release: 2024.10.5

flows: better test stage's challenge responses (#12316)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>

.bumpversion.cfg

@@ -30,5 +30,3 @@ optional_value = final
 [bumpversion:file:internal/constants/constants.go]
 
 [bumpversion:file:web/src/common/constants.ts]
-
-[bumpversion:file:website/docs/install-config/install/aws/template.yaml]

.github/actions/docker-push-variables/action.yml

@@ -11,9 +11,9 @@ inputs:
     description: "Docker image arch"
 
 outputs:
-  shouldPush:
-    description: "Whether to push the image or not"
-    value: ${{ steps.ev.outputs.shouldPush }}
+  shouldBuild:
+    description: "Whether to build image or not"
+    value: ${{ steps.ev.outputs.shouldBuild }}
 
   sha:
     description: "sha"

.github/actions/docker-push-variables/push_vars.py

@@ -7,14 +7,7 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
 
-# Decide if we should push the image or not
-should_push = True
-if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
-    # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
-    should_push = False
-if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
-    # Don't push on the internal repo
-    should_push = False
+should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
 
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@@ -71,7 +64,7 @@ def get_attest_image_names(image_with_tags: list[str]):
 
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print(f"shouldPush={str(should_push).lower()}", file=_output)
+    print(f"shouldBuild={should_build}", file=_output)
     print(f"sha={sha}", file=_output)
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)

.github/workflows/api-py-publish.yml

@@ -7,7 +7,6 @@ on:
   workflow_dispatch:
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     permissions:
       id-token: write

.github/workflows/api-ts-publish.yml

@@ -7,7 +7,6 @@ on:
   workflow_dispatch:
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token

.github/workflows/ci-aws-cfn.yml

@@ -1,46 +0,0 @@
-name: authentik-ci-aws-cfn
-
-on:
-  push:
-    branches:
-      - main
-      - next
-      - version-*
-  pull_request:
-    branches:
-      - main
-      - version-*
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  check-changes-applied:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        run: |
-          npm ci
-      - name: Check changes have been applied
-        run: |
-          poetry run make aws-cfn
-          git diff --exit-code
-  ci-aws-cfn-mark:
-    if: always()
-    needs:
-      - check-changes-applied
-    runs-on: ubuntu-latest
-    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}

.github/workflows/ci-main.yml

@@ -116,7 +116,7 @@ jobs:
           poetry run make test
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: unit
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -140,7 +140,7 @@ jobs:
           poetry run coverage run manage.py test tests/integration
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: integration
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -198,7 +198,7 @@ jobs:
           poetry run coverage run manage.py test ${{ matrix.job.glob }}
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: e2e
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -209,7 +209,6 @@ jobs:
           file: unittest.xml
           token: ${{ secrets.CODECOV_TOKEN }}
   ci-core-mark:
-    if: always()
     needs:
       - lint
       - test-migrations
@@ -219,9 +218,7 @@ jobs:
       - test-e2e
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
   build:
     strategy:
       fail-fast: false
@@ -255,7 +252,7 @@ jobs:
           image-name: ghcr.io/goauthentik/dev-server
           image-arch: ${{ matrix.arch }}
       - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -272,15 +269,15 @@ jobs:
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
           tags: ${{ steps.ev.outputs.imageTags }}
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
           platforms: linux/${{ matrix.arch }}
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
         id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}
@@ -306,7 +303,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: ./.github/actions/comment-pr-instructions
         with:
           tag: ${{ steps.ev.outputs.imageMainTag }}

.github/workflows/ci-outpost.yml

@@ -49,15 +49,12 @@ jobs:
         run: |
           go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
   ci-outpost-mark:
-    if: always()
     needs:
       - lint-golint
       - test-unittest
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
   build-container:
     timeout-minutes: 120
     needs:
@@ -93,7 +90,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -107,16 +104,16 @@ jobs:
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           platforms: linux/amd64,linux/arm64
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v2
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+      - uses: actions/attest-build-provenance@v1
         id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}

.github/workflows/ci-web.yml

@@ -61,15 +61,12 @@ jobs:
         working-directory: web/
         run: npm run build
   ci-web-mark:
-    if: always()
     needs:
       - build
       - lint
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
   test:
     needs:
       - ci-web-mark

.github/workflows/ci-website.yml

@@ -62,13 +62,10 @@ jobs:
         working-directory: website/
         run: npm run ${{ matrix.job }}
   ci-website-mark:
-    if: always()
     needs:
       - lint
       - test
       - build
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark

.github/workflows/gen-update-webauthn-mds.yml

@@ -11,7 +11,6 @@ env:
 
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token

.github/workflows/ghcr-retention.yml

@@ -7,7 +7,6 @@ on:
 
 jobs:
   clean-ghcr:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     name: Delete old unused container images
     runs-on: ubuntu-latest
     steps:

.github/workflows/publish-source-docs.yml

@@ -12,7 +12,6 @@ env:
 
 jobs:
   publish-source-docs:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:

.github/workflows/release-next-branch.yml

@@ -11,7 +11,6 @@ permissions:
 
 jobs:
   update-next:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     environment: internal-production
     steps:

.github/workflows/release-publish.yml

@@ -55,7 +55,7 @@ jobs:
             VERSION=${{ github.ref }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/amd64,linux/arm64
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -119,7 +119,7 @@ jobs:
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -169,27 +169,6 @@ jobs:
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           tag: ${{ github.ref }}
-  upload-aws-cfn-template:
-    permissions:
-      # Needed for AWS login
-      id-token: write
-      contents: read
-    needs:
-      - build-server
-      - build-outpost
-    env:
-      AWS_REGION: eu-central-1
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
-          aws-region: ${{ env.AWS_REGION }}
-      - name: Upload template
-        run: |
-          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
   test-release:
     needs:
       - build-server

.github/workflows/release-tag.yml

@@ -18,7 +18,7 @@ jobs:
           echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
           docker buildx install
           mkdir -p ./gen-ts-api
-          docker build -t testing:latest .
+          docker build --no-cache -t testing:latest .
           echo "AUTHENTIK_IMAGE=testing" >> .env
           echo "AUTHENTIK_TAG=latest" >> .env
           docker compose up --no-start

.github/workflows/repo-mirror.yml

@@ -1,21 +0,0 @@
-name: "authentik-repo-mirror"
-
-on: [push, delete]
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: pixta-dev/repository-mirroring-action@v1
-        with:
-          target_repo_url:
-            git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key:
-            ${{ secrets.GH_MIRROR_KEY }}
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-stale.yml

@@ -11,7 +11,6 @@ permissions:
 
 jobs:
   stale:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token

CONTRIBUTING.md

@@ -1 +1 @@
-website/docs/developer-docs/index.md
+website/developer-docs/index.md

Dockerfile

@@ -80,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"

Makefile

@@ -5,7 +5,7 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle .github website/docs/install-config/install/aws
+PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
 
 GEN_API_TS = "gen-ts-api"
@@ -252,9 +252,6 @@ website-build:
 website-watch:  ## Build and watch the documentation website, updating automatically
 	cd website && npm run watch
 
-aws-cfn:
-	cd website && npm run aws-cfn
-
 #########################
 ## Docker
 #########################

SECURITY.md

@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 
 ## Independent audits and pentests
 
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation]](https://docs.goauthentik.io/docs/security).
+In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
 
 ## What authentik classifies as a CVE
 

authentik/blueprints/v1/importer.py

@@ -65,12 +65,7 @@ from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    AuthorizationCode,
-    DeviceToken,
-    RefreshToken,
-)
+from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
@@ -130,7 +125,6 @@ def excluded_models() -> list[type[Model]]:
         MicrosoftEntraProviderGroup,
         EndpointDevice,
         EndpointDeviceConnection,
-        DeviceToken,
     )
 
 
@@ -299,11 +293,7 @@ class Importer:
 
         serializer_kwargs = {}
         model_instance = existing_models.first()
-        if (
-            not isinstance(model(), BaseMetaModel)
-            and model_instance
-            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
-        ):
+        if not isinstance(model(), BaseMetaModel) and model_instance:
             self.logger.debug(
                 "Initialise serializer with instance",
                 model=model,
@@ -313,12 +303,11 @@ class Importer:
             serializer_kwargs["instance"] = model_instance
             serializer_kwargs["partial"] = True
         elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
-            msg = (
-                f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
-                "and object exists already",
-            )
             raise EntryInvalidError.from_entry(
-                ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
+                (
+                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
+                    "and object exists already",
+                ),
                 entry,
             )
         else:

authentik/blueprints/v1/tasks.py

@@ -159,7 +159,7 @@ def blueprints_discovery(self: SystemTask, path: str | None = None):
         check_blueprint_v1_file(blueprint)
         count += 1
     self.set_status(
-        TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=count))
+        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": count})
     )
 
 

authentik/brands/api.py

@@ -84,8 +84,8 @@ class CurrentBrandSerializer(PassiveSerializer):
 
     matched_domain = CharField(source="domain")
     branding_title = CharField()
-    branding_logo = CharField(source="branding_logo_url")
-    branding_favicon = CharField(source="branding_favicon_url")
+    branding_logo = CharField()
+    branding_favicon = CharField()
     ui_footer_links = ListField(
         child=FooterLinkSerializer(),
         read_only=True,

authentik/brands/middleware.py

@@ -25,7 +25,5 @@ class BrandMiddleware:
             locale = brand.default_locale
             if locale != "":
                 locale_to_set = locale
-        if locale_to_set:
         with override(locale_to_set):
             return self.get_response(request)
-        return self.get_response(request)

authentik/brands/models.py

@@ -10,7 +10,6 @@ from structlog.stdlib import get_logger
 
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
-from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 
 LOGGER = get_logger()
@@ -72,18 +71,6 @@ class Brand(SerializerModel):
     )
     attributes = models.JSONField(default=dict, blank=True)
 
-    def branding_logo_url(self) -> str:
-        """Get branding_logo with the correct prefix"""
-        if self.branding_logo.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.branding_logo
-        return self.branding_logo
-
-    def branding_favicon_url(self) -> str:
-        """Get branding_favicon with the correct prefix"""
-        if self.branding_favicon.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
-        return self.branding_favicon
-
     @property
     def serializer(self) -> Serializer:
         from authentik.brands.api import BrandSerializer

authentik/core/api/groups.py

@@ -103,6 +103,9 @@ class GroupSerializer(ModelSerializer):
             "users": {
                 "default": list,
             },
+            # TODO: This field isn't unique on the database which is hard to backport
+            # hence we just validate the uniqueness here
+            "name": {"validators": [UniqueValidator(Group.objects.all())]},
         }
 
 

authentik/core/api/transactional_applications.py

@@ -1,12 +1,10 @@
 """transactional application and provider creation"""
 
 from django.apps import apps
-from django.db.models import Model
-from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -24,7 +22,6 @@ from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
-from authentik.policies.api.bindings import PolicyBindingSerializer
 
 
 def get_provider_serializer_mapping():
@@ -48,13 +45,6 @@ class TransactionProviderField(DictField):
     """Dictionary field which can hold provider creation data"""
 
 
-class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
-    """PolicyBindingSerializer which does not require target as target is set implicitly"""
-
-    class Meta(PolicyBindingSerializer.Meta):
-        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
-
-
 class TransactionApplicationSerializer(PassiveSerializer):
     """Serializer for creating a provider and an application in one transaction"""
 
@@ -62,8 +52,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
     provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
     provider = TransactionProviderField()
 
-    policy_bindings = TransactionPolicyBindingSerializer(many=True, required=False)
-
     _provider_model: type[Provider] = None
 
     def validate_provider_model(self, fq_model_name: str) -> str:
@@ -108,19 +96,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
                 id="app",
             )
         )
-        for binding in attrs.get("policy_bindings", []):
-            binding["target"] = KeyOf(None, ScalarNode(tag="", value="app"))
-            for key, value in binding.items():
-                if not isinstance(value, Model):
-                    continue
-                binding[key] = value.pk
-            blueprint.entries.append(
-                BlueprintEntry(
-                    model="authentik_policies.policybinding",
-                    state=BlueprintEntryDesiredState.MUST_CREATED,
-                    identifiers=binding,
-                )
-            )
         importer = Importer(blueprint, {})
         try:
             valid, _ = importer.validate(raise_validation_errors=True)
@@ -145,7 +120,8 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
 class TransactionalApplicationView(APIView):
     """Create provider and application and attach them in a single transaction"""
 
-    permission_classes = [IsAuthenticated]
+    # TODO: Migrate to a more specific permission
+    permission_classes = [IsAdminUser]
 
     @extend_schema(
         request=TransactionApplicationSerializer(),
@@ -157,23 +133,8 @@ class TransactionalApplicationView(APIView):
         """Convert data into a blueprint, validate it and apply it"""
         data = TransactionApplicationSerializer(data=request.data)
         data.is_valid(raise_exception=True)
-        blueprint: Blueprint = data.validated_data
-        for entry in blueprint.entries:
-            full_model = entry.get_model(blueprint)
-            app, __, model = full_model.partition(".")
-            if not request.user.has_perm(f"{app}.add_{model}"):
-                raise PermissionDenied(
-                    {
-                        entry.id: _(
-                            "User lacks permission to create {model}".format_map(
-                                {
-                                    "model": full_model,
-                                }
-                            )
-                        )
-                    }
-                )
-        importer = Importer(blueprint, {})
+
+        importer = Importer(data.validated_data, {})
         applied = importer.apply()
         response = {"applied": False, "logs": []}
         response["applied"] = applied

authentik/core/api/users.py

@@ -666,12 +666,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 
     @permission_required("authentik_core.impersonate")
     @extend_schema(
-        request=inline_serializer(
-            "ImpersonationSerializer",
-            {
-                "reason": CharField(required=True),
-            },
-        ),
+        request=OpenApiTypes.NONE,
         responses={
             "204": OpenApiResponse(description="Successfully started impersonation"),
             "401": OpenApiResponse(description="Access denied"),
@@ -684,7 +679,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             LOGGER.debug("User attempted to impersonate", user=request.user)
             return Response(status=401)
         user_to_be = self.get_object()
-        reason = request.data.get("reason", "")
         # Check both object-level perms and global perms
         if not request.user.has_perm(
             "authentik_core.impersonate", user_to_be
@@ -694,16 +688,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         if user_to_be.pk == self.request.user.pk:
             LOGGER.debug("User attempted to impersonate themselves", user=request.user)
             return Response(status=401)
-        if not reason and request.tenant.impersonation_require_reason:
-            LOGGER.debug(
-                "User attempted to impersonate without providing a reason", user=request.user
-            )
-            return Response(status=401)
 
         request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
         request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
 
-        Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
+        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
 
         return Response(status=201)
 

authentik/core/middleware.py

@@ -42,10 +42,8 @@ class ImpersonateMiddleware:
             # Ensure that the user is active, otherwise nothing will work
             request.user.is_active = True
 
-        if locale_to_set:
         with override(locale_to_set):
             return self.get_response(request)
-        return self.get_response(request)
 
 
 class RequestIDMiddleware:

authentik/core/migrations/0040_alter_group_name.py

@@ -1,21 +0,0 @@
-# Generated by Django 5.0.8 on 2024-08-08 12:09
-
-from django.db import migrations, models
-
-from authentik.lib.migrations import fallback_names
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
-    ]
-
-    operations = [
-        migrations.RunPython(fallback_names("authentik_core", "group", "name")),
-        migrations.AlterField(
-            model_name="group",
-            name="name",
-            field=models.TextField(unique=True, verbose_name="name"),
-        ),
-    ]

authentik/core/models.py

@@ -173,7 +173,7 @@ class Group(SerializerModel, AttributesMixin):
 
     group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
 
-    name = models.TextField(verbose_name=_("name"), unique=True)
+    name = models.TextField(_("name"))
     is_superuser = models.BooleanField(
         default=False, help_text=_("Users added to this group will be superusers.")
     )

authentik/core/sources/flow_manager.py

@@ -265,7 +265,12 @@ class SourceFlowManager:
         if stages:
             for stage in stages:
                 plan.append_stage(stage)
-        return plan.to_redirect(self.request, flow)
+        self.request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
+            flow_slug=flow.slug,
+        )
 
     def handle_auth(
         self,

authentik/core/templates/base/header_js.html

@@ -9,9 +9,6 @@
         versionFamily: "{{ version_family }}",
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",
-        api: {
-            base: "{{ base_url }}",
-        },
     };
     window.addEventListener("DOMContentLoaded", function () {
         {% for message in messages %}

authentik/core/templates/base/skeleton.html

@@ -9,8 +9,8 @@
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
         <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="icon" href="{{ brand.branding_favicon }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">

authentik/core/templates/login/base_full.html

@@ -4,7 +4,7 @@
 {% load i18n %}
 
 {% block head_before %}
-<link rel="prefetch" href="{% static 'dist/assets/images/flow_background.jpg' %}" />
+<link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
@@ -13,7 +13,7 @@
 {% block head %}
 <style>
 :root {
-    --ak-flow-background: url("{% static 'dist/assets/images/flow_background.jpg' %}");
+    --ak-flow-background: url("/static/dist/assets/images/flow_background.jpg");
     --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
@@ -50,7 +50,7 @@
     <div class="ak-login-container">
         <main class="pf-c-login__main">
             <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+                <img src="{{ brand.branding_logo }}" alt="authentik Logo" />
             </div>
             <header class="pf-c-login__main-header">
                 <h1 class="pf-c-title pf-m-3xl">

authentik/core/tests/test_impersonation.py

@@ -29,8 +29,7 @@ class TestImpersonation(APITestCase):
             reverse(
                 "authentik_api:user-impersonate",
                 kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
         )
 
         response = self.client.get(reverse("authentik_api:user-me"))
@@ -56,8 +55,7 @@ class TestImpersonation(APITestCase):
             reverse(
                 "authentik_api:user-impersonate",
                 kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
         )
         self.assertEqual(response.status_code, 201)
 
@@ -77,8 +75,7 @@ class TestImpersonation(APITestCase):
             reverse(
                 "authentik_api:user-impersonate",
                 kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
         )
         self.assertEqual(response.status_code, 201)
 
@@ -92,8 +89,7 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.other_user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": "some reason"},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
         )
         self.assertEqual(response.status_code, 403)
 
@@ -109,8 +105,7 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
-            data={"reason": "some reason"},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
         )
         self.assertEqual(response.status_code, 401)
 
@@ -123,22 +118,7 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": "some reason"},
-        )
-        self.assertEqual(response.status_code, 401)
-
-        response = self.client.get(reverse("authentik_api:user-me"))
-        response_body = loads(response.content.decode())
-        self.assertEqual(response_body["user"]["username"], self.user.username)
-
-    def test_impersonate_reason_required(self):
-        """test impersonation that user must provide reason"""
-        self.client.force_login(self.user)
-
-        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": ""},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
         )
         self.assertEqual(response.status_code, 401)
 

authentik/core/tests/test_transactional_applications_api.py

@@ -1,13 +1,11 @@
 """Test Transactional API"""
 
 from django.urls import reverse
-from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Application, Group
-from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
 
 
@@ -15,9 +13,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
     """Test Transactional API"""
 
     def setUp(self) -> None:
-        self.user = create_test_user()
-        assign_perm("authentik_core.add_application", self.user)
-        assign_perm("authentik_providers_oauth2.add_oauth2provider", self.user)
+        self.user = create_test_admin_user()
 
     def test_create_transactional(self):
         """Test transactional Application + provider creation"""
@@ -46,66 +42,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
         self.assertIsNotNone(app)
         self.assertEqual(app.provider.pk, provider.pk)
 
-    def test_create_transactional_permission_denied(self):
-        """Test transactional Application + provider creation (missing permissions)"""
-        self.client.force_login(self.user)
-        uid = generate_id()
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_saml.samlprovider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
-                    "invalidation_flow": str(create_test_flow().pk),
-                    "acs_url": "https://goauthentik.io",
-                },
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"provider": "User lacks permission to create authentik_providers_saml.samlprovider"},
-        )
-
-    def test_create_transactional_bindings(self):
-        """Test transactional Application + provider creation"""
-        assign_perm("authentik_policies.add_policybinding", self.user)
-        self.client.force_login(self.user)
-        uid = generate_id()
-        group = Group.objects.create(name=generate_id())
-        authorization_flow = create_test_flow()
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_oauth2.oauth2provider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(authorization_flow.pk),
-                    "invalidation_flow": str(authorization_flow.pk),
-                    "redirect_uris": [],
-                },
-                "policy_bindings": [{"group": group.pk, "order": 0}],
-            },
-        )
-        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
-        provider = OAuth2Provider.objects.filter(name=uid).first()
-        self.assertIsNotNone(provider)
-        app = Application.objects.filter(slug=uid).first()
-        self.assertIsNotNone(app)
-        self.assertEqual(app.provider.pk, provider.pk)
-        binding = PolicyBinding.objects.filter(target=app).first()
-        self.assertIsNotNone(binding)
-        self.assertEqual(binding.target, app)
-        self.assertEqual(binding.group, group)
-
     def test_create_transactional_invalid(self):
         """Test transactional Application + provider creation"""
         self.client.force_login(self.user)
@@ -135,32 +71,3 @@ class TestTransactionalApplicationsAPI(APITestCase):
                 }
             },
         )
-
-    def test_create_transactional_duplicate_name_provider(self):
-        """Test transactional Application + provider creation"""
-        self.client.force_login(self.user)
-        uid = generate_id()
-        OAuth2Provider.objects.create(
-            name=uid,
-            authorization_flow=create_test_flow(),
-            invalidation_flow=create_test_flow(),
-        )
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_oauth2.oauth2provider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
-                    "invalidation_flow": str(create_test_flow().pk),
-                },
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"provider": {"name": ["State is set to must_created and object exists already"]}},
-        )

authentik/core/views/apps.py

@@ -17,8 +17,10 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import (
     SESSION_KEY_APPLICATION_PRE,
+    SESSION_KEY_PLAN,
     ToDefaultFlow,
 )
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.stages.consent.stage import (
     PLAN_CONTEXT_CONSENT_HEADER,
     PLAN_CONTEXT_CONSENT_PERMISSIONS,
@@ -56,7 +58,8 @@ class RedirectToAppLaunch(View):
         except FlowNonApplicableException:
             raise Http404 from None
         plan.insert_stage(in_memory_stage(RedirectToAppStage))
-        return plan.to_redirect(request, flow)
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)
 
 
 class RedirectToAppStage(ChallengeStageView):

authentik/core/views/interface.py

@@ -16,7 +16,6 @@ from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
 from authentik.brands.models import Brand
 from authentik.core.models import UserTypes
-from authentik.lib.config import CONFIG
 from authentik.policies.denied import AccessDeniedResponse
 
 
@@ -52,7 +51,6 @@ class InterfaceView(TemplateView):
         kwargs["version_subdomain"] = f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}"
         kwargs["build"] = get_build_hash()
         kwargs["url_kwargs"] = self.kwargs
-        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
         return super().get_context_data(**kwargs)
 
 

authentik/crypto/tasks.py

@@ -85,5 +85,5 @@ def certificate_discovery(self: SystemTask):
         if dirty:
             cert.save()
     self.set_status(
-        TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=discovered))
+        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": discovered})
     )

authentik/enterprise/providers/rac/templates/if/rac.html

@@ -6,8 +6,8 @@
 <script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
-<link rel="icon" href="{{ tenant.branding_favicon_url }}">
-<link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}">
+<link rel="icon" href="{{ tenant.branding_favicon }}">
+<link rel="shortcut icon" href="{{ tenant.branding_favicon }}">
 {% include "base/header_js.html" %}
 {% endblock %}
 

authentik/enterprise/providers/rac/views.py

@@ -18,7 +18,9 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
+from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.time import timedelta_from_string
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.engine import PolicyEngine
 
 
@@ -54,7 +56,12 @@ class RACStartView(EnterprisePolicyAccessView):
                 provider=self.provider,
             )
         )
-        return plan.to_redirect(request, self.provider.authorization_flow)
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            request.GET,
+            flow_slug=self.provider.authorization_flow.slug,
+        )
 
 
 class RACInterface(InterfaceView):

authentik/events/models.py

@@ -60,7 +60,7 @@ def default_event_duration():
     """Default duration an Event is saved.
     This is used as a fallback when no brand is available"""
     try:
-        tenant = get_current_tenant(only=["event_retention"])
+        tenant = get_current_tenant()
         return now() + timedelta_from_string(tenant.event_retention)
     except Tenant.DoesNotExist:
         return now() + timedelta(days=365)

authentik/flows/models.py

@@ -14,7 +14,6 @@ from structlog.stdlib import get_logger
 from authentik.core.models import Token
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.challenge import FlowLayout
-from authentik.lib.config import CONFIG
 from authentik.lib.models import InheritanceForeignKey, SerializerModel
 from authentik.lib.utils.reflection import class_to_path
 from authentik.policies.models import PolicyBindingModel
@@ -178,13 +177,9 @@ class Flow(SerializerModel, PolicyBindingModel):
         """Get the URL to the background image. If the name is /static or starts with http
         it is returned as-is"""
         if not self.background:
-            return (
-                CONFIG.get("web.path", "/")[:-1] + "/static/dist/assets/images/flow_background.jpg"
-            )
-        if self.background.name.startswith("http"):
+            return "/static/dist/assets/images/flow_background.jpg"
+        if self.background.name.startswith("http") or self.background.name.startswith("/static"):
             return self.background.name
-        if self.background.name.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.background.name
         return self.background.url
 
     stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)

authentik/flows/planner.py

@@ -1,10 +1,10 @@
 """Flows Planner"""
 
 from dataclasses import dataclass, field
-from typing import TYPE_CHECKING, Any
+from typing import Any
 
 from django.core.cache import cache
-from django.http import HttpRequest, HttpResponse
+from django.http import HttpRequest
 from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
@@ -23,15 +23,10 @@ from authentik.flows.models import (
     in_memory_stage,
 )
 from authentik.lib.config import CONFIG
-from authentik.lib.utils.urls import redirect_with_qs
 from authentik.outposts.models import Outpost
 from authentik.policies.engine import PolicyEngine
 from authentik.root.middleware import ClientIPMiddleware
 
-if TYPE_CHECKING:
-    from authentik.flows.stage import StageView
-
-
 LOGGER = get_logger()
 PLAN_CONTEXT_PENDING_USER = "pending_user"
 PLAN_CONTEXT_SSO = "is_sso"
@@ -115,54 +110,6 @@ class FlowPlan:
         """Check if there are any stages left in this plan"""
         return len(self.markers) + len(self.bindings) > 0
 
-    def requires_flow_executor(
-        self,
-        allowed_silent_types: list["StageView"] | None = None,
-    ):
-        # Check if we actually need to show the Flow executor, or if we can jump straight to the end
-        found_unskippable = True
-        if allowed_silent_types:
-            LOGGER.debug("Checking if we can skip the flow executor...")
-            # Policies applied to the flow have already been evaluated, so we're checking for stages
-            # allow-listed or bindings that require a policy re-eval
-            found_unskippable = False
-            for binding, marker in zip(self.bindings, self.markers, strict=True):
-                if binding.stage.view not in allowed_silent_types:
-                    found_unskippable = True
-                if marker and isinstance(marker, ReevaluateMarker):
-                    found_unskippable = True
-        LOGGER.debug("Required flow executor status", status=found_unskippable)
-        return found_unskippable
-
-    def to_redirect(
-        self,
-        request: HttpRequest,
-        flow: Flow,
-        allowed_silent_types: list["StageView"] | None = None,
-    ) -> HttpResponse:
-        """Redirect to the flow executor for this flow plan"""
-        from authentik.flows.views.executor import (
-            SESSION_KEY_PLAN,
-            FlowExecutorView,
-        )
-
-        request.session[SESSION_KEY_PLAN] = self
-        requires_flow_executor = self.requires_flow_executor(allowed_silent_types)
-
-        if not requires_flow_executor:
-            # No unskippable stages found, so we can directly return the response of the last stage
-            final_stage: type[StageView] = self.bindings[-1].stage.view
-            temp_exec = FlowExecutorView(flow=flow, request=request, plan=self)
-            temp_exec.current_stage = self.bindings[-1].stage
-            stage = final_stage(request=request, executor=temp_exec)
-            return stage.dispatch(request)
-
-        return redirect_with_qs(
-            "authentik_core:if-flow",
-            request.GET,
-            flow_slug=flow.slug,
-        )
-
 
 class FlowPlanner:
     """Execute all policies to plan out a flat list of all Stages

authentik/flows/templates/if/flow-sfe.html

@@ -9,8 +9,8 @@
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
         <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="icon" href="{{ brand.branding_favicon }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">

authentik/flows/tests/test_planner.py

@@ -5,8 +5,6 @@ from unittest.mock import MagicMock, Mock, PropertyMock, patch
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.core.cache import cache
-from django.http import HttpRequest
-from django.shortcuts import redirect
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
 from guardian.shortcuts import get_anonymous_user
@@ -16,14 +14,8 @@ from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
-from authentik.flows.models import (
-    FlowAuthenticationRequirement,
-    FlowDesignation,
-    FlowStageBinding,
-    in_memory_stage,
-)
+from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
-from authentik.flows.stage import StageView
 from authentik.lib.tests.utils import dummy_get_response
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost
@@ -219,99 +211,3 @@ class TestFlowPlanner(TestCase):
 
             self.assertIsInstance(plan.markers[0], StageMarker)
             self.assertIsInstance(plan.markers[1], ReevaluateMarker)
-
-    def test_to_redirect(self):
-        """Test to_redirect and skipping the flow executor"""
-        flow = create_test_flow()
-        flow.authentication = FlowAuthenticationRequirement.NONE
-        request = self.request_factory.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(request)
-        request.session.save()
-
-        request.user = AnonymousUser()
-        planner = FlowPlanner(flow)
-        planner.allow_empty_flows = True
-        plan = planner.plan(request)
-        self.assertTrue(plan.requires_flow_executor())
-        self.assertEqual(
-            plan.to_redirect(request, flow).url,
-            reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug}),
-        )
-
-    def test_to_redirect_skip_simple(self):
-        """Test to_redirect and skipping the flow executor"""
-        flow = create_test_flow()
-        flow.authentication = FlowAuthenticationRequirement.NONE
-        request = self.request_factory.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        middleware = SessionMiddleware(dummy_get_response)
-        middleware.process_request(request)
-        request.session.save()
-        request.user = AnonymousUser()
-        planner = FlowPlanner(flow)
-        planner.allow_empty_flows = True
-        plan = planner.plan(request)
-
-        class TStageView(StageView):
-            def dispatch(self, request: HttpRequest, *args, **kwargs):
-                return redirect("https://authentik.company")
-
-        plan.append_stage(in_memory_stage(TStageView))
-        self.assertFalse(plan.requires_flow_executor(allowed_silent_types=[TStageView]))
-        self.assertEqual(
-            plan.to_redirect(request, flow, allowed_silent_types=[TStageView]).url,
-            "https://authentik.company",
-        )
-
-    def test_to_redirect_skip_stage(self):
-        """Test to_redirect and skipping the flow executor
-        (with a stage bound that cannot be skipped)"""
-        flow = create_test_flow()
-        flow.authentication = FlowAuthenticationRequirement.NONE
-
-        FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy"), order=0
-        )
-
-        request = self.request_factory.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        request.user = AnonymousUser()
-        planner = FlowPlanner(flow)
-        planner.allow_empty_flows = True
-        plan = planner.plan(request)
-
-        class TStageView(StageView):
-            def dispatch(self, request: HttpRequest, *args, **kwargs):
-                return redirect("https://authentik.company")
-
-        plan.append_stage(in_memory_stage(TStageView))
-        self.assertTrue(plan.requires_flow_executor(allowed_silent_types=[TStageView]))
-
-    def test_to_redirect_skip_policies(self):
-        """Test to_redirect and skipping the flow executor
-        (with a marker on the stage view type that can be skipped)
-
-        Note that this is not actually used anywhere in the code, all stages that are dynamically
-        added are statically added"""
-        flow = create_test_flow()
-        flow.authentication = FlowAuthenticationRequirement.NONE
-
-        request = self.request_factory.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-        )
-        request.user = AnonymousUser()
-        planner = FlowPlanner(flow)
-        planner.allow_empty_flows = True
-        plan = planner.plan(request)
-
-        class TStageView(StageView):
-            def dispatch(self, request: HttpRequest, *args, **kwargs):
-                return redirect("https://authentik.company")
-
-        plan.append_stage(in_memory_stage(TStageView), ReevaluateMarker(None))
-        self.assertTrue(plan.requires_flow_executor(allowed_silent_types=[TStageView]))

authentik/flows/views/executor.py

@@ -597,4 +597,9 @@ class ConfigureFlowInitView(LoginRequiredMixin, View):
         except FlowNonApplicableException:
             LOGGER.warning("Flow not applicable to user")
             raise Http404 from None
-        return plan.to_redirect(request, stage.configure_flow)
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
+            flow_slug=stage.configure_flow.slug,
+        )

authentik/lib/default.yml

@@ -135,7 +135,6 @@ web:
   # No default here as it's set dynamically
   # workers: 2
   threads: 4
-  path: /
 
 worker:
   concurrency: 2

authentik/lib/sentry.py

@@ -36,7 +36,6 @@ from authentik.lib.utils.http import authentik_user_agent
 from authentik.lib.utils.reflection import get_env
 
 LOGGER = get_logger()
-_root_path = CONFIG.get("web.path", "/")
 
 
 class SentryIgnoredException(Exception):
@@ -91,7 +90,7 @@ def traces_sampler(sampling_context: dict) -> float:
     path = sampling_context.get("asgi_scope", {}).get("path", "")
     _type = sampling_context.get("asgi_scope", {}).get("type", "")
     # Ignore all healthcheck routes
-    if path.startswith(f"{_root_path}-/health") or path.startswith(f"{_root_path}-/metrics"):
+    if path.startswith("/-/health") or path.startswith("/-/metrics"):
         return 0
     if _type == "websocket":
         return 0

authentik/lib/sync/outgoing/tasks.py

@@ -82,7 +82,7 @@ class SyncTasks:
                 return
             try:
                 for page in users_paginator.page_range:
-                    messages.append(_("Syncing page {page} of users".format(page=page)))
+                    messages.append(_("Syncing page %(page)d of users" % {"page": page}))
                     for msg in sync_objects.apply_async(
                         args=(class_to_path(User), page, provider_pk),
                         time_limit=PAGE_TIMEOUT,
@@ -90,7 +90,7 @@ class SyncTasks:
                     ).get():
                         messages.append(LogEvent(**msg))
                 for page in groups_paginator.page_range:
-                    messages.append(_("Syncing page {page} of groups".format(page=page)))
+                    messages.append(_("Syncing page %(page)d of groups" % {"page": page}))
                     for msg in sync_objects.apply_async(
                         args=(class_to_path(Group), page, provider_pk),
                         time_limit=PAGE_TIMEOUT,

authentik/policies/expiry/models.py

@@ -43,9 +43,8 @@ class PasswordExpiryPolicy(Policy):
                 request.user.set_unusable_password()
                 request.user.save()
                 message = _(
-                    "Password expired {days} days ago. Please update your password.".format(
-                        days=days_since_expiry
-                    )
+                    "Password expired %(days)d days ago. Please update your password."
+                    % {"days": days_since_expiry}
                 )
                 return PolicyResult(False, message)
             return PolicyResult(False, _("Password has expired."))

authentik/policies/password/models.py

@@ -135,7 +135,7 @@ class PasswordPolicy(Policy):
         LOGGER.debug("got hibp result", count=final_count, hash=pw_hash[:5])
         if final_count > self.hibp_allowed_count:
             LOGGER.debug("password failed", check="hibp", count=final_count)
-            message = _("Password exists on {count} online lists.".format(count=final_count))
+            message = _("Password exists on %(count)d online lists." % {"count": final_count})
             return PolicyResult(False, message)
         return PolicyResult(True)
 

authentik/providers/oauth2/api/providers.py

@@ -73,8 +73,7 @@ class OAuth2ProviderSerializer(ProviderSerializer):
             "sub_mode",
             "property_mappings",
             "issuer_mode",
-            "jwt_federation_sources",
-            "jwt_federation_providers",
+            "jwks_sources",
         ]
         extra_kwargs = ProviderSerializer.Meta.extra_kwargs
 

authentik/providers/oauth2/migrations/0025_rename_jwks_sources_oauth2provider_jwt_federation_sources_and_more.py

@@ -1,25 +0,0 @@
-# Generated by Django 5.0.9 on 2024-11-22 14:25
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_providers_oauth2", "0024_remove_oauth2provider_redirect_uris_and_more"),
-    ]
-
-    operations = [
-        migrations.RenameField(
-            model_name="oauth2provider",
-            old_name="jwks_sources",
-            new_name="jwt_federation_sources",
-        ),
-        migrations.AddField(
-            model_name="oauth2provider",
-            name="jwt_federation_providers",
-            field=models.ManyToManyField(
-                blank=True, default=None, to="authentik_providers_oauth2.oauth2provider"
-            ),
-        ),
-    ]

authentik/providers/oauth2/models.py

@@ -244,7 +244,7 @@ class OAuth2Provider(WebfingerProvider, Provider):
         related_name="oauth2provider_encryption_key_set",
     )
 
-    jwt_federation_sources = models.ManyToManyField(
+    jwks_sources = models.ManyToManyField(
         OAuthSource,
         verbose_name=_(
             "Any JWT signed by the JWK of the selected source can be used to authenticate."
@@ -253,7 +253,6 @@ class OAuth2Provider(WebfingerProvider, Provider):
         default=None,
         blank=True,
     )
-    jwt_federation_providers = models.ManyToManyField("OAuth2Provider", blank=True, default=None)
 
     @cached_property
     def jwt_key(self) -> tuple[str | PrivateKeyTypes, str]:

authentik/providers/oauth2/tests/test_authorize.py

@@ -311,7 +311,7 @@ class TestAuthorize(OAuthTestCase):
         user = create_test_admin_user()
         self.client.force_login(user)
         # Step 1, initiate params and get redirect to flow
-        response = self.client.get(
+        self.client.get(
             reverse("authentik_providers_oauth2:authorize"),
             data={
                 "response_type": "code",
@@ -320,10 +320,16 @@ class TestAuthorize(OAuthTestCase):
                 "redirect_uri": "foo://localhost",
             },
         )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
         code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertEqual(
-            response.url,
-            f"foo://localhost?code={code.code}&state={state}",
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
         )
         self.assertAlmostEqual(
             code.expires.timestamp() - now().timestamp(),
@@ -371,7 +377,7 @@ class TestAuthorize(OAuthTestCase):
             ),
         ):
             # Step 1, initiate params and get redirect to flow
-            response = self.client.get(
+            self.client.get(
                 reverse("authentik_providers_oauth2:authorize"),
                 data={
                     "response_type": "id_token",
@@ -382,16 +388,22 @@ class TestAuthorize(OAuthTestCase):
                     "nonce": generate_id(),
                 },
             )
+            response = self.client.get(
+                reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+            )
             token: AccessToken = AccessToken.objects.filter(user=user).first()
             expires = timedelta_from_string(provider.access_token_validity).total_seconds()
-            self.assertEqual(
-                response.url,
-                (
+            self.assertJSONEqual(
+                response.content.decode(),
+                {
+                    "component": "xak-flow-redirect",
+                    "to": (
                         f"http://localhost#access_token={token.token}"
                         f"&id_token={provider.encode(token.id_token.to_dict())}"
                         f"&token_type={TOKEN_TYPE}"
                         f"&expires_in={int(expires)}&state={state}"
                     ),
+                },
             )
             jwt = self.validate_jwt(token, provider)
             self.assertEqual(jwt["amr"], ["pwd"])
@@ -443,7 +455,7 @@ class TestAuthorize(OAuthTestCase):
             ),
         ):
             # Step 1, initiate params and get redirect to flow
-            response = self.client.get(
+            self.client.get(
                 reverse("authentik_providers_oauth2:authorize"),
                 data={
                     "response_type": "id_token",
@@ -454,7 +466,10 @@ class TestAuthorize(OAuthTestCase):
                     "nonce": generate_id(),
                 },
             )
-            self.assertEqual(response.status_code, 302)
+            response = self.client.get(
+                reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+            )
+            self.assertEqual(response.status_code, 200)
             token: AccessToken = AccessToken.objects.filter(user=user).first()
             expires = timedelta_from_string(provider.access_token_validity).total_seconds()
             jwt = self.validate_jwe(token, provider)
@@ -491,7 +506,7 @@ class TestAuthorize(OAuthTestCase):
             ),
         ):
             # Step 1, initiate params and get redirect to flow
-            response = self.client.get(
+            self.client.get(
                 reverse("authentik_providers_oauth2:authorize"),
                 data={
                     "response_type": "code",
@@ -503,10 +518,16 @@ class TestAuthorize(OAuthTestCase):
                     "nonce": generate_id(),
                 },
             )
+            response = self.client.get(
+                reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+            )
             code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-            self.assertEqual(
-                response.url,
-                f"http://localhost#code={code.code}&state={state}",
+            self.assertJSONEqual(
+                response.content.decode(),
+                {
+                    "component": "xak-flow-redirect",
+                    "to": (f"http://localhost#code={code.code}" f"&state={state}"),
+                },
             )
             self.assertAlmostEqual(
                 code.expires.timestamp() - now().timestamp(),

authentik/providers/oauth2/tests/test_token_cc_jwt_provider.py

@@ -1,228 +0,0 @@
-"""Test token view"""
-
-from datetime import datetime, timedelta
-from json import loads
-
-from django.test import RequestFactory
-from django.urls import reverse
-from django.utils.timezone import now
-from jwt import decode
-
-from authentik.blueprints.tests import apply_blueprint
-from authentik.core.models import Application, Group
-from authentik.core.tests.utils import create_test_cert, create_test_flow, create_test_user
-from authentik.lib.generators import generate_id
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.constants import (
-    GRANT_TYPE_CLIENT_CREDENTIALS,
-    SCOPE_OPENID,
-    SCOPE_OPENID_EMAIL,
-    SCOPE_OPENID_PROFILE,
-    TOKEN_TYPE,
-)
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    OAuth2Provider,
-    RedirectURI,
-    RedirectURIMatchingMode,
-    ScopeMapping,
-)
-from authentik.providers.oauth2.tests.utils import OAuthTestCase
-
-
-class TestTokenClientCredentialsJWTProvider(OAuthTestCase):
-    """Test token (client_credentials, with JWT) view"""
-
-    @apply_blueprint("system/providers-oauth2.yaml")
-    def setUp(self) -> None:
-        super().setUp()
-        self.factory = RequestFactory()
-        self.other_cert = create_test_cert()
-        self.cert = create_test_cert()
-
-        self.other_provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            authorization_flow=create_test_flow(),
-            signing_key=self.other_cert,
-        )
-        self.other_provider.property_mappings.set(ScopeMapping.objects.all())
-        self.app = Application.objects.create(
-            name=generate_id(), slug=generate_id(), provider=self.other_provider
-        )
-
-        self.provider: OAuth2Provider = OAuth2Provider.objects.create(
-            name="test",
-            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
-            signing_key=self.cert,
-        )
-        self.provider.jwt_federation_providers.add(self.other_provider)
-        self.provider.property_mappings.set(ScopeMapping.objects.all())
-        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
-
-    def test_invalid_type(self):
-        """test invalid type"""
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            {
-                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
-                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
-                "client_id": self.provider.client_id,
-                "client_assertion_type": "foo",
-                "client_assertion": "foo.bar",
-            },
-        )
-        self.assertEqual(response.status_code, 400)
-        body = loads(response.content.decode())
-        self.assertEqual(body["error"], "invalid_grant")
-
-    def test_invalid_jwt(self):
-        """test invalid JWT"""
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            {
-                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
-                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
-                "client_id": self.provider.client_id,
-                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-                "client_assertion": "foo.bar",
-            },
-        )
-        self.assertEqual(response.status_code, 400)
-        body = loads(response.content.decode())
-        self.assertEqual(body["error"], "invalid_grant")
-
-    def test_invalid_signature(self):
-        """test invalid JWT"""
-        token = self.provider.encode(
-            {
-                "sub": "foo",
-                "exp": datetime.now() + timedelta(hours=2),
-            }
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            {
-                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
-                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
-                "client_id": self.provider.client_id,
-                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-                "client_assertion": token + "foo",
-            },
-        )
-        self.assertEqual(response.status_code, 400)
-        body = loads(response.content.decode())
-        self.assertEqual(body["error"], "invalid_grant")
-
-    def test_invalid_expired(self):
-        """test invalid JWT"""
-        token = self.provider.encode(
-            {
-                "sub": "foo",
-                "exp": datetime.now() - timedelta(hours=2),
-            }
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            {
-                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
-                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
-                "client_id": self.provider.client_id,
-                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-                "client_assertion": token,
-            },
-        )
-        self.assertEqual(response.status_code, 400)
-        body = loads(response.content.decode())
-        self.assertEqual(body["error"], "invalid_grant")
-
-    def test_invalid_no_app(self):
-        """test invalid JWT"""
-        self.app.provider = None
-        self.app.save()
-        token = self.provider.encode(
-            {
-                "sub": "foo",
-                "exp": datetime.now() + timedelta(hours=2),
-            }
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            {
-                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
-                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
-                "client_id": self.provider.client_id,
-                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-                "client_assertion": token,
-            },
-        )
-        self.assertEqual(response.status_code, 400)
-        body = loads(response.content.decode())
-        self.assertEqual(body["error"], "invalid_grant")
-
-    def test_invalid_access_denied(self):
-        """test invalid JWT"""
-        group = Group.objects.create(name="foo")
-        PolicyBinding.objects.create(
-            group=group,
-            target=self.app,
-            order=0,
-        )
-        token = self.provider.encode(
-            {
-                "sub": "foo",
-                "exp": datetime.now() + timedelta(hours=2),
-            }
-        )
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            {
-                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
-                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
-                "client_id": self.provider.client_id,
-                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-                "client_assertion": token,
-            },
-        )
-        self.assertEqual(response.status_code, 400)
-        body = loads(response.content.decode())
-        self.assertEqual(body["error"], "invalid_grant")
-
-    def test_successful(self):
-        """test successful"""
-        user = create_test_user()
-        token = self.other_provider.encode(
-            {
-                "sub": "foo",
-                "exp": datetime.now() + timedelta(hours=2),
-            }
-        )
-        AccessToken.objects.create(
-            provider=self.other_provider,
-            token=token,
-            user=user,
-            auth_time=now(),
-        )
-
-        response = self.client.post(
-            reverse("authentik_providers_oauth2:token"),
-            {
-                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
-                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
-                "client_id": self.provider.client_id,
-                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-                "client_assertion": token,
-            },
-        )
-        self.assertEqual(response.status_code, 200)
-        body = loads(response.content.decode())
-        self.assertEqual(body["token_type"], TOKEN_TYPE)
-        _, alg = self.provider.jwt_key
-        jwt = decode(
-            body["access_token"],
-            key=self.provider.signing_key.public_key,
-            algorithms=[alg],
-            audience=self.provider.client_id,
-        )
-        self.assertEqual(jwt["given_name"], user.name)
-        self.assertEqual(jwt["preferred_username"], user.username)

authentik/providers/oauth2/tests/test_token_cc_jwt_source.py

@@ -37,16 +37,9 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
     def setUp(self) -> None:
         super().setUp()
         self.factory = RequestFactory()
-        self.other_cert = create_test_cert()
-        # Provider used as a helper to sign JWTs with the same key as the OAuth source has
-        self.helper_provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-            authorization_flow=create_test_flow(),
-            signing_key=self.other_cert,
-        )
         self.cert = create_test_cert()
 
-        jwk = JWKSView().get_jwk_for_key(self.other_cert, "sig")
+        jwk = JWKSView().get_jwk_for_key(self.cert, "sig")
         self.source: OAuthSource = OAuthSource.objects.create(
             name=generate_id(),
             slug=generate_id(),
@@ -69,7 +62,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
             redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://testserver")],
             signing_key=self.cert,
         )
-        self.provider.jwt_federation_sources.add(self.source)
+        self.provider.jwks_sources.add(self.source)
         self.provider.property_mappings.set(ScopeMapping.objects.all())
         self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
 
@@ -107,7 +100,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
 
     def test_invalid_signature(self):
         """test invalid JWT"""
-        token = self.helper_provider.encode(
+        token = self.provider.encode(
             {
                 "sub": "foo",
                 "exp": datetime.now() + timedelta(hours=2),
@@ -129,7 +122,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
 
     def test_invalid_expired(self):
         """test invalid JWT"""
-        token = self.helper_provider.encode(
+        token = self.provider.encode(
             {
                 "sub": "foo",
                 "exp": datetime.now() - timedelta(hours=2),
@@ -153,7 +146,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
         """test invalid JWT"""
         self.app.provider = None
         self.app.save()
-        token = self.helper_provider.encode(
+        token = self.provider.encode(
             {
                 "sub": "foo",
                 "exp": datetime.now() + timedelta(hours=2),
@@ -181,7 +174,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
             target=self.app,
             order=0,
         )
-        token = self.helper_provider.encode(
+        token = self.provider.encode(
             {
                 "sub": "foo",
                 "exp": datetime.now() + timedelta(hours=2),
@@ -203,7 +196,7 @@ class TestTokenClientCredentialsJWTSource(OAuthTestCase):
 
     def test_successful(self):
         """test successful"""
-        token = self.helper_provider.encode(
+        token = self.provider.encode(
             {
                 "sub": "foo",
                 "exp": datetime.now() + timedelta(hours=2),

authentik/providers/oauth2/tests/test_token_pkce.py

@@ -45,7 +45,7 @@ class TestTokenPKCE(OAuthTestCase):
         challenge = generate_id()
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         # Step 1, initiate params and get redirect to flow
-        response = self.client.get(
+        self.client.get(
             reverse("authentik_providers_oauth2:authorize"),
             data={
                 "response_type": "code",
@@ -56,10 +56,16 @@ class TestTokenPKCE(OAuthTestCase):
                 "code_challenge_method": "S256",
             },
         )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
         code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertEqual(
-            response.url,
-            f"foo://localhost?code={code.code}&state={state}",
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
         )
         response = self.client.post(
             reverse("authentik_providers_oauth2:token"),
@@ -101,7 +107,7 @@ class TestTokenPKCE(OAuthTestCase):
         self.client.force_login(user)
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         # Step 1, initiate params and get redirect to flow
-        response = self.client.get(
+        self.client.get(
             reverse("authentik_providers_oauth2:authorize"),
             data={
                 "response_type": "code",
@@ -112,10 +118,16 @@ class TestTokenPKCE(OAuthTestCase):
                 # "code_challenge_method": "S256",
             },
         )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
         code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertEqual(
-            response.url,
-            f"foo://localhost?code={code.code}&state={state}",
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
         )
         response = self.client.post(
             reverse("authentik_providers_oauth2:token"),
@@ -162,7 +174,7 @@ class TestTokenPKCE(OAuthTestCase):
         )
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         # Step 1, initiate params and get redirect to flow
-        response = self.client.get(
+        self.client.get(
             reverse("authentik_providers_oauth2:authorize"),
             data={
                 "response_type": "code",
@@ -173,10 +185,16 @@ class TestTokenPKCE(OAuthTestCase):
                 "code_challenge_method": "S256",
             },
         )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
         code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertEqual(
-            response.url,
-            f"foo://localhost?code={code.code}&state={state}",
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
         )
         response = self.client.post(
             reverse("authentik_providers_oauth2:token"),
@@ -207,7 +225,7 @@ class TestTokenPKCE(OAuthTestCase):
         verifier = generate_id()
         header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
         # Step 1, initiate params and get redirect to flow
-        response = self.client.get(
+        self.client.get(
             reverse("authentik_providers_oauth2:authorize"),
             data={
                 "response_type": "code",
@@ -217,10 +235,16 @@ class TestTokenPKCE(OAuthTestCase):
                 "code_challenge": verifier,
             },
         )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
         code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
-        self.assertEqual(
-            response.url,
-            f"foo://localhost?code={code.code}&state={state}",
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
         )
         response = self.client.post(
             reverse("authentik_providers_oauth2:token"),

authentik/providers/oauth2/views/authorize.py

@@ -27,7 +27,9 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.stage import StageView
+from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.time import timedelta_from_string
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.types import PolicyRequest
 from authentik.policies.views import PolicyAccessView, RequestValidationError
@@ -452,16 +454,11 @@ class AuthorizationFlowInitView(PolicyAccessView):
 
         plan.append_stage(in_memory_stage(OAuthFulfillmentStage))
 
-        return plan.to_redirect(
-            self.request,
-            self.provider.authorization_flow,
-            # We can only skip the flow executor and directly go to the final redirect URL if
-            #  we can submit the data to the RP via URL
-            allowed_silent_types=(
-                [OAuthFulfillmentStage]
-                if self.params.response_mode in [ResponseMode.QUERY, ResponseMode.FRAGMENT]
-                else []
-            ),
+        self.request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
+            flow_slug=self.provider.authorization_flow.slug,
         )
 
 

authentik/providers/oauth2/views/device_init.py

@@ -16,6 +16,7 @@ from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.oauth2.models import DeviceToken
 from authentik.providers.oauth2.views.device_finish import (
@@ -72,7 +73,12 @@ class CodeValidatorView(PolicyAccessView):
             LOGGER.warning("Flow not applicable to user")
             return None
         plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
-        return plan.to_redirect(self.request, self.token.provider.authorization_flow)
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            request.GET,
+            flow_slug=self.token.provider.authorization_flow.slug,
+        )
 
 
 class DeviceEntryView(PolicyAccessView):
@@ -103,7 +109,11 @@ class DeviceEntryView(PolicyAccessView):
         plan.append_stage(in_memory_stage(OAuthDeviceCodeStage))
 
         self.request.session[SESSION_KEY_PLAN] = plan
-        return plan.to_redirect(self.request, device_flow)
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
+            flow_slug=device_flow.slug,
+        )
 
 
 class OAuthDeviceCodeChallenge(Challenge):
@@ -127,7 +137,7 @@ class OAuthDeviceCodeChallengeResponse(ChallengeResponse):
 
 
 class OAuthDeviceCodeStage(ChallengeStageView):
-    """Flow challenge for users to enter device code"""
+    """Flow challenge for users to enter device codes"""
 
     response_class = OAuthDeviceCodeChallengeResponse
 

authentik/providers/oauth2/views/end_session.py

@@ -7,6 +7,8 @@ from authentik.core.models import Application
 from authentik.flows.models import Flow, in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import SessionEndStage
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.views import PolicyAccessView
 
 
@@ -35,4 +37,9 @@ class EndSessionView(PolicyAccessView):
             },
         )
         plan.insert_stage(in_memory_stage(SessionEndStage))
-        return plan.to_redirect(self.request, self.flow)
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
+            flow_slug=self.flow.slug,
+        )

authentik/providers/oauth2/views/token.py

@@ -362,9 +362,23 @@ class TokenParams:
             },
         ).from_http(request, user=user)
 
-    def __validate_jwt_from_source(
-        self, assertion: str
-    ) -> tuple[dict, OAuthSource] | tuple[None, None]:
+    def __post_init_client_credentials_jwt(self, request: HttpRequest):
+        assertion_type = request.POST.get(CLIENT_ASSERTION_TYPE, "")
+        if assertion_type != CLIENT_ASSERTION_TYPE_JWT:
+            LOGGER.warning("Invalid assertion type", assertion_type=assertion_type)
+            raise TokenError("invalid_grant")
+
+        client_secret = request.POST.get("client_secret", None)
+        assertion = request.POST.get(CLIENT_ASSERTION, client_secret)
+        if not assertion:
+            LOGGER.warning("Missing client assertion")
+            raise TokenError("invalid_grant")
+
+        token = None
+
+        source: OAuthSource | None = None
+        parsed_key: PyJWK | None = None
+
         # Fully decode the JWT without verifying the signature, so we can get access to
         # the header.
         # Get the Key ID from the header, and use that to optimise our source query to only find
@@ -379,23 +393,19 @@ class TokenParams:
             LOGGER.warning("failed to parse JWT for kid lookup", exc=exc)
             raise TokenError("invalid_grant") from None
         expected_kid = decode_unvalidated["header"]["kid"]
-        fallback_alg = decode_unvalidated["header"]["alg"]
-        token = source = None
-        for source in self.provider.jwt_federation_sources.filter(
+        for source in self.provider.jwks_sources.filter(
             oidc_jwks__keys__contains=[{"kid": expected_kid}]
         ):
             LOGGER.debug("verifying JWT with source", source=source.slug)
             keys = source.oidc_jwks.get("keys", [])
             for key in keys:
-                if key.get("kid") and key.get("kid") != expected_kid:
-                    continue
                 LOGGER.debug("verifying JWT with key", source=source.slug, key=key.get("kid"))
                 try:
-                    parsed_key = PyJWK.from_dict(key).key
+                    parsed_key = PyJWK.from_dict(key)
                     token = decode(
                         assertion,
-                        parsed_key,
-                        algorithms=[key.get("alg")] if "alg" in key else [fallback_alg],
+                        parsed_key.key,
+                        algorithms=[key.get("alg")],
                         options={
                             "verify_aud": False,
                         },
@@ -404,61 +414,13 @@ class TokenParams:
                 # and not a public key
                 except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
                     LOGGER.warning("failed to verify JWT", exc=exc, source=source.slug)
-        if token:
-            LOGGER.info("successfully verified JWT with source", source=source.slug)
-        return token, source
-
-    def __validate_jwt_from_provider(
-        self, assertion: str
-    ) -> tuple[dict, OAuth2Provider] | tuple[None, None]:
-        token = provider = _key = None
-        federated_token = AccessToken.objects.filter(
-            token=assertion, provider__in=self.provider.jwt_federation_providers.all()
-        ).first()
-        if federated_token:
-            _key, _alg = federated_token.provider.jwt_key
-            try:
-                token = decode(
-                    assertion,
-                    _key.public_key(),
-                    algorithms=[_alg],
-                    options={
-                        "verify_aud": False,
-                    },
-                )
-                provider = federated_token.provider
-                self.user = federated_token.user
-            except (PyJWTError, ValueError, TypeError, AttributeError) as exc:
-                LOGGER.warning(
-                    "failed to verify JWT", exc=exc, provider=federated_token.provider.name
-                )
-
-        if token:
-            LOGGER.info("successfully verified JWT with provider", provider=provider.name)
-        return token, provider
-
-    def __post_init_client_credentials_jwt(self, request: HttpRequest):
-        assertion_type = request.POST.get(CLIENT_ASSERTION_TYPE, "")
-        if assertion_type != CLIENT_ASSERTION_TYPE_JWT:
-            LOGGER.warning("Invalid assertion type", assertion_type=assertion_type)
-            raise TokenError("invalid_grant")
-
-        client_secret = request.POST.get("client_secret", None)
-        assertion = request.POST.get(CLIENT_ASSERTION, client_secret)
-        if not assertion:
-            LOGGER.warning("Missing client assertion")
-            raise TokenError("invalid_grant")
-
-        source = provider = None
-
-        token, source = self.__validate_jwt_from_source(assertion)
-        if not token:
-            token, provider = self.__validate_jwt_from_provider(assertion)
 
         if not token:
             LOGGER.warning("No token could be verified")
             raise TokenError("invalid_grant")
 
+        LOGGER.info("successfully verified JWT with source", source=source.slug)
+
         if "exp" in token:
             exp = datetime.fromtimestamp(token["exp"])
             # Non-timezone aware check since we assume `exp` is in UTC
@@ -472,7 +434,6 @@ class TokenParams:
             raise TokenError("invalid_grant")
 
         self.__check_policy_access(app, request, oauth_jwt=token)
-        if not provider:
         self.__create_user_from_jwt(token, app, source)
 
         method_args = {
@@ -480,8 +441,8 @@ class TokenParams:
         }
         if source:
             method_args["source"] = source
-        if provider:
-            method_args["provider"] = provider
+        if parsed_key:
+            method_args["jwk_id"] = parsed_key.key_id
         Event.new(
             action=EventAction.LOGIN,
             **{

authentik/providers/proxy/api.py

@@ -94,8 +94,7 @@ class ProxyProviderSerializer(ProviderSerializer):
             "intercept_header_auth",
             "redirect_uris",
             "cookie_domain",
-            "jwt_federation_sources",
-            "jwt_federation_providers",
+            "jwks_sources",
             "access_token_validity",
             "refresh_token_validity",
             "outpost_set",

authentik/providers/saml/views/slo.py

@@ -13,6 +13,8 @@ from authentik.events.models import Event, EventAction
 from authentik.flows.models import Flow, in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import SessionEndStage
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
@@ -62,7 +64,12 @@ class SAMLSLOView(PolicyAccessView):
             },
         )
         plan.insert_stage(in_memory_stage(SessionEndStage))
-        return plan.to_redirect(self.request, self.flow)
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
+            flow_slug=self.flow.slug,
+        )
 
     def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:
         """GET and POST use the same handler, but we can't

authentik/providers/saml/views/sso.py

@@ -13,11 +13,12 @@ from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
-from authentik.flows.views.executor import SESSION_KEY_POST
+from authentik.flows.views.executor import SESSION_KEY_PLAN, SESSION_KEY_POST
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.saml.exceptions import CannotHandleAssertion
-from authentik.providers.saml.models import SAMLBindings, SAMLProvider
+from authentik.providers.saml.models import SAMLProvider
 from authentik.providers.saml.processors.authn_request_parser import AuthNRequestParser
 from authentik.providers.saml.views.flows import (
     REQUEST_KEY_RELAY_STATE,
@@ -73,12 +74,11 @@ class SAMLSSOView(PolicyAccessView):
         except FlowNonApplicableException:
             raise Http404 from None
         plan.append_stage(in_memory_stage(SAMLFlowFinalView))
-        return plan.to_redirect(
-            request,
-            self.provider.authorization_flow,
-            allowed_silent_types=(
-                [SAMLFlowFinalView] if self.provider.sp_binding in [SAMLBindings.REDIRECT] else []
-            ),
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            request.GET,
+            flow_slug=self.provider.authorization_flow.slug,
         )
 
     def post(self, request: HttpRequest, application_slug: str) -> HttpResponse:

authentik/root/settings.py

@@ -32,8 +32,6 @@ LOGIN_URL = "authentik_flows:default-authentication"
 # Custom user model
 AUTH_USER_MODEL = "authentik_core.User"
 
-CSRF_COOKIE_PATH = LANGUAGE_COOKIE_PATH = SESSION_COOKIE_PATH = CONFIG.get("web.path", "/")
-
 CSRF_COOKIE_NAME = "authentik_csrf"
 CSRF_HEADER_NAME = "HTTP_X_AUTHENTIK_CSRF"
 LANGUAGE_COOKIE_NAME = "authentik_language"
@@ -428,7 +426,7 @@ if _ERROR_REPORTING:
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
 
 STATICFILES_DIRS = [BASE_DIR / Path("web")]
-STATIC_URL = CONFIG.get("web.path", "/") + "static/"
+STATIC_URL = "/static/"
 
 STORAGES = {
     "staticfiles": {

authentik/root/urls.py

@@ -4,7 +4,6 @@ from django.urls import include, path
 from structlog.stdlib import get_logger
 
 from authentik.core.views import error
-from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_apps
 from authentik.root.monitoring import LiveView, MetricsView, ReadyView
 
@@ -15,7 +14,7 @@ handler403 = error.ForbiddenView.as_view()
 handler404 = error.NotFoundView.as_view()
 handler500 = error.ServerErrorView.as_view()
 
-_urlpatterns = []
+urlpatterns = []
 
 for _authentik_app in get_apps():
     mountpoints = None
@@ -36,7 +35,7 @@ for _authentik_app in get_apps():
                 namespace=namespace,
             ),
         )
-        _urlpatterns.append(_path)
+        urlpatterns.append(_path)
         LOGGER.debug(
             "Mounted URLs",
             app_name=_authentik_app.name,
@@ -44,10 +43,8 @@ for _authentik_app in get_apps():
             namespace=namespace,
         )
 
-_urlpatterns += [
+urlpatterns += [
     path("-/metrics/", MetricsView.as_view(), name="metrics"),
     path("-/health/live/", LiveView.as_view(), name="health-live"),
     path("-/health/ready/", ReadyView.as_view(), name="health-ready"),
 ]
-
-urlpatterns = [path(CONFIG.get("web.path", "/")[1:], include(_urlpatterns))]

authentik/root/websocket.py

@@ -2,16 +2,13 @@
 
 from importlib import import_module
 
-from channels.routing import URLRouter
-from django.urls import path
 from structlog.stdlib import get_logger
 
-from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_apps
 
 LOGGER = get_logger()
 
-_websocket_urlpatterns = []
+websocket_urlpatterns = []
 for _authentik_app in get_apps():
     try:
         api_urls = import_module(f"{_authentik_app.name}.urls")
@@ -20,15 +17,8 @@ for _authentik_app in get_apps():
     if not hasattr(api_urls, "websocket_urlpatterns"):
         continue
     urls: list = api_urls.websocket_urlpatterns
-    _websocket_urlpatterns.extend(urls)
+    websocket_urlpatterns.extend(urls)
     LOGGER.debug(
         "Mounted Websocket URLs",
         app_name=_authentik_app.name,
     )
-
-websocket_urlpatterns = [
-    path(
-        CONFIG.get("web.path", "/")[1:],
-        URLRouter(_websocket_urlpatterns),
-    ),
-]

authentik/sources/kerberos/models.py

@@ -6,6 +6,7 @@ from tempfile import gettempdir
 from typing import Any
 
 import gssapi
+import kadmin
 import pglock
 from django.db import connection, models
 from django.db.models.fields import b64decode
@@ -13,8 +14,6 @@ from django.http import HttpRequest
 from django.shortcuts import reverse
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
-from kadmin import KAdmin
-from kadmin.exceptions import PyKAdminException
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
@@ -31,8 +30,9 @@ from authentik.flows.challenge import RedirectChallenge
 LOGGER = get_logger()
 
 
-# Creating kadmin connections is expensive. As such, this global is used to reuse
-# existing kadmin connections instead of creating new ones
+# python-kadmin leaks file descriptors. As such, this global is used to reuse
+# existing kadmin connections instead of creating new ones, which results in less to no file
+# descriptors leaks
 _kadmin_connections: dict[str, Any] = {}
 
 
@@ -198,13 +198,13 @@ class KerberosSource(Source):
         conf_path.write_text(self.krb5_conf)
         return str(conf_path)
 
-    def _kadmin_init(self) -> KAdmin | None:
+    def _kadmin_init(self) -> "kadmin.KAdmin | None":
         # kadmin doesn't use a ccache for its connection
         # as such, we don't need to create a separate ccache for each source
         if not self.sync_principal:
             return None
         if self.sync_password:
-            return KAdmin.with_password(
+            return kadmin.init_with_password(
                 self.sync_principal,
                 self.sync_password,
             )
@@ -215,18 +215,18 @@ class KerberosSource(Source):
                 keytab_path.touch(mode=0o600)
                 keytab_path.write_bytes(b64decode(self.sync_keytab))
                 keytab = f"FILE:{keytab_path}"
-            return KAdmin.with_keytab(
+            return kadmin.init_with_keytab(
                 self.sync_principal,
                 keytab,
             )
         if self.sync_ccache:
-            return KAdmin.with_ccache(
+            return kadmin.init_with_ccache(
                 self.sync_principal,
                 self.sync_ccache,
             )
         return None
 
-    def connection(self) -> KAdmin | None:
+    def connection(self) -> "kadmin.KAdmin | None":
         """Get kadmin connection"""
         if str(self.pk) not in _kadmin_connections:
             kadm = self._kadmin_init()
@@ -246,7 +246,7 @@ class KerberosSource(Source):
                     status["status"] = "no connection"
                     return status
                 status["principal_exists"] = kadm.principal_exists(self.sync_principal)
-            except PyKAdminException as exc:
+            except kadmin.KAdminError as exc:
                 status["status"] = str(exc)
         return status
 

authentik/sources/kerberos/signals.py

@@ -1,8 +1,8 @@
 """authentik kerberos source signals"""
 
+import kadmin
 from django.db.models.signals import post_save
 from django.dispatch import receiver
-from kadmin.exceptions import PyKAdminException
 from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
 
@@ -45,12 +45,10 @@ def kerberos_sync_password(sender, user: User, password: str, **_):
             continue
         with Krb5ConfContext(source):
             try:
-                kadm = source.connection()
-                kadm.get_principal(user_source_connection.identifier).change_password(
-                    kadm,
-                    password,
+                source.connection().getprinc(user_source_connection.identifier).change_password(
+                    password
                 )
-            except PyKAdminException as exc:
+            except kadmin.KAdminError as exc:
                 LOGGER.warning("failed to set Kerberos password", exc=exc, source=source)
                 Event.new(
                     EventAction.CONFIGURATION_ERROR,

authentik/sources/kerberos/sync.py

@@ -2,9 +2,9 @@
 
 from typing import Any
 
+import kadmin
 from django.core.exceptions import FieldError
 from django.db import IntegrityError, transaction
-from kadmin import KAdmin
 from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.core.expression.exceptions import (
@@ -30,7 +30,7 @@ class KerberosSync:
 
     _source: KerberosSource
     _logger: BoundLogger
-    _connection: KAdmin
+    _connection: "kadmin.KAdmin"
     mapper: SourceMapper
     user_manager: PropertyMappingManager
     group_manager: PropertyMappingManager
@@ -161,7 +161,7 @@ class KerberosSync:
 
         user_count = 0
         with Krb5ConfContext(self._source):
-            for principal in self._connection.list_principals(None):
+            for principal in self._connection.principals():
                 if self._handle_principal(principal):
                     user_count += 1
         return user_count

authentik/sources/kerberos/tests/test_auth.py

@@ -23,7 +23,6 @@ class TestKerberosAuth(KerberosTestCase):
         )
         self.user = User.objects.create(username=generate_id())
         self.user.set_unusable_password()
-        self.user.save()
         UserKerberosSourceConnection.objects.create(
             source=self.source, user=self.user, identifier=self.realm.user_princ
         )

authentik/sources/kerberos/tests/test_spnego.py

@@ -2,8 +2,6 @@
 
 from base64 import b64decode, b64encode
 from pathlib import Path
-from sys import platform
-from unittest import skipUnless
 
 import gssapi
 from django.urls import reverse
@@ -38,7 +36,6 @@ class TestSPNEGOSource(KerberosTestCase):
         )
         self.assertEqual(response.status_code, 200)
 
-    @skipUnless(platform.startswith("linux"), "Requires compatible GSSAPI implementation")
     def test_source_login(self):
         """test login view"""
         response = self.client.get(

authentik/sources/saml/views.py

@@ -31,7 +31,8 @@ from authentik.flows.planner import (
     FlowPlanner,
 )
 from authentik.flows.stage import ChallengeStageView
-from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET
+from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.lib.views import bad_request_message
 from authentik.providers.saml.utils.encoding import nice64
 from authentik.sources.saml.exceptions import MissingSAMLResponse, UnsupportedNameIDFormat
@@ -88,7 +89,12 @@ class InitiateView(View):
             raise Http404 from None
         for stage in stages_to_append:
             plan.append_stage(stage)
-        return plan.to_redirect(self.request, source.pre_authentication_flow)
+        self.request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
+            flow_slug=source.pre_authentication_flow.slug,
+        )
 
     def get(self, request: HttpRequest, source_slug: str) -> HttpResponse:
         """Replies with an XHTML SSO Request."""

authentik/tenants/api/settings.py

@@ -23,7 +23,6 @@ class SettingsSerializer(ModelSerializer):
             "footer_links",
             "gdpr_compliance",
             "impersonation",
-            "impersonation_require_reason",
             "default_token_duration",
             "default_token_length",
         ]

authentik/tenants/migrations/0004_tenant_impersonation_require_reason.py

@@ -1,21 +0,0 @@
-# Generated by Django 5.0.9 on 2024-11-07 15:08
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_tenants", "0003_alter_tenant_default_token_duration"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="tenant",
-            name="impersonation_require_reason",
-            field=models.BooleanField(
-                default=True,
-                help_text="Require administrators to provide a reason for impersonating a user.",
-            ),
-        ),
-    ]

authentik/tenants/models.py

@@ -85,10 +85,6 @@ class Tenant(TenantMixin, SerializerModel):
     impersonation = models.BooleanField(
         help_text=_("Globally enable/disable impersonation."), default=True
     )
-    impersonation_require_reason = models.BooleanField(
-        help_text=_("Require administrators to provide a reason for impersonating a user."),
-        default=True,
-    )
     default_token_duration = models.TextField(
         help_text=_("Default token duration"),
         default=DEFAULT_TOKEN_DURATION,

authentik/tenants/utils.py

@@ -8,11 +8,9 @@ from authentik.root.install_id import get_install_id
 from authentik.tenants.models import Tenant
 
 
-def get_current_tenant(only: list[str] | None = None) -> Tenant:
+def get_current_tenant() -> Tenant:
     """Get tenant for current request"""
-    if only is None:
-        only = []
-    return Tenant.objects.only(*only).get(schema_name=connection.schema_name)
+    return Tenant.objects.get(schema_name=connection.schema_name)
 
 
 def get_unique_identifier() -> str:

blueprints/schema.json

@@ -5617,20 +5617,13 @@
                     "title": "Issuer mode",
                     "description": "Configure how the issuer field of the ID Token should be filled."
                 },
-                "jwt_federation_sources": {
+                "jwks_sources": {
                     "type": "array",
                     "items": {
                         "type": "integer",
                         "title": "Any JWT signed by the JWK of the selected source can be used to authenticate."
                     },
                     "title": "Any JWT signed by the JWK of the selected source can be used to authenticate."
-                },
-                "jwt_federation_providers": {
-                    "type": "array",
-                    "items": {
-                        "type": "integer"
-                    },
-                    "title": "Jwt federation providers"
                 }
             },
             "required": []
@@ -5753,7 +5746,7 @@
                     "type": "string",
                     "title": "Cookie domain"
                 },
-                "jwt_federation_sources": {
+                "jwks_sources": {
                     "type": "array",
                     "items": {
                         "type": "integer",
@@ -5761,13 +5754,6 @@
                     },
                     "title": "Any JWT signed by the JWK of the selected source can be used to authenticate."
                 },
-                "jwt_federation_providers": {
-                    "type": "array",
-                    "items": {
-                        "type": "integer"
-                    },
-                    "title": "Jwt federation providers"
-                },
                 "access_token_validity": {
                     "type": "string",
                     "minLength": 1,

cmd/server/healthcheck.go

@@ -47,7 +47,7 @@ func checkServer() int {
 	h := &http.Client{
 		Transport: web.NewUserAgentTransport("goauthentik.io/healthcheck", http.DefaultTransport),
 	}
-	url := fmt.Sprintf("http://%s%s-/health/live/", config.Get().Listen.HTTP, config.Get().Web.Path)
+	url := fmt.Sprintf("http://%s/-/health/live/", config.Get().Listen.HTTP)
 	res, err := h.Head(url)
 	if err != nil {
 		log.WithError(err).Warning("failed to send healthcheck request")

cmd/server/server.go

@@ -61,7 +61,7 @@ var rootCmd = &cobra.Command{
 		ex := common.Init()
 		defer common.Defer()
 
-		u, err := url.Parse(fmt.Sprintf("http://%s%s", config.Get().Listen.HTTP, config.Get().Web.Path))
+		u, err := url.Parse(fmt.Sprintf("http://%s", config.Get().Listen.HTTP))
 		if err != nil {
 			panic(err)
 		}

docker-compose.yml

@@ -49,10 +49,8 @@ services:
       - "${COMPOSE_PORT_HTTP:-9000}:9000"
       - "${COMPOSE_PORT_HTTPS:-9443}:9443"
     depends_on:
-      postgresql:
-        condition: service_healthy
-      redis:
-        condition: service_healthy
+      - postgresql
+      - redis
   worker:
     image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.5}
     restart: unless-stopped
@@ -78,10 +76,8 @@ services:
     env_file:
       - .env
     depends_on:
-      postgresql:
-        condition: service_healthy
-      redis:
-        condition: service_healthy
+      - postgresql
+      - redis
 
 volumes:
   database:

go.mod

@@ -7,7 +7,7 @@ toolchain go1.23.0
 require (
 	beryju.io/ldap v0.1.0
 	github.com/coreos/go-oidc/v3 v3.11.0
-	github.com/getsentry/sentry-go v0.30.0
+	github.com/getsentry/sentry-go v0.29.1
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/go-openapi/runtime v0.28.0
@@ -27,12 +27,12 @@ require (
 	github.com/sethvargo/go-envconfig v1.1.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
-	github.com/stretchr/testify v1.10.0
+	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024105.1
+	goauthentik.io/api/v3 v3.2024083.13
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.24.0
-	golang.org/x/sync v0.10.0
+	golang.org/x/oauth2 v0.23.0
+	golang.org/x/sync v0.8.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )

go.sum

@@ -69,8 +69,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.30.0 h1:lWUwDnY7sKHaVIoZ9wYqRHJ5iEmoc0pqcRqFkosKzBo=
-github.com/getsentry/sentry-go v0.30.0/go.mod h1:WU9B9/1/sHDqeV8T+3VwwbjeR5MSXs/6aqG3mqZrezA=
+github.com/getsentry/sentry-go v0.29.1 h1:DyZuChN8Hz3ARxGVV8ePaNXh1dQ7d76AiB117xcREwA=
+github.com/getsentry/sentry-go v0.29.1/go.mod h1:x3AtIzN01d6SiWkderzaH28Tm0lgkafpJ5Bm3li39O0=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -274,8 +274,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/wwt/guac v1.3.2 h1:sH6OFGa/1tBs7ieWBVlZe7t6F5JAOWBry/tqQL/Vup4=
 github.com/wwt/guac v1.3.2/go.mod h1:eKm+NrnK7A88l4UBEcYNpZQGMpZRryYKoz4D/0/n1C0=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024105.1 h1:PxOlStLdM+L80ciVJUWZRhf2VQrDVnNMcv+exeQ/qUA=
-goauthentik.io/api/v3 v3.2024105.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024083.13 h1:xKh3feJYUeLw583zZ5ifgV0qjD37ZCOzgXPfbHQSbHM=
+goauthentik.io/api/v3 v3.2024083.13/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -388,8 +388,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
-golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
+golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -400,8 +400,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

internal/config/struct.go

@@ -14,7 +14,6 @@ type Config struct {
 	// Config for both core and outposts
 	Debug  bool         `yaml:"debug" env:"AUTHENTIK_DEBUG, overwrite"`
 	Listen ListenConfig `yaml:"listen" env:", prefix=AUTHENTIK_LISTEN__"`
-	Web    WebConfig    `yaml:"web" env:", prefix=AUTHENTIK_WEB__"`
 
 	// Outpost specific config
 	// These are only relevant for proxy/ldap outposts, and cannot be set via YAML
@@ -73,7 +72,3 @@ type OutpostConfig struct {
 	Discover               bool   `yaml:"discover" env:"DISCOVER, overwrite"`
 	DisableEmbeddedOutpost bool   `yaml:"disable_embedded_outpost" env:"DISABLE_EMBEDDED_OUTPOST, overwrite"`
 }
-
-type WebConfig struct {
-	Path string `yaml:"path" env:"PATH, overwrite"`
-}

internal/outpost/ak/api.go

@@ -56,10 +56,10 @@ type APIController struct {
 func NewAPIController(akURL url.URL, token string) *APIController {
 	rsp := sentry.StartSpan(context.Background(), "authentik.outposts.init")
 
-	apiConfig := api.NewConfiguration()
-	apiConfig.Host = akURL.Host
-	apiConfig.Scheme = akURL.Scheme
-	apiConfig.HTTPClient = &http.Client{
+	config := api.NewConfiguration()
+	config.Host = akURL.Host
+	config.Scheme = akURL.Scheme
+	config.HTTPClient = &http.Client{
 		Transport: web.NewUserAgentTransport(
 			constants.OutpostUserAgent(),
 			web.NewTracingTransport(
@@ -68,15 +68,10 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 			),
 		),
 	}
-	apiConfig.Servers = api.ServerConfigurations{
-		{
-			URL: fmt.Sprintf("%sapi/v3", akURL.Path),
-		},
-	}
-	apiConfig.AddDefaultHeader("Authorization", fmt.Sprintf("Bearer %s", token))
+	config.AddDefaultHeader("Authorization", fmt.Sprintf("Bearer %s", token))
 
 	// create the API client, with the transport
-	apiClient := api.NewAPIClient(apiConfig)
+	apiClient := api.NewAPIClient(config)
 
 	log := log.WithField("logger", "authentik.outpost.ak-api-controller")
 

internal/outpost/ak/api_ws.go

@@ -17,7 +17,7 @@ import (
 )
 
 func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
-	pathTemplate := "%s://%s%sws/outpost/%s/?%s"
+	pathTemplate := "%s://%s/ws/outpost/%s/?%s"
 	query := akURL.Query()
 	query.Set("instance_uuid", ac.instanceUUID.String())
 	scheme := strings.ReplaceAll(akURL.Scheme, "http", "ws")
@@ -37,7 +37,7 @@ func (ac *APIController) initWS(akURL url.URL, outpostUUID string) error {
 		},
 	}
 
-	ws, _, err := dialer.Dial(fmt.Sprintf(pathTemplate, scheme, akURL.Host, akURL.Path, outpostUUID, akURL.Query().Encode()), header)
+	ws, _, err := dialer.Dial(fmt.Sprintf(pathTemplate, scheme, akURL.Host, outpostUUID, akURL.Query().Encode()), header)
 	if err != nil {
 		ac.logger.WithError(err).Warning("failed to connect websocket")
 		return err
@@ -83,7 +83,6 @@ func (ac *APIController) reconnectWS() {
 	u := url.URL{
 		Host:   ac.Client.GetConfig().Host,
 		Scheme: ac.Client.GetConfig().Scheme,
-		Path:   strings.ReplaceAll(ac.Client.GetConfig().Servers[0].URL, "api/v3", ""),
 	}
 	attempt := 1
 	for {

internal/web/metrics.go

@@ -46,7 +46,7 @@ func (ws *WebServer) runMetricsServer() {
 		).ServeHTTP(rw, r)
 
 		// Get upstream metrics
-		re, err := http.NewRequest("GET", fmt.Sprintf("%s%s-/metrics/", ws.upstreamURL.String(), config.Get().Web.Path), nil)
+		re, err := http.NewRequest("GET", fmt.Sprintf("%s/-/metrics/", ws.ul.String()), nil)
 		if err != nil {
 			l.WithError(err).Warning("failed to get upstream metrics")
 			return

internal/web/proxy.go

@@ -9,15 +9,14 @@ import (
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
-	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/utils/sentry"
 )
 
 func (ws *WebServer) configureProxy() {
 	// Reverse proxy to the application server
 	director := func(req *http.Request) {
-		req.URL.Scheme = ws.upstreamURL.Scheme
-		req.URL.Host = ws.upstreamURL.Host
+		req.URL.Scheme = ws.ul.Scheme
+		req.URL.Host = ws.ul.Host
 		if _, ok := req.Header["User-Agent"]; !ok {
 			// explicitly disable User-Agent so it's not set to default value
 			req.Header.Set("User-Agent", "")
@@ -33,10 +32,7 @@ func (ws *WebServer) configureProxy() {
 	}
 	rp.ErrorHandler = ws.proxyErrorHandler
 	rp.ModifyResponse = ws.proxyModifyResponse
-	ws.mainRouter.PathPrefix(config.Get().Web.Path).Path("/-/health/live/").HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
-		rw.WriteHeader(200)
-	}))
-	ws.mainRouter.PathPrefix(config.Get().Web.Path).HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
+	ws.m.PathPrefix("/").HandlerFunc(sentry.SentryNoSample(func(rw http.ResponseWriter, r *http.Request) {
 		if !ws.g.IsRunning() {
 			ws.proxyErrorHandler(rw, r, errors.New("authentik starting"))
 			return

internal/web/static.go

@@ -14,74 +14,46 @@ import (
 )
 
 func (ws *WebServer) configureStatic() {
-	// Setup routers
-	staticRouter := ws.loggingRouter.NewRoute().Subrouter()
+	staticRouter := ws.lh.NewRoute().Subrouter()
 	staticRouter.Use(ws.staticHeaderMiddleware)
-	indexLessRouter := staticRouter.NewRoute().Subrouter()
-	// Specifically disable index
-	indexLessRouter.Use(web.DisableIndex)
+	staticRouter.Use(web.DisableIndex)
 
 	distFs := http.FileServer(http.Dir("./web/dist"))
+	authentikHandler := http.StripPrefix("/static/authentik/", http.FileServer(http.Dir("./web/authentik")))
 
-	pathStripper := func(handler http.Handler, paths ...string) http.Handler {
-		h := handler
-		for _, path := range paths {
-			h = http.StripPrefix(path, h)
-		}
-		return h
-	}
+	// Root file paths, from which they should be accessed
+	staticRouter.PathPrefix("/static/dist/").Handler(http.StripPrefix("/static/dist/", distFs))
+	staticRouter.PathPrefix("/static/authentik/").Handler(authentikHandler)
 
-	helpHandler := http.FileServer(http.Dir("./website/help/"))
-
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/static/dist/").Handler(pathStripper(
-		distFs,
-		"static/dist/",
-		config.Get().Web.Path,
-	))
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/static/authentik/").Handler(pathStripper(
-		http.FileServer(http.Dir("./web/authentik")),
-		"static/authentik/",
-		config.Get().Web.Path,
-	))
-
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/flow/{flow_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+	// Also serve assets folder in specific interfaces since fonts in patternfly are imported
+	// with a relative path
+	staticRouter.PathPrefix("/if/flow/{flow_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		vars := mux.Vars(r)
 
-		pathStripper(
-			distFs,
-			"if/flow/"+vars["flow_slug"],
-			config.Get().Web.Path,
-		).ServeHTTP(rw, r)
+		web.DisableIndex(http.StripPrefix(fmt.Sprintf("/if/flow/%s", vars["flow_slug"]), distFs)).ServeHTTP(rw, r)
 	})
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/admin/assets").Handler(http.StripPrefix(fmt.Sprintf("%sif/admin", config.Get().Web.Path), distFs))
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/user/assets").Handler(http.StripPrefix(fmt.Sprintf("%sif/user", config.Get().Web.Path), distFs))
-	indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/rac/{app_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+	staticRouter.PathPrefix("/if/admin/assets").Handler(http.StripPrefix("/if/admin", distFs))
+	staticRouter.PathPrefix("/if/user/assets").Handler(http.StripPrefix("/if/user", distFs))
+	staticRouter.PathPrefix("/if/rac/{app_slug}/assets").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		vars := mux.Vars(r)
 
-		pathStripper(
-			distFs,
-			"if/rac/"+vars["app_slug"],
-			config.Get().Web.Path,
-		).ServeHTTP(rw, r)
+		web.DisableIndex(http.StripPrefix(fmt.Sprintf("/if/rac/%s", vars["app_slug"]), distFs)).ServeHTTP(rw, r)
 	})
 
 	// Media files, if backend is file
 	if config.Get().Storage.Media.Backend == "file" {
 		fsMedia := http.StripPrefix("/media", http.FileServer(http.Dir(config.Get().Storage.Media.File.Path)))
-		indexLessRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		staticRouter.PathPrefix("/media/").HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		    w.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
 		    fsMedia.ServeHTTP(w, r)
 		})
 	}
 
-	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/if/help/").Handler(pathStripper(
-		helpHandler,
-		config.Get().Web.Path,
-		"/if/help/",
-	))
-	staticRouter.PathPrefix(config.Get().Web.Path).PathPrefix("/help").Handler(http.RedirectHandler(fmt.Sprintf("%sif/help/", config.Get().Web.Path), http.StatusMovedPermanently))
+	staticRouter.PathPrefix("/if/help/").Handler(http.StripPrefix("/if/help/", http.FileServer(http.Dir("./website/help/"))))
+	staticRouter.PathPrefix("/help").Handler(http.RedirectHandler("/if/help/", http.StatusMovedPermanently))
 
-	staticRouter.PathPrefix(config.Get().Web.Path).Path("/robots.txt").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+	// Static misc files
+	ws.lh.Path("/robots.txt").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		rw.Header()["Content-Type"] = []string{"text/plain"}
 		rw.WriteHeader(200)
 		_, err := rw.Write(staticWeb.RobotsTxt)
@@ -89,7 +61,7 @@ func (ws *WebServer) configureStatic() {
 			ws.log.WithError(err).Warning("failed to write response")
 		}
 	})
-	staticRouter.PathPrefix(config.Get().Web.Path).Path("/.well-known/security.txt").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+	ws.lh.Path("/.well-known/security.txt").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		rw.Header()["Content-Type"] = []string{"text/plain"}
 		rw.WriteHeader(200)
 		_, err := rw.Write(staticWeb.SecurityTxt)

internal/web/web.go

@@ -34,12 +34,12 @@ type WebServer struct {
 	BrandTLS    *brand_tls.Watcher
 
 	g   *gounicorn.GoUnicorn
-	gunicornReady  bool
-	mainRouter     *mux.Router
-	loggingRouter  *mux.Router
+	gr  bool
+	m   *mux.Router
+	lh  *mux.Router
 	log *log.Entry
-	upstreamClient *http.Client
-	upstreamURL    *url.URL
+	uc  *http.Client
+	ul  *url.URL
 }
 
 const UnixSocketName = "authentik-core.sock"
@@ -73,22 +73,17 @@ func NewWebServer() *WebServer {
 	u, _ := url.Parse("http://localhost:8000")
 
 	ws := &WebServer{
-		mainRouter:     mainHandler,
-		loggingRouter:  loggingHandler,
+		m:   mainHandler,
+		lh:  loggingHandler,
 		log: l,
-		gunicornReady:  true,
-		upstreamClient: upstreamClient,
-		upstreamURL:    u,
+		gr:  true,
+		uc:  upstreamClient,
+		ul:  u,
 	}
 	ws.configureStatic()
 	ws.configureProxy()
-	// Redirect for sub-folder
-	if sp := config.Get().Web.Path; sp != "/" {
-		ws.mainRouter.Path("/").Handler(http.RedirectHandler(sp, http.StatusFound))
-	}
-	hcUrl := fmt.Sprintf("%s%s-/health/live/", ws.upstreamURL.String(), config.Get().Web.Path)
 	ws.g = gounicorn.New(func() bool {
-		req, err := http.NewRequest(http.MethodGet, hcUrl, nil)
+		req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/-/health/live/", ws.ul.String()), nil)
 		if err != nil {
 			ws.log.WithError(err).Warning("failed to create request for healthcheck")
 			return false
@@ -112,7 +107,7 @@ func (ws *WebServer) Start() {
 
 func (ws *WebServer) attemptStartBackend() {
 	for {
-		if !ws.gunicornReady {
+		if !ws.gr {
 			return
 		}
 		err := ws.g.Start()
@@ -140,7 +135,7 @@ func (ws *WebServer) Core() *gounicorn.GoUnicorn {
 }
 
 func (ws *WebServer) upstreamHttpClient() *http.Client {
-	return ws.upstreamClient
+	return ws.uc
 }
 
 func (ws *WebServer) Shutdown() {
@@ -165,7 +160,7 @@ func (ws *WebServer) listenPlain() {
 
 func (ws *WebServer) serve(listener net.Listener) {
 	srv := &http.Server{
-		Handler: ws.mainRouter,
+		Handler: ws.m,
 	}
 
 	// See https://golang.org/pkg/net/http/#Server.Shutdown

ldap.Dockerfile

@@ -33,7 +33,6 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
 # Stage 2: Run
 FROM ghcr.io/goauthentik/fips-debian:bookworm-slim-fips
 
-ARG VERSION
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 

lifecycle/ak.py

@@ -1,17 +1,15 @@
 """Wrapper for lifecycle/ak, to be installed by poetry"""
 
-from os import system, waitstatus_to_exitcode
+from os import system
 from pathlib import Path
-from sys import argv, exit
+from sys import argv
 
 
 def main():
     """Wrapper around ak bash script"""
     current_path = Path(__file__)
     args = " ".join(argv[1:])
-    res = system(f"{current_path.parent}/ak {args}")  # nosec
-    exit_code = waitstatus_to_exitcode(res)
-    exit(exit_code)
+    system(f"{current_path.parent}/ak {args}")  # nosec
 
 
 if __name__ == "__main__":