web: confirmation prompt updated to the latest version

* main: (2701 commits)
  website/developer-docs: add a baby Style Guide (#9900)
  website/integrations: gitlab: update certificate key pair location and specify sha (#9925)
  root: handle asgi exception (#10085)
  website: bump prettier from 3.3.1 to 3.3.2 in /website (#10082)
  web: bump prettier from 3.3.1 to 3.3.2 in /web (#10081)
  core: bump google-api-python-client from 2.132.0 to 2.133.0 (#10083)
  web: bump prettier from 3.3.1 to 3.3.2 in /tests/wdio (#10079)
  web: bump chromedriver from 125.0.3 to 126.0.0 in /tests/wdio (#10078)
  web: bump @sentry/browser from 8.8.0 to 8.9.1 in /web in the sentry group (#10080)
  web: bump braces from 3.0.2 to 3.0.3 in /web (#10077)
  website: bump braces from 3.0.2 to 3.0.3 in /website (#10076)
  web: bump braces from 3.0.2 to 3.0.3 in /tests/wdio (#10075)
  core: bump azure-identity from 1.16.0 to 1.16.1 (#10071)
  rbac: filters: fix missing attribute for unauthenticated requests (#10061)
  tests/e2e: docker-compose.yml: remove version element forgotten last time (#10067)
  providers/microsoft_entra: fix error when updating connection attributes (#10039)
  website/integrations: aws: fix about service link (#10062)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in it (#10060)
  core: bump github.com/redis/go-redis/v9 from 9.5.2 to 9.5.3 (#10046)
  core: bump github.com/gorilla/websocket from 1.5.1 to 1.5.2 (#10047)
  ...

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.3
+current_version = 2024.4.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@@ -17,8 +17,6 @@ optional_value = final
 
 [bumpversion:file:pyproject.toml]
 
-[bumpversion:file:package.json]
-
 [bumpversion:file:docker-compose.yml]
 
 [bumpversion:file:schema.yml]

.github/actions/comment-pr-instructions/action.yml

@@ -54,10 +54,9 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}
             ```
 
             For arm64, use these values:
@@ -66,10 +65,9 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}-arm64
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}-arm64
             ```
 
             Afterwards, run the upgrade commands from the latest release notes.

.github/actions/docker-push-variables/action.yml

@@ -29,15 +29,9 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
-  imageNames:
-    description: "Docker image names"
-    value: ${{ steps.ev.outputs.imageNames }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}
-  imageMainName:
-    description: "Docker image main name"
-    value: ${{ steps.ev.outputs.imageMainName }}
 
 runs:
   using: "composite"

.github/actions/docker-push-variables/push_vars.py

@@ -7,7 +7,7 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
 
-should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
+should_build = str(os.environ.get("DOCKER_USERNAME", None) is not None).lower()
 
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@@ -50,9 +50,8 @@ else:
             f"{name}:gh-{safe_branch_name}-{int(time())}-{sha[:7]}{suffix}",  # Use by FluxCD
         ]
 
-image_main_tag = image_tags[0].split(":")[-1]
+image_main_tag = image_tags[0]
 image_tags_rendered = ",".join(image_tags)
-image_names_rendered = ",".join(set(name.split(":")[0] for name in image_tags))
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldBuild={should_build}", file=_output)
@@ -60,6 +59,4 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)
     print(f"imageTags={image_tags_rendered}", file=_output)
-    print(f"imageNames={image_names_rendered}", file=_output)
     print(f"imageMainTag={image_main_tag}", file=_output)
-    print(f"imageMainName={image_tags[0]}", file=_output)

.github/dependabot.yml

@@ -21,10 +21,7 @@ updates:
     labels:
       - dependencies
   - package-ecosystem: npm
-    directories:
-      - "/web"
-      - "/tests/wdio"
-      - "/web/sfe"
+    directory: "/web"
     schedule:
       interval: daily
       time: "04:00"
@@ -33,6 +30,7 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
+    # TODO: deduplicate these groups
     groups:
       sentry:
         patterns:
@@ -58,6 +56,38 @@ updates:
         patterns:
           - "@rollup/*"
           - "rollup-*"
+  - package-ecosystem: npm
+    directory: "/tests/wdio"
+    schedule:
+      interval: daily
+      time: "04:00"
+    labels:
+      - dependencies
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "web:"
+    # TODO: deduplicate these groups
+    groups:
+      sentry:
+        patterns:
+          - "@sentry/*"
+          - "@spotlightjs/*"
+      babel:
+        patterns:
+          - "@babel/*"
+          - "babel-*"
+      eslint:
+        patterns:
+          - "@typescript-eslint/*"
+          - "eslint"
+          - "eslint-*"
+      storybook:
+        patterns:
+          - "@storybook/*"
+          - "*storybook*"
+      esbuild:
+        patterns:
+          - "@esbuild/*"
       wdio:
         patterns:
           - "@wdio/*"

.github/workflows/api-ts-publish.yml

@@ -31,12 +31,7 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
-        working-directory: web
-        run: |
-          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
-          npm i @goauthentik/api@$VERSION
-      - name: Upgrade /web/packages/sfe
-        working-directory: web/packages/sfe
+        working-directory: web/
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION

.github/workflows/ci-main.yml

@@ -213,16 +213,13 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -243,8 +240,7 @@ jobs:
       - name: generate ts client
         run: make gen-client-ts
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
+        uses: docker/build-push-action@v5
         with:
           context: .
           secrets: |
@@ -255,15 +251,8 @@ jobs:
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max
           platforms: linux/${{ matrix.arch }}
-      - uses: actions/attest-build-provenance@v1
-        id: attest
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
   pr-comment:
     needs:
       - build
@@ -285,7 +274,6 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: ./.github/actions/comment-pr-instructions
         with:
-          tag: ${{ steps.ev.outputs.imageMainTag }}
+          tag: gh-${{ steps.ev.outputs.imageMainTag }}

.github/workflows/ci-outpost.yml

@@ -71,15 +71,12 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -99,8 +96,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
@@ -110,14 +106,7 @@ jobs:
           platforms: linux/amd64,linux/arm64
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v1
-        id: attest
-        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache,mode=max
   build-binary:
     timeout-minutes: 120
     needs:

.github/workflows/ci-web.yml

@@ -12,29 +12,14 @@ on:
       - version-*
 
 jobs:
-  lint:
+  lint-eslint:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        command:
-          - lint
-          - lint:lockfile
-          - tsc
-          - prettier-check
         project:
           - web
           - tests/wdio
-        include:
-          - command: tsc
-            project: web
-          - command: lit-analyse
-            project: web
-        exclude:
-          - command: lint:lockfile
-            project: tests/wdio
-          - command: tsc
-            project: tests/wdio
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -43,17 +28,85 @@ jobs:
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
-        run: |
-          npm ci
-          ${{ matrix.extra_setup }}
+        run: npm ci
       - name: Generate API
         run: make gen-client-ts
-      - name: Lint
+      - name: Eslint
         working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
+        run: npm run lint
+  lint-lockfile:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - working-directory: web/
+        run: |
+          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
+  lint-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: TSC
+        working-directory: web/
+        run: npm run tsc
+  lint-prettier:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - web
+          - tests/wdio
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: ${{ matrix.project }}/package.json
+          cache: "npm"
+          cache-dependency-path: ${{ matrix.project }}/package-lock.json
+      - working-directory: ${{ matrix.project }}/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: prettier
+        working-directory: ${{ matrix.project }}/
+        run: npm run prettier-check
+  lint-lit-analyse:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: |
+          npm ci
+          # lit-analyse doesn't understand path rewrites, so make it
+          # belive it's an actual module
+          cd node_modules/@goauthentik
+          ln -s ../../src/ web
+      - name: Generate API
+        run: make gen-client-ts
+      - name: lit-analyse
+        working-directory: web/
+        run: npm run lit-analyse
   ci-web-mark:
     needs:
-      - lint
+      - lint-lockfile
+      - lint-eslint
+      - lint-prettier
+      - lint-lit-analyse
+      - lint-build
     runs-on: ubuntu-latest
     steps:
       - run: echo mark
@@ -75,21 +128,3 @@ jobs:
       - name: build
         working-directory: web/
         run: npm run build
-  test:
-    needs:
-      - ci-web-mark
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: test
-        working-directory: web/
-        run: npm run test

.github/workflows/ci-website.yml

@@ -12,21 +12,27 @@ on:
       - version-*
 
 jobs:
-  lint:
+  lint-lockfile:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint:lockfile
-          - prettier-check
     steps:
       - uses: actions/checkout@v4
+      - working-directory: website/
+        run: |
+          [ -z "$(jq -r '.packages | to_entries[] | select((.key | startswith("node_modules")) and (.value | has("resolved") | not)) | .key' < package-lock.json)" ]
+  lint-prettier:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
       - working-directory: website/
         run: npm ci
-      - name: Lint
+      - name: prettier
         working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: npm run prettier-check
   test:
     runs-on: ubuntu-latest
     steps:
@@ -63,7 +69,8 @@ jobs:
         run: npm run ${{ matrix.job }}
   ci-website-mark:
     needs:
-      - lint
+      - lint-lockfile
+      - lint-prettier
       - test
       - build
     runs-on: ubuntu-latest

.github/workflows/release-publish.yml

@@ -11,13 +11,10 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -43,8 +40,7 @@ jobs:
           mkdir -p ./gen-ts-api
           mkdir -p ./gen-go-api
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: true
@@ -53,20 +49,11 @@ jobs:
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/amd64,linux/arm64
-      - uses: actions/attest-build-provenance@v1
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     strategy:
       fail-fast: false
       matrix:
@@ -81,7 +68,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.2.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -107,20 +94,13 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
+        uses: docker/build-push-action@v5
         with:
           push: true
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v1
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.imageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
@@ -175,8 +155,8 @@ jobs:
       - uses: actions/checkout@v4
       - name: Run test suite in final docker images
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
           docker compose pull -q
           docker compose up --no-start
           docker compose start postgresql redis
@@ -198,8 +178,8 @@ jobs:
           image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image
         run: |
-          docker pull ${{ steps.ev.outputs.imageMainName }}
-          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
+          docker pull ${{ steps.ev.outputs.imageMainTag }}
+          container=$(docker container create ${{ steps.ev.outputs.imageMainTag }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
         uses: getsentry/action-release@v1

.github/workflows/release-tag.yml

@@ -14,8 +14,8 @@ jobs:
       - uses: actions/checkout@v4
       - name: Pre-release test
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
+          echo "PG_PASS=$(openssl rand 32 | base64)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64)" >> .env
           docker buildx install
           mkdir -p ./gen-ts-api
           docker build -t testing:latest .

.vscode/extensions.json

@@ -16,6 +16,6 @@
         "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx"
+        "unifiedjs.vscode-mdx",
     ]
 }

.vscode/launch.json

@@ -22,6 +22,6 @@
             },
             "justMyCode": true,
             "django": true
-        }
+        },
     ]
 }

.vscode/settings.json

@@ -18,21 +18,20 @@
         "sso",
         "totp",
         "traefik",
-        "webauthn"
+        "webauthn",
     ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
-        "!Condition sequence",
-        "!Context scalar",
-        "!Enumerate sequence",
-        "!Env scalar",
         "!Find sequence",
-        "!Format sequence",
-        "!If sequence",
-        "!Index scalar",
         "!KeyOf scalar",
-        "!Value scalar"
+        "!Context scalar",
+        "!Context sequence",
+        "!Format sequence",
+        "!Condition sequence",
+        "!Env sequence",
+        "!Env scalar",
+        "!If sequence"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",
@@ -49,7 +48,9 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": ["-count=1"],
+    "go.testFlags": [
+        "-count=1"
+    ],
     "github-actions.workflows.pinned.workflows": [
         ".github/workflows/ci-main.yml"
     ]

.vscode/tasks.json

@@ -2,67 +2,85 @@
     "version": "2.0.0",
     "tasks": [
         {
-            "label": "authentik/core: make",
+            "label": "authentik[core]: format & test",
             "command": "poetry",
-            "args": ["run", "make", "lint-fix", "lint"],
-            "presentation": {
-                "panel": "new"
-            },
-            "group": "test"
+            "args": [
+                "run",
+                "make"
+            ],
+            "group": "build",
         },
         {
-            "label": "authentik/core: run",
+            "label": "authentik[core]: run",
             "command": "poetry",
-            "args": ["run", "ak", "server"],
+            "args": [
+                "run",
+                "make",
+                "run",
+            ],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
-            "label": "authentik/web: make",
+            "label": "authentik[web]: format",
             "command": "make",
             "args": ["web"],
-            "group": "build"
+            "group": "build",
         },
         {
-            "label": "authentik/web: watch",
+            "label": "authentik[web]: watch",
             "command": "make",
             "args": ["web-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
             "label": "authentik: install",
             "command": "make",
-            "args": ["install", "-j4"],
-            "group": "build"
+            "args": ["install"],
+            "group": "build",
         },
         {
-            "label": "authentik/website: make",
+            "label": "authentik: i18n-extract",
+            "command": "poetry",
+            "args": [
+                "run",
+                "make",
+                "i18n-extract"
+            ],
+            "group": "build",
+        },
+        {
+            "label": "authentik[website]: format",
             "command": "make",
             "args": ["website"],
-            "group": "build"
+            "group": "build",
         },
         {
-            "label": "authentik/website: watch",
+            "label": "authentik[website]: watch",
             "command": "make",
             "args": ["website-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
-            "label": "authentik/api: generate",
+            "label": "authentik[api]: generate",
             "command": "poetry",
-            "args": ["run", "make", "gen"],
+            "args": [
+                "run",
+                "make",
+                "gen"
+            ],
             "group": "build"
-        }
+        },
     ]
 }

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:22 as website-builder
 
 ENV NODE_ENV=production
 
@@ -20,22 +20,17 @@ COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:22 as web-builder
 
-ARG GIT_BUILD_HASH
-ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production
 
 WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
-    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
-COPY ./package.json /work
 COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
@@ -94,7 +89,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS python-deps
 
 WORKDIR /ak-root/poetry
 
@@ -121,7 +116,7 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     pip install --force-reinstall /wheels/*"
 
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.5-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS final-image
 
 ARG GIT_BUILD_HASH
 ARG VERSION

Makefile

@@ -47,8 +47,8 @@ test-go:
 	go test -timeout 0 -v -race -cover ./...
 
 test-docker:  ## Run all tests in a docker-compose
-	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
-	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
+	echo "PG_PASS=$(shell openssl rand 32 | base64)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64)" >> .env
 	docker compose pull -q
 	docker compose up --no-start
 	docker compose start postgresql redis
@@ -60,11 +60,9 @@ test: ## Run the server tests and produce a coverage report (locally)
 	coverage html
 	coverage report
 
-lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	black $(PY_SOURCES)
 	ruff check --fix $(PY_SOURCES)
-
-lint-codespell:  ## Reports spelling errors.
 	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources
@@ -241,7 +239,7 @@ website: website-lint-fix website-build  ## Automatically fix formatting issues
 website-install:
 	cd website && npm ci
 
-website-lint-fix: lint-codespell
+website-lint-fix:
 	cd website && npm run prettier
 
 website-build:

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version  | Supported |
-| -------- | --------- |
-| 2024.4.x | ✅        |
-| 2024.6.x | ✅        |
+| Version   | Supported |
+| --------- | --------- |
+| 2023.10.x | ✅        |
+| 2024.2.x  | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.6.3"
+__version__ = "2024.4.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/system.py

@@ -16,7 +16,6 @@ from rest_framework.views import APIView
 
 from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
-from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
@@ -33,7 +32,7 @@ class RuntimeDict(TypedDict):
     platform: str
     uname: str
     openssl_version: str
-    openssl_fips_enabled: bool | None
+    openssl_fips_mode: bool
     authentik_version: str
 
 
@@ -72,9 +71,7 @@ class SystemInfoSerializer(PassiveSerializer):
             "architecture": platform.machine(),
             "authentik_version": get_full_version(),
             "environment": get_env(),
-            "openssl_fips_enabled": (
-                backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
-            ),
+            "openssl_fips_enabled": backend._fips_enabled,
             "openssl_version": OPENSSL_VERSION,
             "platform": platform.platform(),
             "python_version": python_version,

authentik/api/templates/api/browser.html

@@ -1,13 +1,13 @@
 {% extends "base/skeleton.html" %}
 
-{% load authentik_core %}
+{% load static %}
 
 {% block title %}
 API Browser - {{ brand.branding_title }}
 {% endblock %}
 
 {% block head %}
-{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
+<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}

authentik/blueprints/management/commands/apply_blueprint.py

@@ -23,11 +23,9 @@ class Command(BaseCommand):
                 for blueprint_path in options.get("blueprints", []):
                     content = BlueprintInstance(path=blueprint_path).retrieve()
                     importer = Importer.from_string(content)
-                    valid, logs = importer.validate()
+                    valid, _ = importer.validate()
                     if not valid:
-                        self.stderr.write("Blueprint invalid")
-                        for log in logs:
-                            self.stderr.write(f"\t{log.logger}: {log.event}: {log.attributes}")
+                        self.stderr.write("blueprint invalid")
                         sys_exit(1)
                     importer.apply()
 

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -113,19 +113,16 @@ class Command(BaseCommand):
             )
             model_path = f"{model._meta.app_label}.{model._meta.model_name}"
             self.schema["properties"]["entries"]["items"]["oneOf"].append(
-                self.template_entry(model_path, model, serializer)
+                self.template_entry(model_path, serializer)
             )
 
-    def template_entry(self, model_path: str, model: type[Model], serializer: Serializer) -> dict:
+    def template_entry(self, model_path: str, serializer: Serializer) -> dict:
         """Template entry for a single model"""
         model_schema = self.to_jsonschema(serializer)
         model_schema["required"] = []
         def_name = f"model_{model_path}"
         def_path = f"#/$defs/{def_name}"
         self.schema["$defs"][def_name] = model_schema
-        def_name_perm = f"model_{model_path}_permissions"
-        def_path_perm = f"#/$defs/{def_name_perm}"
-        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
         return {
             "type": "object",
             "required": ["model", "identifiers"],
@@ -138,7 +135,6 @@ class Command(BaseCommand):
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},
-                "permissions": {"$ref": def_path_perm},
                 "attrs": {"$ref": def_path},
                 "identifiers": {"$ref": def_path},
             },
@@ -189,20 +185,3 @@ class Command(BaseCommand):
         if required:
             result["required"] = required
         return result
-
-    def model_permissions(self, model: type[Model]) -> dict:
-        perms = [x[0] for x in model._meta.permissions]
-        for action in model._meta.default_permissions:
-            perms.append(f"{action}_{model._meta.model_name}")
-        return {
-            "type": "array",
-            "items": {
-                "type": "object",
-                "required": ["permission"],
-                "properties": {
-                    "permission": {"type": "string", "enum": perms},
-                    "user": {"type": "integer"},
-                    "role": {"type": "string"},
-                },
-            },
-        }

authentik/blueprints/tests/fixtures/rbac_object.yaml

@@ -1,24 +0,0 @@
-version: 1
-entries:
-  - model: authentik_core.user
-    id: user
-    identifiers:
-      username: "%(id)s"
-    attrs:
-      name: "%(id)s"
-  - model: authentik_rbac.role
-    id: role
-    identifiers:
-      name: "%(id)s"
-  - model: authentik_flows.flow
-    identifiers:
-      slug: "%(id)s"
-    attrs:
-      designation: authentication
-      name: foo
-      title: foo
-    permissions:
-      - permission: view_flow
-        user: !KeyOf user
-      - permission: view_flow
-        role: !KeyOf role

authentik/blueprints/tests/fixtures/rbac_role.yaml

@@ -1,8 +0,0 @@
-version: 1
-entries:
-  - model: authentik_rbac.role
-    identifiers:
-      name: "%(id)s"
-    attrs:
-      permissions:
-        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/fixtures/rbac_user.yaml

@@ -1,9 +0,0 @@
-version: 1
-entries:
-  - model: authentik_core.user
-    identifiers:
-      username: "%(id)s"
-    attrs:
-      name: "%(id)s"
-      permissions:
-        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/test_v1_rbac.py

@@ -1,57 +0,0 @@
-"""Test blueprints v1"""
-
-from django.test import TransactionTestCase
-from guardian.shortcuts import get_perms
-
-from authentik.blueprints.v1.importer import Importer
-from authentik.core.models import User
-from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
-from authentik.rbac.models import Role
-
-
-class TestBlueprintsV1RBAC(TransactionTestCase):
-    """Test Blueprints rbac attribute"""
-
-    def test_user_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_user.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        user = User.objects.filter(username=uid).first()
-        self.assertIsNotNone(user)
-        self.assertTrue(user.has_perms(["authentik_blueprints.view_blueprintinstance"]))
-
-    def test_role_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_role.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        role = Role.objects.filter(name=uid).first()
-        self.assertIsNotNone(role)
-        self.assertEqual(
-            list(role.group.permissions.all().values_list("codename", flat=True)),
-            ["view_blueprintinstance"],
-        )
-
-    def test_object_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_object.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        flow = Flow.objects.filter(slug=uid).first()
-        user = User.objects.filter(username=uid).first()
-        role = Role.objects.filter(name=uid).first()
-        self.assertIsNotNone(flow)
-        self.assertEqual(get_perms(user, flow), ["view_flow"])
-        self.assertEqual(get_perms(role.group, flow), ["view_flow"])

authentik/blueprints/v1/common.py

@@ -1,7 +1,7 @@
 """transfer common classes"""
 
 from collections import OrderedDict
-from collections.abc import Generator, Iterable, Mapping
+from collections.abc import Iterable, Mapping
 from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
@@ -58,15 +58,6 @@ class BlueprintEntryDesiredState(Enum):
     MUST_CREATED = "must_created"
 
 
-@dataclass
-class BlueprintEntryPermission:
-    """Describe object-level permissions"""
-
-    permission: Union[str, "YAMLTag"]
-    user: Union[int, "YAMLTag", None] = field(default=None)
-    role: Union[str, "YAMLTag", None] = field(default=None)
-
-
 @dataclass
 class BlueprintEntry:
     """Single entry of a blueprint"""
@@ -78,7 +69,6 @@ class BlueprintEntry:
     conditions: list[Any] = field(default_factory=list)
     identifiers: dict[str, Any] = field(default_factory=dict)
     attrs: dict[str, Any] | None = field(default_factory=dict)
-    permissions: list[BlueprintEntryPermission] = field(default_factory=list)
 
     id: str | None = None
 
@@ -160,17 +150,6 @@ class BlueprintEntry:
         """Get the blueprint model, with yaml tags resolved if present"""
         return str(self.tag_resolver(self.model, blueprint))
 
-    def get_permissions(
-        self, blueprint: "Blueprint"
-    ) -> Generator[BlueprintEntryPermission, None, None]:
-        """Get permissions of this entry, with all yaml tags resolved"""
-        for perm in self.permissions:
-            yield BlueprintEntryPermission(
-                permission=self.tag_resolver(perm.permission, blueprint),
-                user=self.tag_resolver(perm.user, blueprint),
-                role=self.tag_resolver(perm.role, blueprint),
-            )
-
     def check_all_conditions_match(self, blueprint: "Blueprint") -> bool:
         """Check all conditions of this entry match (evaluate to True)"""
         return all(self.tag_resolver(self.conditions, blueprint))
@@ -328,10 +307,7 @@ class Find(YAMLTag):
         else:
             model_name = self.model_name
 
-        try:
-            model_class = apps.get_model(*model_name.split("."))
-        except LookupError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+        model_class = apps.get_model(*model_name.split("."))
 
         query = Q()
         for cond in self.conditions:

authentik/blueprints/v1/importer.py

@@ -16,7 +16,6 @@ from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from guardian.models import UserObjectPermission
-from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
 from structlog.stdlib import BoundLogger, get_logger
@@ -33,11 +32,9 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
 from authentik.core.models import (
     AuthenticatedSession,
-    GroupSourceConnection,
     PropertyMapping,
     Provider,
     Source,
-    User,
     UserSourceConnection,
 )
 from authentik.enterprise.license import LicenseKey
@@ -57,13 +54,11 @@ from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
-from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
-from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
@@ -92,7 +87,6 @@ def excluded_models() -> list[type[Model]]:
         Source,
         PropertyMapping,
         UserSourceConnection,
-        GroupSourceConnection,
         Stage,
         OutpostServiceConnection,
         Policy,
@@ -142,16 +136,6 @@ def transaction_rollback():
         pass
 
 
-def rbac_models() -> dict:
-    models = {}
-    for app in get_apps():
-        for model in app.get_models():
-            if not is_model_allowed(model):
-                continue
-            models[model._meta.model_name] = app.label
-    return models
-
-
 class Importer:
     """Import Blueprint from raw dict or YAML/JSON"""
 
@@ -170,10 +154,7 @@ class Importer:
 
     def default_context(self):
         """Default context"""
-        return {
-            "goauthentik.io/enterprise/licensed": LicenseKey.get_total().status().is_valid,
-            "goauthentik.io/rbac/models": rbac_models(),
-        }
+        return {"goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid()}
 
     @staticmethod
     def from_string(yaml_input: str, context: dict | None = None) -> "Importer":
@@ -233,17 +214,14 @@ class Importer:
 
         return main_query | sub_query
 
-    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:  # noqa: PLR0915
+    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:
         """Validate a single entry"""
         if not entry.check_all_conditions_match(self._import):
             self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
             return None
 
         model_app_label, model_name = entry.get_model(self._import).split(".")
-        try:
-            model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
-        except LookupError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+        model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
         # Don't use isinstance since we don't want to check for inheritance
         if not is_model_allowed(model):
             raise EntryInvalidError.from_entry(f"Model {model} not allowed", entry)
@@ -318,7 +296,10 @@ class Importer:
         try:
             full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+            raise EntryInvalidError.from_entry(
+                exc,
+                entry,
+            ) from exc
         always_merger.merge(full_data, updated_identifiers)
         serializer_kwargs["data"] = full_data
 
@@ -339,15 +320,6 @@ class Importer:
             ) from exc
         return serializer
 
-    def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
-        """Apply object-level permissions for an entry"""
-        for perm in entry.get_permissions(self._import):
-            if perm.user is not None:
-                assign_perm(perm.permission, User.objects.get(pk=perm.user), instance)
-            if perm.role is not None:
-                role = Role.objects.get(pk=perm.role)
-                role.assign_permission(perm.permission, obj=instance)
-
     def apply(self) -> bool:
         """Apply (create/update) models yaml, in database transaction"""
         try:
@@ -412,7 +384,6 @@ class Importer:
                 if "pk" in entry.identifiers:
                     self.__pk_map[entry.identifiers["pk"]] = instance.pk
                 entry._state = BlueprintEntryState(instance)
-                self._apply_permissions(instance, entry)
             elif state == BlueprintEntryDesiredState.ABSENT:
                 instance: Model | None = serializer.instance
                 if instance.pk:

authentik/brands/api.py

@@ -11,20 +11,21 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.tenants.utils import get_current_tenant
 
 
 class FooterLinkSerializer(PassiveSerializer):
     """Links returned in Config API"""
 
-    href = CharField(read_only=True, allow_null=True)
+    href = CharField(read_only=True)
     name = CharField(read_only=True)
 
 
@@ -55,7 +56,6 @@ class BrandSerializer(ModelSerializer):
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
-            "default_application",
             "web_certificate",
             "attributes",
         ]

authentik/brands/apps.py

@@ -9,6 +9,3 @@ class AuthentikBrandsConfig(AppConfig):
     name = "authentik.brands"
     label = "authentik_brands"
     verbose_name = "authentik Brands"
-    mountpoints = {
-        "authentik.brands.urls_root": "",
-    }

authentik/brands/migrations/0007_brand_default_application.py

@@ -1,26 +0,0 @@
-# Generated by Django 5.0.6 on 2024-07-04 20:32
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0006_brand_authentik_b_domain_b9b24a_idx_and_more"),
-        ("authentik_core", "0035_alter_group_options_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="default_application",
-            field=models.ForeignKey(
-                default=None,
-                help_text="When set, external users will be redirected to this application after authenticating.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                to="authentik_core.application",
-            ),
-        ),
-    ]

authentik/brands/models.py

@@ -3,7 +3,6 @@
 from uuid import uuid4
 
 from django.db import models
-from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
@@ -52,16 +51,6 @@ class Brand(SerializerModel):
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
     )
 
-    default_application = models.ForeignKey(
-        "authentik_core.Application",
-        null=True,
-        default=None,
-        on_delete=models.SET_DEFAULT,
-        help_text=_(
-            "When set, external users will be redirected to this application after authenticating."
-        ),
-    )
-
     web_certificate = models.ForeignKey(
         CertificateKeyPair,
         null=True,
@@ -99,13 +88,3 @@ class Brand(SerializerModel):
             models.Index(fields=["domain"]),
             models.Index(fields=["default"]),
         ]
-
-
-class WebfingerProvider(models.Model):
-    """Provider which supports webfinger discovery"""
-
-    class Meta:
-        abstract = True
-
-    def webfinger(self, resource: str, request: HttpRequest) -> dict:
-        raise NotImplementedError()

authentik/brands/tests.py

@@ -5,11 +5,7 @@ from rest_framework.test import APITestCase
 
 from authentik.brands.api import Themes
 from authentik.brands.models import Brand
-from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
-from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import OAuth2Provider
-from authentik.providers.saml.models import SAMLProvider
 
 
 class TestBrands(APITestCase):
@@ -79,45 +75,3 @@ class TestBrands(APITestCase):
             reverse("authentik_api:brand-list"), data={"domain": "bar", "default": True}
         )
         self.assertEqual(response.status_code, 400)
-
-    def test_webfinger_no_app(self):
-        """Test Webfinger"""
-        create_test_brand()
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
-        )
-
-    def test_webfinger_not_supported(self):
-        """Test Webfinger"""
-        brand = create_test_brand()
-        provider = SAMLProvider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        brand.default_application = app
-        brand.save()
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
-        )
-
-    def test_webfinger_oidc(self):
-        """Test Webfinger"""
-        brand = create_test_brand()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        brand.default_application = app
-        brand.save()
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_brands:webfinger")).content.decode(),
-            {
-                "links": [
-                    {
-                        "href": f"http://testserver/application/o/{app.slug}/",
-                        "rel": "http://openid.net/specs/connect/1.0/issuer",
-                    }
-                ],
-                "subject": None,
-            },
-        )

authentik/brands/urls_root.py

@@ -1,9 +0,0 @@
-"""authentik brand root URLs"""
-
-from django.urls import path
-
-from authentik.brands.views.webfinger import WebFingerView
-
-urlpatterns = [
-    path(".well-known/webfinger", WebFingerView.as_view(), name="webfinger"),
-]

authentik/brands/utils.py

@@ -5,7 +5,7 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from sentry_sdk import get_current_span
+from sentry_sdk.hub import Hub
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
@@ -33,7 +33,7 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
     brand = getattr(request, "brand", DEFAULT_BRAND)
     tenant = getattr(request, "tenant", Tenant())
     trace = ""
-    span = get_current_span()
+    span = Hub.current.scope.span
     if span:
         trace = span.to_traceparent()
     return {

authentik/brands/views/webfinger.py

@@ -1,29 +0,0 @@
-from typing import Any
-
-from django.http import HttpRequest, HttpResponse, JsonResponse
-from django.views import View
-
-from authentik.brands.models import Brand, WebfingerProvider
-from authentik.core.models import Application
-
-
-class WebFingerView(View):
-    """Webfinger endpoint"""
-
-    def get(self, request: HttpRequest) -> HttpResponse:
-        brand: Brand = request.brand
-        if not brand.default_application:
-            return JsonResponse({})
-        application: Application = brand.default_application
-        provider = application.get_provider()
-        if not provider or not isinstance(provider, WebfingerProvider):
-            return JsonResponse({})
-        webfinger_data = provider.webfinger(request.GET.get("resource"), request)
-        return JsonResponse(webfinger_data)
-
-    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        response = super().dispatch(request, *args, **kwargs)
-        # RFC7033 spec
-        response["Access-Control-Allow-Origin"] = "*"
-        response["Content-Type"] = "application/jrd+json"
-        return response

authentik/core/api/applications.py

@@ -17,6 +17,7 @@ from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodFiel
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
@@ -25,7 +26,6 @@ from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
@@ -103,12 +103,7 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
     """Application Viewset"""
 
-    queryset = (
-        Application.objects.all()
-        .with_provider()
-        .prefetch_related("policies")
-        .prefetch_related("backchannel_providers")
-    )
+    queryset = Application.objects.all().prefetch_related("provider")
     serializer_class = ApplicationSerializer
     search_fields = [
         "name",
@@ -152,15 +147,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 applications.append(application)
         return applications
 
-    def _filter_applications_with_launch_url(
-        self, pagined_apps: Iterator[Application]
-    ) -> list[Application]:
-        applications = []
-        for app in pagined_apps:
-            if app.get_launch_url():
-                applications.append(app)
-        return applications
-
     @extend_schema(
         parameters=[
             OpenApiParameter(
@@ -218,11 +204,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.INT,
             ),
-            OpenApiParameter(
-                name="only_with_launch_url",
-                location=OpenApiParameter.QUERY,
-                type=OpenApiTypes.BOOL,
-            ),
         ]
     )
     def list(self, request: Request) -> Response:
@@ -235,10 +216,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if superuser_full_list and request.user.is_superuser:
             return super().list(request)
 
-        only_with_launch_url = str(
-            request.query_params.get("only_with_launch_url", "false")
-        ).lower()
-
         queryset = self._filter_queryset_for_list(self.get_queryset())
         paginator: Pagination = self.paginator
         paginated_apps = paginator.paginate_queryset(queryset, request)
@@ -274,10 +251,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                     allowed_applications,
                     timeout=86400,
                 )
-
-        if only_with_launch_url == "true":
-            allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
-
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 

authentik/core/api/authenticated_sessions.py

@@ -8,12 +8,12 @@ from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict

authentik/core/api/devices.py

@@ -2,13 +2,7 @@
 
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from rest_framework.fields import (
-    BooleanField,
-    CharField,
-    DateTimeField,
-    IntegerField,
-    SerializerMethodField,
-)
+from rest_framework.fields import BooleanField, CharField, IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -26,9 +20,6 @@ class DeviceSerializer(MetaNameSerializer):
     name = CharField()
     type = SerializerMethodField()
     confirmed = BooleanField()
-    created = DateTimeField(read_only=True)
-    last_updated = DateTimeField(read_only=True)
-    last_used = DateTimeField(read_only=True, allow_null=True)
 
     def get_type(self, instance: Device) -> str:
         """Get type of device"""

authentik/core/api/groups.py

@@ -17,12 +17,12 @@ from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer, ValidationError
+from rest_framework.serializers import ListSerializer, ModelSerializer, ValidationError
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.core.models import Group, User
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required

authentik/core/api/property_mappings.py

@@ -2,23 +2,17 @@
 
 from json import dumps
 
-from django_filters.filters import AllValuesMultipleFilter, BooleanFilter
-from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import (
-    OpenApiParameter,
-    OpenApiResponse,
-    extend_schema,
-    extend_schema_field,
-)
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
-from rest_framework.fields import BooleanField, CharField, SerializerMethodField
+from rest_framework.fields import BooleanField, CharField
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.blueprints.api import ManagedSerializer
@@ -26,7 +20,6 @@ from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
     MetaNameSerializer,
-    ModelSerializer,
     PassiveSerializer,
 )
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
@@ -74,18 +67,6 @@ class PropertyMappingSerializer(ManagedSerializer, ModelSerializer, MetaNameSeri
         ]
 
 
-class PropertyMappingFilterSet(FilterSet):
-    """Filter for PropertyMapping"""
-
-    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
-
-    managed__isnull = BooleanFilter(field_name="managed", lookup_expr="isnull")
-
-    class Meta:
-        model = PropertyMapping
-        fields = ["name", "managed"]
-
-
 class PropertyMappingViewSet(
     TypesMixin,
     mixins.RetrieveModelMixin,
@@ -106,9 +87,11 @@ class PropertyMappingViewSet(
 
     queryset = PropertyMapping.objects.select_subclasses()
     serializer_class = PropertyMappingSerializer
-    filterset_class = PropertyMappingFilterSet
+    search_fields = [
+        "name",
+    ]
+    filterset_fields = {"managed": ["isnull"]}
     ordering = ["name"]
-    search_fields = ["name"]
 
     @permission_required("authentik_core.view_propertymapping")
     @extend_schema(

authentik/core/api/providers.py

@@ -6,12 +6,13 @@ from django.utils.translation import gettext_lazy as _
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
 from rest_framework import mixins
-from rest_framework.fields import ReadOnlyField, SerializerMethodField
+from rest_framework.fields import ReadOnlyField
+from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.core.api.utils import MetaNameSerializer
 from authentik.core.models import Provider
 
 

authentik/core/api/sources.py

@@ -11,6 +11,7 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 
@@ -18,8 +19,8 @@ from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
-from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
+from authentik.core.api.utils import MetaNameSerializer
+from authentik.core.models import Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.file import (
     FilePathSerializer,
@@ -60,8 +61,6 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
             "enabled",
             "authentication_flow",
             "enrollment_flow",
-            "user_property_mappings",
-            "group_property_mappings",
             "component",
             "verbose_name",
             "verbose_name_plural",
@@ -190,47 +189,6 @@ class UserSourceConnectionViewSet(
     queryset = UserSourceConnection.objects.all()
     serializer_class = UserSourceConnectionSerializer
     permission_classes = [OwnerSuperuserPermissions]
-    filterset_fields = ["user", "source__slug"]
-    search_fields = ["source__slug"]
+    filterset_fields = ["user"]
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
-    ordering = ["source__slug", "pk"]
-
-
-class GroupSourceConnectionSerializer(SourceSerializer):
-    """Group Source Connection Serializer"""
-
-    source = SourceSerializer(read_only=True)
-
-    class Meta:
-        model = GroupSourceConnection
-        fields = [
-            "pk",
-            "group",
-            "source",
-            "identifier",
-            "created",
-        ]
-        extra_kwargs = {
-            "group": {"read_only": True},
-            "identifier": {"read_only": True},
-            "created": {"read_only": True},
-        }
-
-
-class GroupSourceConnectionViewSet(
-    mixins.RetrieveModelMixin,
-    mixins.UpdateModelMixin,
-    mixins.DestroyModelMixin,
-    UsedByMixin,
-    mixins.ListModelMixin,
-    GenericViewSet,
-):
-    """Group-source connection Viewset"""
-
-    queryset = GroupSourceConnection.objects.all()
-    serializer_class = GroupSourceConnectionSerializer
-    permission_classes = [OwnerSuperuserPermissions]
-    filterset_fields = ["group", "source__slug"]
-    search_fields = ["source__slug"]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
-    ordering = ["source__slug", "pk"]
+    ordering = ["pk"]

authentik/core/api/tokens.py

@@ -12,6 +12,7 @@ from rest_framework.fields import CharField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.authorization import OwnerSuperuserPermissions
@@ -19,7 +20,7 @@ from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_EXPIRING,
     USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
@@ -44,13 +45,6 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
             self.fields["key"] = CharField(required=False)
 
-    def validate_user(self, user: User):
-        """Ensure user of token cannot be changed"""
-        if self.instance and self.instance.user_id:
-            if user.pk != self.instance.user_id:
-                raise ValidationError("User cannot be changed")
-        return user
-
     def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
         """Ensure only API or App password tokens are created."""
         request: Request = self.context.get("request")

authentik/core/api/users.py

@@ -5,7 +5,6 @@ from json import loads
 from typing import Any
 
 from django.contrib.auth import update_session_auth_hash
-from django.contrib.auth.models import Permission
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.db.models.functions import ExtractHour
@@ -34,21 +33,16 @@ from drf_spectacular.utils import (
 )
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.exceptions import ValidationError
-from rest_framework.fields import (
-    BooleanField,
-    CharField,
-    ChoiceField,
-    DateTimeField,
-    IntegerField,
-    ListField,
-    SerializerMethodField,
-)
+from rest_framework.fields import CharField, IntegerField, ListField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
+    BooleanField,
+    DateTimeField,
     ListSerializer,
+    ModelSerializer,
     PrimaryKeyRelatedField,
+    ValidationError,
 )
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
@@ -58,12 +52,7 @@ from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import (
-    JSONDictField,
-    LinkSerializer,
-    ModelSerializer,
-    PassiveSerializer,
-)
+from authentik.core.api.utils import JSONDictField, LinkSerializer, PassiveSerializer
 from authentik.core.middleware import (
     SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
     SESSION_KEY_IMPERSONATE_USER,
@@ -85,7 +74,6 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
-from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -149,19 +137,12 @@ class UserSerializer(ModelSerializer):
         super().__init__(*args, **kwargs)
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
             self.fields["password"] = CharField(required=False, allow_null=True)
-            self.fields["permissions"] = ListField(
-                required=False, child=ChoiceField(choices=get_permission_choices())
-            )
 
     def create(self, validated_data: dict) -> User:
         """If this serializer is used in the blueprint context, we allow for
         directly setting a password. However should be done via the `set_password`
         method instead of directly setting it like rest_framework."""
         password = validated_data.pop("password", None)
-        permissions = Permission.objects.filter(
-            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
-        )
-        validated_data["user_permissions"] = permissions
         instance: User = super().create(validated_data)
         self._set_password(instance, password)
         return instance
@@ -170,10 +151,6 @@ class UserSerializer(ModelSerializer):
         """Same as `create` above, set the password directly if we're in a blueprint
         context"""
         password = validated_data.pop("password", None)
-        permissions = Permission.objects.filter(
-            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
-        )
-        validated_data["user_permissions"] = permissions
         instance = super().update(instance, validated_data)
         self._set_password(instance, password)
         return instance

authentik/core/api/utils.py

@@ -12,12 +12,9 @@ from rest_framework.fields import (
     JSONField,
     SerializerMethodField,
 )
-from rest_framework.serializers import ModelSerializer as BaseModelSerializer
 from rest_framework.serializers import (
     Serializer,
     ValidationError,
-    model_meta,
-    raise_errors_on_nested_writes,
 )
 
 
@@ -28,39 +25,6 @@ def is_dict(value: Any):
     raise ValidationError("Value must be a dictionary, and not have any duplicate keys.")
 
 
-class ModelSerializer(BaseModelSerializer):
-
-    def update(self, instance: Model, validated_data):
-        raise_errors_on_nested_writes("update", self, validated_data)
-        info = model_meta.get_field_info(instance)
-
-        # Simply set each attribute on the instance, and then save it.
-        # Note that unlike `.create()` we don't need to treat many-to-many
-        # relationships as being a special case. During updates we already
-        # have an instance pk for the relationships to be associated with.
-        m2m_fields = []
-        for attr, value in validated_data.items():
-            if attr in info.relations and info.relations[attr].to_many:
-                m2m_fields.append((attr, value))
-            else:
-                setattr(instance, attr, value)
-
-        instance.save()
-
-        # Note that many-to-many fields are set after updating instance.
-        # Setting m2m fields triggers signals which could potentially change
-        # updated instance and we do not want it to collide with .update()
-        for attr, value in m2m_fields:
-            field = getattr(instance, attr)
-            # We can't check for inheritance here as m2m managers are generated dynamically
-            if field.__class__.__name__ == "RelatedManager":
-                field.set(value, bulk=False)
-            else:
-                field.set(value)
-
-        return instance
-
-
 class JSONDictField(JSONField):
     """JSON Field which only allows dictionaries"""
 

authentik/core/expression/evaluator.py

@@ -76,11 +76,8 @@ class PropertyMappingEvaluator(BaseEvaluator):
         )
         if "request" in self._context:
             req: PolicyRequest = self._context["request"]
-            if req.http_request:
-                event.from_http(req.http_request, req.user)
-                return
-            elif req.user:
-                event.set_user(req.user)
+            event.from_http(req.http_request, req.user)
+            return
         event.save()
 
     def evaluate(self, *args, **kwargs) -> Any:

authentik/core/expression/exceptions.py

@@ -1,6 +1,5 @@
 """authentik core exceptions"""
 
-from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.sentry import SentryIgnoredException
 
 
@@ -13,7 +12,7 @@ class PropertyMappingExpressionException(SentryIgnoredException):
         self.mapping = mapping
 
 
-class SkipObjectException(ControlFlowException):
+class SkipObjectException(PropertyMappingExpressionException):
     """Exception which can be raised in a property mapping to skip syncing an object.
     Only applies to Property mappings which sync objects, and not on mappings which transitively
     apply to a single user"""

authentik/core/management/commands/change_user_type.py

@@ -1,28 +0,0 @@
-"""Change user type"""
-
-from authentik.core.models import User, UserTypes
-from authentik.tenants.management import TenantCommand
-
-
-class Command(TenantCommand):
-    """Change user type"""
-
-    def add_arguments(self, parser):
-        parser.add_argument("--type", type=str, required=True)
-        parser.add_argument("--all", action="store_true")
-        parser.add_argument("usernames", nargs="+", type=str)
-
-    def handle_per_tenant(self, **options):
-        new_type = UserTypes(options["type"])
-        qs = (
-            User.objects.exclude_anonymous()
-            .exclude(type=UserTypes.SERVICE_ACCOUNT)
-            .exclude(type=UserTypes.INTERNAL_SERVICE_ACCOUNT)
-        )
-        if options["usernames"] and options["all"]:
-            self.stderr.write("--all and usernames specified, only one can be specified")
-            return
-        if options["usernames"] and not options["all"]:
-            qs = qs.filter(username__in=options["usernames"])
-        updated = qs.update(type=new_type)
-        self.stdout.write(f"Updated {updated} users.")

authentik/core/migrations/0029_provider_backchannel_applications_and_more.py

@@ -7,13 +7,12 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
 def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
     from authentik.providers.ldap.models import LDAPProvider
     from authentik.providers.scim.models import SCIMProvider
 
     for model in [LDAPProvider, SCIMProvider]:
         try:
-            for obj in model.objects.using(db_alias).only("is_backchannel"):
+            for obj in model.objects.only("is_backchannel"):
                 obj.is_backchannel = True
                 obj.save()
         except (DatabaseError, InternalError, ProgrammingError):

authentik/core/migrations/0036_source_group_property_mappings_and_more.py

@@ -1,43 +0,0 @@
-# Generated by Django 5.0.2 on 2024-02-29 11:05
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0035_alter_group_options_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="source",
-            name="group_property_mappings",
-            field=models.ManyToManyField(
-                blank=True,
-                default=None,
-                related_name="source_grouppropertymappings_set",
-                to="authentik_core.propertymapping",
-            ),
-        ),
-        migrations.AddField(
-            model_name="source",
-            name="user_property_mappings",
-            field=models.ManyToManyField(
-                blank=True,
-                default=None,
-                related_name="source_userpropertymappings_set",
-                to="authentik_core.propertymapping",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="source",
-            name="property_mappings",
-            field=models.ManyToManyField(
-                blank=True,
-                default=None,
-                related_name="source_set",
-                to="authentik_core.propertymapping",
-            ),
-        ),
-    ]

authentik/core/migrations/0037_remove_source_property_mappings.py

@@ -1,18 +0,0 @@
-# Generated by Django 5.0.2 on 2024-02-29 11:21
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_sources_ldap", "0005_remove_ldappropertymapping_object_field_and_more"),
-        ("authentik_core", "0036_source_group_property_mappings_and_more"),
-    ]
-
-    operations = [
-        migrations.RemoveField(
-            model_name="source",
-            name="property_mappings",
-        ),
-    ]

authentik/core/migrations/0038_source_authentik_c_enabled_d72365_idx.py

@@ -1,19 +0,0 @@
-# Generated by Django 5.0.7 on 2024-07-22 13:32
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0037_remove_source_property_mappings"),
-        ("authentik_flows", "0027_auto_20231028_1424"),
-        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
-    ]
-
-    operations = [
-        migrations.AddIndex(
-            model_name="source",
-            index=models.Index(fields=["enabled"], name="authentik_c_enabled_d72365_idx"),
-        ),
-    ]

authentik/core/migrations/0039_source_group_matching_mode_alter_group_name_and_more.py

@@ -1,67 +0,0 @@
-# Generated by Django 5.0.7 on 2024-08-01 18:52
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0038_source_authentik_c_enabled_d72365_idx"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="source",
-            name="group_matching_mode",
-            field=models.TextField(
-                choices=[
-                    ("identifier", "Use the source-specific identifier"),
-                    (
-                        "name_link",
-                        "Link to a group with identical name. Can have security implications when a group name is used with another source.",
-                    ),
-                    (
-                        "name_deny",
-                        "Use the group name, but deny enrollment when the name already exists.",
-                    ),
-                ],
-                default="identifier",
-                help_text="How the source determines if an existing group should be used or a new group created.",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="group",
-            name="name",
-            field=models.TextField(verbose_name="name"),
-        ),
-        migrations.CreateModel(
-            name="GroupSourceConnection",
-            fields=[
-                (
-                    "id",
-                    models.AutoField(
-                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
-                    ),
-                ),
-                ("created", models.DateTimeField(auto_now_add=True)),
-                ("last_updated", models.DateTimeField(auto_now=True)),
-                ("identifier", models.TextField()),
-                (
-                    "group",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.group"
-                    ),
-                ),
-                (
-                    "source",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.source"
-                    ),
-                ),
-            ],
-            options={
-                "unique_together": {("group", "source")},
-            },
-        ),
-    ]

authentik/core/models.py

@@ -11,7 +11,6 @@ from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.db import models
 from django.db.models import Q, QuerySet, options
-from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
 from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.timezone import now
@@ -27,9 +26,7 @@ from authentik.blueprints.models import ManagedModel
 from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
-from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.generators import generate_id
-from authentik.lib.merge import MERGE_LIST_UNIQUE
 from authentik.lib.models import (
     CreatedUpdatedModel,
     DomainlessFormattedURLValidator,
@@ -102,38 +99,6 @@ class UserTypes(models.TextChoices):
     INTERNAL_SERVICE_ACCOUNT = "internal_service_account"
 
 
-class AttributesMixin(models.Model):
-    """Adds an attributes property to a model"""
-
-    attributes = models.JSONField(default=dict, blank=True)
-
-    class Meta:
-        abstract = True
-
-    def update_attributes(self, properties: dict[str, Any]):
-        """Update fields and attributes, but correctly by merging dicts"""
-        for key, value in properties.items():
-            if key == "attributes":
-                continue
-            setattr(self, key, value)
-        final_attributes = {}
-        MERGE_LIST_UNIQUE.merge(final_attributes, self.attributes)
-        MERGE_LIST_UNIQUE.merge(final_attributes, properties.get("attributes", {}))
-        self.attributes = final_attributes
-        self.save()
-
-    @classmethod
-    def update_or_create_attributes(
-        cls, query: dict[str, Any], properties: dict[str, Any]
-    ) -> tuple[models.Model, bool]:
-        """Same as django's update_or_create but correctly updates attributes by merging dicts"""
-        instance = cls.objects.filter(**query).first()
-        if not instance:
-            return cls.objects.create(**properties), True
-        instance.update_attributes(properties)
-        return instance, False
-
-
 class GroupQuerySet(CTEQuerySet):
     def with_children_recursive(self):
         """Recursively get all groups that have the current queryset as parents
@@ -168,12 +133,12 @@ class GroupQuerySet(CTEQuerySet):
         return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
 
 
-class Group(SerializerModel, AttributesMixin):
+class Group(SerializerModel):
     """Group model which supports a basic hierarchy and has attributes"""
 
     group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
 
-    name = models.TextField(_("name"))
+    name = models.CharField(_("name"), max_length=80)
     is_superuser = models.BooleanField(
         default=False, help_text=_("Users added to this group will be superusers.")
     )
@@ -188,27 +153,10 @@ class Group(SerializerModel, AttributesMixin):
         on_delete=models.SET_NULL,
         related_name="children",
     )
+    attributes = models.JSONField(default=dict, blank=True)
 
     objects = GroupQuerySet.as_manager()
 
-    class Meta:
-        unique_together = (
-            (
-                "name",
-                "parent",
-            ),
-        )
-        indexes = [models.Index(fields=["name"])]
-        verbose_name = _("Group")
-        verbose_name_plural = _("Groups")
-        permissions = [
-            ("add_user_to_group", _("Add user to group")),
-            ("remove_user_from_group", _("Remove user from group")),
-        ]
-
-    def __str__(self):
-        return f"Group {self.name}"
-
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.groups import GroupSerializer
@@ -233,6 +181,24 @@ class Group(SerializerModel, AttributesMixin):
             qs = Group.objects.filter(group_uuid=self.group_uuid)
         return qs.with_children_recursive()
 
+    def __str__(self):
+        return f"Group {self.name}"
+
+    class Meta:
+        unique_together = (
+            (
+                "name",
+                "parent",
+            ),
+        )
+        indexes = [models.Index(fields=["name"])]
+        verbose_name = _("Group")
+        verbose_name_plural = _("Groups")
+        permissions = [
+            ("add_user_to_group", _("Add user to group")),
+            ("remove_user_from_group", _("Remove user from group")),
+        ]
+
 
 class UserQuerySet(models.QuerySet):
     """User queryset"""
@@ -258,7 +224,7 @@ class UserManager(DjangoUserManager):
         return self.get_queryset().exclude_anonymous()
 
 
-class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
+class User(SerializerModel, GuardianUserMixin, AbstractUser):
     """authentik User model, based on django's contrib auth user model."""
 
     uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
@@ -270,30 +236,10 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
     ak_groups = models.ManyToManyField("Group", related_name="users")
     password_change_date = models.DateTimeField(auto_now_add=True)
 
+    attributes = models.JSONField(default=dict, blank=True)
+
     objects = UserManager()
 
-    class Meta:
-        verbose_name = _("User")
-        verbose_name_plural = _("Users")
-        permissions = [
-            ("reset_user_password", _("Reset Password")),
-            ("impersonate", _("Can impersonate other users")),
-            ("assign_user_permissions", _("Can assign permissions to users")),
-            ("unassign_user_permissions", _("Can unassign permissions from users")),
-            ("preview_user", _("Can preview user data sent to providers")),
-            ("view_user_applications", _("View applications the user has access to")),
-        ]
-        indexes = [
-            models.Index(fields=["last_login"]),
-            models.Index(fields=["password_change_date"]),
-            models.Index(fields=["uuid"]),
-            models.Index(fields=["path"]),
-            models.Index(fields=["type"]),
-        ]
-
-    def __str__(self):
-        return self.username
-
     @staticmethod
     def default_path() -> str:
         """Get the default user path"""
@@ -375,6 +321,25 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         """Get avatar, depending on authentik.avatar setting"""
         return get_avatar(self)
 
+    class Meta:
+        verbose_name = _("User")
+        verbose_name_plural = _("Users")
+        permissions = [
+            ("reset_user_password", _("Reset Password")),
+            ("impersonate", _("Can impersonate other users")),
+            ("assign_user_permissions", _("Can assign permissions to users")),
+            ("unassign_user_permissions", _("Can unassign permissions from users")),
+            ("preview_user", _("Can preview user data sent to providers")),
+            ("view_user_applications", _("View applications the user has access to")),
+        ]
+        indexes = [
+            models.Index(fields=["last_login"]),
+            models.Index(fields=["password_change_date"]),
+            models.Index(fields=["uuid"]),
+            models.Index(fields=["path"]),
+            models.Index(fields=["type"]),
+        ]
+
 
 class Provider(SerializerModel):
     """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
@@ -462,16 +427,6 @@ class BackchannelProvider(Provider):
         abstract = True
 
 
-class ApplicationQuerySet(QuerySet):
-    def with_provider(self) -> "QuerySet[Application]":
-        qs = self.select_related("provider")
-        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            if LOOKUP_SEP in subclass:
-                continue
-            qs = qs.select_related(f"provider__{subclass}")
-        return qs
-
-
 class Application(SerializerModel, PolicyBindingModel):
     """Every Application which uses authentik for authentication/identification/authorization
     needs an Application record. Other authentication types can subclass this Model to
@@ -503,8 +458,6 @@ class Application(SerializerModel, PolicyBindingModel):
     meta_description = models.TextField(default="", blank=True)
     meta_publisher = models.TextField(default="", blank=True)
 
-    objects = ApplicationQuerySet.as_manager()
-
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.applications import ApplicationSerializer
@@ -541,19 +494,16 @@ class Application(SerializerModel, PolicyBindingModel):
         return url
 
     def get_provider(self) -> Provider | None:
-        """Get casted provider instance. Needs Application queryset with_provider"""
+        """Get casted provider instance"""
         if not self.provider:
             return None
-
-        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
-            # We don't care about recursion, skip nested models
-            if LOOKUP_SEP in subclass:
-                continue
-            try:
-                return getattr(self.provider, subclass)
-            except AttributeError:
-                pass
-        return None
+        # if the Application class has been cache, self.provider is set
+        # but doing a direct query lookup will fail.
+        # In that case, just return None
+        try:
+            return Provider.objects.get_subclass(pk=self.provider.pk)
+        except Provider.DoesNotExist:
+            return None
 
     def __str__(self):
         return str(self.name)
@@ -583,19 +533,6 @@ class SourceUserMatchingModes(models.TextChoices):
     )
 
 
-class SourceGroupMatchingModes(models.TextChoices):
-    """Different modes a source can handle new/returning groups"""
-
-    IDENTIFIER = "identifier", _("Use the source-specific identifier")
-    NAME_LINK = "name_link", _(
-        "Link to a group with identical name. Can have security implications "
-        "when a group name is used with another source."
-    )
-    NAME_DENY = "name_deny", _(
-        "Use the group name, but deny enrollment when the name already exists."
-    )
-
-
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
 
@@ -605,12 +542,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     user_path_template = models.TextField(default="goauthentik.io/sources/%(slug)s")
 
     enabled = models.BooleanField(default=True)
-    user_property_mappings = models.ManyToManyField(
-        "PropertyMapping", default=None, blank=True, related_name="source_userpropertymappings_set"
-    )
-    group_property_mappings = models.ManyToManyField(
-        "PropertyMapping", default=None, blank=True, related_name="source_grouppropertymappings_set"
-    )
+    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
     icon = models.FileField(
         upload_to="source-icons/",
         default=None,
@@ -645,14 +577,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
             "a new user enrolled."
         ),
     )
-    group_matching_mode = models.TextField(
-        choices=SourceGroupMatchingModes.choices,
-        default=SourceGroupMatchingModes.IDENTIFIER,
-        help_text=_(
-            "How the source determines if an existing group should be used or "
-            "a new group created."
-        ),
-    )
 
     objects = InheritanceManager()
 
@@ -682,11 +606,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         """Return component used to edit this object"""
         raise NotImplementedError
 
-    @property
-    def property_mapping_type(self) -> "type[PropertyMapping]":
-        """Return property mapping type used by this object"""
-        raise NotImplementedError
-
     def ui_login_button(self, request: HttpRequest) -> UILoginButton | None:
         """If source uses a http-based flow, return UI Information about the login
         button. If source doesn't use http-based flow, return None."""
@@ -697,14 +616,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         user settings are available, or UserSettingSerializer."""
         return None
 
-    def get_base_user_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
-        """Get base properties for a user to build final properties upon."""
-        raise NotImplementedError
-
-    def get_base_group_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
-        """Get base properties for a group to build final properties upon."""
-        raise NotImplementedError
-
     def __str__(self):
         return str(self.name)
 
@@ -720,11 +631,6 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
                     "name",
                 ]
             ),
-            models.Index(
-                fields=[
-                    "enabled",
-                ]
-            ),
         ]
 
 
@@ -748,27 +654,6 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
         unique_together = (("user", "source"),)
 
 
-class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
-    """Connection between Group and Source."""
-
-    group = models.ForeignKey(Group, on_delete=models.CASCADE)
-    source = models.ForeignKey(Source, on_delete=models.CASCADE)
-    identifier = models.TextField()
-
-    objects = InheritanceManager()
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        """Get serializer for this model"""
-        raise NotImplementedError
-
-    def __str__(self) -> str:
-        return f"Group-source connection (group={self.group_id}, source={self.source_id})"
-
-    class Meta:
-        unique_together = (("group", "source"),)
-
-
 class ExpiringModel(models.Model):
     """Base Model which can expire, and is automatically cleaned up."""
 
@@ -898,8 +783,6 @@ class PropertyMapping(SerializerModel, ManagedModel):
         evaluator = PropertyMappingEvaluator(self, user, request, **kwargs)
         try:
             return evaluator.evaluate(self.expression)
-        except ControlFlowException as exc:
-            raise exc
         except Exception as exc:
             raise PropertyMappingExpressionException(self, exc) from exc
 

authentik/core/signals.py

@@ -52,8 +52,6 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
 @receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
     """Delete AuthenticatedSession if it exists"""
-    if not request.session or not request.session.session_key:
-        return
     AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
 
 

authentik/core/sources/flow_manager.py

@@ -4,7 +4,7 @@ from enum import Enum
 from typing import Any
 
 from django.contrib import messages
-from django.db import IntegrityError, transaction
+from django.db import IntegrityError
 from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
@@ -12,20 +12,8 @@ from django.urls import reverse
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
-from authentik.core.models import (
-    Group,
-    GroupSourceConnection,
-    Source,
-    SourceGroupMatchingModes,
-    SourceUserMatchingModes,
-    User,
-    UserSourceConnection,
-)
-from authentik.core.sources.mapper import SourceMapper
-from authentik.core.sources.stage import (
-    PLAN_CONTEXT_SOURCES_CONNECTION,
-    PostSourceStage,
-)
+from authentik.core.models import Source, SourceUserMatchingModes, User, UserSourceConnection
+from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostSourceStage
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow, FlowToken, Stage, in_memory_stage
@@ -48,10 +36,7 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 
-LOGGER = get_logger()
-
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
-PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 
 
 class Action(Enum):
@@ -85,69 +70,48 @@ class SourceFlowManager:
     or deny the request."""
 
     source: Source
-    mapper: SourceMapper
     request: HttpRequest
 
     identifier: str
 
-    user_connection_type: type[UserSourceConnection] = UserSourceConnection
-    group_connection_type: type[GroupSourceConnection] = GroupSourceConnection
+    connection_type: type[UserSourceConnection] = UserSourceConnection
 
-    user_info: dict[str, Any]
+    enroll_info: dict[str, Any]
     policy_context: dict[str, Any]
-    user_properties: dict[str, Any | dict[str, Any]]
-    groups_properties: dict[str, dict[str, Any | dict[str, Any]]]
 
     def __init__(
         self,
         source: Source,
         request: HttpRequest,
         identifier: str,
-        user_info: dict[str, Any],
-        policy_context: dict[str, Any],
+        enroll_info: dict[str, Any],
     ) -> None:
         self.source = source
-        self.mapper = SourceMapper(self.source)
         self.request = request
         self.identifier = identifier
-        self.user_info = user_info
+        self.enroll_info = enroll_info
         self._logger = get_logger().bind(source=source, identifier=identifier)
-        self.policy_context = policy_context
-
-        self.user_properties = self.mapper.build_object_properties(
-            object_type=User, request=request, user=None, **self.user_info
-        )
-        self.groups_properties = {
-            group_id: self.mapper.build_object_properties(
-                object_type=Group,
-                request=request,
-                user=None,
-                group_id=group_id,
-                **self.user_info,
-            )
-            for group_id in self.user_properties.setdefault("groups", [])
-        }
-        del self.user_properties["groups"]
+        self.policy_context = {}
 
     def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
         """decide which action should be taken"""
-        new_connection = self.user_connection_type(source=self.source, identifier=self.identifier)
+        new_connection = self.connection_type(source=self.source, identifier=self.identifier)
         # When request is authenticated, always link
         if self.request.user.is_authenticated:
             new_connection.user = self.request.user
-            new_connection = self.update_user_connection(new_connection, **kwargs)
+            new_connection = self.update_connection(new_connection, **kwargs)
             return Action.LINK, new_connection
 
-        existing_connections = self.user_connection_type.objects.filter(
+        existing_connections = self.connection_type.objects.filter(
             source=self.source, identifier=self.identifier
         )
         if existing_connections.exists():
             connection = existing_connections.first()
-            return Action.AUTH, self.update_user_connection(connection, **kwargs)
+            return Action.AUTH, self.update_connection(connection, **kwargs)
         # No connection exists, but we match on identifier, so enroll
         if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
             # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
 
         # Check for existing users with matching attributes
         query = Q()
@@ -156,24 +120,24 @@ class SourceFlowManager:
             SourceUserMatchingModes.EMAIL_LINK,
             SourceUserMatchingModes.EMAIL_DENY,
         ]:
-            if not self.user_properties.get("email", None):
-                self._logger.warning("Refusing to use none email")
+            if not self.enroll_info.get("email", None):
+                self._logger.warning("Refusing to use none email", source=self.source)
                 return Action.DENY, None
-            query = Q(email__exact=self.user_properties.get("email", None))
+            query = Q(email__exact=self.enroll_info.get("email", None))
         if self.source.user_matching_mode in [
             SourceUserMatchingModes.USERNAME_LINK,
             SourceUserMatchingModes.USERNAME_DENY,
         ]:
-            if not self.user_properties.get("username", None):
-                self._logger.warning("Refusing to use none username")
+            if not self.enroll_info.get("username", None):
+                self._logger.warning("Refusing to use none username", source=self.source)
                 return Action.DENY, None
-            query = Q(username__exact=self.user_properties.get("username", None))
+            query = Q(username__exact=self.enroll_info.get("username", None))
         self._logger.debug("trying to link with existing user", query=query)
         matching_users = User.objects.filter(query)
         # No matching users, always enroll
         if not matching_users.exists():
             self._logger.debug("no matching users found, enrolling")
-            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
 
         user = matching_users.first()
         if self.source.user_matching_mode in [
@@ -181,7 +145,7 @@ class SourceFlowManager:
             SourceUserMatchingModes.USERNAME_LINK,
         ]:
             new_connection.user = user
-            new_connection = self.update_user_connection(new_connection, **kwargs)
+            new_connection = self.update_connection(new_connection, **kwargs)
             return Action.LINK, new_connection
         if self.source.user_matching_mode in [
             SourceUserMatchingModes.EMAIL_DENY,
@@ -192,10 +156,10 @@ class SourceFlowManager:
         # Should never get here as default enroll case is returned above.
         return Action.DENY, None  # pragma: no cover
 
-    def update_user_connection(
+    def update_connection(
         self, connection: UserSourceConnection, **kwargs
     ) -> UserSourceConnection:  # pragma: no cover
-        """Optionally make changes to the user connection after it is looked up/created."""
+        """Optionally make changes to the connection after it is looked up/created."""
         return connection
 
     def get_flow(self, **kwargs) -> HttpResponse:
@@ -248,34 +212,28 @@ class SourceFlowManager:
 
     def _prepare_flow(
         self,
-        flow: Flow | None,
+        flow: Flow,
         connection: UserSourceConnection,
         stages: list[StageView] | None = None,
-        **flow_context,
+        **kwargs,
     ) -> HttpResponse:
         """Prepare Authentication Plan, redirect user FlowExecutor"""
-        # Ensure redirect is carried through when user was trying to
-        # authorize application
-        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
-            NEXT_ARG_NAME, "authentik_core:if-user"
-        )
-        flow_context.update(
+        kwargs.update(
             {
                 # Since we authenticate the user by their token, they have no backend set
                 PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_SOURCE: self.source,
                 PLAN_CONTEXT_SOURCES_CONNECTION: connection,
-                PLAN_CONTEXT_SOURCE_GROUPS: self.groups_properties,
             }
         )
-        flow_context.update(self.policy_context)
+        kwargs.update(self.policy_context)
         if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
             token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
             self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
             plan = token.plan
             plan.context[PLAN_CONTEXT_IS_RESTORED] = token
-            plan.context.update(flow_context)
+            plan.context.update(kwargs)
             for stage in self.get_stages_to_append(flow):
                 plan.append_stage(stage)
             if stages:
@@ -294,8 +252,8 @@ class SourceFlowManager:
         final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
             NEXT_ARG_NAME, "authentik_core:if-user"
         )
-        if PLAN_CONTEXT_REDIRECT not in flow_context:
-            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
+        if PLAN_CONTEXT_REDIRECT not in kwargs:
+            kwargs[PLAN_CONTEXT_REDIRECT] = final_redirect
 
         if not flow:
             return bad_request_message(
@@ -307,12 +265,9 @@ class SourceFlowManager:
         # We append some stages so the initial flow we get might be empty
         planner.allow_empty_flows = True
         planner.use_cache = False
-        plan = planner.plan(self.request, flow_context)
+        plan = planner.plan(self.request, kwargs)
         for stage in self.get_stages_to_append(flow):
             plan.append_stage(stage)
-        plan.append_stage(
-            in_memory_stage(GroupUpdateStage, group_connection_type=self.group_connection_type)
-        )
         if stages:
             for stage in stages:
                 plan.append_stage(stage)
@@ -354,9 +309,7 @@ class SourceFlowManager:
         # When request isn't authenticated we jump straight to auth
         if not self.request.user.is_authenticated:
             return self.handle_auth(connection)
-        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
-            return self._prepare_flow(None, connection)
-        connection.save()
+        # Connection has already been saved
         Event.new(
             EventAction.SOURCE_LINKED,
             message="Linked Source",
@@ -399,123 +352,7 @@ class SourceFlowManager:
                 )
             ],
             **{
-                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
+                PLAN_CONTEXT_PROMPT: delete_none_values(self.enroll_info),
                 PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
             },
         )
-
-
-class GroupUpdateStage(StageView):
-    """Dynamically injected stage which updates the user after enrollment/authentication."""
-
-    def get_action(
-        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
-    ) -> tuple[Action, GroupSourceConnection | None]:
-        """decide which action should be taken"""
-        new_connection = self.group_connection_type(source=self.source, identifier=group_id)
-
-        existing_connections = self.group_connection_type.objects.filter(
-            source=self.source, identifier=group_id
-        )
-        if existing_connections.exists():
-            return Action.LINK, existing_connections.first()
-        # No connection exists, but we match on identifier, so enroll
-        if self.source.group_matching_mode == SourceGroupMatchingModes.IDENTIFIER:
-            # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, new_connection
-
-        # Check for existing groups with matching attributes
-        query = Q()
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_LINK,
-            SourceGroupMatchingModes.NAME_DENY,
-        ]:
-            if not group_properties.get("name", None):
-                LOGGER.warning(
-                    "Refusing to use none group name", source=self.source, group_id=group_id
-                )
-                return Action.DENY, None
-            query = Q(name__exact=group_properties.get("name"))
-        LOGGER.debug(
-            "trying to link with existing group", source=self.source, query=query, group_id=group_id
-        )
-        matching_groups = Group.objects.filter(query)
-        # No matching groups, always enroll
-        if not matching_groups.exists():
-            LOGGER.debug(
-                "no matching groups found, enrolling", source=self.source, group_id=group_id
-            )
-            return Action.ENROLL, new_connection
-
-        group = matching_groups.first()
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_LINK,
-        ]:
-            new_connection.group = group
-            return Action.LINK, new_connection
-        if self.source.group_matching_mode in [
-            SourceGroupMatchingModes.NAME_DENY,
-        ]:
-            LOGGER.info(
-                "denying source because group exists",
-                source=self.source,
-                group=group,
-                group_id=group_id,
-            )
-            return Action.DENY, None
-        # Should never get here as default enroll case is returned above.
-        return Action.DENY, None  # pragma: no cover
-
-    def handle_group(
-        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
-    ) -> Group | None:
-        action, connection = self.get_action(group_id, group_properties)
-        if action == Action.ENROLL:
-            group = Group.objects.create(**group_properties)
-            connection.group = group
-            connection.save()
-            return group
-        elif action == Action.LINK:
-            group = connection.group
-            group.update_attributes(group_properties)
-            connection.save()
-            return group
-
-        return None
-
-    def handle_groups(self) -> bool:
-        self.source: Source = self.executor.plan.context[PLAN_CONTEXT_SOURCE]
-        self.user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
-        self.group_connection_type: GroupSourceConnection = (
-            self.executor.current_stage.group_connection_type
-        )
-
-        raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
-            PLAN_CONTEXT_SOURCE_GROUPS
-        ]
-        groups: list[Group] = []
-
-        for group_id, group_properties in raw_groups.items():
-            group = self.handle_group(group_id, group_properties)
-            if not group:
-                return False
-            groups.append(group)
-
-        with transaction.atomic():
-            self.user.ak_groups.remove(
-                *self.user.ak_groups.filter(groupsourceconnection__source=self.source)
-            )
-            self.user.ak_groups.add(*groups)
-
-        return True
-
-    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """Stage used after the user has been enrolled to sync their groups from source data"""
-        if self.handle_groups():
-            return self.executor.stage_ok()
-        else:
-            return self.executor.stage_invalid("Failed to update groups. Please try again later.")
-
-    def post(self, request: HttpRequest) -> HttpResponse:
-        """Wrapper for post requests"""
-        return self.get(request)

authentik/core/sources/mapper.py

@@ -1,103 +0,0 @@
-from typing import Any
-
-from django.http import HttpRequest
-from structlog.stdlib import get_logger
-
-from authentik.core.expression.exceptions import PropertyMappingExpressionException
-from authentik.core.models import Group, PropertyMapping, Source, User
-from authentik.events.models import Event, EventAction
-from authentik.lib.merge import MERGE_LIST_UNIQUE
-from authentik.lib.sync.mapper import PropertyMappingManager
-from authentik.policies.utils import delete_none_values
-
-LOGGER = get_logger()
-
-
-class SourceMapper:
-    def __init__(self, source: Source):
-        self.source = source
-
-    def get_manager(
-        self, object_type: type[User | Group], context_keys: list[str]
-    ) -> PropertyMappingManager:
-        """Get property mapping manager for this source."""
-
-        qs = PropertyMapping.objects.none()
-        if object_type == User:
-            qs = self.source.user_property_mappings.all().select_subclasses()
-        elif object_type == Group:
-            qs = self.source.group_property_mappings.all().select_subclasses()
-        qs = qs.order_by("name")
-        return PropertyMappingManager(
-            qs,
-            self.source.property_mapping_type,
-            ["source", "properties"] + context_keys,
-        )
-
-    def get_base_properties(
-        self, object_type: type[User | Group], **kwargs
-    ) -> dict[str, Any | dict[str, Any]]:
-        """Get base properties for a user or a group to build final properties upon."""
-        if object_type == User:
-            properties = self.source.get_base_user_properties(**kwargs)
-            properties.setdefault("path", self.source.get_user_path())
-            return properties
-        if object_type == Group:
-            return self.source.get_base_group_properties(**kwargs)
-        return {}
-
-    def build_object_properties(
-        self,
-        object_type: type[User | Group],
-        manager: "PropertyMappingManager | None" = None,
-        user: User | None = None,
-        request: HttpRequest | None = None,
-        **kwargs,
-    ) -> dict[str, Any | dict[str, Any]]:
-        """Build a user or group properties from the source configured property mappings."""
-
-        properties = self.get_base_properties(object_type, **kwargs)
-        if "attributes" not in properties:
-            properties["attributes"] = {}
-
-        if not manager:
-            manager = self.get_manager(object_type, list(kwargs.keys()))
-        evaluations = manager.iter_eval(
-            user=user,
-            request=request,
-            return_mapping=True,
-            source=self.source,
-            properties=properties,
-            **kwargs,
-        )
-        while True:
-            try:
-                value, mapping = next(evaluations)
-            except StopIteration:
-                break
-            except PropertyMappingExpressionException as exc:
-                Event.new(
-                    EventAction.CONFIGURATION_ERROR,
-                    message=f"Failed to evaluate property mapping: '{exc.mapping.name}'",
-                    source=self,
-                    mapping=exc.mapping,
-                ).save()
-                LOGGER.warning(
-                    "Mapping failed to evaluate",
-                    exc=exc,
-                    source=self,
-                    mapping=exc.mapping,
-                )
-                raise exc
-
-            if not value or not isinstance(value, dict):
-                LOGGER.debug(
-                    "Mapping evaluated to None or is not a dict. Skipping",
-                    source=self,
-                    mapping=mapping,
-                )
-                continue
-
-            MERGE_LIST_UNIQUE.merge(properties, value)
-
-        return delete_none_values(properties)

authentik/core/templates/base/header_js.html

@@ -10,7 +10,7 @@
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",
     };
-    window.addEventListener("DOMContentLoaded", function () {
+    window.addEventListener("DOMContentLoaded", () => {
         {% for message in messages %}
         window.dispatchEvent(
             new CustomEvent("ak-message", {

authentik/core/templates/base/skeleton.html

@@ -1,10 +1,9 @@
 {% load static %}
 {% load i18n %}
-{% load authentik_core %}
 
 <!DOCTYPE html>
 
-<html>
+<html lang="en">
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@@ -15,8 +14,8 @@
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        {% versioned_script "dist/poly-%v.js" %}
-        {% versioned_script "dist/standalone/loading/index-%v.js" %}
+        <script src="{% static 'dist/poly.js' %}?version={{ version }}" type="module"></script>
+        <script src="{% static 'dist/standalone/loading/index.js' %}?version={{ version }}" type="module"></script>
         {% block head %}
         {% endblock %}
         <meta name="sentry-trace" content="{{ sentry_trace }}" />

authentik/core/templates/if/admin.html

@@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}
 
-{% load authentik_core %}
+{% load static %}
 
 {% block head %}
-{% versioned_script "dist/admin/AdminInterface-%v.js" %}
+<script src="{% static 'dist/admin/AdminInterface.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}

authentik/core/templates/if/flow.html

@@ -1,7 +1,6 @@
 {% extends "base/skeleton.html" %}
 
 {% load static %}
-{% load authentik_core %}
 
 {% block head_before %}
 {{ block.super }}
@@ -18,7 +17,7 @@ window.authentik.flow = {
 {% endblock %}
 
 {% block head %}
-{% versioned_script "dist/flow/FlowInterface-%v.js" %}
+<script src="{% static 'dist/flow/FlowInterface.js' %}?version={{ version }}" type="module"></script>
 <style>
 :root {
     --ak-flow-background: url("{{ flow.background_url }}");

authentik/core/templates/if/user.html

@@ -1,9 +1,9 @@
 {% extends "base/skeleton.html" %}
 
-{% load authentik_core %}
+{% load static %}
 
 {% block head %}
-{% versioned_script "dist/user/UserInterface-%v.js" %}
+<script src="{% static 'dist/user/UserInterface.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}

authentik/core/templates/login/base_full.html

@@ -71,9 +71,9 @@
                 </li>
                 {% endfor %}
                 <li>
-                    <span>
+                    <a href="https://goauthentik.io?utm_source=authentik">
                         {% trans 'Powered by authentik' %}
-                    </span>
+                    </a>
                 </li>
             </ul>
         </footer>

authentik/core/templatetags/authentik_core.py

@@ -1,21 +0,0 @@
-"""authentik core tags"""
-
-from django import template
-from django.templatetags.static import static as static_loader
-from django.utils.safestring import mark_safe
-
-from authentik import get_full_version
-
-register = template.Library()
-
-
-@register.simple_tag()
-def versioned_script(path: str) -> str:
-    """Wrapper around {% static %} tag that supports setting the version"""
-    returned_lines = [
-        (
-            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
-            '" type="module"></script>'
-        ),
-    ]
-    return mark_safe("".join(returned_lines))  # nosec

authentik/core/tests/test_property_mapping.py

@@ -3,10 +3,7 @@
 from django.test import RequestFactory, TestCase
 from guardian.shortcuts import get_anonymous_user
 
-from authentik.core.expression.exceptions import (
-    PropertyMappingExpressionException,
-    SkipObjectException,
-)
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.models import Event, EventAction
@@ -45,17 +42,6 @@ class TestPropertyMappings(TestCase):
         self.assertTrue(events.exists())
         self.assertEqual(len(events), 1)
 
-    def test_expression_skip(self):
-        """Test expression error"""
-        expr = "raise SkipObject"
-        mapping = PropertyMapping.objects.create(name=generate_id(), expression=expr)
-        with self.assertRaises(SkipObjectException):
-            mapping.evaluate(None, None)
-        events = Event.objects.filter(
-            action=EventAction.PROPERTY_MAPPING_EXCEPTION, context__expression=expr
-        )
-        self.assertFalse(events.exists())
-
     def test_expression_error_extended(self):
         """Test expression error (with user and http request"""
         expr = "return aaa"

authentik/core/tests/test_source_flow_manager.py

@@ -38,9 +38,7 @@ class TestSourceFlowManager(TestCase):
     def test_unauthenticated_enroll(self):
         """Test un-authenticated user enrolling"""
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(
-            self.source, request, self.identifier, {"info": {}}, {}
-        )
+        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
         response = flow_manager.get_flow()
@@ -54,9 +52,7 @@ class TestSourceFlowManager(TestCase):
             user=get_anonymous_user(), source=self.source, identifier=self.identifier
         )
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(
-            self.source, request, self.identifier, {"info": {}}, {}
-        )
+        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.AUTH)
         response = flow_manager.get_flow()
@@ -68,9 +64,7 @@ class TestSourceFlowManager(TestCase):
         """Test authenticated user linking"""
         user = User.objects.create(username="foo", email="foo@bar.baz")
         request = get_request("/", user=user)
-        flow_manager = OAuthSourceFlowManager(
-            self.source, request, self.identifier, {"info": {}}, {}
-        )
+        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -83,9 +77,7 @@ class TestSourceFlowManager(TestCase):
 
     def test_unauthenticated_link(self):
         """Test un-authenticated user linking"""
-        flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/"), self.identifier, {"info": {}}, {}
-        )
+        flow_manager = OAuthSourceFlowManager(self.source, get_request("/"), self.identifier, {})
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -98,7 +90,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without email, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -108,12 +100,7 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {
-                "info": {
-                    "email": "foo@bar.baz",
-                },
-            },
-            {},
+            {"email": "foo@bar.baz"},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -126,7 +113,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without username, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -136,10 +123,7 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {
-                "info": {"username": "foo"},
-            },
-            {},
+            {"username": "foo"},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -156,11 +140,8 @@ class TestSourceFlowManager(TestCase):
             get_request("/", user=AnonymousUser()),
             self.identifier,
             {
-                "info": {
-                    "username": "bar",
-                },
+                "username": "bar",
             },
-            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -170,10 +151,7 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {
-                "info": {"username": "foo"},
-            },
-            {},
+            {"username": "foo"},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -187,10 +165,7 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {
-                "info": {"username": "foo"},
-            },
-            {},
+            {"username": "foo"},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -216,10 +191,7 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {
-                "info": {"username": "foo"},
-            },
-            {},
+            {"username": "foo"},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)

authentik/core/tests/test_source_flow_manager_group_update_stage.py

@@ -1,237 +0,0 @@
-"""Test Source flow_manager group update stage"""
-
-from django.test import RequestFactory
-
-from authentik.core.models import Group, SourceGroupMatchingModes
-from authentik.core.sources.flow_manager import PLAN_CONTEXT_SOURCE_GROUPS, GroupUpdateStage
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.flows.models import in_memory_stage
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE, FlowPlan
-from authentik.flows.tests import FlowTestCase
-from authentik.flows.views.executor import FlowExecutorView
-from authentik.lib.generators import generate_id
-from authentik.sources.oauth.models import GroupOAuthSourceConnection, OAuthSource
-
-
-class TestSourceFlowManager(FlowTestCase):
-    """Test Source flow_manager group update stage"""
-
-    def setUp(self) -> None:
-        super().setUp()
-        self.factory = RequestFactory()
-        self.authentication_flow = create_test_flow()
-        self.enrollment_flow = create_test_flow()
-        self.source: OAuthSource = OAuthSource.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-            authentication_flow=self.authentication_flow,
-            enrollment_flow=self.enrollment_flow,
-        )
-        self.identifier = generate_id()
-        self.user = create_test_admin_user()
-
-    def test_nonexistant_group(self):
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "group 1": {
-                                "name": "group 1",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertTrue(stage.handle_groups())
-        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
-        self.assertTrue(
-            GroupOAuthSourceConnection.objects.filter(
-                group=Group.objects.get(name="group 1"), source=self.source
-            ).exists()
-        )
-
-    def test_nonexistant_group_name_link(self):
-        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
-        self.source.save()
-
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "group 1": {
-                                "name": "group 1",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertTrue(stage.handle_groups())
-        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
-        self.assertTrue(
-            GroupOAuthSourceConnection.objects.filter(
-                group=Group.objects.get(name="group 1"), source=self.source
-            ).exists()
-        )
-
-    def test_existant_group_name_link(self):
-        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
-        self.source.save()
-        group = Group.objects.create(name="group 1")
-
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "group 1": {
-                                "name": "group 1",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertTrue(stage.handle_groups())
-        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
-        self.assertTrue(
-            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
-        )
-
-    def test_nonexistant_group_name_deny(self):
-        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
-        self.source.save()
-
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "group 1": {
-                                "name": "group 1",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertTrue(stage.handle_groups())
-        self.assertTrue(Group.objects.filter(name="group 1").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
-        self.assertTrue(
-            GroupOAuthSourceConnection.objects.filter(
-                group=Group.objects.get(name="group 1"), source=self.source
-            ).exists()
-        )
-
-    def test_existant_group_name_deny(self):
-        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
-        self.source.save()
-        group = Group.objects.create(name="group 1")
-
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "group 1": {
-                                "name": "group 1",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertFalse(stage.handle_groups())
-        self.assertFalse(self.user.ak_groups.filter(name="group 1").exists())
-        self.assertFalse(
-            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
-        )
-
-    def test_group_updates(self):
-        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
-        self.source.save()
-
-        other_group = Group.objects.create(name="other group")
-        old_group = Group.objects.create(name="old group")
-        new_group = Group.objects.create(name="new group")
-        self.user.ak_groups.set([other_group, old_group])
-        GroupOAuthSourceConnection.objects.create(
-            group=old_group, source=self.source, identifier=old_group.name
-        )
-        GroupOAuthSourceConnection.objects.create(
-            group=new_group, source=self.source, identifier=new_group.name
-        )
-
-        request = self.factory.get("/")
-        stage = GroupUpdateStage(
-            FlowExecutorView(
-                current_stage=in_memory_stage(
-                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
-                ),
-                plan=FlowPlan(
-                    flow_pk=generate_id(),
-                    context={
-                        PLAN_CONTEXT_SOURCE: self.source,
-                        PLAN_CONTEXT_PENDING_USER: self.user,
-                        PLAN_CONTEXT_SOURCE_GROUPS: {
-                            "new group": {
-                                "name": "new group",
-                            },
-                        },
-                    },
-                ),
-            ),
-            request=request,
-        )
-        self.assertTrue(stage.handle_groups())
-        self.assertFalse(self.user.ak_groups.filter(name="old group").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="other group").exists())
-        self.assertTrue(self.user.ak_groups.filter(name="new group").exists())
-        self.assertEqual(self.user.ak_groups.count(), 2)

authentik/core/tests/test_source_property_mappings.py

@@ -1,72 +0,0 @@
-"""Test Source Property mappings"""
-
-from django.test import TestCase
-
-from authentik.core.models import Group, PropertyMapping, Source, User
-from authentik.core.sources.mapper import SourceMapper
-from authentik.lib.generators import generate_id
-
-
-class ProxySource(Source):
-    @property
-    def property_mapping_type(self):
-        return PropertyMapping
-
-    def get_base_user_properties(self, **kwargs):
-        return {
-            "username": kwargs.get("username", None),
-            "email": kwargs.get("email", "default@authentik"),
-        }
-
-    def get_base_group_properties(self, **kwargs):
-        return {"name": kwargs.get("name", None)}
-
-    class Meta:
-        proxy = True
-
-
-class TestSourcePropertyMappings(TestCase):
-    """Test Source PropertyMappings"""
-
-    def test_base_properties(self):
-        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
-        mapper = SourceMapper(source)
-
-        user_base_properties = mapper.get_base_properties(User, username="test1")
-        self.assertEqual(
-            user_base_properties,
-            {
-                "username": "test1",
-                "email": "default@authentik",
-                "path": f"goauthentik.io/sources/{source.slug}",
-            },
-        )
-
-        group_base_properties = mapper.get_base_properties(Group)
-        self.assertEqual(group_base_properties, {"name": None})
-
-    def test_build_properties(self):
-        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
-        mapper = SourceMapper(source)
-
-        source.user_property_mappings.add(
-            PropertyMapping.objects.create(
-                name=generate_id(),
-                expression="""
-                    return {"username": data.get("username", None), "email": None}
-                """,
-            )
-        )
-
-        properties = mapper.build_object_properties(
-            object_type=User, user=None, request=None, username="test1", data={"username": "test2"}
-        )
-
-        self.assertEqual(
-            properties,
-            {
-                "username": "test2",
-                "path": f"goauthentik.io/sources/{source.slug}",
-                "attributes": {},
-            },
-        )

authentik/core/tests/test_token_api.py

@@ -13,8 +13,9 @@ from authentik.core.models import (
     USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME,
     Token,
     TokenIntents,
+    User,
 )
-from authentik.core.tests.utils import create_test_admin_user, create_test_user
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 
 
@@ -23,7 +24,7 @@ class TestTokenAPI(APITestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.user = create_test_user()
+        self.user = User.objects.create(username="testuser")
         self.admin = create_test_admin_user()
         self.client.force_login(self.user)
 
@@ -153,24 +154,6 @@ class TestTokenAPI(APITestCase):
         self.assertEqual(token.expiring, True)
         self.assertNotEqual(token.expires.timestamp(), expires.timestamp())
 
-    def test_token_change_user(self):
-        """Test creating a token and then changing the user"""
-        ident = generate_id()
-        response = self.client.post(reverse("authentik_api:token-list"), {"identifier": ident})
-        self.assertEqual(response.status_code, 201)
-        token = Token.objects.get(identifier=ident)
-        self.assertEqual(token.user, self.user)
-        self.assertEqual(token.intent, TokenIntents.INTENT_API)
-        self.assertEqual(token.expiring, True)
-        self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))
-        response = self.client.put(
-            reverse("authentik_api:token-detail", kwargs={"identifier": ident}),
-            data={"identifier": "user_token_poc_v3", "intent": "api", "user": self.admin.pk},
-        )
-        self.assertEqual(response.status_code, 400)
-        token.refresh_from_db()
-        self.assertEqual(token.user, self.user)
-
     def test_list(self):
         """Test Token List (Test normal authentication)"""
         Token.objects.all().delete()

authentik/core/urls.py

@@ -6,6 +6,7 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
+from django.views.generic import RedirectView
 
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@@ -17,15 +18,10 @@ from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSe
 from authentik.core.api.tokens import TokenViewSet
 from authentik.core.api.transactional_applications import TransactionalApplicationView
 from authentik.core.api.users import UserViewSet
-from authentik.core.views.apps import RedirectToAppLaunch
+from authentik.core.views import apps
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import (
-    BrandDefaultRedirectView,
-    InterfaceView,
-    RootRedirectView,
-)
+from authentik.core.views.interface import FlowInterfaceView, InterfaceView
 from authentik.core.views.session import EndSessionView
-from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@@ -33,30 +29,30 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
     path(
         "",
-        login_required(RootRedirectView.as_view()),
+        login_required(
+            RedirectView.as_view(pattern_name="authentik_core:if-user", query_string=True)
+        ),
         name="root-redirect",
     ),
     path(
-        # We have to use this format since everything else uses application/o or application/saml
+        # We have to use this format since everything else uses applications/o or applications/saml
         "application/launch/<slug:application_slug>/",
-        RedirectToAppLaunch.as_view(),
+        apps.RedirectToAppLaunch.as_view(),
         name="application-launch",
     ),
     # Interfaces
     path(
         "if/admin/",
-        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
+        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/admin.html")),
         name="if-admin",
     ),
     path(
         "if/user/",
-        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
+        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/user.html")),
         name="if-user",
     ),
     path(
         "if/flow/<slug:flow_slug>/",
-        # FIXME: move this url to the flows app...also will cause all
-        # of the reverse calls to be adjusted
         ensure_csrf_cookie(FlowInterfaceView.as_view()),
         name="if-flow",
     ),

authentik/core/views/apps.py

@@ -8,6 +8,7 @@ from django.views import View
 from authentik.core.models import Application
 from authentik.flows.challenge import (
     ChallengeResponse,
+    ChallengeTypes,
     HttpChallengeResponse,
     RedirectChallenge,
 )
@@ -73,6 +74,7 @@ class RedirectToAppStage(ChallengeStageView):
             raise Http404
         return RedirectChallenge(
             instance={
+                "type": ChallengeTypes.REDIRECT.value,
                 "to": launch,
             }
         )

authentik/core/views/interface.py

@@ -3,42 +3,15 @@
 from json import dumps
 from typing import Any
 
-from django.http import HttpRequest
-from django.http.response import HttpResponse
-from django.shortcuts import redirect
-from django.utils.translation import gettext as _
-from django.views.generic.base import RedirectView, TemplateView
+from django.shortcuts import get_object_or_404
+from django.views.generic.base import TemplateView
 from rest_framework.request import Request
 
 from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
-from authentik.brands.models import Brand
-from authentik.core.models import UserTypes
-from authentik.policies.denied import AccessDeniedResponse
-
-
-class RootRedirectView(RedirectView):
-    """Root redirect view, redirect to brand's default application if set"""
-
-    pattern_name = "authentik_core:if-user"
-    query_string = True
-
-    def redirect_to_app(self, request: HttpRequest):
-        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
-            brand: Brand = request.brand
-            if brand.default_application:
-                return redirect(
-                    "authentik_core:application-launch",
-                    application_slug=brand.default_application.slug,
-                )
-        return None
-
-    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        if redirect_response := RootRedirectView().redirect_to_app(request):
-            return redirect_response
-        return super().dispatch(request, *args, **kwargs)
+from authentik.flows.models import Flow
 
 
 class InterfaceView(TemplateView):
@@ -54,18 +27,12 @@ class InterfaceView(TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class BrandDefaultRedirectView(InterfaceView):
-    """By default redirect to default app"""
+class FlowInterfaceView(InterfaceView):
+    """Flow interface"""
 
-    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
-            brand: Brand = request.brand
-            if brand.default_application:
-                return redirect(
-                    "authentik_core:application-launch",
-                    application_slug=brand.default_application.slug,
-                )
-            response = AccessDeniedResponse(self.request)
-            response.error_message = _("Interface can only be accessed by internal users.")
-            return response
-        return super().dispatch(request, *args, **kwargs)
+    template_name = "if/flow.html"
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["inspector"] = "inspector" in self.request.GET
+        return super().get_context_data(**kwargs)

authentik/crypto/api.py

@@ -24,12 +24,13 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair

authentik/crypto/builder.py

@@ -76,7 +76,7 @@ class CertificateBuilder:
             .subject_name(
                 x509.Name(
                     [
-                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name[:64]),
+                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, "authentik"),
                         x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"),
                     ]

authentik/enterprise/api.py

@@ -13,13 +13,14 @@ from rest_framework.fields import CharField, IntegerField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
-from authentik.enterprise.models import License, LicenseUsageStatus
+from authentik.enterprise.models import License
 from authentik.rbac.decorators import permission_required
 from authentik.tenants.utils import get_unique_identifier
 
@@ -30,7 +31,7 @@ class EnterpriseRequiredMixin:
 
     def validate(self, attrs: dict) -> dict:
         """Check that a valid license exists"""
-        if LicenseKey.cached_summary().status != LicenseUsageStatus.UNLICENSED:
+        if not LicenseKey.cached_summary().has_license:
             raise ValidationError(_("Enterprise is required to create/update this object."))
         return super().validate(attrs)
 
@@ -128,7 +129,7 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
         forecast_for_months = 12
         response = LicenseForecastSerializer(
             data={
-                "internal_users": LicenseKey.get_internal_user_count(),
+                "internal_users": LicenseKey.get_default_user_count(),
                 "external_users": LicenseKey.get_external_user_count(),
                 "forecasted_internal_users": (internal_in_last_month * forecast_for_months),
                 "forecasted_external_users": (external_in_last_month * forecast_for_months),

authentik/enterprise/apps.py

@@ -25,4 +25,4 @@ class AuthentikEnterpriseConfig(EnterpriseConfig):
         """Actual enterprise check, cached"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.cached_summary().status
+        return LicenseKey.cached_summary().valid

authentik/enterprise/license.py

@@ -3,36 +3,24 @@
 from base64 import b64decode
 from binascii import Error
 from dataclasses import asdict, dataclass, field
-from datetime import UTC, datetime, timedelta
+from datetime import datetime, timedelta
 from enum import Enum
 from functools import lru_cache
 from time import mktime
 
 from cryptography.exceptions import InvalidSignature
 from cryptography.x509 import Certificate, load_der_x509_certificate, load_pem_x509_certificate
-from dacite import DaciteError, from_dict
+from dacite import from_dict
 from django.core.cache import cache
 from django.db.models.query import QuerySet
 from django.utils.timezone import now
 from jwt import PyJWTError, decode, get_unverified_header
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import (
-    ChoiceField,
-    DateTimeField,
-    IntegerField,
-)
+from rest_framework.fields import BooleanField, DateTimeField, IntegerField
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User, UserTypes
-from authentik.enterprise.models import (
-    THRESHOLD_READ_ONLY_WEEKS,
-    THRESHOLD_WARNING_ADMIN_WEEKS,
-    THRESHOLD_WARNING_EXPIRY_WEEKS,
-    THRESHOLD_WARNING_USER_WEEKS,
-    License,
-    LicenseUsage,
-    LicenseUsageStatus,
-)
+from authentik.enterprise.models import License, LicenseUsage
 from authentik.tenants.utils import get_unique_identifier
 
 CACHE_KEY_ENTERPRISE_LICENSE = "goauthentik.io/enterprise/license"
@@ -54,8 +42,6 @@ def get_license_aud() -> str:
 class LicenseFlags(Enum):
     """License flags"""
 
-    TRIAL = "trial"
-
 
 @dataclass
 class LicenseSummary:
@@ -63,8 +49,12 @@ class LicenseSummary:
 
     internal_users: int
     external_users: int
-    status: LicenseUsageStatus
+    valid: bool
+    show_admin_warning: bool
+    show_user_warning: bool
+    read_only: bool
     latest_valid: datetime
+    has_license: bool
 
 
 class LicenseSummarySerializer(PassiveSerializer):
@@ -72,8 +62,12 @@ class LicenseSummarySerializer(PassiveSerializer):
 
     internal_users = IntegerField(required=True)
     external_users = IntegerField(required=True)
-    status = ChoiceField(choices=LicenseUsageStatus.choices)
+    valid = BooleanField()
+    show_admin_warning = BooleanField()
+    show_user_warning = BooleanField()
+    read_only = BooleanField()
     latest_valid = DateTimeField()
+    has_license = BooleanField()
 
 
 @dataclass
@@ -89,7 +83,7 @@ class LicenseKey:
     flags: list[LicenseFlags] = field(default_factory=list)
 
     @staticmethod
-    def validate(jwt: str, check_expiry=True) -> "LicenseKey":
+    def validate(jwt: str) -> "LicenseKey":
         """Validate the license from a given JWT"""
         try:
             headers = get_unverified_header(jwt)
@@ -113,7 +107,6 @@ class LicenseKey:
                     our_cert.public_key(),
                     algorithms=["ES512"],
                     audience=get_license_aud(),
-                    options={"verify_exp": check_expiry},
                 ),
             )
         except PyJWTError:
@@ -123,8 +116,9 @@ class LicenseKey:
     @staticmethod
     def get_total() -> "LicenseKey":
         """Get a summarized version of all (not expired) licenses"""
+        active_licenses = License.objects.filter(expiry__gte=now())
         total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
-        for lic in License.objects.all():
+        for lic in active_licenses:
             total.internal_users += lic.internal_users
             total.external_users += lic.external_users
             exp_ts = int(mktime(lic.expiry.timetuple()))
@@ -141,7 +135,7 @@ class LicenseKey:
         return User.objects.all().exclude_anonymous().exclude(is_active=False)
 
     @staticmethod
-    def get_internal_user_count():
+    def get_default_user_count():
         """Get current default user count"""
         return LicenseKey.base_user_qs().filter(type=UserTypes.INTERNAL).count()
 
@@ -150,72 +144,59 @@ class LicenseKey:
         """Get current external user count"""
         return LicenseKey.base_user_qs().filter(type=UserTypes.EXTERNAL).count()
 
-    def _last_valid_date(self):
-        last_valid_date = (
-            LicenseUsage.objects.order_by("-record_date")
-            .filter(status=LicenseUsageStatus.VALID)
-            .first()
-        )
-        if not last_valid_date:
-            return datetime.fromtimestamp(0, UTC)
-        return last_valid_date.record_date
+    def is_valid(self) -> bool:
+        """Check if the given license body covers all users
 
-    def status(self) -> LicenseUsageStatus:
-        """Check if the given license body covers all users, and is valid."""
-        last_valid = self._last_valid_date()
-        if self.exp == 0 and not License.objects.exists():
-            return LicenseUsageStatus.UNLICENSED
-        _now = now()
-        # Check limit-exceeded based status
-        internal_users = self.get_internal_user_count()
-        external_users = self.get_external_user_count()
-        if internal_users > self.internal_users or external_users > self.external_users:
-            if last_valid < _now - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS):
-                return LicenseUsageStatus.READ_ONLY
-            if last_valid < _now - timedelta(weeks=THRESHOLD_WARNING_USER_WEEKS):
-                return LicenseUsageStatus.LIMIT_EXCEEDED_USER
-            if last_valid < _now - timedelta(weeks=THRESHOLD_WARNING_ADMIN_WEEKS):
-                return LicenseUsageStatus.LIMIT_EXCEEDED_ADMIN
-        # Check expiry based status
-        if datetime.fromtimestamp(self.exp, UTC) < _now:
-            if datetime.fromtimestamp(self.exp, UTC) < _now - timedelta(
-                weeks=THRESHOLD_READ_ONLY_WEEKS
-            ):
-                return LicenseUsageStatus.READ_ONLY
-            return LicenseUsageStatus.EXPIRED
-        # Expiry warning
-        if datetime.fromtimestamp(self.exp, UTC) <= _now + timedelta(
-            weeks=THRESHOLD_WARNING_EXPIRY_WEEKS
-        ):
-            return LicenseUsageStatus.EXPIRY_SOON
-        return LicenseUsageStatus.VALID
+        Only checks the current count, no historical data is checked"""
+        default_users = self.get_default_user_count()
+        if default_users > self.internal_users:
+            return False
+        active_users = self.get_external_user_count()
+        if active_users > self.external_users:
+            return False
+        return True
 
     def record_usage(self):
         """Capture the current validity status and metrics and save them"""
         threshold = now() - timedelta(hours=8)
-        usage = (
-            LicenseUsage.objects.order_by("-record_date").filter(record_date__gte=threshold).first()
-        )
-        if not usage:
-            usage = LicenseUsage.objects.create(
-                internal_user_count=self.get_internal_user_count(),
+        if not LicenseUsage.objects.filter(record_date__gte=threshold).exists():
+            LicenseUsage.objects.create(
+                user_count=self.get_default_user_count(),
                 external_user_count=self.get_external_user_count(),
-                status=self.status(),
+                within_limits=self.is_valid(),
             )
         summary = asdict(self.summary())
         # Also cache the latest summary for the middleware
         cache.set(CACHE_KEY_ENTERPRISE_LICENSE, summary, timeout=CACHE_EXPIRY_ENTERPRISE_LICENSE)
-        return usage
+        return summary
+
+    @staticmethod
+    def last_valid_date() -> datetime:
+        """Get the last date the license was valid"""
+        usage: LicenseUsage = (
+            LicenseUsage.filter_not_expired(within_limits=True).order_by("-record_date").first()
+        )
+        if not usage:
+            return now()
+        return usage.record_date
 
     def summary(self) -> LicenseSummary:
         """Summary of license status"""
-        status = self.status()
+        has_license = License.objects.all().count() > 0
+        last_valid = LicenseKey.last_valid_date()
+        show_admin_warning = last_valid < now() - timedelta(weeks=2)
+        show_user_warning = last_valid < now() - timedelta(weeks=4)
+        read_only = last_valid < now() - timedelta(weeks=6)
         latest_valid = datetime.fromtimestamp(self.exp)
         return LicenseSummary(
+            show_admin_warning=show_admin_warning and has_license,
+            show_user_warning=show_user_warning and has_license,
+            read_only=read_only and has_license,
             latest_valid=latest_valid,
             internal_users=self.internal_users,
             external_users=self.external_users,
-            status=status,
+            valid=self.is_valid(),
+            has_license=has_license,
         )
 
     @staticmethod
@@ -224,8 +205,4 @@ class LicenseKey:
         summary = cache.get(CACHE_KEY_ENTERPRISE_LICENSE)
         if not summary:
             return LicenseKey.get_total().summary()
-        try:
-            return from_dict(LicenseSummary, summary)
-        except DaciteError:
-            cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)
-            return LicenseKey.get_total().summary()
+        return from_dict(LicenseSummary, summary)

authentik/enterprise/middleware.py

@@ -8,7 +8,6 @@ from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
-from authentik.enterprise.models import LicenseUsageStatus
 from authentik.flows.views.executor import FlowExecutorView
 from authentik.lib.utils.reflection import class_to_path
 
@@ -44,7 +43,7 @@ class EnterpriseMiddleware:
         cached_status = LicenseKey.cached_summary()
         if not cached_status:
             return True
-        if cached_status.status == LicenseUsageStatus.READ_ONLY:
+        if cached_status.read_only:
             return False
         return True
 
@@ -54,10 +53,10 @@ class EnterpriseMiddleware:
         if request.method.lower() in ["get", "head", "options", "trace"]:
             return True
         # Always allow requests to manage licenses
-        if request.resolver_match._func_path == class_to_path(LicenseViewSet):
+        if class_to_path(request.resolver_match.func) == class_to_path(LicenseViewSet):
             return True
         # Flow executor is mounted as an API path but explicitly allowed
-        if request.resolver_match._func_path == class_to_path(FlowExecutorView):
+        if class_to_path(request.resolver_match.func) == class_to_path(FlowExecutorView):
             return True
         # Only apply these restrictions to the API
         if "authentik_api" not in request.resolver_match.app_names:

authentik/enterprise/migrations/0003_remove_licenseusage_within_limits_and_more.py

@@ -1,68 +0,0 @@
-# Generated by Django 5.0.8 on 2024-08-08 14:15
-
-from django.db import migrations, models
-from django.apps.registry import Apps
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_license_usage(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    LicenseUsage = apps.get_model("authentik_enterprise", "licenseusage")
-    db_alias = schema_editor.connection.alias
-
-    for usage in LicenseUsage.objects.using(db_alias).all():
-        usage.status = "valid" if usage.within_limits else "limit_exceeded_admin"
-        usage.save()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_enterprise", "0002_rename_users_license_internal_users_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="licenseusage",
-            name="status",
-            field=models.TextField(
-                choices=[
-                    ("unlicensed", "Unlicensed"),
-                    ("valid", "Valid"),
-                    ("expired", "Expired"),
-                    ("expiry_soon", "Expiry Soon"),
-                    ("limit_exceeded_admin", "Limit Exceeded Admin"),
-                    ("limit_exceeded_user", "Limit Exceeded User"),
-                    ("read_only", "Read Only"),
-                ],
-                default=None,
-                null=True,
-            ),
-            preserve_default=False,
-        ),
-        migrations.RunPython(migrate_license_usage),
-        migrations.RemoveField(
-            model_name="licenseusage",
-            name="within_limits",
-        ),
-        migrations.AlterField(
-            model_name="licenseusage",
-            name="status",
-            field=models.TextField(
-                choices=[
-                    ("unlicensed", "Unlicensed"),
-                    ("valid", "Valid"),
-                    ("expired", "Expired"),
-                    ("expiry_soon", "Expiry Soon"),
-                    ("limit_exceeded_admin", "Limit Exceeded Admin"),
-                    ("limit_exceeded_user", "Limit Exceeded User"),
-                    ("read_only", "Read Only"),
-                ],
-            ),
-            preserve_default=False,
-        ),
-        migrations.RenameField(
-            model_name="licenseusage",
-            old_name="user_count",
-            new_name="internal_user_count",
-        ),
-    ]

authentik/enterprise/models.py

@@ -17,17 +17,6 @@ if TYPE_CHECKING:
     from authentik.enterprise.license import LicenseKey
 
 
-def usage_expiry():
-    """Keep license usage records for 3 months"""
-    return now() + timedelta(days=30 * 3)
-
-
-THRESHOLD_WARNING_ADMIN_WEEKS = 2
-THRESHOLD_WARNING_USER_WEEKS = 4
-THRESHOLD_WARNING_EXPIRY_WEEKS = 2
-THRESHOLD_READ_ONLY_WEEKS = 6
-
-
 class License(SerializerModel):
     """An authentik enterprise license"""
 
@@ -50,7 +39,7 @@ class License(SerializerModel):
         """Get parsed license status"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.validate(self.key, check_expiry=False)
+        return LicenseKey.validate(self.key)
 
     class Meta:
         indexes = (HashIndex(fields=("key",)),)
@@ -58,23 +47,9 @@ class License(SerializerModel):
         verbose_name_plural = _("Licenses")
 
 
-class LicenseUsageStatus(models.TextChoices):
-    """License states an instance/tenant can be in"""
-
-    UNLICENSED = "unlicensed"
-    VALID = "valid"
-    EXPIRED = "expired"
-    EXPIRY_SOON = "expiry_soon"
-    # User limit exceeded, 2 week threshold, show message in admin interface
-    LIMIT_EXCEEDED_ADMIN = "limit_exceeded_admin"
-    # User limit exceeded, 4 week threshold, show message in user interface
-    LIMIT_EXCEEDED_USER = "limit_exceeded_user"
-    READ_ONLY = "read_only"
-
-    @property
-    def is_valid(self) -> bool:
-        """Quickly check if a license is valid"""
-        return self in [LicenseUsageStatus.VALID, LicenseUsageStatus.EXPIRY_SOON]
+def usage_expiry():
+    """Keep license usage records for 3 months"""
+    return now() + timedelta(days=30 * 3)
 
 
 class LicenseUsage(ExpiringModel):
@@ -84,9 +59,9 @@ class LicenseUsage(ExpiringModel):
 
     usage_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
 
-    internal_user_count = models.BigIntegerField()
+    user_count = models.BigIntegerField()
     external_user_count = models.BigIntegerField()
-    status = models.TextField(choices=LicenseUsageStatus.choices)
+    within_limits = models.BooleanField()
 
     record_date = models.DateTimeField(auto_now_add=True)
 

authentik/enterprise/policy.py

@@ -13,7 +13,7 @@ class EnterprisePolicyAccessView(PolicyAccessView):
 
     def check_license(self):
         """Check license"""
-        if not LicenseKey.get_total().status().is_valid:
+        if not LicenseKey.get_total().is_valid():
             return PolicyResult(False, _("Enterprise required to access this feature."))
         if self.request.user.type != UserTypes.INTERNAL:
             return PolicyResult(False, _("Feature only accessible for internal users."))

authentik/enterprise/providers/google_workspace/api/groups.py

@@ -1,13 +1,12 @@
 """GoogleWorkspaceProviderGroup API Views"""
 
 from rest_framework import mixins
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserGroupSerializer
-from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderGroup
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
@@ -31,7 +30,6 @@ class GoogleWorkspaceProviderGroupSerializer(ModelSerializer):
 
 class GoogleWorkspaceProviderGroupViewSet(
     mixins.CreateModelMixin,
-    OutgoingSyncConnectionCreateMixin,
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
     UsedByMixin,

authentik/enterprise/providers/google_workspace/api/users.py

@@ -1,13 +1,12 @@
 """GoogleWorkspaceProviderUser API Views"""
 
 from rest_framework import mixins
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.google_workspace.models import GoogleWorkspaceProviderUser
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
@@ -31,7 +30,6 @@ class GoogleWorkspaceProviderUserSerializer(ModelSerializer):
 
 class GoogleWorkspaceProviderUserViewSet(
     mixins.CreateModelMixin,
-    OutgoingSyncConnectionCreateMixin,
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
     UsedByMixin,

authentik/enterprise/providers/google_workspace/clients/groups.py

@@ -214,7 +214,3 @@ class GoogleWorkspaceGroupClient(
             google_id=google_id,
             attributes=group,
         )
-
-    def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):
-        group = self.directory_service.groups().get(connection.google_id)
-        connection.attributes = group

authentik/enterprise/providers/google_workspace/clients/users.py

@@ -119,7 +119,3 @@ class GoogleWorkspaceUserClient(GoogleWorkspaceSyncClient[User, GoogleWorkspaceP
             google_id=email,
             attributes=user,
         )
-
-    def update_single_attribute(self, connection: GoogleWorkspaceProviderUser):
-        user = self.directory_service.users().get(connection.google_id)
-        connection.attributes = user

authentik/enterprise/providers/google_workspace/models.py

@@ -31,58 +31,6 @@ def default_scopes() -> list[str]:
     ]
 
 
-class GoogleWorkspaceProviderUser(SerializerModel):
-    """Mapping of a user and provider to a Google user ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    google_id = models.TextField()
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
-    provider = models.ForeignKey("GoogleWorkspaceProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.google_workspace.api.users import (
-            GoogleWorkspaceProviderUserSerializer,
-        )
-
-        return GoogleWorkspaceProviderUserSerializer
-
-    class Meta:
-        verbose_name = _("Google Workspace Provider User")
-        verbose_name_plural = _("Google Workspace Provider Users")
-        unique_together = (("google_id", "user", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Google Workspace Provider User {self.user_id} to {self.provider_id}"
-
-
-class GoogleWorkspaceProviderGroup(SerializerModel):
-    """Mapping of a group and provider to a Google group ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    google_id = models.TextField()
-    group = models.ForeignKey(Group, on_delete=models.CASCADE)
-    provider = models.ForeignKey("GoogleWorkspaceProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.google_workspace.api.groups import (
-            GoogleWorkspaceProviderGroupSerializer,
-        )
-
-        return GoogleWorkspaceProviderGroupSerializer
-
-    class Meta:
-        verbose_name = _("Google Workspace Provider Group")
-        verbose_name_plural = _("Google Workspace Provider Groups")
-        unique_together = (("google_id", "group", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Google Workspace Provider Group {self.group_id} to {self.provider_id}"
-
-
 class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
     """Sync users from authentik into Google Workspace."""
 
@@ -111,16 +59,15 @@ class GoogleWorkspaceProvider(OutgoingSyncProvider, BackchannelProvider):
     )
 
     def client_for_model(
-        self,
-        model: type[User | Group | GoogleWorkspaceProviderUser | GoogleWorkspaceProviderGroup],
+        self, model: type[User | Group]
     ) -> BaseOutgoingSyncClient[User | Group, Any, Any, Self]:
-        if issubclass(model, User | GoogleWorkspaceProviderUser):
+        if issubclass(model, User):
             from authentik.enterprise.providers.google_workspace.clients.users import (
                 GoogleWorkspaceUserClient,
             )
 
             return GoogleWorkspaceUserClient(self)
-        if issubclass(model, Group | GoogleWorkspaceProviderGroup):
+        if issubclass(model, Group):
             from authentik.enterprise.providers.google_workspace.clients.groups import (
                 GoogleWorkspaceGroupClient,
             )
@@ -197,3 +144,55 @@ class GoogleWorkspaceProviderMapping(PropertyMapping):
     class Meta:
         verbose_name = _("Google Workspace Provider Mapping")
         verbose_name_plural = _("Google Workspace Provider Mappings")
+
+
+class GoogleWorkspaceProviderUser(SerializerModel):
+    """Mapping of a user and provider to a Google user ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    google_id = models.TextField()
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    provider = models.ForeignKey(GoogleWorkspaceProvider, on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.google_workspace.api.users import (
+            GoogleWorkspaceProviderUserSerializer,
+        )
+
+        return GoogleWorkspaceProviderUserSerializer
+
+    class Meta:
+        verbose_name = _("Google Workspace Provider User")
+        verbose_name_plural = _("Google Workspace Provider Users")
+        unique_together = (("google_id", "user", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Google Workspace Provider User {self.user_id} to {self.provider_id}"
+
+
+class GoogleWorkspaceProviderGroup(SerializerModel):
+    """Mapping of a group and provider to a Google group ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    google_id = models.TextField()
+    group = models.ForeignKey(Group, on_delete=models.CASCADE)
+    provider = models.ForeignKey(GoogleWorkspaceProvider, on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.google_workspace.api.groups import (
+            GoogleWorkspaceProviderGroupSerializer,
+        )
+
+        return GoogleWorkspaceProviderGroupSerializer
+
+    class Meta:
+        verbose_name = _("Google Workspace Provider Group")
+        verbose_name_plural = _("Google Workspace Provider Groups")
+        unique_together = (("google_id", "group", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Google Workspace Provider Group {self.group_id} to {self.provider_id}"

authentik/enterprise/providers/microsoft_entra/api/groups.py

@@ -1,13 +1,12 @@
 """MicrosoftEntraProviderGroup API Views"""
 
 from rest_framework import mixins
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserGroupSerializer
-from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderGroup
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
@@ -31,7 +30,6 @@ class MicrosoftEntraProviderGroupSerializer(ModelSerializer):
 
 class MicrosoftEntraProviderGroupViewSet(
     mixins.CreateModelMixin,
-    OutgoingSyncConnectionCreateMixin,
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
     UsedByMixin,

authentik/enterprise/providers/microsoft_entra/api/users.py

@@ -1,13 +1,12 @@
 """MicrosoftEntraProviderUser API Views"""
 
 from rest_framework import mixins
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.providers.microsoft_entra.models import MicrosoftEntraProviderUser
-from authentik.lib.sync.outgoing.api import OutgoingSyncConnectionCreateMixin
 
 
 class MicrosoftEntraProviderUserSerializer(ModelSerializer):
@@ -30,7 +29,6 @@ class MicrosoftEntraProviderUserSerializer(ModelSerializer):
 
 
 class MicrosoftEntraProviderUserViewSet(
-    OutgoingSyncConnectionCreateMixin,
     mixins.CreateModelMixin,
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,

authentik/enterprise/providers/microsoft_entra/clients/groups.py

@@ -226,7 +226,3 @@ class MicrosoftEntraGroupClient(
             microsoft_id=group.id,
             attributes=self.entity_as_dict(group),
         )
-
-    def update_single_attribute(self, connection: MicrosoftEntraProviderGroup):
-        data = self._request(self.client.groups.by_group_id(connection.microsoft_id).get())
-        connection.attributes = self.entity_as_dict(data)

authentik/enterprise/providers/microsoft_entra/clients/users.py

@@ -66,26 +66,6 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
             microsoft_user.delete()
         return response
 
-    def get_select_fields(self) -> list[str]:
-        """All fields that should be selected when we fetch user data."""
-        # TODO: Make this customizable in the future
-        return [
-            # Default fields
-            "businessPhones",
-            "displayName",
-            "givenName",
-            "jobTitle",
-            "mail",
-            "mobilePhone",
-            "officeLocation",
-            "preferredLanguage",
-            "surname",
-            "userPrincipalName",
-            "id",
-            # Required for logging into M365 using authentik
-            "onPremisesImmutableId",
-        ]
-
     def create(self, user: User):
         """Create user from scratch and create a connection object"""
         microsoft_user = self.to_schema(user, None)
@@ -95,12 +75,12 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
                 response = self._request(self.client.users.post(microsoft_user))
             except ObjectExistsSyncException:
                 # user already exists in microsoft entra, so we can connect them manually
+                query_params = UsersRequestBuilder.UsersRequestBuilderGetQueryParameters()(
+                    filter=f"mail eq '{microsoft_user.mail}'",
+                )
                 request_configuration = (
                     UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
-                        query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
-                            filter=f"mail eq '{microsoft_user.mail}'",
-                            select=self.get_select_fields(),
-                        ),
+                        query_parameters=query_params,
                     )
                 )
                 user_data = self._request(self.client.users.get(request_configuration))
@@ -119,6 +99,7 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
             except TransientSyncException as exc:
                 raise exc
             else:
+                print(self.entity_as_dict(response))
                 return MicrosoftEntraProviderUser.objects.create(
                     provider=self.provider,
                     user=user,
@@ -139,12 +120,7 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
 
     def discover(self):
         """Iterate through all users and connect them with authentik users if possible"""
-        request_configuration = UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
-            query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
-                select=self.get_select_fields(),
-            ),
-        )
-        users = self._request(self.client.users.get(request_configuration))
+        users = self._request(self.client.users.get())
         next_link = True
         while next_link:
             for user in users.value:
@@ -165,14 +141,3 @@ class MicrosoftEntraUserClient(MicrosoftEntraSyncClient[User, MicrosoftEntraProv
             microsoft_id=user.id,
             attributes=self.entity_as_dict(user),
         )
-
-    def update_single_attribute(self, connection: MicrosoftEntraProviderUser):
-        request_configuration = UsersRequestBuilder.UsersRequestBuilderGetRequestConfiguration(
-            query_parameters=UsersRequestBuilder.UsersRequestBuilderGetQueryParameters(
-                select=self.get_select_fields(),
-            ),
-        )
-        data = self._request(
-            self.client.users.by_user_id(connection.microsoft_id).get(request_configuration)
-        )
-        connection.attributes = self.entity_as_dict(data)

authentik/enterprise/providers/microsoft_entra/models.py

@@ -22,58 +22,6 @@ from authentik.lib.sync.outgoing.base import BaseOutgoingSyncClient
 from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction, OutgoingSyncProvider
 
 
-class MicrosoftEntraProviderUser(SerializerModel):
-    """Mapping of a user and provider to a Microsoft user ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    microsoft_id = models.TextField()
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
-    provider = models.ForeignKey("MicrosoftEntraProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.microsoft_entra.api.users import (
-            MicrosoftEntraProviderUserSerializer,
-        )
-
-        return MicrosoftEntraProviderUserSerializer
-
-    class Meta:
-        verbose_name = _("Microsoft Entra Provider User")
-        verbose_name_plural = _("Microsoft Entra Provider User")
-        unique_together = (("microsoft_id", "user", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Microsoft Entra Provider User {self.user_id} to {self.provider_id}"
-
-
-class MicrosoftEntraProviderGroup(SerializerModel):
-    """Mapping of a group and provider to a Microsoft group ID"""
-
-    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    microsoft_id = models.TextField()
-    group = models.ForeignKey(Group, on_delete=models.CASCADE)
-    provider = models.ForeignKey("MicrosoftEntraProvider", on_delete=models.CASCADE)
-    attributes = models.JSONField(default=dict)
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.enterprise.providers.microsoft_entra.api.groups import (
-            MicrosoftEntraProviderGroupSerializer,
-        )
-
-        return MicrosoftEntraProviderGroupSerializer
-
-    class Meta:
-        verbose_name = _("Microsoft Entra Provider Group")
-        verbose_name_plural = _("Microsoft Entra Provider Groups")
-        unique_together = (("microsoft_id", "group", "provider"),)
-
-    def __str__(self) -> str:
-        return f"Microsoft Entra Provider Group {self.group_id} to {self.provider_id}"
-
-
 class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
     """Sync users from authentik into Microsoft Entra."""
 
@@ -100,16 +48,15 @@ class MicrosoftEntraProvider(OutgoingSyncProvider, BackchannelProvider):
     )
 
     def client_for_model(
-        self,
-        model: type[User | Group | MicrosoftEntraProviderUser | MicrosoftEntraProviderGroup],
+        self, model: type[User | Group]
     ) -> BaseOutgoingSyncClient[User | Group, Any, Any, Self]:
-        if issubclass(model, User | MicrosoftEntraProviderUser):
+        if issubclass(model, User):
             from authentik.enterprise.providers.microsoft_entra.clients.users import (
                 MicrosoftEntraUserClient,
             )
 
             return MicrosoftEntraUserClient(self)
-        if issubclass(model, Group | MicrosoftEntraProviderGroup):
+        if issubclass(model, Group):
             from authentik.enterprise.providers.microsoft_entra.clients.groups import (
                 MicrosoftEntraGroupClient,
             )
@@ -186,3 +133,55 @@ class MicrosoftEntraProviderMapping(PropertyMapping):
     class Meta:
         verbose_name = _("Microsoft Entra Provider Mapping")
         verbose_name_plural = _("Microsoft Entra Provider Mappings")
+
+
+class MicrosoftEntraProviderUser(SerializerModel):
+    """Mapping of a user and provider to a Microsoft user ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    microsoft_id = models.TextField()
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    provider = models.ForeignKey(MicrosoftEntraProvider, on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.microsoft_entra.api.users import (
+            MicrosoftEntraProviderUserSerializer,
+        )
+
+        return MicrosoftEntraProviderUserSerializer
+
+    class Meta:
+        verbose_name = _("Microsoft Entra Provider User")
+        verbose_name_plural = _("Microsoft Entra Provider User")
+        unique_together = (("microsoft_id", "user", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Microsoft Entra Provider User {self.user_id} to {self.provider_id}"
+
+
+class MicrosoftEntraProviderGroup(SerializerModel):
+    """Mapping of a group and provider to a Microsoft group ID"""
+
+    id = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    microsoft_id = models.TextField()
+    group = models.ForeignKey(Group, on_delete=models.CASCADE)
+    provider = models.ForeignKey(MicrosoftEntraProvider, on_delete=models.CASCADE)
+    attributes = models.JSONField(default=dict)
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        from authentik.enterprise.providers.microsoft_entra.api.groups import (
+            MicrosoftEntraProviderGroupSerializer,
+        )
+
+        return MicrosoftEntraProviderGroupSerializer
+
+    class Meta:
+        verbose_name = _("Microsoft Entra Provider Group")
+        verbose_name_plural = _("Microsoft Entra Provider Groups")
+        unique_together = (("microsoft_id", "group", "provider"),)
+
+    def __str__(self) -> str:
+        return f"Microsoft Entra Provider Group {self.group_id} to {self.provider_id}"

authentik/enterprise/providers/microsoft_entra/tests/test_users.py

@@ -3,18 +3,16 @@
 from unittest.mock import AsyncMock, MagicMock, patch
 
 from azure.identity.aio import ClientSecretCredential
-from django.urls import reverse
+from django.test import TestCase
 from msgraph.generated.models.group_collection_response import GroupCollectionResponse
 from msgraph.generated.models.organization import Organization
 from msgraph.generated.models.organization_collection_response import OrganizationCollectionResponse
 from msgraph.generated.models.user import User as MSUser
 from msgraph.generated.models.user_collection_response import UserCollectionResponse
 from msgraph.generated.models.verified_domain import VerifiedDomain
-from rest_framework.test import APITestCase
 
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application, Group, User
-from authentik.core.tests.utils import create_test_admin_user
 from authentik.enterprise.providers.microsoft_entra.models import (
     MicrosoftEntraProvider,
     MicrosoftEntraProviderMapping,
@@ -27,12 +25,11 @@ from authentik.lib.sync.outgoing.models import OutgoingSyncDeleteAction
 from authentik.tenants.models import Tenant
 
 
-class MicrosoftEntraUserTests(APITestCase):
+class MicrosoftEntraUserTests(TestCase):
     """Microsoft Entra User tests"""
 
     @apply_blueprint("system/providers-microsoft-entra.yaml")
     def setUp(self) -> None:
-
         # Delete all users and groups as the mocked HTTP responses only return one ID
         # which will cause errors with multiple users
         Tenant.objects.update(avatars="none")
@@ -374,45 +371,3 @@ class MicrosoftEntraUserTests(APITestCase):
             )
             self.assertFalse(Event.objects.filter(action=EventAction.SYSTEM_EXCEPTION).exists())
             user_list.assert_called_once()
-
-    def test_connect_manual(self):
-        """test manual user connection"""
-        uid = generate_id()
-        self.app.backchannel_providers.remove(self.provider)
-        admin = create_test_admin_user()
-        different_user = User.objects.create(
-            username=uid,
-            email=f"{uid}@goauthentik.io",
-        )
-        self.app.backchannel_providers.add(self.provider)
-        with (
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.models.MicrosoftEntraProvider.microsoft_credentials",
-                MagicMock(return_value={"credentials": self.creds}),
-            ),
-            patch(
-                "msgraph.generated.organization.organization_request_builder.OrganizationRequestBuilder.get",
-                AsyncMock(
-                    return_value=OrganizationCollectionResponse(
-                        value=[
-                            Organization(verified_domains=[VerifiedDomain(name="goauthentik.io")])
-                        ]
-                    )
-                ),
-            ),
-            patch(
-                "authentik.enterprise.providers.microsoft_entra.clients.users.MicrosoftEntraUserClient.update_single_attribute",
-                MagicMock(),
-            ) as user_get,
-        ):
-            self.client.force_login(admin)
-            response = self.client.post(
-                reverse("authentik_api:microsoftentraprovideruser-list"),
-                data={
-                    "microsoft_id": generate_id(),
-                    "user": different_user.pk,
-                    "provider": self.provider.pk,
-                },
-            )
-            self.assertEqual(response.status_code, 201)
-            user_get.assert_called_once()

authentik/enterprise/providers/rac/api/connection_tokens.py

@@ -3,12 +3,12 @@
 from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.rac.api.endpoints import EndpointSerializer
 from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
@@ -34,12 +34,6 @@ class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
         ]
 
 
-class ConnectionTokenOwnerFilter(OwnerFilter):
-    """Owner filter for connection tokens (checks session's user)"""
-
-    owner_key = "session__user"
-
-
 class ConnectionTokenViewSet(
     mixins.RetrieveModelMixin,
     mixins.UpdateModelMixin,
@@ -56,9 +50,4 @@ class ConnectionTokenViewSet(
     search_fields = ["endpoint__name", "provider__name"]
     ordering = ["endpoint__name", "provider__name"]
     permission_classes = [OwnerSuperuserPermissions]
-    filter_backends = [
-        ConnectionTokenOwnerFilter,
-        DjangoFilterBackend,
-        OrderingFilter,
-        SearchFilter,
-    ]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]

authentik/enterprise/providers/rac/api/endpoints.py

@@ -8,11 +8,11 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Provider
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer