] = []) {
+    return uris.length > 0
+        ? html`<ul class="pf-c-list pf-m-plain">
+              ${uris.map(
+                  (uri) =>
+                      html`<li>
+                          ${uri.url}
+                          (${uri.matchingMode === MatchingModeEnum.Strict
+                              ? msg("strict")
+                              : msg("regexp")})
+                      </li>`,
+              )}
+          </ul>`
+        : "-";
+}
+
+const proxyModeToLabel = new Map([
+    [ProxyMode.Proxy, msg("Proxy")],
+    [ProxyMode.ForwardSingle, msg("Forward auth (single application)")],
+    [ProxyMode.ForwardDomain, msg("Forward auth (domain-level)")],
+    [ProxyMode.UnknownDefaultOpenApi, msg("Unknown proxy mode")],
+]);
+
+function renderProxyOverview(rawProvider: OneOfProvider) {
+    const provider = rawProvider as ProxyProvider;
+    return renderSummary("Proxy", provider.name, [
+        [msg("Mode"), proxyModeToLabel.get(provider.mode ?? ProxyMode.Proxy)],
+        ...match(provider.mode)
+            .with(
+                ProxyMode.Proxy,
+                () =>
+                    [
+                        [msg("Internal Host"), provider.internalHost],
+                        [msg("External Host"), provider.externalHost],
+                    ] as DescriptionPair[],
+            )
+            .with(
+                ProxyMode.ForwardSingle,
+                () => [[msg("External Host"), provider.externalHost]] as DescriptionPair[],
+            )
+            .with(
+                ProxyMode.ForwardDomain,
+                () =>
+                    [
+                        [msg("Authentication URL"), provider.externalHost],
+                        [msg("Cookie domain"), provider.cookieDomain],
+                    ] as DescriptionPair[],
+            )
+            .otherwise(() => {
+                throw new Error(
+                    `Unrecognized proxy mode: ${provider.mode?.toString() ?? "-- undefined __"}`,
+                );
+            }),
+        [
+            msg("Basic-Auth"),
+            html` <ak-status-label
+                type="info"
+                ?good=${provider.basicAuthEnabled}
+            ></ak-status-label>`,
+        ],
+    ]);
+}
+
+const clientTypeToLabel = new Map<ClientTypeEnum, string>([
+    [ClientTypeEnum.Confidential, msg("Confidential")],
+    [ClientTypeEnum.Public, msg("Public")],
+    [ClientTypeEnum.UnknownDefaultOpenApi, msg("Unknown type")],
+]);
+
+function renderOAuth2Overview(rawProvider: OneOfProvider) {
+    const provider = rawProvider as OAuth2Provider;
+    return renderSummary("OAuth2", provider.name, [
+        [msg("Client type"), provider.clientType ? clientTypeToLabel.get(provider.clientType) : ""],
+        [msg("Client ID"), provider.clientId],
+        [msg("Redirect URIs"), formatRedirectUris(provider.redirectUris)],
+    ]);
+}
+
+function renderLDAPOverview(rawProvider: OneOfProvider) {
+    const provider = rawProvider as LDAPProvider;
+    return renderSummary("Proxy", provider.name, [[msg("Base DN"), provider.baseDn]]);
+}
+
+const providerName = (p: ProviderModelEnum): string => p.toString().split(".")[1];
+
+export const providerRenderers = new Map([
+    [providerName(ProviderModelEnum.SamlSamlprovider), renderSAMLOverview],
+    [providerName(ProviderModelEnum.ScimScimprovider), renderSCIMOverview],
+    [providerName(ProviderModelEnum.RadiusRadiusprovider), renderRadiusOverview],
+    [providerName(ProviderModelEnum.RacRacprovider), renderRACOverview],
+    [providerName(ProviderModelEnum.ProxyProxyprovider), renderProxyOverview],
+    [providerName(ProviderModelEnum.Oauth2Oauth2provider), renderOAuth2Overview],
+    [providerName(ProviderModelEnum.LdapLdapprovider), renderLDAPOverview],
+]);

web/src/admin/applications/wizard/steps/ak-application-wizard-application-step.ts

@@ -0,0 +1,192 @@
+import { policyOptions } from "@goauthentik/admin/applications/PolicyOptions.js";
+import { ApplicationWizardStep } from "@goauthentik/admin/applications/wizard/ApplicationWizardStep.js";
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import { isSlug } from "@goauthentik/common/utils.js";
+import { camelToSnake } from "@goauthentik/common/utils.js";
+import "@goauthentik/components/ak-radio-input";
+import "@goauthentik/components/ak-slug-input";
+import "@goauthentik/components/ak-switch-input";
+import "@goauthentik/components/ak-text-input";
+import { type NavigableButton, type WizardButton } from "@goauthentik/components/ak-wizard/types";
+import { type KeyUnknown } from "@goauthentik/elements/forms/Form";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+
+import { msg } from "@lit/localize";
+import { html } from "lit";
+import { customElement, query, state } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import { type ApplicationRequest } from "@goauthentik/api";
+
+import { ApplicationWizardStateUpdate, ValidationRecord } from "../types";
+
+const autoTrim = (v: unknown) => (typeof v === "string" ? v.trim() : v);
+
+const trimMany = (o: KeyUnknown, vs: string[]) =>
+    Object.fromEntries(vs.map((v) => [v, autoTrim(o[v])]));
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const isStr = (v: any): v is string => typeof v === "string";
+
+@customElement("ak-application-wizard-application-step")
+export class ApplicationWizardApplicationStep extends ApplicationWizardStep {
+    label = msg("Application");
+
+    @state()
+    errors = new Map<string, string>();
+
+    @query("form#applicationform")
+    form!: HTMLFormElement;
+
+    constructor() {
+        super();
+        // This is the first step. Ensure it is always enabled.
+        this.enabled = true;
+    }
+
+    errorMessages(name: string) {
+        return this.errors.has(name)
+            ? [this.errors.get(name)]
+            : (this.wizard.errors?.app?.[name] ??
+                  this.wizard.errors?.app?.[camelToSnake(name)] ??
+                  []);
+    }
+
+    get buttons(): WizardButton[] {
+        return [{ kind: "next", destination: "provider-choice" }, { kind: "cancel" }];
+    }
+
+    get valid() {
+        this.errors = new Map();
+        const values = trimMany(this.formValues ?? {}, ["metaLaunchUrl", "name", "slug"]);
+
+        if (values["name"] === "") {
+            this.errors.set("name", msg("An application name is required"));
+        }
+        if (
+            !(
+                isStr(values["metaLaunchUrl"]) &&
+                (values["metaLaunchUrl"] === "" || URL.canParse(values["metaLaunchUrl"]))
+            )
+        ) {
+            this.errors.set("metaLaunchUrl", msg("Not a valid URL"));
+        }
+        if (!(isStr(values["slug"]) && values["slug"] !== "" && isSlug(values["slug"]))) {
+            this.errors.set("slug", msg("Not a valid slug"));
+        }
+        return this.errors.size === 0;
+    }
+
+    override handleButton(button: NavigableButton) {
+        if (button.kind === "next") {
+            if (!this.valid) {
+                this.handleEnabling({
+                    disabled: ["provider-choice", "provider", "bindings", "submit"],
+                });
+                return;
+            }
+            const app: Partial<ApplicationRequest> = this.formValues as Partial<ApplicationRequest>;
+
+            let payload: ApplicationWizardStateUpdate = {
+                app: this.formValues,
+                errors: this.removeErrors("app"),
+            };
+            if (app.name && (this.wizard.provider?.name ?? "").trim() === "") {
+                payload = {
+                    ...payload,
+                    provider: { name: `Provider for ${app.name}` },
+                };
+            }
+            this.handleUpdate(payload, button.destination, {
+                enable: "provider-choice",
+            });
+            return;
+        }
+        super.handleButton(button);
+    }
+
+    renderForm(app: Partial<ApplicationRequest>, errors: ValidationRecord) {
+        return html` <ak-wizard-title>${msg("Configure The Application")}</ak-wizard-title>
+            <form id="applicationform" class="pf-c-form pf-m-horizontal" slot="form">
+                <ak-text-input
+                    name="name"
+                    value=${ifDefined(app.name)}
+                    label=${msg("Name")}
+                    required
+                    ?invalid=${this.errors.has("name")}
+                    .errorMessages=${errors.name ?? this.errorMessages("name")}
+                    help=${msg("Application's display Name.")}
+                    id="ak-application-wizard-details-name"
+                ></ak-text-input>
+                <ak-slug-input
+                    name="slug"
+                    value=${ifDefined(app.slug)}
+                    label=${msg("Slug")}
+                    source="#ak-application-wizard-details-name"
+                    required
+                    ?invalid=${errors.slug ?? this.errors.has("slug")}
+                    .errorMessages=${this.errorMessages("slug")}
+                    help=${msg("Internal application name used in URLs.")}
+                ></ak-slug-input>
+                <ak-text-input
+                    name="group"
+                    value=${ifDefined(app.group)}
+                    label=${msg("Group")}
+                    .errorMessages=${errors.group ?? []}
+                    help=${msg(
+                        "Optionally enter a group name. Applications with identical groups are shown grouped together.",
+                    )}
+                ></ak-text-input>
+                <ak-radio-input
+                    label=${msg("Policy engine mode")}
+                    required
+                    name="policyEngineMode"
+                    .options=${policyOptions}
+                    .value=${app.policyEngineMode}
+                    .errorMessages=${errors.policyEngineMode ?? []}
+                ></ak-radio-input>
+                <ak-form-group aria-label=${msg("UI Settings")}>
+                    <span slot="header"> ${msg("UI Settings")} </span>
+                    <div slot="body" class="pf-c-form">
+                        <ak-text-input
+                            name="metaLaunchUrl"
+                            label=${msg("Launch URL")}
+                            value=${ifDefined(app.metaLaunchUrl)}
+                            ?invalid=${this.errors.has("metaLaunchUrl")}
+                            .errorMessages=${errors.metaLaunchUrl ??
+                            this.errorMessages("metaLaunchUrl")}
+                            help=${msg(
+                                "If left empty, authentik will try to extract the launch URL based on the selected provider.",
+                            )}
+                        ></ak-text-input>
+                        <ak-switch-input
+                            name="openInNewTab"
+                            ?checked=${app.openInNewTab ?? false}
+                            label=${msg("Open in new tab")}
+                            help=${msg(
+                                "If checked, the launch URL will open in a new browser tab or window from the user's application library.",
+                            )}
+                        >
+                        </ak-switch-input>
+                    </div>
+                </ak-form-group>
+            </form>`;
+    }
+
+    renderMain() {
+        if (!(this.wizard.app && this.wizard.errors)) {
+            throw new Error("Application Step received uninitialized wizard context.");
+        }
+        return this.renderForm(
+            this.wizard.app as ApplicationRequest,
+            this.wizard.errors?.app ?? {},
+        );
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-application-step": ApplicationWizardApplicationStep;
+    }
+}

web/src/admin/applications/wizard/steps/ak-application-wizard-bindings-step.ts

@@ -0,0 +1,163 @@
+import { ApplicationWizardStep } from "@goauthentik/admin/applications/wizard/ApplicationWizardStep.js";
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import "@goauthentik/components/ak-radio-input";
+import "@goauthentik/components/ak-slug-input";
+import "@goauthentik/components/ak-status-label";
+import "@goauthentik/components/ak-switch-input";
+import "@goauthentik/components/ak-text-input";
+import { type WizardButton } from "@goauthentik/components/ak-wizard/types";
+import "@goauthentik/elements/ak-table/ak-select-table.js";
+import { SelectTable } from "@goauthentik/elements/ak-table/ak-select-table.js";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import { P, match } from "ts-pattern";
+
+import { msg, str } from "@lit/localize";
+import { css, html } from "lit";
+import { customElement, query } from "lit/decorators.js";
+
+import PFCard from "@patternfly/patternfly/components/Card/card.css";
+
+import { makeEditButton } from "./bindings/ak-application-wizard-bindings-edit-button.js";
+import "./bindings/ak-application-wizard-bindings-toolbar.js";
+
+const COLUMNS = [
+    [msg("Order"), "order"],
+    [msg("Binding")],
+    [msg("Enabled"), "enabled"],
+    [msg("Timeout"), "timeout"],
+    [msg("Actions")],
+];
+
+@customElement("ak-application-wizard-bindings-step")
+export class ApplicationWizardBindingsStep extends ApplicationWizardStep {
+    label = msg("Configure Bindings");
+
+    get buttons(): WizardButton[] {
+        return [
+            { kind: "next", destination: "submit" },
+            { kind: "back", destination: "provider" },
+            { kind: "cancel" },
+        ];
+    }
+
+    @query("ak-select-table")
+    selectTable!: SelectTable;
+
+    static get styles() {
+        return super.styles.concat(
+            PFCard,
+            css`
+                .pf-c-card {
+                    margin-top: 1em;
+                }
+            `,
+        );
+    }
+
+    get bindingsAsColumns() {
+        return this.wizard.bindings.map((binding, index) => {
+            const { order, enabled, timeout } = binding;
+            const isSet = P.string.minLength(1);
+            const policy = match(binding)
+                .with({ policy: isSet }, (v) => msg(str`Policy ${v.policyObj?.name}`))
+                .with({ group: isSet }, (v) => msg(str`Group ${v.groupObj?.name}`))
+                .with({ user: isSet }, (v) => msg(str`User ${v.userObj?.name}`))
+                .otherwise(() => msg("-"));
+
+            return {
+                key: index,
+                content: [
+                    order,
+                    policy,
+                    html`<ak-status-label type="warning" ?good=${enabled}></ak-status-label>`,
+                    timeout,
+                    makeEditButton(msg("Edit"), index, (ev: CustomEvent<number>) =>
+                        this.onBindingEvent(ev.detail),
+                    ),
+                ],
+            };
+        });
+    }
+
+    // TODO Fix those dispatches so that we handle them here, in this component, and *choose* how to
+    // forward them.
+    onBindingEvent(binding?: number) {
+        this.handleUpdate({ currentBinding: binding ?? -1 }, "edit-binding", {
+            enable: "edit-binding",
+        });
+    }
+
+    onDeleteBindings() {
+        const toDelete = this.selectTable
+            .json()
+            .map((i) => (typeof i === "string" ? parseInt(i, 10) : i));
+        const bindings = this.wizard.bindings.filter((binding, index) => !toDelete.includes(index));
+        this.handleUpdate({ bindings }, "bindings");
+    }
+
+    renderEmptyCollection() {
+        return html`<ak-wizard-title
+                >${msg("Configure Policy/User/Group Bindings")}</ak-wizard-title
+            >
+            <h6 class="pf-c-title pf-m-md">
+                ${msg("These policies control which users can access this application.")}
+            </h6>
+            <div class="pf-c-card">
+                <ak-application-wizard-bindings-toolbar
+                    @clickNew=${() => this.onBindingEvent()}
+                    @clickDelete=${() => this.onDeleteBindings()}
+                ></ak-application-wizard-bindings-toolbar>
+                <ak-select-table
+                    multiple
+                    id="bindings"
+                    order="order"
+                    .columns=${COLUMNS}
+                    .content=${[]}
+                ></ak-select-table>
+                <ak-empty-state header=${msg("No bound policies.")} icon="pf-icon-module">
+                    <div slot="body">${msg("No policies are currently bound to this object.")}</div>
+                    <div slot="primary">
+                        <button
+                            @click=${() => this.onBindingEvent()}
+                            class="pf-c-button pf-m-primary"
+                        >
+                            ${msg("Bind policy/group/user")}
+                        </button>
+                    </div>
+                </ak-empty-state>
+            </div>`;
+    }
+
+    renderCollection() {
+        return html` <ak-wizard-title>${msg("Configure Policy Bindings")}</ak-wizard-title>
+            <h6 class="pf-c-title pf-m-md">
+                ${msg("These policies control which users can access this application.")}
+            </h6>
+            <ak-application-wizard-bindings-toolbar
+                @clickNew=${() => this.onBindingEvent()}
+                @clickDelete=${() => this.onDeleteBindings()}
+                ?can-delete=${this.wizard.bindings.length > 0}
+            ></ak-application-wizard-bindings-toolbar>
+            <ak-select-table
+                multiple
+                id="bindings"
+                order="order"
+                .columns=${COLUMNS}
+                .content=${this.bindingsAsColumns}
+            ></ak-select-table>`;
+    }
+
+    renderMain() {
+        if ((this.wizard.bindings ?? []).length === 0) {
+            return this.renderEmptyCollection();
+        }
+        return this.renderCollection();
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-applications-step": ApplicationWizardBindingsStep;
+    }
+}

web/src/admin/applications/wizard/steps/ak-application-wizard-edit-binding-step.ts

@@ -0,0 +1,235 @@
+import { ApplicationWizardStep } from "@goauthentik/admin/applications/wizard/ApplicationWizardStep.js";
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { groupBy } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-radio-input";
+import "@goauthentik/components/ak-switch-input";
+import "@goauthentik/components/ak-text-input";
+import "@goauthentik/components/ak-toggle-group";
+import { type NavigableButton, type WizardButton } from "@goauthentik/components/ak-wizard/types";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import "@goauthentik/elements/forms/SearchSelect";
+import { type SearchSelectBase } from "@goauthentik/elements/forms/SearchSelect/SearchSelect.js";
+import "@goauthentik/elements/forms/SearchSelect/ak-search-select-ez.js";
+
+import { msg } from "@lit/localize";
+import { html, nothing } from "lit";
+import { customElement, query, state } from "lit/decorators.js";
+
+import { CoreApi, Group, PoliciesApi, Policy, PolicyBinding, User } from "@goauthentik/api";
+
+const withQuery = <T>(search: string | undefined, args: T) => (search ? { ...args, search } : args);
+
+enum target {
+    policy = "policy",
+    group = "group",
+    user = "user",
+}
+
+const policyObjectKeys: Record<target, keyof PolicyBinding> = {
+    [target.policy]: "policyObj",
+    [target.group]: "groupObj",
+    [target.user]: "userObj",
+};
+
+const PASS_FAIL = [
+    [msg("Pass"), true, false],
+    [msg("Don't Pass"), false, true],
+].map(([label, value, d]) => ({ label, value, default: d }));
+
+@customElement("ak-application-wizard-edit-binding-step")
+export class ApplicationWizardEditBindingStep extends ApplicationWizardStep {
+    label = msg("Edit Binding");
+
+    hide = true;
+
+    @query("form#bindingform")
+    form!: HTMLFormElement;
+
+    @query(".policy-search-select")
+    searchSelect!: SearchSelectBase<Policy> | SearchSelectBase<Group> | SearchSelectBase<User>;
+
+    @state()
+    policyGroupUser: target = target.policy;
+
+    instanceId = -1;
+
+    instance?: PolicyBinding;
+
+    get buttons(): WizardButton[] {
+        return [
+            { kind: "next", label: msg("Save Binding"), destination: "bindings" },
+            { kind: "back", destination: "bindings" },
+            { kind: "cancel" },
+        ];
+    }
+
+    override handleButton(button: NavigableButton) {
+        if (button.kind === "next") {
+            if (!this.form.checkValidity()) {
+                return;
+            }
+            const policyObject = this.searchSelect.selectedObject;
+            const policyKey = policyObjectKeys[this.policyGroupUser];
+            const newBinding: PolicyBinding = {
+                ...(this.formValues as unknown as PolicyBinding),
+                [policyKey]: policyObject,
+            };
+
+            const bindings = [...(this.wizard.bindings ?? [])];
+
+            if (this.instanceId === -1) {
+                bindings.push(newBinding);
+            } else {
+                bindings[this.instanceId] = newBinding;
+            }
+
+            this.instanceId = -1;
+            this.handleUpdate({ bindings }, "bindings");
+            return;
+        }
+        super.handleButton(button);
+    }
+
+    // The search select configurations for the three different types of fetches that we care about,
+    // policy, user, and group, all using the SearchSelectEZ protocol.
+    searchSelectConfigs(kind: target) {
+        switch (kind) {
+            case target.policy:
+                return {
+                    fetchObjects: async (query?: string): Promise<Policy[]> => {
+                        const policies = await new PoliciesApi(DEFAULT_CONFIG).policiesAllList(
+                            withQuery(query, {
+                                ordering: "name",
+                            }),
+                        );
+                        return policies.results;
+                    },
+                    groupBy: (items: Policy[]) =>
+                        groupBy(items, (policy) => policy.verboseNamePlural),
+                    renderElement: (policy: Policy): string => policy.name,
+                    value: (policy: Policy | undefined): string | undefined => policy?.pk,
+                    selected: (policy: Policy): boolean => policy.pk === this.instance?.policy,
+                };
+            case target.group:
+                return {
+                    fetchObjects: async (query?: string): Promise<Group[]> => {
+                        const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(
+                            withQuery(query, {
+                                ordering: "name",
+                                includeUsers: false,
+                            }),
+                        );
+                        return groups.results;
+                    },
+                    renderElement: (group: Group): string => group.name,
+                    value: (group: Group | undefined): string | undefined => group?.pk,
+                    selected: (group: Group): boolean => group.pk === this.instance?.group,
+                };
+            case target.user:
+                return {
+                    fetchObjects: async (query?: string): Promise<User[]> => {
+                        const users = await new CoreApi(DEFAULT_CONFIG).coreUsersList(
+                            withQuery(query, {
+                                ordering: "username",
+                            }),
+                        );
+                        return users.results;
+                    },
+                    renderElement: (user: User): string => user.username,
+                    renderDescription: (user: User) => html`${user.name}`,
+                    value: (user: User | undefined): number | undefined => user?.pk,
+                    selected: (user: User): boolean => user.pk === this.instance?.user,
+                };
+            default:
+                throw new Error(`Unrecognized policy binding target ${kind}`);
+        }
+    }
+
+    renderSearch(title: string, policyKind: target) {
+        if (policyKind !== this.policyGroupUser) {
+            return nothing;
+        }
+
+        return html`<ak-form-element-horizontal label=${title} name=${policyKind}>
+            <ak-search-select-ez
+                .config=${this.searchSelectConfigs(policyKind)}
+                class="policy-search-select"
+                blankable
+            ></ak-search-select-ez>
+        </ak-form-element-horizontal>`;
+    }
+
+    renderForm(instance?: PolicyBinding) {
+        return html`<ak-wizard-title>${msg("Create a Policy/User/Group Binding")}</ak-wizard-title>
+            <form id="bindingform" class="pf-c-form pf-m-horizontal" slot="form">
+                <div class="pf-c-card pf-m-selectable pf-m-selected">
+                    <div class="pf-c-card__body">
+                        <ak-toggle-group
+                            value=${this.policyGroupUser}
+                            @ak-toggle=${(ev: CustomEvent<{ value: target }>) => {
+                                this.policyGroupUser = ev.detail.value;
+                            }}
+                        >
+                            <option value=${target.policy}>${msg("Policy")}</option>
+                            <option value=${target.group}>${msg("Group")}</option>
+                            <option value=${target.user}>${msg("User")}</option>
+                        </ak-toggle-group>
+                    </div>
+                    <div class="pf-c-card__footer">
+                        ${this.renderSearch(msg("Policy"), target.policy)}
+                        ${this.renderSearch(msg("Group"), target.group)}
+                        ${this.renderSearch(msg("User"), target.user)}
+                    </div>
+                </div>
+                <ak-switch-input
+                    name="enabled"
+                    ?checked=${instance?.enabled ?? true}
+                    label=${msg("Enabled")}
+                ></ak-switch-input>
+                <ak-switch-input
+                    name="negate"
+                    ?checked=${instance?.negate ?? false}
+                    label=${msg("Negate result")}
+                    help=${msg("Negates the outcome of the binding. Messages are unaffected.")}
+                ></ak-switch-input>
+                <ak-number-input
+                    label=${msg("Order")}
+                    name="order"
+                    value="${instance?.order ?? 0}"
+                    required
+                ></ak-number-input>
+                <ak-number-input
+                    label=${msg("Timeout")}
+                    name="timeout"
+                    value="${instance?.timeout ?? 30}"
+                    required
+                ></ak-number-input>
+                <ak-radio-input
+                    name="failureResult"
+                    label=${msg("Failure result")}
+                    .options=${PASS_FAIL}
+                ></ak-radio-input>
+            </form>`;
+    }
+
+    renderMain() {
+        if (!(this.wizard.bindings && this.wizard.errors)) {
+            throw new Error("Application Step received uninitialized wizard context.");
+        }
+        const currentBinding = this.wizard.currentBinding ?? -1;
+        if (this.instanceId !== currentBinding) {
+            this.instanceId = currentBinding;
+            this.instance =
+                this.instanceId === -1 ? undefined : this.wizard.bindings[this.instanceId];
+        }
+        return this.renderForm(this.instance);
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-edit-binding-step": ApplicationWizardEditBindingStep;
+    }
+}

web/src/admin/applications/wizard/steps/ak-application-wizard-provider-choice-step.ts

@@ -0,0 +1,94 @@
+import { ApplicationWizardStep } from "@goauthentik/admin/applications/wizard/ApplicationWizardStep.js";
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import type { NavigableButton, WizardButton } from "@goauthentik/components/ak-wizard/types";
+import "@goauthentik/elements/EmptyState.js";
+import { WithLicenseSummary } from "@goauthentik/elements/Interface/licenseSummaryProvider.js";
+import { bound } from "@goauthentik/elements/decorators/bound.js";
+import "@goauthentik/elements/forms/FormGroup.js";
+import "@goauthentik/elements/forms/HorizontalFormElement.js";
+import { TypeCreateWizardPageLayouts } from "@goauthentik/elements/wizard/TypeCreateWizardPage.js";
+import "@goauthentik/elements/wizard/TypeCreateWizardPage.js";
+
+import { consume } from "@lit/context";
+import { msg } from "@lit/localize";
+import { html } from "lit";
+import { customElement, state } from "lit/decorators.js";
+
+import { TypeCreate } from "@goauthentik/api";
+
+import { applicationWizardProvidersContext } from "../ContextIdentity";
+import { type LocalTypeCreate } from "./ProviderChoices.js";
+
+@customElement("ak-application-wizard-provider-choice-step")
+export class ApplicationWizardProviderChoiceStep extends WithLicenseSummary(ApplicationWizardStep) {
+    label = msg("Choose A Provider");
+
+    @state()
+    failureMessage = "";
+
+    @consume({ context: applicationWizardProvidersContext, subscribe: true })
+    public providerModelsList!: LocalTypeCreate[];
+
+    get buttons(): WizardButton[] {
+        return [
+            { kind: "next", destination: "provider" },
+            { kind: "back", destination: "application" },
+            { kind: "cancel" },
+        ];
+    }
+
+    override handleButton(button: NavigableButton) {
+        this.failureMessage = "";
+        if (button.kind === "next") {
+            if (!this.wizard.providerModel) {
+                this.failureMessage = msg("Please choose a provider type before proceeding.");
+                this.handleEnabling({ disabled: ["provider", "bindings", "submit"] });
+                return;
+            }
+            this.handleUpdate(undefined, button.destination, { enable: "provider" });
+            return;
+        }
+        super.handleButton(button);
+    }
+
+    @bound
+    onSelect(ev: CustomEvent<LocalTypeCreate>) {
+        ev.stopPropagation();
+        const detail: TypeCreate = ev.detail;
+        this.handleUpdate({ providerModel: detail.modelName });
+    }
+
+    renderMain() {
+        const selectedTypes = this.providerModelsList.filter(
+            (t) => t.modelName === this.wizard.providerModel,
+        );
+
+        return this.providerModelsList.length > 0
+            ? html` <ak-wizard-title>${msg("Choose a Provider Type")}</ak-wizard-title>
+                  <form class="pf-c-form pf-m-horizontal">
+                      <ak-wizard-page-type-create
+                          .types=${this.providerModelsList}
+                          name="selectProviderType"
+                          layout=${TypeCreateWizardPageLayouts.grid}
+                          .selectedType=${selectedTypes.length > 0 ? selectedTypes[0] : undefined}
+                          @select=${(ev: CustomEvent<LocalTypeCreate>) => {
+                              this.handleUpdate(
+                                  {
+                                      ...this.wizard,
+                                      providerModel: ev.detail.modelName,
+                                  },
+                                  undefined,
+                                  { enable: "provider" },
+                              );
+                          }}
+                      ></ak-wizard-page-type-create>
+                  </form>`
+            : html`<ak-empty-state loading header=${msg("Loading")}></ak-empty-state>`;
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-provider-choice-step": ApplicationWizardProviderChoiceStep;
+    }
+}

web/src/admin/applications/wizard/steps/ak-application-wizard-provider-step.ts

@@ -0,0 +1,113 @@
+import { type NavigableButton, type WizardButton } from "@goauthentik/components/ak-wizard/types";
+
+import { msg } from "@lit/localize";
+import { PropertyValues, nothing } from "lit";
+import { customElement, query, state } from "lit/decorators.js";
+import { html, unsafeStatic } from "lit/static-html.js";
+
+import { ApplicationWizardStep } from "../ApplicationWizardStep.js";
+import { OneOfProvider } from "../types.js";
+import { ApplicationWizardProviderForm } from "./providers/ApplicationWizardProviderForm.js";
+import "./providers/ak-application-wizard-provider-for-ldap.js";
+import "./providers/ak-application-wizard-provider-for-oauth.js";
+import "./providers/ak-application-wizard-provider-for-proxy.js";
+import "./providers/ak-application-wizard-provider-for-rac.js";
+import "./providers/ak-application-wizard-provider-for-radius.js";
+import "./providers/ak-application-wizard-provider-for-saml.js";
+import "./providers/ak-application-wizard-provider-for-scim.js";
+
+const providerToTag = new Map([
+    ["ldapprovider", "ak-application-wizard-provider-for-ldap"],
+    ["oauth2provider", "ak-application-wizard-provider-for-oauth"],
+    ["proxyprovider", "ak-application-wizard-provider-for-proxy"],
+    ["racprovider", "ak-application-wizard-provider-for-rac"],
+    ["radiusprovider", "ak-application-wizard-provider-for-radius"],
+    ["samlprovider", "ak-application-wizard-provider-for-saml"],
+    ["scimprovider", "ak-application-wizard-provider-for-scim"],
+]);
+
+@customElement("ak-application-wizard-provider-step")
+export class ApplicationWizardProviderStep extends ApplicationWizardStep {
+    @state()
+    label = msg("Configure Provider");
+
+    @query("#providerform")
+    element!: ApplicationWizardProviderForm<OneOfProvider>;
+
+    get valid() {
+        return this.element.valid;
+    }
+
+    get formValues() {
+        return this.element.formValues;
+    }
+
+    override handleButton(button: NavigableButton) {
+        if (button.kind === "next") {
+            if (!this.valid) {
+                this.handleEnabling({
+                    disabled: ["bindings", "submit"],
+                });
+                return;
+            }
+            const payload = {
+                provider: {
+                    ...this.formValues,
+                    mode: this.wizard.proxyMode,
+                },
+                errors: this.removeErrors("provider"),
+            };
+            this.handleUpdate(payload, button.destination, {
+                enable: ["bindings", "submit"],
+            });
+            return;
+        }
+        super.handleButton(button);
+    }
+
+    get buttons(): WizardButton[] {
+        return [
+            { kind: "next", destination: "bindings" },
+            { kind: "back", destination: "provider-choice" },
+            { kind: "cancel" },
+        ];
+    }
+
+    renderMain() {
+        if (!this.wizard.providerModel) {
+            throw new Error("Attempted to access provider page without providing a provider type.");
+        }
+
+        // This is, I'm afraid, some rather esoteric bit of Lit-ing, and it makes ESLint
+        // sad.  It does allow us to get away with specifying very little about the
+        // provider here.
+        const tag = providerToTag.get(this.wizard.providerModel);
+        return tag
+            ? // eslint-disable-next-line lit/binding-positions,lit/no-invalid-html
+              html`<${unsafeStatic(tag)}
+                id="providerform"
+            .wizard=${this.wizard}
+            .errors=${this.wizard.errors?.provider ?? {}}
+
+            ></${
+                /* eslint-disable-next-line lit/binding-positions,lit/no-invalid-html */
+                unsafeStatic(tag)
+            }>`
+            : nothing;
+    }
+
+    updated(changed: PropertyValues<this>) {
+        if (changed.has("wizard")) {
+            const label = this.element?.label ?? this.label;
+            if (label !== this.label) {
+                this.label = label;
+            }
+        }
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-provider-step": ApplicationWizardProviderStep;
+    }
+}

web/src/admin/applications/wizard/steps/ak-application-wizard-submit-step.ts

@@ -0,0 +1,360 @@
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { EVENT_REFRESH } from "@goauthentik/common/constants";
+import { parseAPIError } from "@goauthentik/common/errors";
+import { WizardNavigationEvent } from "@goauthentik/components/ak-wizard/events.js";
+import { type WizardButton } from "@goauthentik/components/ak-wizard/types";
+import { CustomEmitterElement } from "@goauthentik/elements/utils/eventEmitter";
+import { P, match } from "ts-pattern";
+
+import { msg } from "@lit/localize";
+import { TemplateResult, css, html, nothing } from "lit";
+import { customElement, state } from "lit/decorators.js";
+import { classMap } from "lit/directives/class-map.js";
+
+// import { map } from "lit/directives/map.js";
+import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
+import PFEmptyState from "@patternfly/patternfly/components/EmptyState/empty-state.css";
+import PFProgressStepper from "@patternfly/patternfly/components/ProgressStepper/progress-stepper.css";
+import PFTitle from "@patternfly/patternfly/components/Title/title.css";
+import PFBullseye from "@patternfly/patternfly/layouts/Bullseye/bullseye.css";
+
+import {
+    type ApplicationRequest,
+    CoreApi,
+    type ModelRequest,
+    type PolicyBinding,
+    ProviderModelEnum,
+    ProxyMode,
+    type ProxyProviderRequest,
+    type TransactionApplicationRequest,
+    type TransactionApplicationResponse,
+    type TransactionPolicyBindingRequest,
+} from "@goauthentik/api";
+
+import { ApplicationWizardStep } from "../ApplicationWizardStep.js";
+import { ExtendedValidationError, OneOfProvider } from "../types.js";
+import { providerRenderers } from "./SubmitStepOverviewRenderers.js";
+
+const _submitStates = ["reviewing", "running", "submitted"] as const;
+type SubmitStates = (typeof _submitStates)[number];
+
+type StrictProviderModelEnum = Exclude<ProviderModelEnum, "11184809">;
+
+const providerMap: Map<string, string> = Object.values(ProviderModelEnum)
+    .filter((value) => /^authentik_providers_/.test(value) && /provider$/.test(value))
+    .reduce((acc: Map<string, string>, value) => {
+        acc.set(value.split(".")[1], value);
+        return acc;
+    }, new Map());
+
+type NonEmptyArray<T> = [T, ...T[]];
+
+type MaybeTemplateResult = TemplateResult | typeof nothing;
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const isNotEmpty = (arr: any): arr is NonEmptyArray<any> => Array.isArray(arr) && arr.length > 0;
+
+const cleanApplication = (app: Partial<ApplicationRequest>): ApplicationRequest => ({
+    name: "",
+    slug: "",
+    ...app,
+});
+
+const cleanBinding = (binding: PolicyBinding): TransactionPolicyBindingRequest => ({
+    policy: binding.policy,
+    group: binding.group,
+    user: binding.user,
+    negate: binding.negate,
+    enabled: binding.enabled,
+    order: binding.order,
+    timeout: binding.timeout,
+    failureResult: binding.failureResult,
+});
+
+@customElement("ak-application-wizard-submit-step")
+export class ApplicationWizardSubmitStep extends CustomEmitterElement(ApplicationWizardStep) {
+    static get styles() {
+        return [
+            ...ApplicationWizardStep.styles,
+            PFBullseye,
+            PFEmptyState,
+            PFTitle,
+            PFProgressStepper,
+            PFDescriptionList,
+            css`
+                .ak-wizard-main-content .pf-c-title {
+                    padding-bottom: var(--pf-global--spacer--md);
+                    padding-top: var(--pf-global--spacer--md);
+                }
+            `,
+        ];
+    }
+
+    label = msg("Review and Submit Application");
+
+    @state()
+    state: SubmitStates = "reviewing";
+
+    async send() {
+        const app = this.wizard.app;
+        const provider = this.wizard.provider as ModelRequest;
+
+        if (app === undefined) {
+            throw new Error("Reached the submit state with the app undefined");
+        }
+
+        if (provider === undefined) {
+            throw new Error("Reached the submit state with the provider undefined");
+        }
+
+        // Stringly-based API. Not the best, but it works. Just be aware that it is
+        // stringly-based.
+
+        const providerModel = providerMap.get(this.wizard.providerModel) as StrictProviderModelEnum;
+        provider.providerModel = providerModel;
+
+        // Special case for the Proxy provider.
+        if (this.wizard.providerModel === "proxyprovider") {
+            (provider as ProxyProviderRequest).mode = this.wizard.proxyMode;
+            if ((provider as ProxyProviderRequest).mode !== ProxyMode.ForwardDomain) {
+                (provider as ProxyProviderRequest).cookieDomain = "";
+            }
+        }
+
+        const request: TransactionApplicationRequest = {
+            app: cleanApplication(this.wizard.app),
+            providerModel,
+            provider,
+            policyBindings: (this.wizard.bindings ?? []).map(cleanBinding),
+        };
+
+        this.state = "running";
+
+        return (
+            new CoreApi(DEFAULT_CONFIG)
+                .coreTransactionalApplicationsUpdate({
+                    transactionApplicationRequest: request,
+                })
+                .then((_response: TransactionApplicationResponse) => {
+                    this.dispatchCustomEvent(EVENT_REFRESH);
+                    this.state = "submitted";
+                })
+
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                .catch(async (resolution: any) => {
+                    const errors = (await parseAPIError(
+                        await resolution,
+                    )) as ExtendedValidationError;
+
+                    // THIS is a really gross special case; if the user is duplicating the name of
+                    // an existing provider, the error appears on the `app` (!) error object. We
+                    // have to move that to the `provider.name` error field so it shows up in the
+                    // right place.
+                    if (Array.isArray(errors?.app?.provider)) {
+                        const providerError = errors.app.provider;
+                        errors.provider = errors.provider ?? {};
+                        errors.provider.name = providerError;
+                        delete errors.app.provider;
+                        if (Object.keys(errors.app).length === 0) {
+                            delete errors.app;
+                        }
+                    }
+                    this.handleUpdate({ errors });
+                    this.state = "reviewing";
+                })
+        );
+    }
+
+    override handleButton(button: WizardButton) {
+        match([button.kind, this.state])
+            .with([P.union("back", "cancel"), P._], () => {
+                super.handleButton(button);
+            })
+            .with(["close", "submitted"], () => {
+                super.handleButton(button);
+            })
+            .with(["next", "reviewing"], () => {
+                this.send();
+            })
+            .with([P._, "running"], () => {
+                throw new Error("No buttons should be showing when running submit phase");
+            })
+            .otherwise(() => {
+                throw new Error(
+                    `Submit step received incoherent button/state combination: ${[button.kind, state]}`,
+                );
+            });
+    }
+
+    get buttons(): WizardButton[] {
+        const forReview: WizardButton[] = [
+            { kind: "next", label: msg("Submit"), destination: "here" },
+            { kind: "back", destination: "bindings" },
+            { kind: "cancel" },
+        ];
+
+        const forSubmit: WizardButton[] = [{ kind: "close" }];
+
+        return match(this.state)
+            .with("submitted", () => forSubmit)
+            .with("running", () => [])
+            .with("reviewing", () => forReview)
+            .exhaustive();
+    }
+
+    renderInfo(
+        state: string,
+        label: string,
+        icons: string[],
+        extraInfo: MaybeTemplateResult = nothing,
+    ) {
+        const icon = classMap(icons.reduce((acc, icon) => ({ ...acc, [icon]: true }), {}));
+
+        return html`<div data-ouid-component-state=${this.state} class="ak-wizard-main-content">
+            <div class="pf-l-bullseye">
+                <div class="pf-c-empty-state pf-m-lg">
+                    <div class="pf-c-empty-state__content">
+                        <i class="fas ${icon} pf-c-empty-state__icon" aria-hidden="true"></i>
+                        <h1 data-ouia-commit-state=${state} class="pf-c-title pf-m-lg">${label}</h1>
+                        ${extraInfo}
+                    </div>
+                </div>
+            </div>
+        </div>`;
+    }
+
+    renderError() {
+        if (Object.keys(this.wizard.errors).length === 0) {
+            return nothing;
+        }
+
+        const navTo = (step: string) => () => this.dispatchEvent(new WizardNavigationEvent(step));
+        const errors = this.wizard.errors;
+        return html` <hr class="pf-c-divider" />
+            ${match(errors as ExtendedValidationError)
+                .with(
+                    { app: P.nonNullable },
+                    () =>
+                        html`<p>${msg("There was an error in the application.")}</p>
+                            <p>
+                                <a @click=${navTo("application")}
+                                    >${msg("Review the application.")}</a
+                                >
+                            </p>`,
+                )
+                .with(
+                    { provider: P.nonNullable },
+                    () =>
+                        html`<p>${msg("There was an error in the provider.")}</p>
+                            <p>
+                                <a @click=${navTo("provider")}>${msg("Review the provider.")}</a>
+                            </p>`,
+                )
+                .with(
+                    { detail: P.nonNullable },
+                    () =>
+                        `<p>${msg("There was an error. Please go back and review the application.")}: ${errors.detail}</p>`,
+                )
+                .with(
+                    {
+                        nonFieldErrors: P.when(isNotEmpty),
+                    },
+                    () =>
+                        html`<p>${msg("There was an error:")}:</p>
+                            <ul>
+                                ${(errors.nonFieldErrors ?? []).map(
+                                    (e: string) => html`<li>${e}</li>`,
+                                )}
+                            </ul>
+                            <p>${msg("Please go back and review the application.")}</p>`,
+                )
+                .otherwise(
+                    () =>
+                        html`<p>
+                            ${msg(
+                                "There was an error creating the application, but no error message was sent. Please review the server logs.",
+                            )}
+                        </p>`,
+                )}`;
+    }
+
+    renderReview(app: Partial<ApplicationRequest>, provider: OneOfProvider) {
+        const renderer = providerRenderers.get(this.wizard.providerModel);
+        if (!renderer) {
+            throw new Error(
+                `Provider ${this.wizard.providerModel ?? "-- undefined --"} has no summary renderer.`,
+            );
+        }
+        return html`
+            <div class="ak-wizard-main-content">
+                <ak-wizard-title>${msg("Review the Application and Provider")}</ak-wizard-title>
+                <h2 class="pf-c-title pf-m-xl">${msg("Application")}</h2>
+                <dl class="pf-c-description-list">
+                    <div class="pf-c-description-list__group">
+                        <dt class="pf-c-description-list__term">${msg("Name")}</dt>
+                        <dt class="pf-c-description-list__description">${app.name}</dt>
+                    </div>
+                    <div class="pf-c-description-list__group">
+                        <dt class="pf-c-description-list__term">${msg("Group")}</dt>
+                        <dt class="pf-c-description-list__description">${app.group || msg("-")}</dt>
+                    </div>
+                    <div class="pf-c-description-list__group">
+                        <dt class="pf-c-description-list__term">${msg("Policy engine mode")}</dt>
+                        <dt class="pf-c-description-list__description">
+                            ${app.policyEngineMode?.toUpperCase()}
+                        </dt>
+                    </div>
+                    ${(app.metaLaunchUrl ?? "").trim() !== ""
+                        ? html` <div class="pf-c-description-list__group">
+                              <dt class="pf-c-description-list__term">${msg("Launch URL")}</dt>
+                              <dt class="pf-c-description-list__description">
+                                  ${app.metaLaunchUrl}
+                              </dt>
+                          </div>`
+                        : nothing}
+                </dl>
+                ${renderer
+                    ? html` <h2 class="pf-c-title pf-m-xl pf-u-pt-xl">${msg("Provider")}</h2>
+                          ${renderer(provider)}`
+                    : nothing}
+            </div>
+        `;
+    }
+
+    renderMain() {
+        const app = this.wizard.app;
+        const provider = this.wizard.provider;
+        if (!(this.wizard && app && provider)) {
+            throw new Error("Submit step received uninitialized wizard context");
+        }
+        // An empty object is truthy, an empty array is falsey. *WAT Javascript*.
+        const keys = Object.keys(this.wizard.errors);
+        return match([this.state, keys])
+            .with(["submitted", P._], () =>
+                this.renderInfo("success", msg("Your application has been saved"), [
+                    "fa-check-circle",
+                    "pf-m-success",
+                ]),
+            )
+            .with(["running", P._], () =>
+                this.renderInfo("running", msg("Saving application..."), ["fa-cogs", "pf-m-info"]),
+            )
+            .with(["reviewing", []], () => this.renderReview(app, provider))
+            .with(["reviewing", [P.any, ...P.array()]], () =>
+                this.renderInfo(
+                    "error",
+                    msg("authentik was unable to complete this process."),
+                    ["fa-times-circle", "pf-m-danger"],
+                    this.renderError(),
+                ),
+            )
+            .exhaustive();
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-submit-step": ApplicationWizardSubmitStep;
+    }
+}

web/src/admin/applications/wizard/steps/bindings/ak-application-wizard-bindings-edit-button.ts

@@ -0,0 +1,50 @@
+import { AKElement } from "@goauthentik/elements/Base.js";
+import { bound } from "@goauthentik/elements/decorators/bound.js";
+
+import { msg } from "@lit/localize";
+import { html } from "lit";
+import { customElement, property } from "lit/decorators.js";
+
+import PFButton from "@patternfly/patternfly/components/Button/button.css";
+
+@customElement("ak-application-wizard-binding-step-edit-button")
+export class ApplicationWizardBindingStepEditButton extends AKElement {
+    static get styles() {
+        return [PFButton];
+    }
+
+    @property({ type: Number })
+    value = -1;
+
+    @bound
+    onClick(ev: Event) {
+        ev.stopPropagation();
+        this.dispatchEvent(
+            new CustomEvent<number>("click-edit", {
+                bubbles: true,
+                composed: true,
+                detail: this.value,
+            }),
+        );
+    }
+
+    render() {
+        return html`<button class="pf-c-button pf-c-secondary" @click=${this.onClick}>
+            ${msg("Edit")}
+        </button>`;
+    }
+}
+
+export function makeEditButton(
+    label: string,
+    value: number,
+    handler: (_: CustomEvent<number>) => void,
+) {
+    return html`<ak-application-wizard-binding-step-edit-button
+        class="pf-c-button pf-m-secondary"
+        .value=${value}
+        @click-edit=${handler}
+    >
+        ${label}
+    </ak-application-wizard-binding-step-edit-button>`;
+}

web/src/admin/applications/wizard/steps/bindings/ak-application-wizard-bindings-toolbar.ts

@@ -0,0 +1,53 @@
+import { AKElement } from "@goauthentik/elements/Base";
+
+import { msg } from "@lit/localize";
+import { html } from "lit";
+import { customElement, property } from "lit/decorators.js";
+
+import PFButton from "@patternfly/patternfly/components/Button/button.css";
+import PFToolbar from "@patternfly/patternfly/components/Toolbar/toolbar.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
+
+@customElement("ak-application-wizard-bindings-toolbar")
+export class ApplicationWizardBindingsToolbar extends AKElement {
+    static get styles() {
+        return [PFBase, PFButton, PFToolbar];
+    }
+
+    @property({ type: Boolean, attribute: "can-delete", reflect: true })
+    canDelete = false;
+
+    notify(eventName: string) {
+        this.dispatchEvent(new Event(eventName, { bubbles: true, composed: true }));
+    }
+
+    render() {
+        return html`
+            <div class="pf-c-toolbar">
+                <div class="pf-c-toolbar__content">
+                    <div class="pf-c-toolbar__group">
+                        <button
+                            class="pf-c-button pf-m-primary"
+                            @click=${() => this.notify("clickNew")}
+                        >
+                            ${msg("Bind existing policy/group/user")}
+                        </button>
+                    </div>
+                    <button
+                        class="pf-c-button pf-m-danger"
+                        ?disabled=${!this.canDelete}
+                        @click=${() => this.notify("clickDelete")}
+                    >
+                        ${msg("Delete")}
+                    </button>
+                </div>
+            </div>
+        `;
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-bindings-toolbar": ApplicationWizardBindingsToolbar;
+    }
+}

web/src/admin/applications/wizard/steps/providers/ApplicationWizardProviderForm.ts

@@ -0,0 +1,62 @@
+import { camelToSnake } from "@goauthentik/common/utils.js";
+import "@goauthentik/components/ak-number-input";
+import "@goauthentik/components/ak-radio-input";
+import "@goauthentik/components/ak-switch-input";
+import "@goauthentik/components/ak-text-input";
+import { AKElement } from "@goauthentik/elements/Base.js";
+import { KeyUnknown, serializeForm } from "@goauthentik/elements/forms/Form";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import { HorizontalFormElement } from "@goauthentik/elements/forms/HorizontalFormElement";
+
+import { property, query } from "lit/decorators.js";
+
+import { styles as AwadStyles } from "../../ApplicationWizardFormStepStyles.css.js";
+import { type ApplicationWizardState, type OneOfProvider } from "../../types";
+
+export class ApplicationWizardProviderForm<T extends OneOfProvider> extends AKElement {
+    static get styles() {
+        return AwadStyles;
+    }
+
+    label = "";
+
+    @property({ type: Object, attribute: false })
+    wizard!: ApplicationWizardState;
+
+    @property({ type: Object, attribute: false })
+    errors: Map<string | number | symbol, string> = new Map();
+
+    @query("form#providerform")
+    form!: HTMLFormElement;
+
+    get formValues(): KeyUnknown | undefined {
+        const elements = [
+            ...Array.from(
+                this.form.querySelectorAll<HorizontalFormElement>("ak-form-element-horizontal"),
+            ),
+            ...Array.from(this.form.querySelectorAll<HTMLElement>("[data-ak-control=true]")),
+        ];
+        return serializeForm(elements as unknown as NodeListOf<HorizontalFormElement>);
+    }
+
+    get valid() {
+        this.errors = new Map();
+        return this.form.checkValidity();
+    }
+
+    errorMessages(name: string) {
+        return this.errors.has(name)
+            ? [this.errors.get(name)]
+            : (this.wizard.errors?.provider?.[name] ??
+                  this.wizard.errors?.provider?.[camelToSnake(name)] ??
+                  []);
+    }
+
+    isValid(name: keyof T) {
+        return !(
+            (this.wizard.errors?.provider?.[name as string] ?? []).length > 0 ||
+            this.errors.has(name)
+        );
+    }
+}

web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-ldap.ts

@@ -0,0 +1,44 @@
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import { ValidationRecord } from "@goauthentik/admin/applications/wizard/types";
+import { renderForm } from "@goauthentik/admin/providers/ldap/LDAPProviderFormForm.js";
+import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider.js";
+
+import { msg } from "@lit/localize";
+import { html } from "lit";
+import { customElement } from "lit/decorators.js";
+
+import type { LDAPProvider } from "@goauthentik/api";
+
+import { ApplicationWizardProviderForm } from "./ApplicationWizardProviderForm.js";
+
+@customElement("ak-application-wizard-provider-for-ldap")
+export class ApplicationWizardLdapProviderForm extends WithBrandConfig(
+    ApplicationWizardProviderForm<LDAPProvider>,
+) {
+    label = msg("Configure LDAP Provider");
+
+    renderForm(provider: LDAPProvider, errors: ValidationRecord) {
+        return html`
+            <ak-wizard-title>${this.label}</ak-wizard-title>
+            <form id="providerform" class="pf-c-form pf-m-horizontal" slot="form">
+                ${renderForm(provider ?? {}, errors, this.brand)}
+            </form>
+        `;
+    }
+
+    render() {
+        if (!(this.wizard.provider && this.wizard.errors)) {
+            throw new Error("LDAP Provider Step received uninitialized wizard context.");
+        }
+        return this.renderForm(
+            this.wizard.provider as LDAPProvider,
+            this.wizard.errors.provider ?? {},
+        );
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-provider-for-ldap": ApplicationWizardLdapProviderForm;
+    }
+}

web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-oauth.ts

@@ -0,0 +1,64 @@
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import { renderForm } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderFormForm.js";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+
+import { msg } from "@lit/localize";
+import { html } from "lit";
+import { customElement, state } from "lit/decorators.js";
+
+import { OAuth2ProviderRequest, SourcesApi } from "@goauthentik/api";
+import { type OAuth2Provider, type PaginatedOAuthSourceList } from "@goauthentik/api";
+
+import { ExtendedValidationError } from "../../types.js";
+import { ApplicationWizardProviderForm } from "./ApplicationWizardProviderForm.js";
+
+@customElement("ak-application-wizard-provider-for-oauth")
+export class ApplicationWizardOauth2ProviderForm extends ApplicationWizardProviderForm<OAuth2ProviderRequest> {
+    label = msg("Configure OAuth2 Provider");
+
+    @state()
+    showClientSecret = true;
+
+    @state()
+    oauthSources?: PaginatedOAuthSourceList;
+
+    constructor() {
+        super();
+        new SourcesApi(DEFAULT_CONFIG)
+            .sourcesOauthList({
+                ordering: "name",
+                hasJwks: true,
+            })
+            .then((oauthSources: PaginatedOAuthSourceList) => {
+                this.oauthSources = oauthSources;
+            });
+    }
+
+    renderForm(provider: OAuth2Provider, errors: ExtendedValidationError) {
+        const showClientSecretCallback = (show: boolean) => {
+            this.showClientSecret = show;
+        };
+        return html` <ak-wizard-title>${this.label}</ak-wizard-title>
+            <form id="providerform" class="pf-c-form pf-m-horizontal" slot="form">
+                ${renderForm(
+                    provider ?? {},
+                    errors,
+                    this.showClientSecret,
+                    showClientSecretCallback,
+                )}
+            </form>`;
+    }
+
+    render() {
+        if (!(this.wizard.provider && this.wizard.errors)) {
+            throw new Error("Oauth2 Provider Step received uninitialized wizard context.");
+        }
+        return this.renderForm(this.wizard.provider as OAuth2Provider, this.wizard.errors);
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-provider-for-oauth": ApplicationWizardOauth2ProviderForm;
+    }
+}

web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-proxy.ts

@@ -0,0 +1,67 @@
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import { ValidationRecord } from "@goauthentik/admin/applications/wizard/types";
+import {
+    ProxyModeValue,
+    type SetMode,
+    type SetShowHttpBasic,
+    renderForm,
+} from "@goauthentik/admin/providers/proxy/ProxyProviderFormForm.js";
+import { WizardUpdateEvent } from "@goauthentik/components/ak-wizard/events.js";
+
+import { msg } from "@lit/localize";
+import { html } from "lit";
+import { customElement, state } from "lit/decorators.js";
+
+import { ProxyMode, ProxyProvider } from "@goauthentik/api";
+
+import { ApplicationWizardProviderForm } from "./ApplicationWizardProviderForm";
+
+@customElement("ak-application-wizard-provider-for-proxy")
+export class ApplicationWizardProxyProviderForm extends ApplicationWizardProviderForm<ProxyProvider> {
+    label = msg("Configure Proxy Provider");
+
+    @state()
+    showHttpBasic = true;
+
+    renderForm(provider: ProxyProvider, errors: ValidationRecord) {
+        const onSetMode: SetMode = (ev: CustomEvent<ProxyModeValue>) => {
+            this.dispatchEvent(
+                new WizardUpdateEvent({ ...this.wizard, proxyMode: ev.detail.value }),
+            );
+            // We deliberately chose not to make the forms "controlled," but we do need this form to
+            // respond immediately to a state change in the wizard.
+            window.setTimeout(() => this.requestUpdate(), 0);
+        };
+
+        const onSetShowHttpBasic: SetShowHttpBasic = (ev: Event) => {
+            const el = ev.target as HTMLInputElement;
+            this.showHttpBasic = el.checked;
+        };
+
+        return html` <ak-wizard-title>${this.label}</ak-wizard-title>
+            <form id="providerform" class="pf-c-form pf-m-horizontal" slot="form">
+                ${renderForm(provider ?? {}, errors ?? [], {
+                    mode: this.wizard.proxyMode ?? ProxyMode.Proxy,
+                    onSetMode,
+                    showHttpBasic: this.showHttpBasic,
+                    onSetShowHttpBasic,
+                })}
+            </form>`;
+    }
+
+    render() {
+        if (!(this.wizard.provider && this.wizard.errors)) {
+            throw new Error("Proxy Provider Step received uninitialized wizard context.");
+        }
+        return this.renderForm(
+            this.wizard.provider as ProxyProvider,
+            this.wizard.errors?.provider ?? {},
+        );
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-provider-for-proxy": ApplicationWizardProxyProviderForm;
+    }
+}

web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-rac.ts

@@ -1,4 +1,5 @@
-import "@goauthentik/admin/applications/wizard/ak-wizard-title";
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import "@goauthentik/admin/common/ak-crypto-certificate-search.js";
 import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import {
     propertyMappingsProvider,
@@ -7,33 +8,29 @@ import {
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
 
 import { msg } from "@lit/localize";
 import { html } from "lit";
 import { customElement } from "lit/decorators.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 
-import { FlowsInstancesListDesignationEnum, RACProvider } from "@goauthentik/api";
+import { FlowsInstancesListDesignationEnum, type RACProvider } from "@goauthentik/api";
 
-import BaseProviderPanel from "../BaseProviderPanel";
+import { ApplicationWizardProviderForm } from "./ApplicationWizardProviderForm.js";
 
-@customElement("ak-application-wizard-authentication-for-rac")
-export class ApplicationWizardAuthenticationByRAC extends BaseProviderPanel {
-    render() {
-        const provider = this.wizard.provider as RACProvider | undefined;
-        const errors = this.wizard.errors.provider;
+@customElement("ak-application-wizard-provider-for-rac")
+export class ApplicationWizardRACProviderForm extends ApplicationWizardProviderForm<RACProvider> {
+    label = msg("Configure Remote Access Provider");
 
-        return html`<ak-wizard-title
-                >${msg("Configure Remote Access Provider Provider")}</ak-wizard-title
-            >
-            <form class="pf-c-form pf-m-horizontal" @input=${this.handleChange}>
+    renderForm(provider: RACProvider) {
+        return html`
+            <ak-wizard-title>${this.label}</ak-wizard-title>
+            <form id="providerform" class="pf-c-form pf-m-horizontal" slot="form">
                 <ak-text-input
                     name="name"
                     label=${msg("Name")}
-                    value=${ifDefined(provider?.name)}
-                    .errorMessages=${errors?.name ?? []}
+                    value=${ifDefined(provider.name)}
+                    .errorMessages=${this.errorMessages("name")}
                     required
                 ></ak-text-input>
 
@@ -44,7 +41,7 @@ export class ApplicationWizardAuthenticationByRAC extends BaseProviderPanel {
                 >
                     <ak-flow-search
                         flowType=${FlowsInstancesListDesignationEnum.Authorization}
-                        .currentFlow=${provider?.authorizationFlow}
+                        .currentFlow=${provider.authorizationFlow}
                         required
                     ></ak-flow-search>
                     <p class="pf-c-form__helper-text">
@@ -56,7 +53,7 @@ export class ApplicationWizardAuthenticationByRAC extends BaseProviderPanel {
                     name="connectionExpiry"
                     label=${msg("Connection expiry")}
                     required
-                    value="${provider?.connectionExpiry ?? "hours=8"}"
+                    value="${provider.connectionExpiry ?? "hours=8"}"
                     help=${msg(
                         "Determines how long a session lasts before being disconnected and requiring re-authorization.",
                     )}
@@ -78,14 +75,20 @@ export class ApplicationWizardAuthenticationByRAC extends BaseProviderPanel {
                         </ak-form-element-horizontal>
                     </div>
                 </ak-form-group>
-            </form>`;
+            </form>
+        `;
+    }
+
+    render() {
+        if (!(this.wizard.provider && this.wizard.errors)) {
+            throw new Error("RAC Provider Step received uninitialized wizard context.");
+        }
+        return this.renderForm(this.wizard.provider as RACProvider);
     }
 }
 
-export default ApplicationWizardAuthenticationByRAC;
-
 declare global {
     interface HTMLElementTagNameMap {
-        "ak-application-wizard-authentication-for-rac": ApplicationWizardAuthenticationByRAC;
+        "ak-application-wizard-provider-for-rac": ApplicationWizardRACProviderForm;
     }
 }

web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-radius.ts

@@ -0,0 +1,42 @@
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import { ValidationRecord } from "@goauthentik/admin/applications/wizard/types";
+import { renderForm } from "@goauthentik/admin/providers/radius/RadiusProviderFormForm.js";
+import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
+
+import { msg } from "@lit/localize";
+import { customElement } from "@lit/reactive-element/decorators.js";
+import { html } from "lit";
+
+import { RadiusProvider } from "@goauthentik/api";
+
+import { ApplicationWizardProviderForm } from "./ApplicationWizardProviderForm.js";
+
+@customElement("ak-application-wizard-provider-for-radius")
+export class ApplicationWizardRadiusProviderForm extends WithBrandConfig(
+    ApplicationWizardProviderForm<RadiusProvider>,
+) {
+    label = msg("Configure Radius Provider");
+
+    renderForm(provider: RadiusProvider, errors: ValidationRecord) {
+        return html` <ak-wizard-title>${this.label}</ak-wizard-title>
+            <form id="providerform" class="pf-c-form pf-m-horizontal" slot="form">
+                ${renderForm(provider ?? {}, errors, this.brand)}
+            </form>`;
+    }
+
+    render() {
+        if (!(this.wizard.provider && this.wizard.errors)) {
+            throw new Error("RAC Provider Step received uninitialized wizard context.");
+        }
+        return this.renderForm(
+            this.wizard.provider as RadiusProvider,
+            this.wizard.errors?.provider ?? {},
+        );
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-provider-for-radius": ApplicationWizardRadiusProviderForm;
+    }
+}

web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-saml.ts

@@ -0,0 +1,51 @@
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import { type AkCryptoCertificateSearch } from "@goauthentik/admin/common/ak-crypto-certificate-search";
+import { renderForm } from "@goauthentik/admin/providers/saml/SAMLProviderFormForm.js";
+import "@goauthentik/elements/forms/FormGroup";
+
+import { msg } from "@lit/localize";
+import { customElement, state } from "@lit/reactive-element/decorators.js";
+import { html } from "lit";
+
+import { SAMLProvider } from "@goauthentik/api";
+
+import { ApplicationWizardProviderForm } from "./ApplicationWizardProviderForm";
+
+@customElement("ak-application-wizard-provider-for-saml")
+export class ApplicationWizardProviderSamlForm extends ApplicationWizardProviderForm<SAMLProvider> {
+    label = msg("Configure SAML Provider");
+
+    @state()
+    hasSigningKp = false;
+
+    renderForm() {
+        const setHasSigningKp = (ev: InputEvent) => {
+            const target = ev.target as AkCryptoCertificateSearch;
+            if (!target) return;
+            this.hasSigningKp = !!target.selectedKeypair;
+        };
+
+        return html` <ak-wizard-title>${this.label}</ak-wizard-title>
+            <form id="providerform" class="pf-c-form pf-m-horizontal" slot="form">
+                ${renderForm(
+                    (this.wizard.provider as SAMLProvider) ?? {},
+                    this.wizard.errors?.provider ?? {},
+                    setHasSigningKp,
+                    this.hasSigningKp,
+                )}
+            </form>`;
+    }
+
+    render() {
+        if (!(this.wizard.provider && this.wizard.errors)) {
+            throw new Error("SAML Provider Step received uninitialized wizard context.");
+        }
+        return this.renderForm();
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-provider-for-saml": ApplicationWizardProviderSamlForm;
+    }
+}

web/src/admin/applications/wizard/steps/providers/ak-application-wizard-provider-for-scim.ts

@@ -0,0 +1,35 @@
+import "@goauthentik/admin/applications/wizard/ak-wizard-title.js";
+import { renderForm } from "@goauthentik/admin/providers/scim/SCIMProviderFormForm.js";
+import "@goauthentik/elements/forms/FormGroup";
+
+import { msg } from "@lit/localize";
+import { customElement, state } from "@lit/reactive-element/decorators.js";
+import { html } from "lit";
+
+import { PaginatedSCIMMappingList, type SCIMProvider } from "@goauthentik/api";
+
+import { ApplicationWizardProviderForm } from "./ApplicationWizardProviderForm";
+
+@customElement("ak-application-wizard-provider-for-scim")
+export class ApplicationWizardSCIMProvider extends ApplicationWizardProviderForm<SCIMProvider> {
+    label = msg("Configure SCIM Provider");
+
+    @state()
+    propertyMappings?: PaginatedSCIMMappingList;
+
+    render() {
+        return html`<ak-wizard-title>${this.label}</ak-wizard-title>
+            <form id="providerform" class="pf-c-form pf-m-horizontal" slot="form">
+                ${renderForm(
+                    (this.wizard.provider as SCIMProvider) ?? {},
+                    this.wizard.errors.provider,
+                )}
+            </form>`;
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-application-wizard-provider-for-scim": ApplicationWizardSCIMProvider;
+    }
+}

web/src/admin/applications/wizard/stories/ak-application-context-display-for-test.ts

@@ -1,24 +0,0 @@
-import { consume } from "@lit/context";
-import { customElement } from "@lit/reactive-element/decorators/custom-element.js";
-import { state } from "@lit/reactive-element/decorators/state.js";
-import { LitElement, html } from "lit";
-
-import { applicationWizardContext } from "../ContextIdentity";
-import type { ApplicationWizardState } from "../types";
-
-@customElement("ak-application-context-display-for-test")
-export class ApplicationContextDisplayForTest extends LitElement {
-    @consume({ context: applicationWizardContext, subscribe: true })
-    @state()
-    private wizard!: ApplicationWizardState;
-
-    render() {
-        return html`<div><pre>${JSON.stringify(this.wizard, null, 2)}</pre></div>`;
-    }
-}
-
-declare global {
-    interface HTMLElementTagNameMap {
-        "ak-application-context-display-for-test": ApplicationContextDisplayForTest;
-    }
-}

web/src/admin/applications/wizard/stories/ak-application-wizard-main.stories.ts

@@ -1,54 +0,0 @@
-import { Meta } from "@storybook/web-components";
-
-import { TemplateResult, html } from "lit";
-
-import { ApplicationWizard } from "../ak-application-wizard";
-import "../ak-application-wizard";
-import { mockData } from "./mockData";
-
-const metadata: Meta<ApplicationWizard> = {
-    title: "Elements / Application Wizard Implementation / Main",
-    component: "ak-application-wizard",
-    parameters: {
-        docs: {
-            description: {
-                component: "The first page of the application wizard",
-            },
-        },
-        mockData,
-    },
-};
-
-const LIGHT = "pf-t-light";
-function injectTheme() {
-    setTimeout(() => {
-        if (!document.body.classList.contains(LIGHT)) {
-            document.body.classList.add(LIGHT);
-        }
-    });
-}
-
-export default metadata;
-
-const container = (testItem: TemplateResult) => {
-    injectTheme();
-    return html` <div style="background: #fff; padding: 1.0rem;">
-        <style>
-            li {
-                display: block;
-            }
-            p {
-                margin-top: 1em;
-            }
-        </style>
-        ${testItem}
-    </div>`;
-};
-
-export const MainPage = () => {
-    return container(html`
-        <ak-application-wizard></ak-application-wizard>
-        <hr />
-        <ak-application-context-display-for-test></ak-application-context-display-for-test>
-    `);
-};

web/src/admin/applications/wizard/stories/mockData.ts

@@ -1,62 +0,0 @@
-import {
-    dummyAuthenticationFlowsSearch,
-    dummyAuthorizationFlowsSearch,
-    dummyCoreGroupsSearch,
-    dummyCryptoCertsSearch,
-    dummyHasJwks,
-    dummyPropertyMappings,
-    dummyProviderTypesList,
-    dummySAMLProviderMappings,
-} from "./samples";
-
-export const mockData = [
-    {
-        url: "/api/v3/providers/all/types/",
-        method: "GET",
-        status: 200,
-        response: dummyProviderTypesList,
-    },
-    {
-        url: "/api/v3/core/groups/?ordering=name",
-        method: "GET",
-        status: 200,
-        response: dummyCoreGroupsSearch,
-    },
-
-    {
-        url: "/api/v3/crypto/certificatekeypairs/?has_key=true&include_details=false&ordering=name",
-        method: "GET",
-        status: 200,
-        response: dummyCryptoCertsSearch,
-    },
-    {
-        url: "/api/v3/flows/instances/?designation=authentication&ordering=slug",
-        method: "GET",
-        status: 200,
-        response: dummyAuthenticationFlowsSearch,
-    },
-    {
-        url: "/api/v3/flows/instances/?designation=authorization&ordering=slug",
-        method: "GET",
-        status: 200,
-        response: dummyAuthorizationFlowsSearch,
-    },
-    {
-        url: "/api/v3/propertymappings/scope/?ordering=scope_name",
-        method: "GET",
-        status: 200,
-        response: dummyPropertyMappings,
-    },
-    {
-        url: "/api/v3/sources/oauth/?has_jwks=true&ordering=name",
-        method: "GET",
-        status: 200,
-        response: dummyHasJwks,
-    },
-    {
-        url: "/api/v3/propertymappings/saml/?ordering=saml_name",
-        method: "GET",
-        status: 200,
-        response: dummySAMLProviderMappings,
-    },
-];

web/src/admin/applications/wizard/stories/samples.ts

@@ -1,375 +0,0 @@
-export const dummyCryptoCertsSearch = {
-    pagination: {
-        next: 0,
-        previous: 0,
-        count: 1,
-        current: 1,
-        total_pages: 1,
-        start_index: 1,
-        end_index: 1,
-    },
-    results: [
-        {
-            pk: "63efd1b8-6c39-4f65-8157-9a406cb37447",
-            name: "authentik Self-signed Certificate",
-            fingerprint_sha256: null,
-            fingerprint_sha1: null,
-            cert_expiry: null,
-            cert_subject: null,
-            private_key_available: true,
-            private_key_type: null,
-            certificate_download_url:
-                "/api/v3/crypto/certificatekeypairs/63efd1b8-6c39-4f65-8157-9a406cb37447/view_certificate/?download",
-            private_key_download_url:
-                "/api/v3/crypto/certificatekeypairs/63efd1b8-6c39-4f65-8157-9a406cb37447/view_private_key/?download",
-            managed: null,
-        },
-    ],
-};
-
-export const dummyAuthenticationFlowsSearch = {
-    pagination: {
-        next: 0,
-        previous: 0,
-        count: 2,
-        current: 1,
-        total_pages: 1,
-        start_index: 1,
-        end_index: 2,
-    },
-    results: [
-        {
-            pk: "2594b1a0-f234-4965-8b93-a8631a55bd5c",
-            policybindingmodel_ptr_id: "0bc529a6-dcd0-4ba8-8fef-5702348832f9",
-            name: "Welcome to authentik!",
-            slug: "default-authentication-flow",
-            title: "Welcome to authentik!",
-            designation: "authentication",
-            background: "/static/dist/assets/images/flow_background.jpg",
-            stages: [
-                "bad9fbce-fb86-4ba4-8124-e7a1d8c147f3",
-                "1da1f272-a76e-4112-be95-f02421fca1d4",
-                "945cd956-6670-4dfa-ab3a-2a72dd3051a7",
-                "0fc1fc5c-b928-4d99-a892-9ae48de089f5",
-            ],
-            policies: [],
-            cache_count: 0,
-            policy_engine_mode: "any",
-            compatibility_mode: false,
-            export_url: "/api/v3/flows/instances/default-authentication-flow/export/",
-            layout: "stacked",
-            denied_action: "message_continue",
-            authentication: "none",
-        },
-        {
-            pk: "3526dbd1-b50e-4553-bada-fbe7b3c2f660",
-            policybindingmodel_ptr_id: "cde67954-b78a-4fe9-830e-c2aba07a724a",
-            name: "Welcome to authentik!",
-            slug: "default-source-authentication",
-            title: "Welcome to authentik!",
-            designation: "authentication",
-            background: "/static/dist/assets/images/flow_background.jpg",
-            stages: ["3713b252-cee3-4acb-a02f-083f26459fff"],
-            policies: ["f42a4c7f-6586-4b14-9325-a832127ba295"],
-            cache_count: 0,
-            policy_engine_mode: "any",
-            compatibility_mode: false,
-            export_url: "/api/v3/flows/instances/default-source-authentication/export/",
-            layout: "stacked",
-            denied_action: "message_continue",
-            authentication: "require_unauthenticated",
-        },
-    ],
-};
-
-export const dummyAuthorizationFlowsSearch = {
-    pagination: {
-        next: 0,
-        previous: 0,
-        count: 2,
-        current: 1,
-        total_pages: 1,
-        start_index: 1,
-        end_index: 2,
-    },
-    results: [
-        {
-            pk: "9e01f011-8b3f-43d6-bedf-c29be5f3a428",
-            policybindingmodel_ptr_id: "14179ef8-2726-4027-9e2f-dc99185199bf",
-            name: "Authorize Application",
-            slug: "default-provider-authorization-explicit-consent",
-            title: "Redirecting to %(app)s",
-            designation: "authorization",
-            background: "/static/dist/assets/images/flow_background.jpg",
-            stages: ["ed5f015f-82b9-450f-addf-1e9d21d8dda3"],
-            policies: [],
-            cache_count: 0,
-            policy_engine_mode: "any",
-            compatibility_mode: false,
-            export_url:
-                "/api/v3/flows/instances/default-provider-authorization-explicit-consent/export/",
-            layout: "stacked",
-            denied_action: "message_continue",
-            authentication: "require_authenticated",
-        },
-        {
-            pk: "06f11ee3-cbe3-456d-81df-fae4c0a62951",
-            policybindingmodel_ptr_id: "686e6539-8b9f-473e-9f54-e05cc207dd2a",
-            name: "Authorize Application",
-            slug: "default-provider-authorization-implicit-consent",
-            title: "Redirecting to %(app)s",
-            designation: "authorization",
-            background: "/static/dist/assets/images/flow_background.jpg",
-            stages: [],
-            policies: [],
-            cache_count: 0,
-            policy_engine_mode: "any",
-            compatibility_mode: false,
-            export_url:
-                "/api/v3/flows/instances/default-provider-authorization-implicit-consent/export/",
-            layout: "stacked",
-            denied_action: "message_continue",
-            authentication: "require_authenticated",
-        },
-    ],
-};
-
-export const dummyCoreGroupsSearch = {
-    pagination: {
-        next: 0,
-        previous: 0,
-        count: 1,
-        current: 1,
-        total_pages: 1,
-        start_index: 1,
-        end_index: 1,
-    },
-    results: [
-        {
-            pk: "67543d37-0ee2-4a4c-b020-9e735a8b5178",
-            num_pk: 13734,
-            name: "authentik Admins",
-            is_superuser: true,
-            parent: null,
-            users: [1],
-            attributes: {},
-            users_obj: [
-                {
-                    pk: 1,
-                    username: "akadmin",
-                    name: "authentik Default Admin",
-                    is_active: true,
-                    last_login: "2023-07-03T16:08:11.196942Z",
-                    email: "ken@goauthentik.io",
-                    attributes: {
-                        settings: {
-                            locale: "en",
-                        },
-                    },
-                    uid: "6dedc98b3fdd0f9afdc705e9d577d61127d89f1d91ea2f90f0b9a353615fb8f2",
-                },
-            ],
-        },
-    ],
-};
-
-export const dummyPropertyMappings = {
-    pagination: {
-        next: 0,
-        previous: 0,
-        count: 4,
-        current: 1,
-        total_pages: 1,
-        start_index: 1,
-        end_index: 4,
-    },
-    results: [
-        {
-            pk: "30d87af7-9d9d-4292-873e-a52145ba4bcb",
-            managed: "goauthentik.io/providers/proxy/scope-proxy",
-            name: "authentik default OAuth Mapping: Proxy outpost",
-            expression:
-                '# This mapping is used by the authentik proxy. It passes extra user attributes,\n# which are used for example for the HTTP-Basic Authentication mapping.\nreturn {\n    "ak_proxy": {\n        "user_attributes": request.user.group_attributes(request),\n        "is_superuser": request.user.is_superuser,\n    }\n}',
-            component: "ak-property-mapping-scope-form",
-            verbose_name: "Scope Mapping",
-            verbose_name_plural: "Scope Mappings",
-            meta_model_name: "authentik_providers_oauth2.scopemapping",
-            scope_name: "ak_proxy",
-            description: "authentik Proxy - User information",
-        },
-        {
-            pk: "3e3751ed-a24c-4f47-a051-e2e05b5cd306",
-            managed: "goauthentik.io/providers/oauth2/scope-email",
-            name: "authentik default OAuth Mapping: OpenID 'email'",
-            expression: 'return {\n    "email": request.user.email,\n    "email_verified": True\n}',
-            component: "ak-property-mapping-scope-form",
-            verbose_name: "Scope Mapping",
-            verbose_name_plural: "Scope Mappings",
-            meta_model_name: "authentik_providers_oauth2.scopemapping",
-            scope_name: "email",
-            description: "Email address",
-        },
-        {
-            pk: "81c5e330-d8a0-45cd-9cad-e6a49a9c428f",
-            managed: "goauthentik.io/providers/oauth2/scope-openid",
-            name: "authentik default OAuth Mapping: OpenID 'openid'",
-            expression:
-                "# This scope is required by the OpenID-spec, and must as such exist in authentik.\n# The scope by itself does not grant any information\nreturn {}",
-            component: "ak-property-mapping-scope-form",
-            verbose_name: "Scope Mapping",
-            verbose_name_plural: "Scope Mappings",
-            meta_model_name: "authentik_providers_oauth2.scopemapping",
-            scope_name: "openid",
-            description: "",
-        },
-        {
-            pk: "7ad9cd6f-bcc8-425d-b7c2-c7c4592a1b36",
-            managed: "goauthentik.io/providers/oauth2/scope-profile",
-            name: "authentik default OAuth Mapping: OpenID 'profile'",
-            expression:
-                'return {\n    # Because authentik only saves the user\'s full name, and has no concept of first and last names,\n    # the full name is used as given name.\n    # You can override this behaviour in custom mappings, i.e. `request.user.name.split(" ")`\n    "name": request.user.name,\n    "given_name": request.user.name,\n    "preferred_username": request.user.username,\n    "nickname": request.user.username,\n    # groups is not part of the official userinfo schema, but is a quasi-standard\n    "groups": [group.name for group in request.user.ak_groups.all()],\n}',
-            component: "ak-property-mapping-scope-form",
-            verbose_name: "Scope Mapping",
-            verbose_name_plural: "Scope Mappings",
-            meta_model_name: "authentik_providers_oauth2.scopemapping",
-            scope_name: "profile",
-            description: "General Profile Information",
-        },
-    ],
-};
-
-export const dummyHasJwks = {
-    pagination: {
-        next: 0,
-        previous: 0,
-        count: 0,
-        current: 1,
-        total_pages: 1,
-        start_index: 0,
-        end_index: 0,
-    },
-    results: [],
-};
-
-export const dummySAMLProviderMappings = {
-    pagination: {
-        next: 0,
-        previous: 0,
-        count: 7,
-        current: 1,
-        total_pages: 1,
-        start_index: 1,
-        end_index: 7,
-    },
-    results: [
-        {
-            pk: "9f1f23b7-1956-4daa-b08b-338cab9b3953",
-            managed: "goauthentik.io/providers/saml/uid",
-            name: "authentik default SAML Mapping: User ID",
-            expression: "return request.user.pk",
-            component: "ak-property-mapping-saml-form",
-            verbose_name: "SAML Property Mapping",
-            verbose_name_plural: "SAML Property Mappings",
-            meta_model_name: "authentik_providers_saml.samlpropertymapping",
-            saml_name: "http://schemas.goauthentik.io/2021/02/saml/uid",
-            friendly_name: null,
-        },
-        {
-            pk: "801b6328-bb0b-4ec6-b52c-f3dc7bb6ec7f",
-            managed: "goauthentik.io/providers/saml/username",
-            name: "authentik default SAML Mapping: Username",
-            expression: "return request.user.username",
-            component: "ak-property-mapping-saml-form",
-            verbose_name: "SAML Property Mapping",
-            verbose_name_plural: "SAML Property Mappings",
-            meta_model_name: "authentik_providers_saml.samlpropertymapping",
-            saml_name: "http://schemas.goauthentik.io/2021/02/saml/username",
-            friendly_name: null,
-        },
-        {
-            pk: "27c4d370-658d-4acf-9f61-cfa6dd020b11",
-            managed: "goauthentik.io/providers/saml/ms-windowsaccountname",
-            name: "authentik default SAML Mapping: WindowsAccountname (Username)",
-            expression: "return request.user.username",
-            component: "ak-property-mapping-saml-form",
-            verbose_name: "SAML Property Mapping",
-            verbose_name_plural: "SAML Property Mappings",
-            meta_model_name: "authentik_providers_saml.samlpropertymapping",
-            saml_name: "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
-            friendly_name: null,
-        },
-        {
-            pk: "757b185b-1c21-42b4-a2ee-04d6f7b655b3",
-            managed: "goauthentik.io/providers/saml/groups",
-            name: "authentik default SAML Mapping: Groups",
-            expression: "for group in request.user.ak_groups.all():\n    yield group.name",
-            component: "ak-property-mapping-saml-form",
-            verbose_name: "SAML Property Mapping",
-            verbose_name_plural: "SAML Property Mappings",
-            meta_model_name: "authentik_providers_saml.samlpropertymapping",
-            saml_name: "http://schemas.xmlsoap.org/claims/Group",
-            friendly_name: null,
-        },
-        {
-            pk: "de67cee7-7c56-4c1d-9466-9ad0e0105092",
-            managed: "goauthentik.io/providers/saml/email",
-            name: "authentik default SAML Mapping: Email",
-            expression: "return request.user.email",
-            component: "ak-property-mapping-saml-form",
-            verbose_name: "SAML Property Mapping",
-            verbose_name_plural: "SAML Property Mappings",
-            meta_model_name: "authentik_providers_saml.samlpropertymapping",
-            saml_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
-            friendly_name: null,
-        },
-        {
-            pk: "42a936a5-11a9-4442-8748-ec27a8ab9546",
-            managed: "goauthentik.io/providers/saml/name",
-            name: "authentik default SAML Mapping: Name",
-            expression: "return request.user.name",
-            component: "ak-property-mapping-saml-form",
-            verbose_name: "SAML Property Mapping",
-            verbose_name_plural: "SAML Property Mappings",
-            meta_model_name: "authentik_providers_saml.samlpropertymapping",
-            saml_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
-            friendly_name: null,
-        },
-        {
-            pk: "06bee8f0-e5b4-4ce8-959a-308ba0769917",
-            managed: "goauthentik.io/providers/saml/upn",
-            name: "authentik default SAML Mapping: UPN",
-            expression: "return request.user.attributes.get('upn', request.user.email)",
-            component: "ak-property-mapping-saml-form",
-            verbose_name: "SAML Property Mapping",
-            verbose_name_plural: "SAML Property Mappings",
-            meta_model_name: "authentik_providers_saml.samlpropertymapping",
-            saml_name: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
-            friendly_name: null,
-        },
-    ],
-};
-
-// prettier-ignore
-export const dummyProviderTypesList = [
-    ["LDAP Provider", "ldapprovider", 
-     "Allow applications to authenticate against authentik's users using LDAP.", 
-    ], 
-    ["OAuth2/OpenID Provider", "oauth2provider", 
-     "OAuth2 Provider for generic OAuth and OpenID Connect Applications.", 
-    ], 
-    ["Proxy Provider", "proxyprovider", 
-     "Protect applications that don't support any of the other\n    Protocols by using a Reverse-Proxy.", 
-    ], 
-    ["Radius Provider", "radiusprovider", 
-     "Allow applications to authenticate against authentik's users using Radius.", 
-    ], 
-    ["SAML Provider", "samlprovider", 
-     "SAML 2.0 Endpoint for applications which support SAML.", 
-    ], 
-    ["SCIM Provider", "scimprovider", 
-     "SCIM 2.0 provider to create users and groups in external applications", 
-    ], 
-    ["SAML Provider from Metadata", "", 
-     "Create a SAML Provider by importing its Metadata.", 
-    ], 
-].map(([name, model_name, description]) => ({ name, description, model_name }));

web/src/admin/applications/wizard/types.ts

@@ -1,10 +1,10 @@
-import { type WizardStep } from "@goauthentik/components/ak-wizard-main/types";
-
 import {
     type ApplicationRequest,
     type LDAPProviderRequest,
     type OAuth2ProviderRequest,
+    type PolicyBinding,
     type ProvidersSamlImportMetadataCreateRequest,
+    type ProxyMode,
     type ProxyProviderRequest,
     type RACProviderRequest,
     type RadiusProviderRequest,
@@ -23,21 +23,41 @@ export type OneOfProvider =
     | Partial<OAuth2ProviderRequest>
     | Partial<LDAPProviderRequest>;
 
+export type ValidationRecord = { [key: string]: string[] };
+
+// TODO: Elf, extend this type and apply it to every object in the wizard.  Then run
+// the type-checker again.
+
+export type ExtendedValidationError = ValidationError & {
+    app?: ValidationRecord;
+    provider?: ValidationRecord;
+    bindings?: ValidationRecord;
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    detail?: any;
+};
+
+// We use the PolicyBinding instead of the PolicyBindingRequest here, because that gives us a slot
+// in which to preserve the retrieved policy, group, or user object from the SearchSelect used to
+// find it, which in turn allows us to create a user-friendly display of bindings on the "List of
+// configured bindings" page in the wizard. The PolicyBinding is converted into a
+// PolicyBindingRequest during the submission phase.
+
 export interface ApplicationWizardState {
-    providerModel: string;
     app: Partial<ApplicationRequest>;
+    providerModel: string;
     provider: OneOfProvider;
-    errors: ValidationError;
+    proxyMode: ProxyMode;
+    bindings: PolicyBinding[];
+    currentBinding: number;
+    errors: ExtendedValidationError;
 }
 
-type StatusType = "invalid" | "valid" | "submitted" | "failed";
-
-export type ApplicationWizardStateUpdate = {
-    update?: ApplicationWizardState;
-    status?: StatusType;
-};
-
-export type ApplicationStep = WizardStep & {
-    id: string;
-    valid: boolean;
-};
+export interface ApplicationWizardStateUpdate {
+    app?: Partial<ApplicationRequest>;
+    providerModel?: string;
+    provider?: OneOfProvider;
+    proxyMode?: ProxyMode;
+    bindings?: PolicyBinding[];
+    currentBinding?: number;
+    errors?: ValidationError;
+}

web/src/admin/common/ak-crypto-certificate-search.ts

@@ -5,8 +5,8 @@ import "@goauthentik/elements/forms/SearchSelect";
 import { CustomListenerElement } from "@goauthentik/elements/utils/eventEmitter";
 
 import { html } from "lit";
-import { customElement } from "lit/decorators.js";
-import { property, query } from "lit/decorators.js";
+import { customElement, property, query } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";
 
 import {
     CertificateKeyPair,
@@ -114,6 +114,7 @@ export class AkCryptoCertificateSearch extends CustomListenerElement(AKElement)
     render() {
         return html`
             <ak-search-select
+                name=${ifDefined(this.name ?? undefined)}
                 .fetchObjects=${this.fetchObjects}
                 .renderElement=${renderElement}
                 .value=${renderValue}

web/src/admin/common/ak-flow-search/FlowSearch.ts

@@ -7,6 +7,7 @@ import { CustomListenerElement } from "@goauthentik/elements/utils/eventEmitter"
 
 import { html } from "lit";
 import { property, query } from "lit/decorators.js";
+import { ifDefined } from "lit/directives/if-defined.js";
 
 import { FlowsApi, FlowsInstancesListDesignationEnum } from "@goauthentik/api";
 import type { Flow, FlowsInstancesListRequest } from "@goauthentik/api";
@@ -133,7 +134,7 @@ export class FlowSearch<T extends Flow> extends CustomListenerElement(AKElement)
                 .renderElement=${renderElement}
                 .renderDescription=${renderDescription}
                 .value=${getFlowValue}
-                .name=${this.name}
+                name=${ifDefined(this.name ?? undefined)}
                 @ak-change=${this.handleSearchUpdate}
                 ?blankable=${!this.required}
             >

web/src/admin/providers/ProviderWizard.ts

@@ -43,8 +43,11 @@ export class ProviderWizard extends AKElement {
     @query("ak-wizard")
     wizard?: Wizard;
 
-    async firstUpdated(): Promise<void> {
-        this.providerTypes = await new ProvidersApi(DEFAULT_CONFIG).providersAllTypesList();
+    connectedCallback() {
+        super.connectedCallback();
+        new ProvidersApi(DEFAULT_CONFIG).providersAllTypesList().then((providerTypes) => {
+            this.providerTypes = providerTypes;
+        });
     }
 
     render(): TemplateResult {
@@ -58,6 +61,7 @@ export class ProviderWizard extends AKElement {
                 }}
             >
                 <ak-wizard-page-type-create
+                    name="selectProviderType"
                     slot="initial"
                     layout=${TypeCreateWizardPageLayouts.grid}
                     .types=${this.providerTypes}

web/src/admin/providers/ldap/LDAPProviderForm.ts

@@ -2,24 +2,13 @@ import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first } from "@goauthentik/common/utils";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/Radio";
-import "@goauthentik/elements/forms/SearchSelect";
 
-import { msg } from "@lit/localize";
-import { TemplateResult, html } from "lit";
 import { customElement } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";
 
-import {
-    FlowsInstancesListDesignationEnum,
-    LDAPAPIAccessMode,
-    LDAPProvider,
-    ProvidersApi,
-} from "@goauthentik/api";
+import { LDAPProvider, ProvidersApi } from "@goauthentik/api";
+
+import { renderForm } from "./LDAPProviderFormForm.js";
 
 @customElement("ak-provider-ldap-form")
 export class LDAPProviderFormPage extends WithBrandConfig(BaseProviderForm<LDAPProvider>) {
@@ -42,212 +31,8 @@ export class LDAPProviderFormPage extends WithBrandConfig(BaseProviderForm<LDAPP
         }
     }
 
-    // All Provider objects have an Authorization flow, but not all providers have an Authentication
-    // flow. LDAP needs only one field, but it is not an Authorization field, it is an
-    // Authentication field. So, yeah, we're using the authorization field to store the
-    // authentication information, which is why the ak-branded-flow-search call down there looks so
-    // weird-- we're looking up Authentication flows, but we're storing them in the Authorization
-    // field of the target Provider.
-    renderForm(): TemplateResult {
-        return html` <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
-                <input
-                    type="text"
-                    value="${ifDefined(this.instance?.name)}"
-                    class="pf-c-form-control"
-                    required
-                />
-            </ak-form-element-horizontal>
-            <ak-form-element-horizontal label=${msg("Bind mode")} name="bindMode">
-                <ak-radio
-                    .options=${[
-                        {
-                            label: msg("Cached binding"),
-                            value: LDAPAPIAccessMode.Cached,
-                            default: true,
-                            description: html`${msg(
-                                "Flow is executed and session is cached in memory. Flow is executed when session expires",
-                            )}`,
-                        },
-                        {
-                            label: msg("Direct binding"),
-                            value: LDAPAPIAccessMode.Direct,
-                            description: html`${msg(
-                                "Always execute the configured bind flow to authenticate the user",
-                            )}`,
-                        },
-                    ]}
-                    .value=${this.instance?.bindMode}
-                >
-                </ak-radio>
-                <p class="pf-c-form__helper-text">
-                    ${msg("Configure how the outpost authenticates requests.")}
-                </p>
-            </ak-form-element-horizontal>
-            <ak-form-element-horizontal label=${msg("Search mode")} name="searchMode">
-                <ak-radio
-                    .options=${[
-                        {
-                            label: msg("Cached querying"),
-                            value: LDAPAPIAccessMode.Cached,
-                            default: true,
-                            description: html`${msg(
-                                "The outpost holds all users and groups in-memory and will refresh every 5 Minutes",
-                            )}`,
-                        },
-                        {
-                            label: msg("Direct querying"),
-                            value: LDAPAPIAccessMode.Direct,
-                            description: html`${msg(
-                                "Always returns the latest data, but slower than cached querying",
-                            )}`,
-                        },
-                    ]}
-                    .value=${this.instance?.searchMode}
-                >
-                </ak-radio>
-                <p class="pf-c-form__helper-text">
-                    ${msg("Configure how the outpost queries the core authentik server's users.")}
-                </p>
-            </ak-form-element-horizontal>
-            <ak-form-element-horizontal name="mfaSupport">
-                <label class="pf-c-switch">
-                    <input
-                        class="pf-c-switch__input"
-                        type="checkbox"
-                        ?checked=${first(this.instance?.mfaSupport, true)}
-                    />
-                    <span class="pf-c-switch__toggle">
-                        <span class="pf-c-switch__toggle-icon">
-                            <i class="fas fa-check" aria-hidden="true"></i>
-                        </span>
-                    </span>
-                    <span class="pf-c-switch__label">${msg("Code-based MFA Support")}</span>
-                </label>
-                <p class="pf-c-form__helper-text">
-                    ${msg(
-                        "When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.",
-                    )}
-                </p>
-            </ak-form-element-horizontal>
-
-            <ak-form-group expanded>
-                <span slot="header"> ${msg("Flow settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("Bind flow")}
-                        name="authorizationFlow"
-                        required
-                    >
-                        <ak-branded-flow-search
-                            flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                            .currentFlow=${this.instance?.authorizationFlow}
-                            .brandFlow=${this.brand?.flowAuthentication}
-                            required
-                        ></ak-branded-flow-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Flow used for users to authenticate.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Unbind flow")}
-                        name="invalidationFlow"
-                        required
-                    >
-                        <ak-branded-flow-search
-                            flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                            .currentFlow=${this.instance?.invalidationFlow}
-                            .brandFlow=${this.brand.flowInvalidation}
-                            defaultFlowSlug="default-invalidation-flow"
-                            required
-                        ></ak-branded-flow-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Flow used for unbinding users.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-            <ak-form-group .expanded=${true}>
-                <span slot="header"> ${msg("Protocol settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("Base DN")}
-                        ?required=${true}
-                        name="baseDn"
-                    >
-                        <input
-                            type="text"
-                            value="${first(this.instance?.baseDn, "DC=ldap,DC=goauthentik,DC=io")}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "LDAP DN under which bind requests and search requests can be made.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal label=${msg("Certificate")} name="certificate">
-                        <ak-crypto-certificate-search
-                            .certificate=${this.instance?.certificate}
-                        ></ak-crypto-certificate-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("TLS Server name")}
-                        name="tlsServerName"
-                    >
-                        <input
-                            type="text"
-                            value="${first(this.instance?.tlsServerName, "")}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("UID start number")}
-                        ?required=${true}
-                        name="uidStartNumber"
-                    >
-                        <input
-                            type="number"
-                            value="${first(this.instance?.uidStartNumber, 2000)}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "The start for uidNumbers, this number is added to the user.Pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("GID start number")}
-                        ?required=${true}
-                        name="gidStartNumber"
-                    >
-                        <input
-                            type="number"
-                            value="${first(this.instance?.gidStartNumber, 4000)}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "The start for gidNumbers, this number is added to a number generated from the group.Pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>`;
+    renderForm() {
+        return renderForm(this.instance ?? {}, [], this.brand);
     }
 }
 

web/src/admin/providers/ldap/LDAPProviderFormForm.ts

@@ -0,0 +1,178 @@
+import "@goauthentik/admin/common/ak-crypto-certificate-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
+import "@goauthentik/components/ak-number-input";
+import "@goauthentik/components/ak-radio-input";
+import "@goauthentik/components/ak-text-input";
+import "@goauthentik/components/ak-textarea-input";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import "@goauthentik/elements/forms/Radio";
+import "@goauthentik/elements/forms/SearchSelect";
+import "@goauthentik/elements/utils/TimeDeltaHelp";
+
+import { msg } from "@lit/localize";
+import { html, nothing } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import {
+    CurrentBrand,
+    FlowsInstancesListDesignationEnum,
+    LDAPProvider,
+    ValidationError,
+} from "@goauthentik/api";
+
+import {
+    bindModeOptions,
+    cryptoCertificateHelp,
+    gidStartNumberHelp,
+    mfaSupportHelp,
+    searchModeOptions,
+    tlsServerNameHelp,
+    uidStartNumberHelp,
+} from "./LDAPOptionsAndHelp.js";
+
+// All Provider objects have an Authorization flow, but not all providers have an Authentication
+// flow. LDAP needs only one field, but it is not an Authorization field, it is an Authentication
+// field. So, yeah, we're using the authorization field to store the authentication information,
+// which is why the ak-branded-flow-search call down there looks so weird-- we're looking up
+// Authentication flows, but we're storing them in the Authorization field of the target Provider.
+
+export function renderForm(
+    provider?: Partial<LDAPProvider>,
+    errors: ValidationError = {},
+    brand?: CurrentBrand,
+) {
+    return html`
+        <ak-text-input
+            name="name"
+            value=${ifDefined(provider?.name)}
+            label=${msg("Name")}
+            .errorMessages=${errors?.name ?? []}
+            required
+            help=${msg("Method's display Name.")}
+        ></ak-text-input>
+        <ak-radio-input
+            label=${msg("Bind mode")}
+            name="bindMode"
+            .options=${bindModeOptions}
+            .value=${provider?.bindMode}
+            help=${msg("Configure how the outpost authenticates requests.")}
+        >
+        </ak-radio-input>
+
+        <ak-radio-input
+            label=${msg("Search mode")}
+            name="searchMode"
+            .options=${searchModeOptions}
+            .value=${provider?.searchMode}
+            help=${msg("Configure how the outpost queries the core authentik server's users.")}
+        >
+        </ak-radio-input>
+
+        <ak-switch-input
+            name="mfaSupport"
+            label=${msg("Code-based MFA Support")}
+            ?checked=${provider?.mfaSupport ?? true}
+            help=${mfaSupportHelp}
+        >
+        </ak-switch-input>
+
+        <ak-form-group expanded>
+            <span slot="header"> ${msg("Flow settings")} </span>
+
+            <div slot="body" class="pf-c-form">
+                <ak-form-element-horizontal
+                    label=${msg("Bind flow")}
+                    ?required=${true}
+                    name="authorizationFlow"
+                    .errorMessages=${errors?.authorizationFlow ?? []}
+                >
+                    <ak-branded-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                        .currentFlow=${provider?.authorizationFlow}
+                        .brandFlow=${brand?.flowAuthentication}
+                        required
+                    ></ak-branded-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Flow used for users to authenticate.")}
+                    </p>
+                </ak-form-element-horizontal>
+
+                <ak-form-element-horizontal
+                    label=${msg("Unbind flow")}
+                    name="invalidationFlow"
+                    required
+                >
+                    <ak-branded-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                        .currentFlow=${provider?.invalidationFlow}
+                        .brandFlow=${brand?.flowInvalidation}
+                        defaultFlowSlug="default-invalidation-flow"
+                        .errorMessages=${errors?.invalidationFlow ?? []}
+                        required
+                    ></ak-branded-flow-search>
+                    <p class="pf-c-form__helper-text">${msg("Flow used for unbinding users.")}</p>
+                </ak-form-element-horizontal>
+            </div>
+        </ak-form-group>
+
+        <ak-form-group expanded>
+            <span slot="header"> ${msg("Protocol settings")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-text-input
+                    name="baseDn"
+                    label=${msg("Base DN")}
+                    required
+                    value="${provider?.baseDn ?? "DC=ldap,DC=goauthentik,DC=io"}"
+                    .errorMessages=${errors?.baseDn ?? []}
+                    help=${msg(
+                        "LDAP DN under which bind requests and search requests can be made.",
+                    )}
+                >
+                </ak-text-input>
+
+                <ak-form-element-horizontal
+                    label=${msg("Certificate")}
+                    name="certificate"
+                    .errorMessages=${errors?.certificate ?? []}
+                >
+                    <ak-crypto-certificate-search
+                        certificate=${ifDefined(provider?.certificate ?? nothing)}
+                        name="certificate"
+                    >
+                    </ak-crypto-certificate-search>
+                    <p class="pf-c-form__helper-text">${cryptoCertificateHelp}</p>
+                </ak-form-element-horizontal>
+
+                <ak-text-input
+                    label=${msg("TLS Server name")}
+                    name="tlsServerName"
+                    value="${provider?.tlsServerName ?? ""}"
+                    .errorMessages=${errors?.tlsServerName ?? []}
+                    help=${tlsServerNameHelp}
+                ></ak-text-input>
+
+                <ak-number-input
+                    label=${msg("UID start number")}
+                    required
+                    name="uidStartNumber"
+                    value="${provider?.uidStartNumber ?? 2000}"
+                    .errorMessages=${errors?.uidStartNumber ?? []}
+                    help=${uidStartNumberHelp}
+                ></ak-number-input>
+
+                <ak-number-input
+                    label=${msg("GID start number")}
+                    required
+                    name="gidStartNumber"
+                    value="${provider?.gidStartNumber ?? 4000}"
+                    .errorMessages=${errors?.gidStartNumber ?? []}
+                    help=${gidStartNumberHelp}
+                ></ak-number-input>
+            </div>
+        </ak-form-group>
+    `;
+}

web/src/admin/providers/oauth2/OAuth2ProviderForm.ts

@@ -1,121 +1,13 @@
-import "@goauthentik/admin/common/ak-crypto-certificate-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
-import {
-    IRedirectURIInput,
-    akOAuthRedirectURIInput,
-} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-radio-input";
-import "@goauthentik/components/ak-text-input";
-import "@goauthentik/components/ak-textarea-input";
-import "@goauthentik/elements/ak-array-input.js";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
 import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/Radio";
-import "@goauthentik/elements/forms/SearchSelect";
-import "@goauthentik/elements/utils/TimeDeltaHelp";
 
-import { msg } from "@lit/localize";
-import { TemplateResult, css, html } from "lit";
+import { css } from "lit";
 import { customElement, state } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";
 
-import {
-    ClientTypeEnum,
-    FlowsInstancesListDesignationEnum,
-    IssuerModeEnum,
-    MatchingModeEnum,
-    OAuth2Provider,
-    ProvidersApi,
-    RedirectURI,
-    SubModeEnum,
-} from "@goauthentik/api";
+import { ClientTypeEnum, OAuth2Provider, ProvidersApi } from "@goauthentik/api";
 
-import { propertyMappingsProvider, propertyMappingsSelector } from "./OAuth2ProviderFormHelpers.js";
-import { oauth2SourcesProvider, oauth2SourcesSelector } from "./OAuth2Sources.js";
-
-export const clientTypeOptions = [
-    {
-        label: msg("Confidential"),
-        value: ClientTypeEnum.Confidential,
-        default: true,
-        description: html`${msg(
-            "Confidential clients are capable of maintaining the confidentiality of their credentials such as client secrets",
-        )}`,
-    },
-    {
-        label: msg("Public"),
-        value: ClientTypeEnum.Public,
-        description: html`${msg(
-            "Public clients are incapable of maintaining the confidentiality and should use methods like PKCE. ",
-        )}`,
-    },
-];
-
-export const subjectModeOptions = [
-    {
-        label: msg("Based on the User's hashed ID"),
-        value: SubModeEnum.HashedUserId,
-        default: true,
-    },
-    {
-        label: msg("Based on the User's ID"),
-        value: SubModeEnum.UserId,
-    },
-    {
-        label: msg("Based on the User's UUID"),
-        value: SubModeEnum.UserUuid,
-    },
-    {
-        label: msg("Based on the User's username"),
-        value: SubModeEnum.UserUsername,
-    },
-    {
-        label: msg("Based on the User's Email"),
-        value: SubModeEnum.UserEmail,
-        description: html`${msg("This is recommended over the UPN mode.")}`,
-    },
-    {
-        label: msg("Based on the User's UPN"),
-        value: SubModeEnum.UserUpn,
-        description: html`${msg(
-            "Requires the user to have a 'upn' attribute set, and falls back to hashed user ID. Use this mode only if you have different UPN and Mail domains.",
-        )}`,
-    },
-];
-
-export const issuerModeOptions = [
-    {
-        label: msg("Each provider has a different issuer, based on the application slug"),
-        value: IssuerModeEnum.PerProvider,
-        default: true,
-    },
-    {
-        label: msg("Same identifier is used for all providers"),
-        value: IssuerModeEnum.Global,
-    },
-];
-
-const redirectUriHelpMessages = [
-    msg(
-        "Valid redirect URIs after a successful authorization flow. Also specify any origins here for Implicit flows.",
-    ),
-    msg(
-        "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.",
-    ),
-    msg(
-        'To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.',
-    ),
-];
-
-export const redirectUriHelp = html`${redirectUriHelpMessages.map(
-    (m) => html`<p class="pf-c-form__helper-text">${m}</p>`,
-)}`;
+import { renderForm } from "./OAuth2ProviderFormForm.js";
 
 const providerToSelect = (provider: OAuth2Provider) => [provider.pk, provider.name];
 
@@ -168,9 +60,6 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
     @state()
     showClientSecret = true;
 
-    @state()
-    redirectUris: RedirectURI[] = [];
-
     static get styles() {
         return super.styles.concat(css`
             ak-array-input {
@@ -184,7 +73,6 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
             id: pk,
         });
         this.showClientSecret = provider.clientType === ClientTypeEnum.Confidential;
-        this.redirectUris = provider.redirectUris;
         return provider;
     }
 
@@ -201,259 +89,11 @@ export class OAuth2ProviderFormPage extends BaseProviderForm<OAuth2Provider> {
         }
     }
 
-    renderForm(): TemplateResult {
-        const provider = this.instance;
-
-        return html` <ak-text-input
-                name="name"
-                label=${msg("Name")}
-                value=${ifDefined(provider?.name)}
-                required
-            ></ak-text-input>
-
-            <ak-form-element-horizontal
-                name="authorizationFlow"
-                label=${msg("Authorization flow")}
-                ?required=${true}
-            >
-                <ak-flow-search
-                    flowType=${FlowsInstancesListDesignationEnum.Authorization}
-                    .currentFlow=${provider?.authorizationFlow}
-                    required
-                ></ak-flow-search>
-                <p class="pf-c-form__helper-text">
-                    ${msg("Flow used when authorizing this provider.")}
-                </p>
-            </ak-form-element-horizontal>
-            <ak-form-group expanded>
-                <span slot="header"> ${msg("Protocol settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-radio-input
-                        name="clientType"
-                        label=${msg("Client type")}
-                        .value=${provider?.clientType}
-                        required
-                        @change=${(ev: CustomEvent<{ value: ClientTypeEnum }>) => {
-                            this.showClientSecret = ev.detail.value !== ClientTypeEnum.Public;
-                        }}
-                        .options=${clientTypeOptions}
-                    >
-                    </ak-radio-input>
-                    <ak-text-input
-                        name="clientId"
-                        label=${msg("Client ID")}
-                        value="${first(
-                            provider?.clientId,
-                            randomString(40, ascii_letters + digits),
-                        )}"
-                        required
-                    >
-                    </ak-text-input>
-                    <ak-text-input
-                        name="clientSecret"
-                        label=${msg("Client Secret")}
-                        value="${first(
-                            provider?.clientSecret,
-                            randomString(128, ascii_letters + digits),
-                        )}"
-                        ?hidden=${!this.showClientSecret}
-                    >
-                    </ak-text-input>
-                    <ak-form-element-horizontal
-                        label=${msg("Redirect URIs/Origins")}
-                        required
-                        name="redirectUris"
-                    >
-                        <ak-array-input
-                            .items=${this.instance?.redirectUris ?? []}
-                            .newItem=${() => ({ matchingMode: MatchingModeEnum.Strict, url: "" })}
-                            .row=${(f?: RedirectURI) =>
-                                akOAuthRedirectURIInput({
-                                    ".redirectURI": f,
-                                    "style": "width: 100%",
-                                    "name": "oauth2-redirect-uri",
-                                } as unknown as IRedirectURIInput)}
-                        >
-                        </ak-array-input>
-                        ${redirectUriHelp}
-                    </ak-form-element-horizontal>
-
-                    <ak-form-element-horizontal label=${msg("Signing Key")} name="signingKey">
-                        <!-- NOTE: 'null' cast to 'undefined' on signingKey to satisfy Lit requirements -->
-                        <ak-crypto-certificate-search
-                            certificate=${ifDefined(this.instance?.signingKey ?? undefined)}
-                            singleton
-                        ></ak-crypto-certificate-search>
-                        <p class="pf-c-form__helper-text">${msg("Key used to sign the tokens.")}</p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal label=${msg("Encryption Key")} name="encryptionKey">
-                        <!-- NOTE: 'null' cast to 'undefined' on encryptionKey to satisfy Lit requirements -->
-                        <ak-crypto-certificate-search
-                            certificate=${ifDefined(this.instance?.encryptionKey ?? undefined)}
-                        ></ak-crypto-certificate-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Key used to encrypt the tokens.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-
-            <ak-form-group>
-                <span slot="header"> ${msg("Advanced flow settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        name="authenticationFlow"
-                        label=${msg("Authentication flow")}
-                    >
-                        <ak-flow-search
-                            flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                            .currentFlow=${provider?.authenticationFlow}
-                        ></ak-flow-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "Flow used when a user access this provider and is not authenticated.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Invalidation flow")}
-                        name="invalidationFlow"
-                        required
-                    >
-                        <ak-flow-search
-                            flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                            .currentFlow=${provider?.invalidationFlow}
-                            defaultFlowSlug="default-provider-invalidation-flow"
-                            required
-                        ></ak-flow-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Flow used when logging out of this provider.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-
-            <ak-form-group>
-                <span slot="header"> ${msg("Advanced protocol settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-text-input
-                        name="accessCodeValidity"
-                        label=${msg("Access code validity")}
-                        required
-                        value="${first(provider?.accessCodeValidity, "minutes=1")}"
-                        .bighelp=${html`<p class="pf-c-form__helper-text">
-                                ${msg("Configure how long access codes are valid for.")}
-                            </p>
-                            <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
-                    >
-                    </ak-text-input>
-                    <ak-text-input
-                        name="accessTokenValidity"
-                        label=${msg("Access Token validity")}
-                        value="${first(provider?.accessTokenValidity, "minutes=5")}"
-                        required
-                        .bighelp=${html` <p class="pf-c-form__helper-text">
-                                ${msg("Configure how long access tokens are valid for.")}
-                            </p>
-                            <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
-                    >
-                    </ak-text-input>
-
-                    <ak-text-input
-                        name="refreshTokenValidity"
-                        label=${msg("Refresh Token validity")}
-                        value="${first(provider?.refreshTokenValidity, "days=30")}"
-                        ?required=${true}
-                        .bighelp=${html` <p class="pf-c-form__helper-text">
-                                ${msg("Configure how long refresh tokens are valid for.")}
-                            </p>
-                            <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
-                    >
-                    </ak-text-input>
-                    <ak-form-element-horizontal label=${msg("Scopes")} name="propertyMappings">
-                        <ak-dual-select-dynamic-selected
-                            .provider=${propertyMappingsProvider}
-                            .selector=${propertyMappingsSelector(provider?.propertyMappings)}
-                            available-label=${msg("Available Scopes")}
-                            selected-label=${msg("Selected Scopes")}
-                        ></ak-dual-select-dynamic-selected>
-
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "Select which scopes can be used by the client. The client still has to specify the scope to access the data.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-radio-input
-                        name="subMode"
-                        label=${msg("Subject mode")}
-                        required
-                        .options=${subjectModeOptions}
-                        .value=${provider?.subMode}
-                        help=${msg(
-                            "Configure what data should be used as unique User Identifier. For most cases, the default should be fine.",
-                        )}
-                    >
-                    </ak-radio-input>
-                    <ak-switch-input
-                        name="includeClaimsInIdToken"
-                        label=${msg("Include claims in id_token")}
-                        ?checked=${first(provider?.includeClaimsInIdToken, true)}
-                        help=${msg(
-                            "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.",
-                        )}
-                    ></ak-switch-input>
-                    <ak-radio-input
-                        name="issuerMode"
-                        label=${msg("Issuer mode")}
-                        required
-                        .options=${issuerModeOptions}
-                        .value=${provider?.issuerMode}
-                        help=${msg(
-                            "Configure how the issuer field of the ID Token should be filled.",
-                        )}
-                    >
-                    </ak-radio-input>
-                </div>
-            </ak-form-group>
-
-            <ak-form-group>
-                <span slot="header">${msg("Machine-to-Machine authentication settings")}</span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("Federated OIDC Sources")}
-                        name="jwtFederationSources"
-                    >
-                        <ak-dual-select-dynamic-selected
-                            .provider=${oauth2SourcesProvider}
-                            .selector=${oauth2SourcesSelector(provider?.jwtFederationSources)}
-                            available-label=${msg("Available Sources")}
-                            selected-label=${msg("Selected Sources")}
-                        ></ak-dual-select-dynamic-selected>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Federated OIDC Providers")}
-                        name="jwtFederationProviders"
-                    >
-                        <ak-dual-select-dynamic-selected
-                            .provider=${oauth2ProvidersProvider}
-                            .selector=${oauth2ProviderSelector(provider?.jwtFederationProviders)}
-                            available-label=${msg("Available Providers")}
-                            selected-label=${msg("Selected Providers")}
-                        ></ak-dual-select-dynamic-selected>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "JWTs signed by the selected providers can be used to authenticate to this provider.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>`;
+    renderForm() {
+        const showClientSecretCallback = (show: boolean) => {
+            this.showClientSecret = show;
+        };
+        return renderForm(this.instance ?? {}, [], this.showClientSecret, showClientSecretCallback);
     }
 }
 

web/src/admin/providers/oauth2/OAuth2ProviderFormForm.ts

@@ -0,0 +1,369 @@
+import "@goauthentik/admin/common/ak-crypto-certificate-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
+import {
+    IRedirectURIInput,
+    akOAuthRedirectURIInput,
+} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
+import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
+import "@goauthentik/components/ak-radio-input";
+import "@goauthentik/components/ak-text-input";
+import "@goauthentik/components/ak-textarea-input";
+import "@goauthentik/elements/ak-array-input.js";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import "@goauthentik/elements/forms/Radio";
+import "@goauthentik/elements/forms/SearchSelect";
+import "@goauthentik/elements/utils/TimeDeltaHelp";
+
+import { msg } from "@lit/localize";
+import { html } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import {
+    ClientTypeEnum,
+    FlowsInstancesListDesignationEnum,
+    IssuerModeEnum,
+    MatchingModeEnum,
+    OAuth2Provider,
+    RedirectURI,
+    SubModeEnum,
+    ValidationError,
+} from "@goauthentik/api";
+
+import { propertyMappingsProvider, propertyMappingsSelector } from "./OAuth2ProviderFormHelpers.js";
+import { oauth2ProvidersProvider, oauth2ProvidersSelector } from "./OAuth2ProvidersProvider.js";
+import { oauth2SourcesProvider, oauth2SourcesSelector } from "./OAuth2Sources.js";
+
+export const clientTypeOptions = [
+    {
+        label: msg("Confidential"),
+        value: ClientTypeEnum.Confidential,
+        default: true,
+        description: html`${msg(
+            "Confidential clients are capable of maintaining the confidentiality of their credentials such as client secrets",
+        )}`,
+    },
+    {
+        label: msg("Public"),
+        value: ClientTypeEnum.Public,
+        description: html`${msg(
+            "Public clients are incapable of maintaining the confidentiality and should use methods like PKCE. ",
+        )}`,
+    },
+];
+
+export const subjectModeOptions = [
+    {
+        label: msg("Based on the User's hashed ID"),
+        value: SubModeEnum.HashedUserId,
+        default: true,
+    },
+    {
+        label: msg("Based on the User's ID"),
+        value: SubModeEnum.UserId,
+    },
+    {
+        label: msg("Based on the User's UUID"),
+        value: SubModeEnum.UserUuid,
+    },
+    {
+        label: msg("Based on the User's username"),
+        value: SubModeEnum.UserUsername,
+    },
+    {
+        label: msg("Based on the User's Email"),
+        value: SubModeEnum.UserEmail,
+        description: html`${msg("This is recommended over the UPN mode.")}`,
+    },
+    {
+        label: msg("Based on the User's UPN"),
+        value: SubModeEnum.UserUpn,
+        description: html`${msg(
+            "Requires the user to have a 'upn' attribute set, and falls back to hashed user ID. Use this mode only if you have different UPN and Mail domains.",
+        )}`,
+    },
+];
+
+export const issuerModeOptions = [
+    {
+        label: msg("Each provider has a different issuer, based on the application slug"),
+        value: IssuerModeEnum.PerProvider,
+        default: true,
+    },
+    {
+        label: msg("Same identifier is used for all providers"),
+        value: IssuerModeEnum.Global,
+    },
+];
+
+const redirectUriHelpMessages = [
+    msg(
+        "Valid redirect URIs after a successful authorization flow. Also specify any origins here for Implicit flows.",
+    ),
+    msg(
+        "If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.",
+    ),
+    msg(
+        'To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.',
+    ),
+];
+
+export const redirectUriHelp = html`${redirectUriHelpMessages.map(
+    (m) => html`<p class="pf-c-form__helper-text">${m}</p>`,
+)}`;
+
+type ShowClientSecret = (show: boolean) => void;
+const defaultShowClientSecret: ShowClientSecret = (_show) => undefined;
+
+export function renderForm(
+    provider: Partial<OAuth2Provider>,
+    errors: ValidationError,
+    showClientSecret = false,
+    showClientSecretCallback: ShowClientSecret = defaultShowClientSecret,
+) {
+    return html` <ak-text-input
+            name="name"
+            label=${msg("Name")}
+            value=${ifDefined(provider?.name)}
+            required
+        ></ak-text-input>
+
+        <ak-form-element-horizontal
+            name="authorizationFlow"
+            label=${msg("Authorization flow")}
+            ?required=${true}
+        >
+            <ak-flow-search
+                flowType=${FlowsInstancesListDesignationEnum.Authorization}
+                .currentFlow=${provider?.authorizationFlow}
+                required
+            ></ak-flow-search>
+            <p class="pf-c-form__helper-text">
+                ${msg("Flow used when authorizing this provider.")}
+            </p>
+        </ak-form-element-horizontal>
+        <ak-form-group expanded>
+            <span slot="header"> ${msg("Protocol settings")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-radio-input
+                    name="clientType"
+                    label=${msg("Client type")}
+                    .value=${provider?.clientType}
+                    required
+                    @change=${(ev: CustomEvent<{ value: ClientTypeEnum }>) => {
+                        showClientSecretCallback(ev.detail.value !== ClientTypeEnum.Public);
+                    }}
+                    .options=${clientTypeOptions}
+                >
+                </ak-radio-input>
+                <ak-text-input
+                    name="clientId"
+                    label=${msg("Client ID")}
+                    value="${first(provider?.clientId, randomString(40, ascii_letters + digits))}"
+                    required
+                >
+                </ak-text-input>
+                <ak-text-input
+                    name="clientSecret"
+                    label=${msg("Client Secret")}
+                    value="${first(
+                        provider?.clientSecret,
+                        randomString(128, ascii_letters + digits),
+                    )}"
+                    ?hidden=${!showClientSecret}
+                >
+                </ak-text-input>
+                <ak-form-element-horizontal
+                    label=${msg("Redirect URIs/Origins (RegEx)")}
+                    required
+                    name="redirectUris"
+                >
+                    <ak-array-input
+                        .items=${provider?.redirectUris ?? []}
+                        .newItem=${() => ({ matchingMode: MatchingModeEnum.Strict, url: "" })}
+                        .row=${(f?: RedirectURI) =>
+                            akOAuthRedirectURIInput({
+                                ".redirectURI": f,
+                                "style": "width: 100%",
+                                "name": "oauth2-redirect-uri",
+                            } as unknown as IRedirectURIInput)}
+                    >
+                    </ak-array-input>
+                    ${redirectUriHelp}
+                </ak-form-element-horizontal>
+
+                <ak-form-element-horizontal label=${msg("Signing Key")} name="signingKey">
+                    <!-- NOTE: 'null' cast to 'undefined' on signingKey to satisfy Lit requirements -->
+                    <ak-crypto-certificate-search
+                        certificate=${ifDefined(provider?.signingKey ?? undefined)}
+                        singleton
+                    ></ak-crypto-certificate-search>
+                    <p class="pf-c-form__helper-text">${msg("Key used to sign the tokens.")}</p>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal label=${msg("Encryption Key")} name="encryptionKey">
+                    <!-- NOTE: 'null' cast to 'undefined' on encryptionKey to satisfy Lit requirements -->
+                    <ak-crypto-certificate-search
+                        certificate=${ifDefined(provider?.encryptionKey ?? undefined)}
+                    ></ak-crypto-certificate-search>
+                    <p class="pf-c-form__helper-text">${msg("Key used to encrypt the tokens.")}</p>
+                </ak-form-element-horizontal>
+            </div>
+        </ak-form-group>
+
+        <ak-form-group>
+            <span slot="header"> ${msg("Advanced flow settings")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-form-element-horizontal
+                    name="authenticationFlow"
+                    label=${msg("Authentication flow")}
+                >
+                    <ak-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                        .currentFlow=${provider?.authenticationFlow}
+                    ></ak-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "Flow used when a user access this provider and is not authenticated.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("Invalidation flow")}
+                    name="invalidationFlow"
+                    required
+                >
+                    <ak-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                        .currentFlow=${provider?.invalidationFlow}
+                        defaultFlowSlug="default-provider-invalidation-flow"
+                        required
+                    ></ak-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Flow used when logging out of this provider.")}
+                    </p>
+                </ak-form-element-horizontal>
+            </div>
+        </ak-form-group>
+
+        <ak-form-group>
+            <span slot="header"> ${msg("Advanced protocol settings")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-text-input
+                    name="accessCodeValidity"
+                    label=${msg("Access code validity")}
+                    required
+                    value="${first(provider?.accessCodeValidity, "minutes=1")}"
+                    .bighelp=${html`<p class="pf-c-form__helper-text">
+                            ${msg("Configure how long access codes are valid for.")}
+                        </p>
+                        <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
+                >
+                </ak-text-input>
+                <ak-text-input
+                    name="accessTokenValidity"
+                    label=${msg("Access Token validity")}
+                    value="${first(provider?.accessTokenValidity, "minutes=5")}"
+                    required
+                    .bighelp=${html` <p class="pf-c-form__helper-text">
+                            ${msg("Configure how long access tokens are valid for.")}
+                        </p>
+                        <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
+                >
+                </ak-text-input>
+
+                <ak-text-input
+                    name="refreshTokenValidity"
+                    label=${msg("Refresh Token validity")}
+                    value="${first(provider?.refreshTokenValidity, "days=30")}"
+                    ?required=${true}
+                    .bighelp=${html` <p class="pf-c-form__helper-text">
+                            ${msg("Configure how long refresh tokens are valid for.")}
+                        </p>
+                        <ak-utils-time-delta-help></ak-utils-time-delta-help>`}
+                >
+                </ak-text-input>
+                <ak-form-element-horizontal label=${msg("Scopes")} name="propertyMappings">
+                    <ak-dual-select-dynamic-selected
+                        .provider=${propertyMappingsProvider}
+                        .selector=${propertyMappingsSelector(provider?.propertyMappings)}
+                        available-label=${msg("Available Scopes")}
+                        selected-label=${msg("Selected Scopes")}
+                    ></ak-dual-select-dynamic-selected>
+
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "Select which scopes can be used by the client. The client still has to specify the scope to access the data.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+                <ak-radio-input
+                    name="subMode"
+                    label=${msg("Subject mode")}
+                    required
+                    .options=${subjectModeOptions}
+                    .value=${provider?.subMode}
+                    help=${msg(
+                        "Configure what data should be used as unique User Identifier. For most cases, the default should be fine.",
+                    )}
+                >
+                </ak-radio-input>
+                <ak-switch-input
+                    name="includeClaimsInIdToken"
+                    label=${msg("Include claims in id_token")}
+                    ?checked=${first(provider?.includeClaimsInIdToken, true)}
+                    help=${msg(
+                        "Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.",
+                    )}
+                ></ak-switch-input>
+                <ak-radio-input
+                    name="issuerMode"
+                    label=${msg("Issuer mode")}
+                    required
+                    .options=${issuerModeOptions}
+                    .value=${provider?.issuerMode}
+                    help=${msg("Configure how the issuer field of the ID Token should be filled.")}
+                >
+                </ak-radio-input>
+            </div>
+        </ak-form-group>
+
+        <ak-form-group>
+            <span slot="header">${msg("Machine-to-Machine authentication settings")}</span>
+            <div slot="body" class="pf-c-form">
+                <ak-form-element-horizontal
+                    label=${msg("Federated OIDC Sources")}
+                    name="jwtFederationSources"
+                >
+                    <ak-dual-select-dynamic-selected
+                        .provider=${oauth2SourcesProvider}
+                        .selector=${oauth2SourcesSelector(provider?.jwtFederationSources)}
+                        available-label=${msg("Available Sources")}
+                        selected-label=${msg("Selected Sources")}
+                    ></ak-dual-select-dynamic-selected>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("Federated OIDC Providers")}
+                    name="jwtFederationProviders"
+                >
+                    <ak-dual-select-dynamic-selected
+                        .provider=${oauth2ProvidersProvider}
+                        .selector=${oauth2ProvidersSelector(provider?.jwtFederationProviders)}
+                        available-label=${msg("Available Providers")}
+                        selected-label=${msg("Selected Providers")}
+                    ></ak-dual-select-dynamic-selected>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "JWTs signed by the selected providers can be used to authenticate to this provider.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+            </div>
+        </ak-form-group>`;
+}

web/src/admin/providers/oauth2/OAuth2ProvidersProvider.ts

@@ -0,0 +1,43 @@
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { DualSelectPair } from "@goauthentik/elements/ak-dual-select/types";
+
+import { OAuth2Provider, ProvidersApi } from "@goauthentik/api";
+
+const providerToSelect = (provider: OAuth2Provider) => [provider.pk, provider.name];
+
+export async function oauth2ProvidersProvider(page = 1, search = "") {
+    const oauthProviders = await new ProvidersApi(DEFAULT_CONFIG).providersOauth2List({
+        ordering: "name",
+        pageSize: 20,
+        search: search.trim(),
+        page,
+    });
+
+    return {
+        pagination: oauthProviders.pagination,
+        options: oauthProviders.results.map((provider) => providerToSelect(provider)),
+    };
+}
+
+export function oauth2ProvidersSelector(instanceProviders: number[] | undefined) {
+    if (!instanceProviders) {
+        return async (mappings: DualSelectPair<OAuth2Provider>[]) =>
+            mappings.filter(
+                ([_0, _1, _2, source]: DualSelectPair<OAuth2Provider>) => source !== undefined,
+            );
+    }
+
+    return async () => {
+        const oauthSources = new ProvidersApi(DEFAULT_CONFIG);
+        const mappings = await Promise.allSettled(
+            instanceProviders.map((instanceId) =>
+                oauthSources.providersOauth2Retrieve({ id: instanceId }),
+            ),
+        );
+
+        return mappings
+            .filter((s) => s.status === "fulfilled")
+            .map((s) => s.value)
+            .map(providerToSelect);
+    };
+}

web/src/admin/providers/proxy/ProxyProviderForm.ts

@@ -1,40 +1,18 @@
 import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
-import {
-    oauth2ProviderSelector,
-    oauth2ProvidersProvider,
-} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderForm";
-import {
-    oauth2SourcesProvider,
-    oauth2SourcesSelector,
-} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first } from "@goauthentik/common/utils";
-import "@goauthentik/components/ak-toggle-group";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/SearchSelect";
-import "@goauthentik/elements/utils/TimeDeltaHelp";
 
-import { msg } from "@lit/localize";
-import { CSSResult, TemplateResult, html } from "lit";
+import { CSSResult } from "lit";
 import { customElement, state } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";
 
 import PFContent from "@patternfly/patternfly/components/Content/content.css";
 import PFList from "@patternfly/patternfly/components/List/list.css";
 import PFSpacing from "@patternfly/patternfly/utilities/Spacing/spacing.css";
 
-import {
-    FlowsInstancesListDesignationEnum,
-    ProvidersApi,
-    ProxyMode,
-    ProxyProvider,
-} from "@goauthentik/api";
+import { ProvidersApi, ProxyMode, ProxyProvider } from "@goauthentik/api";
 
-import { propertyMappingsProvider, propertyMappingsSelector } from "./ProxyProviderFormHelpers.js";
+import { SetMode, SetShowHttpBasic, renderForm } from "./ProxyProviderFormForm.js";
 
 @customElement("ak-provider-proxy-form")
 export class ProxyProviderFormPage extends BaseProviderForm<ProxyProvider> {
@@ -46,8 +24,8 @@ export class ProxyProviderFormPage extends BaseProviderForm<ProxyProvider> {
         const provider = await new ProvidersApi(DEFAULT_CONFIG).providersProxyRetrieve({
             id: pk,
         });
-        this.showHttpBasic = first(provider.basicAuthEnabled, true);
-        this.mode = first(provider.mode, ProxyMode.Proxy);
+        this.showHttpBasic = provider.basicAuthEnabled ?? true;
+        this.mode = provider.mode ?? ProxyMode.Proxy;
         return provider;
     }
 
@@ -74,392 +52,22 @@ export class ProxyProviderFormPage extends BaseProviderForm<ProxyProvider> {
         }
     }
 
-    renderHttpBasic(): TemplateResult {
-        return html`<ak-text-input
-                name="basicAuthUserAttribute"
-                label=${msg("HTTP-Basic Username Key")}
-                value="${ifDefined(this.instance?.basicAuthUserAttribute)}"
-                help=${msg(
-                    "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used.",
-                )}
-            >
-            </ak-text-input>
-
-            <ak-text-input
-                name="basicAuthPasswordAttribute"
-                label=${msg("HTTP-Basic Password Key")}
-                value="${ifDefined(this.instance?.basicAuthPasswordAttribute)}"
-                help=${msg(
-                    "User/Group Attribute used for the password part of the HTTP-Basic Header.",
-                )}
-            >
-            </ak-text-input>`;
-    }
-
-    renderModeSelector(): TemplateResult {
-        const setMode = (ev: CustomEvent<{ value: ProxyMode }>) => {
+    renderForm() {
+        const onSetMode: SetMode = (ev) => {
             this.mode = ev.detail.value;
         };
 
-        // prettier-ignore
-        return html`
-            <ak-toggle-group value=${this.mode} @ak-toggle=${setMode}>
-                <option value=${ProxyMode.Proxy}>${msg("Proxy")}</option>
-                <option value=${ProxyMode.ForwardSingle}>${msg("Forward auth (single application)")}</option>
-                <option value=${ProxyMode.ForwardDomain}>${msg("Forward auth (domain level)")}</option>
-            </ak-toggle-group>
-        `;
-    }
+        const onSetShowHttpBasic: SetShowHttpBasic = (ev: Event) => {
+            const el = ev.target as HTMLInputElement;
+            this.showHttpBasic = el.checked;
+        };
 
-    renderSettings(): TemplateResult {
-        switch (this.mode) {
-            case ProxyMode.Proxy:
-                return html`<p class="pf-u-mb-xl">
-                        ${msg(
-                            "This provider will behave like a transparent reverse-proxy, except requests must be authenticated. If your upstream application uses HTTPS, make sure to connect to the outpost using HTTPS as well.",
-                        )}
-                    </p>
-                    <ak-form-element-horizontal
-                        label=${msg("External host")}
-                        ?required=${true}
-                        name="externalHost"
-                    >
-                        <input
-                            type="text"
-                            value="${ifDefined(this.instance?.externalHost)}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "The external URL you'll access the application at. Include any non-standard port.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Internal host")}
-                        ?required=${true}
-                        name="internalHost"
-                    >
-                        <input
-                            type="text"
-                            value="${ifDefined(this.instance?.internalHost)}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Upstream host that the requests are forwarded to.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal name="internalHostSslValidation">
-                        <label class="pf-c-switch">
-                            <input
-                                class="pf-c-switch__input"
-                                type="checkbox"
-                                ?checked=${first(this.instance?.internalHostSslValidation, true)}
-                            />
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
-                            </span>
-                            <span class="pf-c-switch__label"
-                                >${msg("Internal host SSL Validation")}</span
-                            >
-                        </label>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Validate SSL Certificates of upstream servers.")}
-                        </p>
-                    </ak-form-element-horizontal>`;
-            case ProxyMode.ForwardSingle:
-                return html`<p class="pf-u-mb-xl">
-                        ${msg(
-                            "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).",
-                        )}
-                    </p>
-                    <ak-form-element-horizontal
-                        label=${msg("External host")}
-                        ?required=${true}
-                        name="externalHost"
-                    >
-                        <input
-                            type="text"
-                            value="${ifDefined(this.instance?.externalHost)}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "The external URL you'll access the application at. Include any non-standard port.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>`;
-            case ProxyMode.ForwardDomain:
-                return html`<p class="pf-u-mb-xl">
-                        ${msg(
-                            "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.",
-                        )}
-                    </p>
-                    <div class="pf-u-mb-xl">
-                        ${msg("An example setup can look like this:")}
-                        <ul class="pf-c-list">
-                            <li>${msg("authentik running on auth.example.com")}</li>
-                            <li>${msg("app1 running on app1.example.com")}</li>
-                        </ul>
-                        ${msg(
-                            "In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com.",
-                        )}
-                    </div>
-                    <ak-form-element-horizontal
-                        label=${msg("Authentication URL")}
-                        ?required=${true}
-                        name="externalHost"
-                    >
-                        <input
-                            type="text"
-                            value="${first(this.instance?.externalHost, window.location.origin)}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "The external URL you'll authenticate at. The authentik core server should be reachable under this URL.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Cookie domain")}
-                        name="cookieDomain"
-                        ?required=${true}
-                    >
-                        <input
-                            type="text"
-                            value="${ifDefined(this.instance?.cookieDomain)}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>`;
-            case ProxyMode.UnknownDefaultOpenApi:
-                return html`<p>${msg("Unknown proxy mode")}</p>`;
-        }
-    }
-
-    renderForm(): TemplateResult {
-        return html`
-            <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
-                <input
-                    type="text"
-                    value="${ifDefined(this.instance?.name)}"
-                    class="pf-c-form-control"
-                    required
-                />
-            </ak-form-element-horizontal>
-            <ak-form-element-horizontal
-                label=${msg("Authorization flow")}
-                required
-                name="authorizationFlow"
-            >
-                <ak-flow-search
-                    flowType=${FlowsInstancesListDesignationEnum.Authorization}
-                    .currentFlow=${this.instance?.authorizationFlow}
-                    required
-                ></ak-flow-search>
-                <p class="pf-c-form__helper-text">
-                    ${msg("Flow used when authorizing this provider.")}
-                </p>
-            </ak-form-element-horizontal>
-
-            <div class="pf-c-card pf-m-selectable pf-m-selected">
-                <div class="pf-c-card__body">${this.renderModeSelector()}</div>
-                <div class="pf-c-card__footer">${this.renderSettings()}</div>
-            </div>
-            <ak-form-element-horizontal label=${msg("Token validity")} name="accessTokenValidity">
-                <input
-                    type="text"
-                    value="${first(this.instance?.accessTokenValidity, "hours=24")}"
-                    class="pf-c-form-control"
-                />
-                <p class="pf-c-form__helper-text">
-                    ${msg("Configure how long tokens are valid for.")}
-                </p>
-                <ak-utils-time-delta-help></ak-utils-time-delta-help>
-            </ak-form-element-horizontal>
-
-            <ak-form-group>
-                <span slot="header">${msg("Advanced protocol settings")}</span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal label=${msg("Certificate")} name="certificate">
-                        <ak-crypto-certificate-search
-                            .certificate=${this.instance?.certificate}
-                        ></ak-crypto-certificate-search>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Additional scopes")}
-                        name="propertyMappings"
-                    >
-                        <ak-dual-select-dynamic-selected
-                            .provider=${propertyMappingsProvider}
-                            .selector=${propertyMappingsSelector(this.instance?.propertyMappings)}
-                            available-label="${msg("Available Scopes")}"
-                            selected-label="${msg("Selected Scopes")}"
-                        ></ak-dual-select-dynamic-selected>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Additional scope mappings, which are passed to the proxy.")}
-                        </p>
-                    </ak-form-element-horizontal>
-
-                    <ak-form-element-horizontal
-                        label="${this.mode === ProxyMode.ForwardDomain
-                            ? msg("Unauthenticated URLs")
-                            : msg("Unauthenticated Paths")}"
-                        name="skipPathRegex"
-                    >
-                        <textarea class="pf-c-form-control">
-${this.instance?.skipPathRegex}</textarea
-                        >
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression.",
-                            )}
-                        </p>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-            <ak-form-group>
-                <span slot="header">${msg("Authentication settings")}</span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal name="interceptHeaderAuth">
-                        <label class="pf-c-switch">
-                            <input
-                                class="pf-c-switch__input"
-                                type="checkbox"
-                                ?checked=${first(this.instance?.interceptHeaderAuth, true)}
-                            />
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
-                            </span>
-                            <span class="pf-c-switch__label"
-                                >${msg("Intercept header authentication")}</span
-                            >
-                        </label>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "When enabled, authentik will intercept the Authorization header to authenticate the request.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal name="basicAuthEnabled">
-                        <label class="pf-c-switch">
-                            <input
-                                class="pf-c-switch__input"
-                                type="checkbox"
-                                ?checked=${first(this.instance?.basicAuthEnabled, false)}
-                                @change=${(ev: Event) => {
-                                    const el = ev.target as HTMLInputElement;
-                                    this.showHttpBasic = el.checked;
-                                }}
-                            />
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
-                            </span>
-                            <span class="pf-c-switch__label"
-                                >${msg("Send HTTP-Basic Authentication")}</span
-                            >
-                        </label>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "Send a custom HTTP-Basic Authentication header based on values from authentik.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    ${this.showHttpBasic ? this.renderHttpBasic() : html``}
-                    <ak-form-element-horizontal
-                        label=${msg("Trusted OIDC Sources")}
-                        name="jwtFederationSources"
-                    >
-                        <ak-dual-select-dynamic-selected
-                            .provider=${oauth2SourcesProvider}
-                            .selector=${oauth2SourcesSelector(this.instance?.jwtFederationSources)}
-                            available-label=${msg("Available Sources")}
-                            selected-label=${msg("Selected Sources")}
-                        ></ak-dual-select-dynamic-selected>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Federated OIDC Providers")}
-                        name="jwtFederationProviders"
-                    >
-                        <ak-dual-select-dynamic-selected
-                            .provider=${oauth2ProvidersProvider}
-                            .selector=${oauth2ProviderSelector(
-                                this.instance?.jwtFederationProviders,
-                            )}
-                            available-label=${msg("Available Providers")}
-                            selected-label=${msg("Selected Providers")}
-                        ></ak-dual-select-dynamic-selected>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "JWTs signed by the selected providers can be used to authenticate to this provider.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-
-            <ak-form-group>
-                <span slot="header"> ${msg("Advanced flow settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("Authentication flow")}
-                        ?required=${false}
-                        name="authenticationFlow"
-                    >
-                        <ak-flow-search
-                            flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                            .currentFlow=${this.instance?.authenticationFlow}
-                        ></ak-flow-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "Flow used when a user access this provider and is not authenticated.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Invalidation flow")}
-                        name="invalidationFlow"
-                        required
-                    >
-                        <ak-flow-search
-                            flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                            .currentFlow=${this.instance?.invalidationFlow}
-                            defaultFlowSlug="default-provider-invalidation-flow"
-                            required
-                        ></ak-flow-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Flow used when logging out of this provider.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-        `;
+        return renderForm(this.instance ?? {}, [], {
+            mode: this.mode,
+            onSetMode,
+            showHttpBasic: this.showHttpBasic,
+            onSetShowHttpBasic,
+        });
     }
 }
 

web/src/admin/providers/proxy/ProxyProviderFormForm.ts

@@ -0,0 +1,363 @@
+import "@goauthentik/admin/common/ak-crypto-certificate-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
+import {
+    oauth2ProviderSelector,
+    oauth2ProvidersProvider,
+} from "@goauthentik/admin/providers/oauth2/OAuth2ProviderForm";
+import {
+    oauth2SourcesProvider,
+    oauth2SourcesSelector,
+} from "@goauthentik/admin/providers/oauth2/OAuth2Sources.js";
+import "@goauthentik/components/ak-toggle-group";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import "@goauthentik/elements/forms/SearchSelect";
+import "@goauthentik/elements/utils/TimeDeltaHelp";
+import { match } from "ts-pattern";
+
+import { msg } from "@lit/localize";
+import { html, nothing } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import {
+    FlowsInstancesListDesignationEnum,
+    ProxyMode,
+    ProxyProvider,
+    ValidationError,
+} from "@goauthentik/api";
+
+import { propertyMappingsProvider, propertyMappingsSelector } from "./ProxyProviderFormHelpers.js";
+
+export type ProxyModeValue = { value: ProxyMode };
+export type SetMode = (ev: CustomEvent<ProxyModeValue>) => void;
+export type SetShowHttpBasic = (ev: Event) => void;
+
+export interface ProxyModeExtraArgs {
+    mode: ProxyMode;
+    onSetMode: SetMode;
+    showHttpBasic: boolean;
+    onSetShowHttpBasic: SetShowHttpBasic;
+}
+
+function renderHttpBasic(provider: Partial<ProxyProvider>) {
+    return html`<ak-text-input
+            name="basicAuthUserAttribute"
+            label=${msg("HTTP-Basic Username Key")}
+            value="${ifDefined(provider?.basicAuthUserAttribute)}"
+            help=${msg(
+                "User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used.",
+            )}
+        >
+        </ak-text-input>
+
+        <ak-text-input
+            name="basicAuthPasswordAttribute"
+            label=${msg("HTTP-Basic Password Key")}
+            value="${ifDefined(provider?.basicAuthPasswordAttribute)}"
+            help=${msg("User/Group Attribute used for the password part of the HTTP-Basic Header.")}
+        >
+        </ak-text-input>`;
+}
+
+function renderModeSelector(mode: ProxyMode, onSet: SetMode) {
+    // prettier-ignore
+    return html` <ak-toggle-group
+        value=${mode}
+        @ak-toggle=${onSet}
+        data-ouid-component-name="proxy-type-toggle"
+    >
+        <option value=${ProxyMode.Proxy}>${msg("Proxy")}</option>
+        <option value=${ProxyMode.ForwardSingle}>${msg("Forward auth (single application)")}</option>
+        <option value=${ProxyMode.ForwardDomain}>${msg("Forward auth (domain level)")}</option>
+    </ak-toggle-group>`;
+}
+
+function renderProxySettings(provider: Partial<ProxyProvider>, errors?: ValidationError) {
+    return html`<p class="pf-u-mb-xl">
+            ${msg(
+                "This provider will behave like a transparent reverse-proxy, except requests must be authenticated. If your upstream application uses HTTPS, make sure to connect to the outpost using HTTPS as well.",
+            )}
+        </p>
+        <ak-text-input
+            name="externalHost"
+            label=${msg("External host")}
+            value="${ifDefined(provider?.externalHost)}"
+            required
+            .errorMessages=${errors?.externalHost ?? []}
+            help=${msg(
+                "The external URL you'll access the application at. Include any non-standard port.",
+            )}
+        ></ak-text-input>
+        <ak-text-input
+            name="internalHost"
+            label=${msg("Internal host")}
+            value="${ifDefined(provider?.internalHost)}"
+            required
+            .errorMessages=${errors?.internalHost ?? []}
+            help=${msg("Upstream host that the requests are forwarded to.")}
+        ></ak-text-input>
+
+        <ak-switch-input
+            name="internalHostSslValidation"
+            label=${msg("Internal host SSL Validation")}
+            ?checked=${provider?.internalHostSslValidation ?? true}
+            help=${msg("Validate SSL Certificates of upstream servers.")}
+        >
+        </ak-switch-input>`;
+}
+
+function renderForwardSingleSettings(provider: Partial<ProxyProvider>, errors?: ValidationError) {
+    return html`<p class="pf-u-mb-xl">
+            ${msg(
+                "Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you).",
+            )}
+        </p>
+        <ak-text-input
+            name="externalHost"
+            label=${msg("External host")}
+            value="${ifDefined(provider?.externalHost)}"
+            required
+            .errorMessages=${errors?.externalHost ?? []}
+            help=${msg(
+                "The external URL you'll access the application at. Include any non-standard port.",
+            )}
+        ></ak-text-input>`;
+}
+
+function renderForwardDomainSettings(provider: Partial<ProxyProvider>, errors?: ValidationError) {
+    return html`<p class="pf-u-mb-xl">
+            ${msg(
+                "Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.",
+            )}
+        </p>
+        <div class="pf-u-mb-xl">
+            ${msg("An example setup can look like this:")}
+            <ul class="pf-c-list">
+                <li>${msg("authentik running on auth.example.com")}</li>
+                <li>${msg("app1 running on app1.example.com")}</li>
+            </ul>
+            ${msg(
+                "In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com.",
+            )}
+        </div>
+
+        <ak-text-input
+            name="externalHost"
+            label=${msg("Authentication URL")}
+            value="${provider?.externalHost ?? window.location.origin}"
+            required
+            .errorMessages=${errors?.externalHost ?? []}
+            help=${msg(
+                "The external URL you'll authenticate at. The authentik core server should be reachable under this URL.",
+            )}
+        ></ak-text-input>
+
+        <ak-text-input
+            label=${msg("Cookie domain")}
+            name="cookieDomain"
+            value="${ifDefined(provider?.cookieDomain)}"
+            required
+            .errorMessages=${errors?.cookieDomain ?? []}
+            help=${msg(
+                "Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.",
+            )}
+        ></ak-text-input> `;
+}
+
+type StrictProxyMode = Omit<ProxyMode, "11184809">;
+
+function renderSettings(provider: Partial<ProxyProvider>, mode: ProxyMode) {
+    return match(mode as StrictProxyMode)
+        .with(ProxyMode.Proxy, () => renderProxySettings(provider))
+        .with(ProxyMode.ForwardSingle, () => renderForwardSingleSettings(provider))
+        .with(ProxyMode.ForwardDomain, () => renderForwardDomainSettings(provider))
+        .otherwise(() => {
+            throw new Error("Unrecognized proxy mode");
+        });
+}
+
+export function renderForm(
+    provider: Partial<ProxyProvider> = {},
+    errors: ValidationError = {},
+    args: ProxyModeExtraArgs,
+) {
+    const { mode, onSetMode, showHttpBasic, onSetShowHttpBasic } = args;
+
+    return html`
+        <ak-text-input
+            name="name"
+            value=${ifDefined(provider?.name)}
+            label=${msg("Name")}
+            .errorMessages=${errors?.name ?? []}
+            required
+        ></ak-text-input>
+
+        <ak-form-element-horizontal
+            label=${msg("Authorization flow")}
+            required
+            name="authorizationFlow"
+        >
+            <ak-flow-search
+                flowType=${FlowsInstancesListDesignationEnum.Authorization}
+                .currentFlow=${provider?.authorizationFlow}
+                required
+            ></ak-flow-search>
+            <p class="pf-c-form__helper-text">
+                ${msg("Flow used when authorizing this provider.")}
+            </p>
+        </ak-form-element-horizontal>
+
+        <div class="pf-c-card pf-m-selectable pf-m-selected">
+            <div class="pf-c-card__body">${renderModeSelector(mode, onSetMode)}</div>
+            <div class="pf-c-card__footer">${renderSettings(provider, mode)}</div>
+        </div>
+
+        <ak-text-input
+            label=${msg("Token validity")}
+            name="accessTokenValidity"
+            value="${provider?.accessTokenValidity ?? "hours=24"}"
+            .errorMessages=${errors?.accessTokenValidity ?? []}
+            required
+            .help=${msg("Configure how long tokens are valid for.")}
+        ></ak-text-input>
+
+        <ak-form-group>
+            <span slot="header">${msg("Advanced protocol settings")}</span>
+            <div slot="body" class="pf-c-form">
+                <ak-form-element-horizontal label=${msg("Certificate")} name="certificate">
+                    <ak-crypto-certificate-search
+                        .certificate=${provider?.certificate}
+                    ></ak-crypto-certificate-search>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("Additional scopes")}
+                    name="propertyMappings"
+                >
+                    <ak-dual-select-dynamic-selected
+                        .provider=${propertyMappingsProvider}
+                        .selector=${propertyMappingsSelector(provider?.propertyMappings)}
+                        available-label="${msg("Available Scopes")}"
+                        selected-label="${msg("Selected Scopes")}"
+                    ></ak-dual-select-dynamic-selected>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Additional scope mappings, which are passed to the proxy.")}
+                    </p>
+                </ak-form-element-horizontal>
+
+                <ak-form-element-horizontal
+                    label="${mode === ProxyMode.ForwardDomain
+                        ? msg("Unauthenticated URLs")
+                        : msg("Unauthenticated Paths")}"
+                    name="skipPathRegex"
+                >
+                    <textarea class="pf-c-form-control">${provider?.skipPathRegex}</textarea>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression.",
+                        )}
+                    </p>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+            </div>
+        </ak-form-group>
+        <ak-form-group>
+            <span slot="header">${msg("Authentication settings")}</span>
+            <div slot="body" class="pf-c-form">
+                <ak-switch-input
+                    name="interceptHeaderAuth"
+                    label=${msg("Intercept header authentication")}
+                    ?checked=${provider?.interceptHeaderAuth ?? true}
+                    help=${msg(
+                        "When enabled, authentik will intercept the Authorization header to authenticate the request.",
+                    )}
+                >
+                </ak-switch-input>
+
+                <ak-switch-input
+                    name="basicAuthEnabled"
+                    label=${msg("Send HTTP-Basic Authentication")}
+                    ?checked=${provider?.basicAuthEnabled ?? false}
+                    help=${msg(
+                        "Send a custom HTTP-Basic Authentication header based on values from authentik.",
+                    )}
+                    @change=${onSetShowHttpBasic}
+                >
+                </ak-switch-input>
+
+                ${showHttpBasic ? renderHttpBasic(provider) : nothing}
+                <ak-form-element-horizontal
+                    label=${msg("Trusted OIDC Sources")}
+                    name="jwtFederationSources"
+                >
+                    <ak-dual-select-dynamic-selected
+                        .provider=${oauth2SourcesProvider}
+                        .selector=${oauth2SourcesSelector(provider?.jwtFederationSources)}
+                        available-label=${msg("Available Sources")}
+                        selected-label=${msg("Selected Sources")}
+                    ></ak-dual-select-dynamic-selected>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("Federated OIDC Providers")}
+                    name="jwtFederationProviders"
+                >
+                    <ak-dual-select-dynamic-selected
+                        .provider=${oauth2ProvidersProvider}
+                        .selector=${oauth2ProviderSelector(provider?.jwtFederationProviders)}
+                        available-label=${msg("Available Providers")}
+                        selected-label=${msg("Selected Providers")}
+                    ></ak-dual-select-dynamic-selected>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "JWTs signed by the selected providers can be used to authenticate to this provider.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+            </div>
+        </ak-form-group>
+
+        <ak-form-group>
+            <span slot="header"> ${msg("Advanced flow settings")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-form-element-horizontal
+                    label=${msg("Authentication flow")}
+                    name="authenticationFlow"
+                >
+                    <ak-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                        .currentFlow=${provider?.authenticationFlow}
+                    ></ak-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "Flow used when a user access this provider and is not authenticated.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("Invalidation flow")}
+                    name="invalidationFlow"
+                    required
+                >
+                    <ak-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                        .currentFlow=${provider?.invalidationFlow}
+                        defaultFlowSlug="default-provider-invalidation-flow"
+                        required
+                    ></ak-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Flow used when logging out of this provider.")}
+                    </p>
+                </ak-form-element-horizontal>
+            </div>
+        </ak-form-group>
+    `;
+}

web/src/admin/providers/radius/RadiusProviderForm.ts

@@ -1,21 +1,12 @@
-import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/SearchSelect";
 
-import { msg } from "@lit/localize";
-import { TemplateResult, html } from "lit";
-import { ifDefined } from "lit-html/directives/if-defined.js";
 import { customElement } from "lit/decorators.js";
 
-import { FlowsInstancesListDesignationEnum, ProvidersApi, RadiusProvider } from "@goauthentik/api";
+import { ProvidersApi, RadiusProvider } from "@goauthentik/api";
 
-import { propertyMappingsProvider, propertyMappingsSelector } from "./RadiusProviderFormHelpers.js";
+import { renderForm } from "./RadiusProviderFormForm.js";
 
 @customElement("ak-provider-radius-form")
 export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm<RadiusProvider>) {
@@ -38,125 +29,8 @@ export class RadiusProviderFormPage extends WithBrandConfig(BaseProviderForm<Rad
         }
     }
 
-    // All Provider objects have an Authorization flow, but not all providers have an Authentication
-    // flow. Radius needs only one field, but it is not the Authorization field, it is an
-    // Authentication field. So, yeah, we're using the authorization field to store the
-    // authentication information, which is why the ak-branded-flow-search call down there looks so
-    // weird-- we're looking up Authentication flows, but we're storing them in the Authorization
-    // field of the target Provider.
-    renderForm(): TemplateResult {
-        return html`
-            <ak-form-element-horizontal label=${msg("Name")} required name="name">
-                <input
-                    type="text"
-                    value="${ifDefined(this.instance?.name)}"
-                    class="pf-c-form-control"
-                    required
-                />
-            </ak-form-element-horizontal>
-            <ak-form-element-horizontal
-                label=${msg("Authentication flow")}
-                required
-                name="authorizationFlow"
-            >
-                <ak-branded-flow-search
-                    flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                    .currentFlow=${this.instance?.authorizationFlow}
-                    .brandFlow=${this.brand?.flowAuthentication}
-                    required
-                ></ak-branded-flow-search>
-                <p class="pf-c-form__helper-text">${msg("Flow used for users to authenticate.")}</p>
-            </ak-form-element-horizontal>
-            <ak-form-element-horizontal name="mfaSupport">
-                <label class="pf-c-switch">
-                    <input
-                        class="pf-c-switch__input"
-                        type="checkbox"
-                        ?checked=${first(this.instance?.mfaSupport, true)}
-                    />
-                    <span class="pf-c-switch__toggle">
-                        <span class="pf-c-switch__toggle-icon">
-                            <i class="fas fa-check" aria-hidden="true"></i>
-                        </span>
-                    </span>
-                    <span class="pf-c-switch__label">${msg("Code-based MFA Support")}</span>
-                </label>
-                <p class="pf-c-form__helper-text">
-                    ${msg(
-                        "When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.",
-                    )}
-                </p>
-            </ak-form-element-horizontal>
-
-            <ak-form-group expanded>
-                <span slot="header"> ${msg("Protocol settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("Shared secret")}
-                        required
-                        name="sharedSecret"
-                    >
-                        <input
-                            type="text"
-                            value="${first(
-                                this.instance?.sharedSecret,
-                                randomString(128, ascii_letters + digits),
-                            )}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Client Networks")}
-                        required
-                        name="clientNetworks"
-                    >
-                        <input
-                            type="text"
-                            value="${first(this.instance?.clientNetworks, "0.0.0.0/0, ::/0")}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg(`List of CIDRs (comma-seperated) that clients can connect from. A more specific
-                            CIDR will match before a looser one. Clients connecting from a non-specified CIDR
-                            will be dropped.`)}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Property mappings")}
-                        name="propertyMappings"
-                    >
-                        <ak-dual-select-dynamic-selected
-                            .provider=${propertyMappingsProvider}
-                            .selector=${propertyMappingsSelector(this.instance?.propertyMappings)}
-                            available-label=${msg("Available Property Mappings")}
-                            selected-label=${msg("Selected Property Mappings")}
-                        ></ak-dual-select-dynamic-selected>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-            <ak-form-group>
-                <span slot="header"> ${msg("Advanced flow settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("Invalidation flow")}
-                        name="invalidationFlow"
-                        required
-                    >
-                        <ak-flow-search
-                            flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                            .currentFlow=${this.instance?.invalidationFlow}
-                            defaultFlowSlug="default-invalidation-flow"
-                            required
-                        ></ak-flow-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Flow used when logging out of this provider.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div></ak-form-group
-            >
-        `;
+    renderForm() {
+        return renderForm(this.instance ?? {}, [], this.brand);
     }
 }
 

web/src/admin/providers/radius/RadiusProviderFormForm.ts

@@ -0,0 +1,130 @@
+import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
+import { ascii_letters, digits, first, randomString } from "@goauthentik/common/utils";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import "@goauthentik/elements/forms/SearchSelect";
+
+import { msg } from "@lit/localize";
+import { html } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import {
+    CurrentBrand,
+    FlowsInstancesListDesignationEnum,
+    RadiusProvider,
+    ValidationError,
+} from "@goauthentik/api";
+
+import { propertyMappingsProvider, propertyMappingsSelector } from "./RadiusProviderFormHelpers.js";
+
+const mfaSupportHelp = msg(
+    "When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon.",
+);
+
+const clientNetworksHelp = msg(
+    "List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.",
+);
+
+// All Provider objects have an Authorization flow, but not all providers have an Authentication
+// flow. Radius needs only one field, but it is not the Authorization field, it is an
+// Authentication field. So, yeah, we're using the authorization field to store the
+// authentication information, which is why the ak-branded-flow-search call down there looks so
+// weird-- we're looking up Authentication flows, but we're storing them in the Authorization
+// field of the target Provider.
+
+export function renderForm(
+    provider?: Partial<RadiusProvider>,
+    errors: ValidationError = {},
+    brand?: CurrentBrand,
+) {
+    return html`
+        <ak-text-input
+            name="name"
+            label=${msg("Name")}
+            value=${ifDefined(provider?.name)}
+            .errorMessages=${errors?.name ?? []}
+            required
+        >
+        </ak-text-input>
+
+        <ak-form-element-horizontal
+            label=${msg("Authentication flow")}
+            required
+            name="authorizationFlow"
+            .errorMessages=${errors?.authorizationFlow ?? []}
+        >
+            <ak-branded-flow-search
+                flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                .currentFlow=${provider?.authorizationFlow}
+                .brandFlow=${brand?.flowAuthentication}
+                required
+            ></ak-branded-flow-search>
+            <p class="pf-c-form__helper-text">${msg("Flow used for users to authenticate.")}</p>
+        </ak-form-element-horizontal>
+
+        <ak-switch-input
+            name="mfaSupport"
+            label=${msg("Code-based MFA Support")}
+            ?checked=${provider?.mfaSupport ?? true}
+            help=${mfaSupportHelp}
+        >
+        </ak-switch-input>
+
+        <ak-form-group expanded>
+            <span slot="header"> ${msg("Protocol settings")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-text-input
+                    name="sharedSecret"
+                    label=${msg("Shared secret")}
+                    .errorMessages=${errors?.sharedSecret ?? []}
+                    value=${first(
+                        provider?.sharedSecret,
+                        randomString(128, ascii_letters + digits),
+                    )}
+                    required
+                ></ak-text-input>
+                <ak-text-input
+                    name="clientNetworks"
+                    label=${msg("Client Networks")}
+                    value=${first(provider?.clientNetworks, "0.0.0.0/0, ::/0")}
+                    .errorMessages=${errors?.clientNetworks ?? []}
+                    required
+                    help=${clientNetworksHelp}
+                ></ak-text-input>
+                <ak-form-element-horizontal
+                    label=${msg("Property mappings")}
+                    name="propertyMappings"
+                >
+                    <ak-dual-select-dynamic-selected
+                        .provider=${propertyMappingsProvider}
+                        .selector=${propertyMappingsSelector(provider?.propertyMappings)}
+                        available-label=${msg("Available Property Mappings")}
+                        selected-label=${msg("Selected Property Mappings")}
+                    ></ak-dual-select-dynamic-selected>
+                </ak-form-element-horizontal>
+            </div>
+        </ak-form-group>
+        <ak-form-group>
+            <span slot="header"> ${msg("Advanced flow settings")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-form-element-horizontal
+                    label=${msg("Invalidation flow")}
+                    name="invalidationFlow"
+                    required
+                >
+                    <ak-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                        .currentFlow=${provider?.invalidationFlow}
+                        .errorMessages=${errors?.invalidationFlow ?? []}
+                        defaultFlowSlug="default-invalidation-flow"
+                        required
+                    ></ak-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Flow used when logging out of this provider.")}
+                    </p>
+                </ak-form-element-horizontal>
+            </div></ak-form-group
+        >
+    `;
+}

web/src/admin/providers/saml/SAMLProviderForm.ts

@@ -1,36 +1,12 @@
-import {
-    digestAlgorithmOptions,
-    signatureAlgorithmOptions,
-} from "@goauthentik/admin/applications/wizard/methods/saml/SamlProviderOptions";
-import "@goauthentik/admin/common/ak-crypto-certificate-search";
-import AkCryptoCertificateSearch from "@goauthentik/admin/common/ak-crypto-certificate-search";
-import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
+import { type AkCryptoCertificateSearch } from "@goauthentik/admin/common/ak-crypto-certificate-search";
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first } from "@goauthentik/common/utils";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/Radio";
-import "@goauthentik/elements/forms/SearchSelect";
-import "@goauthentik/elements/utils/TimeDeltaHelp";
 
-import { msg } from "@lit/localize";
-import { TemplateResult, html, nothing } from "lit";
 import { customElement, state } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";
 
-import {
-    FlowsInstancesListDesignationEnum,
-    PropertymappingsApi,
-    PropertymappingsProviderSamlListRequest,
-    ProvidersApi,
-    SAMLPropertyMapping,
-    SAMLProvider,
-    SpBindingEnum,
-} from "@goauthentik/api";
+import { ProvidersApi, SAMLProvider } from "@goauthentik/api";
 
-import { propertyMappingsProvider, propertyMappingsSelector } from "./SAMLProviderFormHelpers.js";
+import { renderForm } from "./SAMLProviderFormForm.js";
 
 @customElement("ak-provider-saml-form")
 export class SAMLProviderFormPage extends BaseProviderForm<SAMLProvider> {
@@ -58,366 +34,14 @@ export class SAMLProviderFormPage extends BaseProviderForm<SAMLProvider> {
         }
     }
 
-    renderForm(): TemplateResult {
-        return html` <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
-                <input
-                    type="text"
-                    value="${ifDefined(this.instance?.name)}"
-                    class="pf-c-form-control"
-                    required
-                />
-            </ak-form-element-horizontal>
-            <ak-form-element-horizontal
-                label=${msg("Authorization flow")}
-                required
-                name="authorizationFlow"
-            >
-                <ak-flow-search
-                    flowType=${FlowsInstancesListDesignationEnum.Authorization}
-                    .currentFlow=${this.instance?.authorizationFlow}
-                    required
-                ></ak-flow-search>
-                <p class="pf-c-form__helper-text">
-                    ${msg("Flow used when authorizing this provider.")}
-                </p>
-            </ak-form-element-horizontal>
+    renderForm() {
+        const setHasSigningKp = (ev: InputEvent) => {
+            const target = ev.target as AkCryptoCertificateSearch;
+            if (!target) return;
+            this.hasSigningKp = !!target.selectedKeypair;
+        };
 
-            <ak-form-group .expanded=${true}>
-                <span slot="header"> ${msg("Protocol settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("ACS URL")}
-                        ?required=${true}
-                        name="acsUrl"
-                    >
-                        <input
-                            type="text"
-                            value="${ifDefined(this.instance?.acsUrl)}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Issuer")}
-                        ?required=${true}
-                        name="issuer"
-                    >
-                        <input
-                            type="text"
-                            value="${this.instance?.issuer || "authentik"}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">${msg("Also known as EntityID.")}</p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Service Provider Binding")}
-                        ?required=${true}
-                        name="spBinding"
-                    >
-                        <ak-radio
-                            .options=${[
-                                {
-                                    label: msg("Redirect"),
-                                    value: SpBindingEnum.Redirect,
-                                    default: true,
-                                },
-                                {
-                                    label: msg("Post"),
-                                    value: SpBindingEnum.Post,
-                                },
-                            ]}
-                            .value=${this.instance?.spBinding}
-                        >
-                        </ak-radio>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "Determines how authentik sends the response back to the Service Provider.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal label=${msg("Audience")} name="audience">
-                        <input
-                            type="text"
-                            value="${ifDefined(this.instance?.audience)}"
-                            class="pf-c-form-control"
-                        />
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-
-            <ak-form-group>
-                <span slot="header"> ${msg("Advanced flow settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("Authentication flow")}
-                        ?required=${false}
-                        name="authenticationFlow"
-                    >
-                        <ak-flow-search
-                            flowType=${FlowsInstancesListDesignationEnum.Authentication}
-                            .currentFlow=${this.instance?.authenticationFlow}
-                        ></ak-flow-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "Flow used when a user access this provider and is not authenticated.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Invalidation flow")}
-                        name="invalidationFlow"
-                        required
-                    >
-                        <ak-flow-search
-                            flowType=${FlowsInstancesListDesignationEnum.Invalidation}
-                            .currentFlow=${this.instance?.invalidationFlow}
-                            defaultFlowSlug="default-provider-invalidation-flow"
-                            required
-                        ></ak-flow-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Flow used when logging out of this provider.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-
-            <ak-form-group>
-                <span slot="header"> ${msg("Advanced protocol settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("Signing Certificate")}
-                        name="signingKp"
-                    >
-                        <ak-crypto-certificate-search
-                            .certificate=${this.instance?.signingKp}
-                            @input=${(ev: InputEvent) => {
-                                const target = ev.target as AkCryptoCertificateSearch;
-                                if (!target) return;
-                                this.hasSigningKp = !!target.selectedKeypair;
-                            }}
-                        ></ak-crypto-certificate-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "Certificate used to sign outgoing Responses going to the Service Provider.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    ${this.hasSigningKp
-                        ? html` <ak-form-element-horizontal name="signAssertion">
-                                  <label class="pf-c-switch">
-                                      <input
-                                          class="pf-c-switch__input"
-                                          type="checkbox"
-                                          ?checked=${first(this.instance?.signAssertion, true)}
-                                      />
-                                      <span class="pf-c-switch__toggle">
-                                          <span class="pf-c-switch__toggle-icon">
-                                              <i class="fas fa-check" aria-hidden="true"></i>
-                                          </span>
-                                      </span>
-                                      <span class="pf-c-switch__label"
-                                          >${msg("Sign assertions")}</span
-                                      >
-                                  </label>
-                                  <p class="pf-c-form__helper-text">
-                                      ${msg(
-                                          "When enabled, the assertion element of the SAML response will be signed.",
-                                      )}
-                                  </p>
-                              </ak-form-element-horizontal>
-                              <ak-form-element-horizontal name="signResponse">
-                                  <label class="pf-c-switch">
-                                      <input
-                                          class="pf-c-switch__input"
-                                          type="checkbox"
-                                          ?checked=${first(this.instance?.signResponse, false)}
-                                      />
-                                      <span class="pf-c-switch__toggle">
-                                          <span class="pf-c-switch__toggle-icon">
-                                              <i class="fas fa-check" aria-hidden="true"></i>
-                                          </span>
-                                      </span>
-                                      <span class="pf-c-switch__label"
-                                          >${msg("Sign responses")}</span
-                                      >
-                                  </label>
-                                  <p class="pf-c-form__helper-text">
-                                      ${msg(
-                                          "When enabled, the assertion element of the SAML response will be signed.",
-                                      )}
-                                  </p>
-                              </ak-form-element-horizontal>`
-                        : nothing}
-                    <ak-form-element-horizontal
-                        label=${msg("Verification Certificate")}
-                        name="verificationKp"
-                    >
-                        <ak-crypto-certificate-search
-                            .certificate=${this.instance?.verificationKp}
-                            nokey
-                        ></ak-crypto-certificate-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Encryption Certificate")}
-                        name="encryptionKp"
-                    >
-                        <ak-crypto-certificate-search
-                            .certificate=${this.instance?.encryptionKp}
-                        ></ak-crypto-certificate-search>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "When selected, assertions will be encrypted using this keypair.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Property mappings")}
-                        name="propertyMappings"
-                    >
-                        <ak-dual-select-dynamic-selected
-                            .provider=${propertyMappingsProvider}
-                            .selector=${propertyMappingsSelector(this.instance?.propertyMappings)}
-                            available-label=${msg("Available User Property Mappings")}
-                            selected-label=${msg("Selected User Property Mappings")}
-                        ></ak-dual-select-dynamic-selected>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("NameID Property Mapping")}
-                        name="nameIdMapping"
-                    >
-                        <ak-search-select
-                            .fetchObjects=${async (
-                                query?: string,
-                            ): Promise<SAMLPropertyMapping[]> => {
-                                const args: PropertymappingsProviderSamlListRequest = {
-                                    ordering: "saml_name",
-                                };
-                                if (query !== undefined) {
-                                    args.search = query;
-                                }
-                                const items = await new PropertymappingsApi(
-                                    DEFAULT_CONFIG,
-                                ).propertymappingsProviderSamlList(args);
-                                return items.results;
-                            }}
-                            .renderElement=${(item: SAMLPropertyMapping): string => {
-                                return item.name;
-                            }}
-                            .value=${(
-                                item: SAMLPropertyMapping | undefined,
-                            ): string | undefined => {
-                                return item?.pk;
-                            }}
-                            .selected=${(item: SAMLPropertyMapping): boolean => {
-                                return this.instance?.nameIdMapping === item.pk;
-                            }}
-                            ?blankable=${true}
-                        >
-                        </ak-search-select>
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-
-                    <ak-form-element-horizontal
-                        label=${msg("Assertion valid not before")}
-                        ?required=${true}
-                        name="assertionValidNotBefore"
-                    >
-                        <input
-                            type="text"
-                            value="${this.instance?.assertionValidNotBefore || "minutes=-5"}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Configure the maximum allowed time drift for an assertion.")}
-                        </p>
-                        <ak-utils-time-delta-help></ak-utils-time-delta-help>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Assertion valid not on or after")}
-                        ?required=${true}
-                        name="assertionValidNotOnOrAfter"
-                    >
-                        <input
-                            type="text"
-                            value="${this.instance?.assertionValidNotOnOrAfter || "minutes=5"}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Assertion not valid on or after current time + this value.")}
-                        </p>
-                        <ak-utils-time-delta-help></ak-utils-time-delta-help>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Session valid not on or after")}
-                        ?required=${true}
-                        name="sessionValidNotOnOrAfter"
-                    >
-                        <input
-                            type="text"
-                            value="${this.instance?.sessionValidNotOnOrAfter || "minutes=86400"}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Session not valid on or after current time + this value.")}
-                        </p>
-                        <ak-utils-time-delta-help></ak-utils-time-delta-help>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Default relay state")}
-                        ?required=${true}
-                        name="defaultRelayState"
-                    >
-                        <input
-                            type="text"
-                            value="${this.instance?.defaultRelayState || ""}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "When using IDP-initiated logins, the relay state will be set to this value.",
-                            )}
-                        </p>
-                        <ak-utils-time-delta-help></ak-utils-time-delta-help>
-                    </ak-form-element-horizontal>
-
-                    <ak-form-element-horizontal
-                        label=${msg("Digest algorithm")}
-                        ?required=${true}
-                        name="digestAlgorithm"
-                    >
-                        <ak-radio
-                            .options=${digestAlgorithmOptions}
-                            .value=${this.instance?.digestAlgorithm}
-                        >
-                        </ak-radio>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Signature algorithm")}
-                        ?required=${true}
-                        name="signatureAlgorithm"
-                    >
-                        <ak-radio
-                            .options=${signatureAlgorithmOptions}
-                            .value=${this.instance?.signatureAlgorithm}
-                        >
-                        </ak-radio>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>`;
+        return renderForm(this.instance ?? {}, [], setHasSigningKp, this.hasSigningKp);
     }
 }
 

web/src/admin/providers/saml/SAMLProviderFormForm.ts

@@ -0,0 +1,305 @@
+import "@goauthentik/admin/common/ak-crypto-certificate-search";
+import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import "@goauthentik/elements/forms/Radio";
+import "@goauthentik/elements/forms/SearchSelect";
+import "@goauthentik/elements/utils/TimeDeltaHelp";
+
+import { msg } from "@lit/localize";
+import { html, nothing } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import {
+    FlowsInstancesListDesignationEnum,
+    PropertymappingsApi,
+    PropertymappingsProviderSamlListRequest,
+    SAMLPropertyMapping,
+    SAMLProvider,
+    SpBindingEnum,
+    ValidationError,
+} from "@goauthentik/api";
+
+import { propertyMappingsProvider, propertyMappingsSelector } from "./SAMLProviderFormHelpers.js";
+import { digestAlgorithmOptions, signatureAlgorithmOptions } from "./SAMLProviderOptions";
+
+const serviceProviderBindingOptions = [
+    {
+        label: msg("Redirect"),
+        value: SpBindingEnum.Redirect,
+        default: true,
+    },
+    {
+        label: msg("Post"),
+        value: SpBindingEnum.Post,
+    },
+];
+
+function renderHasSigningKp(provider?: Partial<SAMLProvider>) {
+    return html` <ak-switch-input
+            name="signAssertion"
+            label=${msg("Sign assertions")}
+            ?checked=${provider?.signAssertion ?? true}
+            help=${msg("When enabled, the assertion element of the SAML response will be signed.")}
+        >
+        </ak-switch-input>
+
+        <ak-switch-input
+            name="signResponse"
+            label=${msg("Sign responses")}
+            ?checked=${provider?.signResponse ?? false}
+            help=${msg("When enabled, the assertion element of the SAML response will be signed.")}
+        >
+        </ak-switch-input>`;
+}
+
+export function renderForm(
+    provider: Partial<SAMLProvider> = {},
+    errors: ValidationError,
+    setHasSigningKp: (ev: InputEvent) => void,
+    hasSigningKp: boolean,
+) {
+    return html` <ak-text-input
+            name="name"
+            value=${ifDefined(provider?.name)}
+            label=${msg("Name")}
+            required
+            .errorMessages=${errors?.name ?? []}
+        ></ak-text-input>
+        <ak-form-element-horizontal
+            name="authorizationFlow"
+            label=${msg("Authorization flow")}
+            required
+        >
+            <ak-flow-search
+                flowType=${FlowsInstancesListDesignationEnum.Authorization}
+                .currentFlow=${provider?.authorizationFlow}
+                required
+                .errorMessages=${errors?.authorizationFlow ?? []}
+            ></ak-flow-search>
+            <p class="pf-c-form__helper-text">
+                ${msg("Flow used when authorizing this provider.")}
+            </p>
+        </ak-form-element-horizontal>
+
+        <ak-form-group .expanded=${true}>
+            <span slot="header"> ${msg("Protocol settings")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-text-input
+                    name="acsUrl"
+                    label=${msg("ACS URL")}
+                    value="${ifDefined(provider?.acsUrl)}"
+                    required
+                    .errorMessages=${errors?.acsUrl ?? []}
+                ></ak-text-input>
+                <ak-text-input
+                    label=${msg("Issuer")}
+                    name="issuer"
+                    value="${provider?.issuer || "authentik"}"
+                    required
+                    .errorMessages=${errors?.issuer ?? []}
+                    help=${msg("Also known as EntityID.")}
+                ></ak-text-input>
+                <ak-radio-input
+                    label=${msg("Service Provider Binding")}
+                    name="spBinding"
+                    required
+                    .options=${serviceProviderBindingOptions}
+                    .value=${provider?.spBinding}
+                    help=${msg(
+                        "Determines how authentik sends the response back to the Service Provider.",
+                    )}
+                >
+                </ak-radio-input>
+                <ak-text-input
+                    name="audience"
+                    label=${msg("Audience")}
+                    value="${ifDefined(provider?.audience)}"
+                    .errorMessages=${errors?.audience ?? []}
+                ></ak-text-input>
+            </div>
+        </ak-form-group>
+
+        <ak-form-group>
+            <span slot="header"> ${msg("Advanced flow settings")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-form-element-horizontal
+                    label=${msg("Authentication flow")}
+                    ?required=${false}
+                    name="authenticationFlow"
+                >
+                    <ak-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Authentication}
+                        .currentFlow=${provider?.authenticationFlow}
+                    ></ak-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "Flow used when a user access this provider and is not authenticated.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("Invalidation flow")}
+                    name="invalidationFlow"
+                    required
+                >
+                    <ak-flow-search
+                        flowType=${FlowsInstancesListDesignationEnum.Invalidation}
+                        .currentFlow=${provider?.invalidationFlow}
+                        defaultFlowSlug="default-provider-invalidation-flow"
+                        required
+                    ></ak-flow-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Flow used when logging out of this provider.")}
+                    </p>
+                </ak-form-element-horizontal>
+            </div>
+        </ak-form-group>
+
+        <ak-form-group>
+            <span slot="header"> ${msg("Advanced protocol settings")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-form-element-horizontal label=${msg("Signing Certificate")} name="signingKp">
+                    <ak-crypto-certificate-search
+                        .certificate=${provider?.signingKp}
+                        @input=${setHasSigningKp}
+                    ></ak-crypto-certificate-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "Certificate used to sign outgoing Responses going to the Service Provider.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+                ${hasSigningKp ? renderHasSigningKp(provider) : nothing}
+
+                <ak-form-element-horizontal
+                    label=${msg("Verification Certificate")}
+                    name="verificationKp"
+                >
+                    <ak-crypto-certificate-search
+                        .certificate=${provider?.verificationKp}
+                        nokey
+                    ></ak-crypto-certificate-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("Encryption Certificate")}
+                    name="encryptionKp"
+                >
+                    <ak-crypto-certificate-search
+                        .certificate=${provider?.encryptionKp}
+                    ></ak-crypto-certificate-search>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("When selected, assertions will be encrypted using this keypair.")}
+                    </p>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("Property mappings")}
+                    name="propertyMappings"
+                >
+                    <ak-dual-select-dynamic-selected
+                        .provider=${propertyMappingsProvider}
+                        .selector=${propertyMappingsSelector(provider?.propertyMappings)}
+                        available-label=${msg("Available User Property Mappings")}
+                        selected-label=${msg("Selected User Property Mappings")}
+                    ></ak-dual-select-dynamic-selected>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("NameID Property Mapping")}
+                    name="nameIdMapping"
+                >
+                    <ak-search-select
+                        .fetchObjects=${async (query?: string): Promise<SAMLPropertyMapping[]> => {
+                            const args: PropertymappingsProviderSamlListRequest = {
+                                ordering: "saml_name",
+                            };
+                            if (query !== undefined) {
+                                args.search = query;
+                            }
+                            const items = await new PropertymappingsApi(
+                                DEFAULT_CONFIG,
+                            ).propertymappingsProviderSamlList(args);
+                            return items.results;
+                        }}
+                        .renderElement=${(item: SAMLPropertyMapping): string => {
+                            return item.name;
+                        }}
+                        .value=${(item: SAMLPropertyMapping | undefined): string | undefined => {
+                            return item?.pk;
+                        }}
+                        .selected=${(item: SAMLPropertyMapping): boolean => {
+                            return provider?.nameIdMapping === item.pk;
+                        }}
+                        ?blankable=${true}
+                    >
+                    </ak-search-select>
+                    <p class="pf-c-form__helper-text">
+                        ${msg(
+                            "Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected.",
+                        )}
+                    </p>
+                </ak-form-element-horizontal>
+
+                <ak-text-input
+                    name="assertionValidNotBefore"
+                    label=${msg("Assertion valid not before")}
+                    value="${provider?.assertionValidNotBefore || "minutes=-5"}"
+                    required
+                    .errorMessages=${errors?.assertionValidNotBefore ?? []}
+                    help=${msg("Configure the maximum allowed time drift for an assertion.")}
+                ></ak-text-input>
+
+                <ak-text-input
+                    name="assertionValidNotOnOrAfter"
+                    label=${msg("Assertion valid not on or after")}
+                    value="${provider?.assertionValidNotOnOrAfter || "minutes=5"}"
+                    required
+                    .errorMessages=${errors?.assertionValidNotBefore ?? []}
+                    help=${msg("Assertion not valid on or after current time + this value.")}
+                ></ak-text-input>
+
+                <ak-text-input
+                    name="sessionValidNotOnOrAfter"
+                    label=${msg("Session valid not on or after")}
+                    value="${provider?.sessionValidNotOnOrAfter || "minutes=86400"}"
+                    required
+                    .errorMessages=${errors?.sessionValidNotOnOrAfter ?? []}
+                    help=${msg("Session not valid on or after current time + this value.")}
+                ></ak-text-input>
+
+                <ak-text-input
+                    name="defaultRelayState"
+                    label=${msg("Default relay state")}
+                    value="${provider?.defaultRelayState || ""}"
+                    .errorMessages=${errors?.sessionValidNotOnOrAfter ?? []}
+                    help=${msg(
+                        "When using IDP-initiated logins, the relay state will be set to this value.",
+                    )}
+                ></ak-text-input>
+
+                <ak-radio-input
+                    name="digestAlgorithm"
+                    label=${msg("Digest algorithm")}
+                    .options=${digestAlgorithmOptions}
+                    .value=${provider?.digestAlgorithm}
+                    required
+                >
+                </ak-radio-input>
+
+                <ak-radio-input
+                    name="signatureAlgorithm"
+                    label=${msg("Signature algorithm")}
+                    .options=${signatureAlgorithmOptions}
+                    .value=${provider?.signatureAlgorithm}
+                    required
+                >
+                </ak-radio-input>
+            </div>
+        </ak-form-group>`;
+}

web/src/admin/providers/scim/SCIMProviderForm.ts

@@ -1,26 +1,11 @@
 import { BaseProviderForm } from "@goauthentik/admin/providers/BaseProviderForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import { first } from "@goauthentik/common/utils";
-import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
-import "@goauthentik/elements/forms/FormGroup";
-import "@goauthentik/elements/forms/HorizontalFormElement";
-import "@goauthentik/elements/forms/Radio";
-import "@goauthentik/elements/forms/SearchSelect";
 
-import { msg } from "@lit/localize";
-import { TemplateResult, html } from "lit";
 import { customElement } from "lit/decorators.js";
-import { ifDefined } from "lit/directives/if-defined.js";
 
-import {
-    CoreApi,
-    CoreGroupsListRequest,
-    Group,
-    ProvidersApi,
-    SCIMProvider,
-} from "@goauthentik/api";
+import { ProvidersApi, SCIMProvider } from "@goauthentik/api";
 
-import { propertyMappingsProvider, propertyMappingsSelector } from "./SCIMProviderFormHelpers.js";
+import { renderForm } from "./SCIMProviderFormForm.js";
 
 @customElement("ak-provider-scim-form")
 export class SCIMProviderFormPage extends BaseProviderForm<SCIMProvider> {
@@ -43,156 +28,8 @@ export class SCIMProviderFormPage extends BaseProviderForm<SCIMProvider> {
         }
     }
 
-    renderForm(): TemplateResult {
-        return html` <ak-form-element-horizontal label=${msg("Name")} ?required=${true} name="name">
-                <input
-                    type="text"
-                    value="${ifDefined(this.instance?.name)}"
-                    class="pf-c-form-control"
-                    required
-                />
-            </ak-form-element-horizontal>
-            <ak-form-group .expanded=${true}>
-                <span slot="header"> ${msg("Protocol settings")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal label=${msg("URL")} ?required=${true} name="url">
-                        <input
-                            type="text"
-                            value="${first(this.instance?.url, "")}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg("SCIM base url, usually ends in /v2.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal name="verifyCertificates">
-                        <label class="pf-c-switch">
-                            <input
-                                class="pf-c-switch__input"
-                                type="checkbox"
-                                ?checked=${first(this.instance?.verifyCertificates, true)}
-                            />
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
-                            </span>
-                            <span class="pf-c-switch__label"
-                                >${msg("Verify SCIM server's certificates")}</span
-                            >
-                        </label>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Token")}
-                        ?required=${true}
-                        name="token"
-                    >
-                        <input
-                            type="text"
-                            value="${first(this.instance?.token, "")}"
-                            class="pf-c-form-control"
-                            required
-                        />
-                        <p class="pf-c-form__helper-text">
-                            ${msg(
-                                "Token to authenticate with. Currently only bearer authentication is supported.",
-                            )}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-            <ak-form-group ?expanded=${true}>
-                <span slot="header">${msg("User filtering")}</span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal name="excludeUsersServiceAccount">
-                        <label class="pf-c-switch">
-                            <input
-                                class="pf-c-switch__input"
-                                type="checkbox"
-                                ?checked=${first(this.instance?.excludeUsersServiceAccount, true)}
-                            />
-                            <span class="pf-c-switch__toggle">
-                                <span class="pf-c-switch__toggle-icon">
-                                    <i class="fas fa-check" aria-hidden="true"></i>
-                                </span>
-                            </span>
-                            <span class="pf-c-switch__label"
-                                >${msg("Exclude service accounts")}</span
-                            >
-                        </label>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal label=${msg("Group")} name="filterGroup">
-                        <ak-search-select
-                            .fetchObjects=${async (query?: string): Promise<Group[]> => {
-                                const args: CoreGroupsListRequest = {
-                                    ordering: "name",
-                                    includeUsers: false,
-                                };
-                                if (query !== undefined) {
-                                    args.search = query;
-                                }
-                                const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(
-                                    args,
-                                );
-                                return groups.results;
-                            }}
-                            .renderElement=${(group: Group): string => {
-                                return group.name;
-                            }}
-                            .value=${(group: Group | undefined): string | undefined => {
-                                return group ? group.pk : undefined;
-                            }}
-                            .selected=${(group: Group): boolean => {
-                                return group.pk === this.instance?.filterGroup;
-                            }}
-                            ?blankable=${true}
-                        >
-                        </ak-search-select>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Only sync users within the selected group.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>
-            <ak-form-group ?expanded=${true}>
-                <span slot="header"> ${msg("Attribute mapping")} </span>
-                <div slot="body" class="pf-c-form">
-                    <ak-form-element-horizontal
-                        label=${msg("User Property Mappings")}
-                        name="propertyMappings">
-                        <ak-dual-select-dynamic-selected
-                            .provider=${propertyMappingsProvider}
-                            .selector=${propertyMappingsSelector(
-                                this.instance?.propertyMappings,
-                                "goauthentik.io/providers/scim/user",
-                            )}
-                            available-label=${msg("Available User Property Mappings")}
-                            selected-label=${msg("Selected User Property Mappings")}
-                        ></ak-dual-select-dynamic-selected>
-                        </select>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Property mappings used to user mapping.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                    <ak-form-element-horizontal
-                        label=${msg("Group Property Mappings")}
-                        name="propertyMappingsGroup">
-                        <ak-dual-select-dynamic-selected
-                            .provider=${propertyMappingsProvider}
-                            .selector=${propertyMappingsSelector(
-                                this.instance?.propertyMappingsGroup,
-                                "goauthentik.io/providers/scim/group",
-                            )}
-                            available-label=${msg("Available Group Property Mappings")}
-                            selected-label=${msg("Selected Group Property Mappings")}
-                        ></ak-dual-select-dynamic-selected>
-                        <p class="pf-c-form__helper-text">
-                            ${msg("Property mappings used to group creation.")}
-                        </p>
-                    </ak-form-element-horizontal>
-                </div>
-            </ak-form-group>`;
+    renderForm() {
+        return renderForm(this.instance ?? {}, []);
     }
 }
 

web/src/admin/providers/scim/SCIMProviderFormForm.ts

@@ -0,0 +1,146 @@
+import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
+import { first } from "@goauthentik/common/utils";
+import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
+import "@goauthentik/elements/forms/FormGroup";
+import "@goauthentik/elements/forms/HorizontalFormElement";
+import "@goauthentik/elements/forms/Radio";
+import "@goauthentik/elements/forms/SearchSelect";
+
+import { msg } from "@lit/localize";
+import { html } from "lit";
+import { ifDefined } from "lit/directives/if-defined.js";
+
+import {
+    CoreApi,
+    CoreGroupsListRequest,
+    Group,
+    SCIMProvider,
+    ValidationError,
+} from "@goauthentik/api";
+
+import { propertyMappingsProvider, propertyMappingsSelector } from "./SCIMProviderFormHelpers.js";
+
+export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationError = {}) {
+    return html`
+        <ak-text-input
+            name="name"
+            value=${ifDefined(provider?.name)}
+            label=${msg("Name")}
+            .errorMessages=${errors?.name ?? []}
+            required
+            help=${msg("Method's display Name.")}
+        ></ak-text-input>
+        <ak-form-group expanded>
+            <span slot="header"> ${msg("Protocol settings")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-text-input
+                    name="url"
+                    label=${msg("URL")}
+                    value="${first(provider?.url, "")}"
+                    .errorMessages=${errors?.url ?? []}
+                    required
+                    help=${msg("SCIM base url, usually ends in /v2.")}
+                ></ak-text-input>
+
+                <ak-switch-input
+                    name="verifyCertificates"
+                    label=${msg("Verify SCIM server's certificates")}
+                    ?checked=${provider?.verifyCertificates ?? true}
+                >
+                </ak-switch-input>
+
+                <ak-text-input
+                    name="token"
+                    label=${msg("Token")}
+                    value="${provider?.token ?? ""}"
+                    .errorMessages=${errors?.token ?? []}
+                    required
+                    help=${msg(
+                        "Token to authenticate with. Currently only bearer authentication is supported.",
+                    )}
+                ></ak-text-input>
+            </div>
+        </ak-form-group>
+        <ak-form-group expanded>
+            <span slot="header">${msg("User filtering")}</span>
+            <div slot="body" class="pf-c-form">
+                <ak-switch-input
+                    name="excludeUsersServiceAccount"
+                    label=${msg("Exclude service accounts")}
+                    ?checked=${first(provider?.excludeUsersServiceAccount, true)}
+                >
+                </ak-switch-input>
+
+                <ak-form-element-horizontal label=${msg("Group")} name="filterGroup">
+                    <ak-search-select
+                        .fetchObjects=${async (query?: string): Promise<Group[]> => {
+                            const args: CoreGroupsListRequest = {
+                                ordering: "name",
+                                includeUsers: false,
+                            };
+                            if (query !== undefined) {
+                                args.search = query;
+                            }
+                            const groups = await new CoreApi(DEFAULT_CONFIG).coreGroupsList(args);
+                            return groups.results;
+                        }}
+                        .renderElement=${(group: Group): string => {
+                            return group.name;
+                        }}
+                        .value=${(group: Group | undefined): string | undefined => {
+                            return group ? group.pk : undefined;
+                        }}
+                        .selected=${(group: Group): boolean => {
+                            return group.pk === provider?.filterGroup;
+                        }}
+                        blankable
+                    >
+                    </ak-search-select>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Only sync users within the selected group.")}
+                    </p>
+                </ak-form-element-horizontal>
+            </div>
+        </ak-form-group>
+
+        <ak-form-group expanded>
+            <span slot="header"> ${msg("Attribute mapping")} </span>
+            <div slot="body" class="pf-c-form">
+                <ak-form-element-horizontal
+                    label=${msg("User Property Mappings")}
+                    name="propertyMappings"
+                >
+                    <ak-dual-select-dynamic-selected
+                        .provider=${propertyMappingsProvider}
+                        .selector=${propertyMappingsSelector(
+                            provider?.propertyMappings,
+                            "goauthentik.io/providers/scim/user",
+                        )}
+                        available-label=${msg("Available User Property Mappings")}
+                        selected-label=${msg("Selected User Property Mappings")}
+                    ></ak-dual-select-dynamic-selected>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Property mappings used to user mapping.")}
+                    </p>
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("Group Property Mappings")}
+                    name="propertyMappingsGroup"
+                >
+                    <ak-dual-select-dynamic-selected
+                        .provider=${propertyMappingsProvider}
+                        .selector=${propertyMappingsSelector(
+                            provider?.propertyMappingsGroup,
+                            "goauthentik.io/providers/scim/group",
+                        )}
+                        available-label=${msg("Available Group Property Mappings")}
+                        selected-label=${msg("Selected Group Property Mappings")}
+                    ></ak-dual-select-dynamic-selected>
+                    <p class="pf-c-form__helper-text">
+                        ${msg("Property mappings used to group creation.")}
+                    </p>
+                </ak-form-element-horizontal>
+            </div>
+        </ak-form-group>
+    `;
+}

web/src/admin/providers/scim/SCIMProviderViewPage.ts

@@ -1,3 +1,4 @@
+import "@goauthentik/admin/providers/RelatedApplicationButton";
 import "@goauthentik/admin/providers/scim/SCIMProviderForm";
 import "@goauthentik/admin/providers/scim/SCIMProviderGroupList";
 import "@goauthentik/admin/providers/scim/SCIMProviderUserList";
@@ -163,6 +164,21 @@ export class SCIMProviderViewPage extends AKElement {
                                         </div>
                                     </dd>
                                 </div>
+                                <div class="pf-c-description-list__group">
+                                    <dt class="pf-c-description-list__term">
+                                        <span class="pf-c-description-list__text"
+                                            >${msg("Assigned to application")}</span
+                                        >
+                                    </dt>
+                                    <dd class="pf-c-description-list__description">
+                                        <div class="pf-c-description-list__text">
+                                            <ak-provider-related-application
+                                                .provider=${this.provider}
+                                            ></ak-provider-related-application>
+                                        </div>
+                                    </dd>
+                                </div>
+
                                 <div class="pf-c-description-list__group">
                                     <dt class="pf-c-description-list__term">
                                         <span class="pf-c-description-list__text"

web/src/admin/sources/ldap/LDAPSourceForm.ts

@@ -38,11 +38,11 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                 slug: this.instance.slug,
                 patchedLDAPSourceRequest: data,
             });
-        } else {
-            return new SourcesApi(DEFAULT_CONFIG).sourcesLdapCreate({
-                lDAPSourceRequest: data as unknown as LDAPSourceRequest,
-            });
         }
+
+        return new SourcesApi(DEFAULT_CONFIG).sourcesLdapCreate({
+            lDAPSourceRequest: data as unknown as LDAPSourceRequest,
+        });
     }
 
     renderForm(): TemplateResult {

web/src/common/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.10.5";
+export const VERSION = "2024.12.0";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";