release: 2023.8.7

security: fix CVE-2024-23647 (cherry-pick #8345 ) (#8346 )
security: fix CVE-2024-23647 (#8345) * security: fix CVE-2024-23647 * add tests * add website --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>
2024-01-29 17:44:35 +01:00 · 2024-01-29 17:42:07 +01:00 · 2024-01-09 18:44:21 +01:00 · 2024-01-09 18:43:56 +01:00 · 2023-11-21 19:51:16 +01:00 · 2023-11-21 19:51:11 +01:00
612 changed files with 22324 additions and 10481 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.6.1
+current_version = 2023.8.7
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
--- a/.dockerignore
+++ b/.dockerignore
@ -7,3 +7,4 @@ build/**
 build_docs/**
 Dockerfile
 authentik/enterprise
+blueprints/local
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@ -14,7 +14,7 @@ runs:
      run: |
        pipx install poetry || true
        sudo apt update
-        sudo apt install -y libxmlsec1-dev pkg-config gettext
+        sudo apt install -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
    - name: Setup python and restore poetry
      uses: actions/setup-python@v3
      with:
@ -23,7 +23,7 @@ runs:
    - name: Setup node
      uses: actions/setup-node@v3
      with:
-        node-version: "20"
+        node-version: "20.5"
        cache: "npm"
        cache-dependency-path: web/package-lock.json
    - name: Setup dependencies
--- a/.github/cherry-pick-bot.yml
+++ b/.github/cherry-pick-bot.yml
@ -0,0 +1,2 @@
+enabled: true
+preservePullRequestTitle: true
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -8,6 +8,8 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "ci:"
+    labels:
+      - dependencies
  - package-ecosystem: gomod
    directory: "/"
    schedule:
@ -16,11 +18,15 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "core:"
+    labels:
+      - dependencies
  - package-ecosystem: npm
    directory: "/web"
    schedule:
      interval: daily
      time: "04:00"
+    labels:
+      - dependencies
    open-pull-requests-limit: 10
    commit-message:
      prefix: "web:"
@ -32,10 +38,18 @@ updates:
        patterns:
          - "@babel/*"
          - "babel-*"
+      eslint:
+        patterns:
+          - "@typescript-eslint/eslint-*"
+          - "eslint"
+          - "eslint-*"
      storybook:
        patterns:
          - "@storybook/*"
          - "*storybook*"
+      esbuild:
+        patterns:
+          - "@esbuild/*"
  - package-ecosystem: npm
    directory: "/website"
    schedule:
@ -44,6 +58,8 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "website:"
+    labels:
+      - dependencies
    groups:
      docusaurus:
        patterns:
@ -56,6 +72,8 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "core:"
+    labels:
+      - dependencies
  - package-ecosystem: docker
    directory: "/"
    schedule:
@ -64,3 +82,5 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "core:"
+    labels:
+      - dependencies
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,23 +1,19 @@
 <!--
-👋 Hello there! Welcome.
+👋 Hi there! Welcome.

-Please check the [Contributing guidelines](https://goauthentik.io/developer-docs/#how-can-i-contribute).
+Please check the Contributing guidelines: https://goauthentik.io/developer-docs/#how-can-i-contribute
 -->

 ## Details

-   **Does this resolve an issue?**
-    Resolves #
+<!--
+Explain what this PR changes, what the rationale behind the change is, if any new requirements are introduced or any breaking changes caused by this PR.

-## Changes
+Ideally also link an Issue for context that this PR will close using `closes #`
+-->
+REPLACE ME

-### New Features
-
-   Adds feature which does x, y, and z.
-
-### Breaking Changes
-
-   Adds breaking change which causes \<issue\>.
+---

 ## Checklist

--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -11,6 +11,7 @@ on:
  pull_request:
    branches:
      - main
+      - version-*

 env:
  POSTGRES_DB: authentik
@ -88,8 +89,8 @@ jobs:
      fail-fast: false
      matrix:
        psql:
-          - 11-alpine
          - 12-alpine
+          - 15-alpine
    steps:
      - uses: actions/checkout@v3
      - name: Setup authentik env
@ -184,6 +185,9 @@ jobs:
  build:
    needs: ci-core-mark
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@v3
@ -229,6 +233,9 @@ jobs:
  build-arm64:
    needs: ci-core-mark
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
    timeout-minutes: 120
    steps:
      - uses: actions/checkout@v3
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -9,6 +9,7 @@ on:
  pull_request:
    branches:
      - main
+      - version-*

 jobs:
  lint-golint:
@ -63,6 +64,9 @@ jobs:
          - ldap
          - radius
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
    steps:
      - uses: actions/checkout@v3
        with:
@ -120,9 +124,9 @@ jobs:
      - uses: actions/setup-go@v4
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "20.5"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - name: Generate API
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -9,15 +9,16 @@ on:
  pull_request:
    branches:
      - main
+      - version-*

 jobs:
  lint-eslint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "20.5"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
@ -30,10 +31,10 @@ jobs:
  lint-build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "20.5"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
@ -46,10 +47,10 @@ jobs:
  lint-prettier:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "20.5"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
@ -62,10 +63,10 @@ jobs:
  lint-lit-analyse:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "20.5"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
@ -94,10 +95,10 @@ jobs:
      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "20.5"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -9,15 +9,16 @@ on:
  pull_request:
    branches:
      - main
+      - version-*

 jobs:
  lint-prettier:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "20.5"
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
@ -28,10 +29,10 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "20.5"
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
@ -49,10 +50,10 @@ jobs:
          - build
          - build-docs-only
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "20.5"
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
--- a/.github/workflows/gha-cache-cleanup.yml
+++ b/.github/workflows/gha-cache-cleanup.yml
@ -0,0 +1,34 @@
+---
+# See https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#force-deleting-cache-entries
+name: Cleanup cache after PR is closed
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Cleanup
+        run: |
+          gh extension install actions/gh-actions-cache
+
+          REPO=${{ github.repository }}
+          BRANCH="refs/pull/${{ github.event.pull_request.number }}/merge"
+
+          echo "Fetching list of cache key"
+          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
+
+          # Setting this to not fail the workflow while deleting cache keys.
+          set +e
+          echo "Deleting caches..."
+          for cacheKey in $cacheKeysForPR; do
+              gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
+          done
+          echo "Done"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/image-compress.yml
+++ b/.github/workflows/image-compress.yml
@ -0,0 +1,61 @@
+---
+name: authentik-compress-images
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "**.jpg"
+      - "**.jpeg"
+      - "**.png"
+      - "**.webp"
+  pull_request:
+    paths:
+      - "**.jpg"
+      - "**.jpeg"
+      - "**.png"
+      - "**.webp"
+  workflow_dispatch:
+
+jobs:
+  compress:
+    name: compress
+    runs-on: ubuntu-latest
+    # Don't run on forks. Token will not be available. Will run on main and open a PR anyway
+    if: |
+      github.repository == 'goauthentik/authentik' &&
+      (github.event_name != 'pull_request' ||
+       github.event.pull_request.head.repo.full_name == github.repository)
+    steps:
+      - id: generate_token
+        uses: tibdex/github-app-token@v1
+        with:
+          app_id: ${{ secrets.GH_APP_ID }}
+          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v3
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+      - name: Compress images
+        id: compress
+        uses: calibreapp/image-actions@main
+        with:
+          githubToken: ${{ steps.generate_token.outputs.token }}
+          compressOnly: ${{ github.event_name != 'pull_request' }}
+      - uses: peter-evans/create-pull-request@v5
+        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
+        id: cpr
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          title: "*: Auto compress images"
+          branch-suffix: timestamp
+          commit-messsage: "*: compress images"
+          body: ${{ steps.compress.outputs.markdown }}
+          delete-branch: true
+          signoff: true
+      - uses: peter-evans/enable-pull-request-automerge@v3
+        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
+          merge-method: squash
--- a/.github/workflows/publish-source-docs.yml
+++ b/.github/workflows/publish-source-docs.yml
@ -0,0 +1,31 @@
+name: authentik-publish-source-docs
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  POSTGRES_DB: authentik
+  POSTGRES_USER: authentik
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+
+jobs:
+  publish-source-docs:
+    runs-on: ubuntu-latest
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v3
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+      - name: generate docs
+        run: |
+          poetry run make migrate
+          poetry run ak build_source_docs
+      - name: Publish
+        uses: netlify/actions/cli@master
+        with:
+          args: deploy --dir=source_docs --prod
+        env:
+          NETLIFY_SITE_ID: eb246b7b-1d83-4f69-89f7-01a936b4ca59
+          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@ -6,6 +6,7 @@ on:
  workflow_dispatch:

 permissions:
+  # Needed to be able to push to the next branch
  contents: write

 jobs:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -7,6 +7,9 @@ on:
 jobs:
  build-server:
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
    steps:
      - uses: actions/checkout@v3
      - name: Set up QEMU
@ -47,6 +50,9 @@ jobs:
            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
  build-outpost:
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
    strategy:
      fail-fast: false
      matrix:
@ -96,6 +102,9 @@ jobs:
  build-outpost-binary:
    timeout-minutes: 120
    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload binaries to the release
+      contents: write
    strategy:
      fail-fast: false
      matrix:
@ -110,9 +119,9 @@ jobs:
      - uses: actions/setup-go@v4
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "20.5"
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - name: Build web
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@ -6,8 +6,8 @@ on:
  workflow_dispatch:

 permissions:
+  # Needed to update issues and PRs
  issues: write
-  pull-requests: write

 jobs:
  stale:
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@ -1,4 +1,5 @@
 # Rename transifex pull requests to have a correct naming
+# Also enables auto squash-merge
 name: authentik-translation-transifex-rename

 on:
@ -37,3 +38,8 @@ jobs:
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://api.github.com/repos/${GITHUB_REPOSITORY}/pulls/${{ github.event.pull_request.number }} \
            -d "{\"title\":\"translate: ${{ steps.title.outputs.title }}\"}"
+      - uses: peter-evans/enable-pull-request-automerge@v3
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          pull-request-number: ${{ github.event.pull_request.number }}
+          merge-method: squash
--- a/.github/workflows/web-api-publish.yml
+++ b/.github/workflows/web-api-publish.yml
@ -17,9 +17,9 @@ jobs:
      - uses: actions/checkout@v3
        with:
          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/setup-node@v3.7.0
+      - uses: actions/setup-node@v3
        with:
-          node-version: "20"
+          node-version: "20.5"
          registry-url: "https://registry.npmjs.org"
      - name: Generate API Client
        run: make gen-client-ts
--- a/.gitignore
+++ b/.gitignore
@ -205,3 +205,4 @@ data/
 # Local Netlify folder
 .netlify
 .ruff_cache
+source_docs/
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -31,7 +31,8 @@
        "!Format sequence",
        "!Condition sequence",
        "!Env sequence",
-        "!Env scalar"
+        "!Env scalar",
+        "!If sequence"
    ],
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
--- a/21
+++ b/21
@ -1,5 +1,5 @@
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/node:20 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:20.5 as website-builder

 COPY ./website /work/website/
 COPY ./blueprints /work/blueprints/
@ -10,7 +10,7 @@ WORKDIR /work/website
 RUN npm ci --include=dev && npm run build-docs-only

 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/node:20 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:20.5 as web-builder

 COPY ./web /work/web/
 COPY ./website /work/website/
@ -20,7 +20,7 @@ WORKDIR /work/web
 RUN npm ci --include=dev && npm run build

 # Stage 3: Poetry to requirements.txt export
-FROM docker.io/python:3.11.4-slim-bullseye AS poetry-locker
+FROM docker.io/python:3.11.5-slim-bookworm AS poetry-locker

 WORKDIR /work
 COPY ./pyproject.toml /work
@ -31,7 +31,7 @@ RUN pip install --no-cache-dir poetry && \
    poetry export -f requirements.txt --dev --output requirements-dev.txt

 # Stage 4: Build go proxy
-FROM docker.io/golang:1.20.6-bullseye AS go-builder
+FROM docker.io/golang:1.21.0-bookworm AS go-builder

 WORKDIR /work

@ -39,12 +39,13 @@ COPY --from=web-builder /work/web/robots.txt /work/web/robots.txt
 COPY --from=web-builder /work/web/security.txt /work/web/security.txt

 COPY ./cmd /work/cmd
+COPY ./authentik/lib /work/authentik/lib
 COPY ./web/static.go /work/web/static.go
 COPY ./internal /work/internal
 COPY ./go.mod /work/go.mod
 COPY ./go.sum /work/go.sum

-RUN go build -o /work/authentik ./cmd/server/
+RUN go build -o /work/bin/authentik ./cmd/server/

 # Stage 5: MaxMind GeoIP
 FROM ghcr.io/maxmind/geoipupdate:v6.0 as geoip
@ -61,7 +62,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 6: Run
-FROM docker.io/python:3.11.4-slim-bullseye AS final-image
+FROM docker.io/python:3.11.5-slim-bookworm AS final-image

 ARG GIT_BUILD_HASH
 ARG VERSION
@ -81,13 +82,13 @@ COPY --from=geoip /usr/share/GeoIP /geoip

 RUN apt-get update && \
    # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev && \
+    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev python3-dev && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libxmlsec1-openssl libmaxminddb0 && \
+    apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
    pip install --no-cache-dir -r /requirements.txt && \
-    apt-get remove --purge -y build-essential pkg-config libxmlsec1-dev && \
+    apt-get remove --purge -y build-essential pkg-config libxmlsec1-dev libpq-dev python3-dev && \
    apt-get autoremove --purge -y && \
    apt-get clean && \
    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
@ -104,7 +105,7 @@ COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
-COPY --from=go-builder /work/authentik /bin/authentik
+COPY --from=go-builder /work/bin/authentik /bin/authentik
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
 COPY --from=website-builder /work/website/help/ /website/help/
--- a/6
+++ b/6
@ -140,13 +140,15 @@ web-watch:
 	touch web/dist/.gitkeep
 	cd web && npm run watch

+web-storybook-watch:
+	cd web && npm run storybook
+
 web-lint-fix:
 	cd web && npm run prettier

 web-lint:
 	cd web && npm run lint
-	# TODO: The analyzer hasn't run correctly in awhile.
-	# cd web && npm run lit-analyse
+	cd web && npm run lit-analyse

 web-check-compile:
 	cd web && npm run tsc
--- a/SECURITY.md
+++ b/SECURITY.md
@ -16,8 +16,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version | Supported |
 | --- | --- |
-| 2023.5.x | ✅ |
 | 2023.6.x | ✅ |
+| 2023.8.x | ✅ |

 ## Reporting a Vulnerability

@ -27,6 +27,8 @@ To report a vulnerability, send an email to [security@goauthentik.io](mailto:se

 authentik reserves the right to reclassify CVSS as necessary. To determine severity, we will use the CVSS calculator from NVD (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The calculated CVSS score will then be translated into one of the following categories:

+| Score | Severity |
+| --- | --- |
 | 0.0 | None |
 | 0.1 – 3.9 | Low |
 | 4.0 – 6.9 | Medium |
--- a/authentik/init.py
+++ b/authentik/init.py
@ -1,8 +1,8 @@
-"""authentik"""
+"""authentik root module"""
 from os import environ
 from typing import Optional

-__version__ = "2023.6.1"
+__version__ = "2023.8.7"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/api/pagination.py
+++ b/authentik/api/pagination.py
@ -2,6 +2,43 @@
 from rest_framework import pagination
 from rest_framework.response import Response

+PAGINATION_COMPONENT_NAME = "Pagination"
+PAGINATION_SCHEMA = {
+    "type": "object",
+    "properties": {
+        "next": {
+            "type": "number",
+        },
+        "previous": {
+            "type": "number",
+        },
+        "count": {
+            "type": "number",
+        },
+        "current": {
+            "type": "number",
+        },
+        "total_pages": {
+            "type": "number",
+        },
+        "start_index": {
+            "type": "number",
+        },
+        "end_index": {
+            "type": "number",
+        },
+    },
+    "required": [
+        "next",
+        "previous",
+        "count",
+        "current",
+        "total_pages",
+        "start_index",
+        "end_index",
+    ],
+}
+

 class Pagination(pagination.PageNumberPagination):
    """Pagination which includes total pages and current page"""
@ -35,41 +72,7 @@ class Pagination(pagination.PageNumberPagination):
        return {
            "type": "object",
            "properties": {
-                "pagination": {
-                    "type": "object",
-                    "properties": {
-                        "next": {
-                            "type": "number",
-                        },
-                        "previous": {
-                            "type": "number",
-                        },
-                        "count": {
-                            "type": "number",
-                        },
-                        "current": {
-                            "type": "number",
-                        },
-                        "total_pages": {
-                            "type": "number",
-                        },
-                        "start_index": {
-                            "type": "number",
-                        },
-                        "end_index": {
-                            "type": "number",
-                        },
-                    },
-                    "required": [
-                        "next",
-                        "previous",
-                        "count",
-                        "current",
-                        "total_pages",
-                        "start_index",
-                        "end_index",
-                    ],
-                },
+                "pagination": {"$ref": f"#/components/schemas/{PAGINATION_COMPONENT_NAME}"},
                "results": schema,
            },
            "required": ["pagination", "results"],
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -1,5 +1,6 @@
 """Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
 from django.utils.translation import gettext_lazy as _
+from drf_spectacular.generators import SchemaGenerator
 from drf_spectacular.plumbing import (
    ResolvedComponent,
    build_array_type,
@ -8,6 +9,9 @@ from drf_spectacular.plumbing import (
 )
 from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.types import OpenApiTypes
+from rest_framework.settings import api_settings
+
+from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA


 def build_standard_type(obj, **kwargs):
@ -28,7 +32,7 @@ GENERIC_ERROR = build_object_type(
 VALIDATION_ERROR = build_object_type(
    description=_("Validation Error"),
    properties={
-        "non_field_errors": build_array_type(build_standard_type(OpenApiTypes.STR)),
+        api_settings.NON_FIELD_ERRORS_KEY: build_array_type(build_standard_type(OpenApiTypes.STR)),
        "code": build_standard_type(OpenApiTypes.STR),
    },
    required=[],
@ -36,7 +40,19 @@ VALIDATION_ERROR = build_object_type(
 )


-def postprocess_schema_responses(result, generator, **kwargs):  # noqa: W0613
+def create_component(generator: SchemaGenerator, name, schema, type_=ResolvedComponent.SCHEMA):
+    """Register a component and return a reference to it."""
+    component = ResolvedComponent(
+        name=name,
+        type=type_,
+        schema=schema,
+        object=name,
+    )
+    generator.registry.register_on_missing(component)
+    return component
+
+
+def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):  # noqa: W0613
    """Workaround to set a default response for endpoints.
    Workaround suggested at
    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
@ -44,19 +60,10 @@ def postprocess_schema_responses(result, generator, **kwargs):  # noqa: W0613
    <https://github.com/tfranzel/drf-spectacular/issues/101>.
    """

-    def create_component(name, schema, type_=ResolvedComponent.SCHEMA):
-        """Register a component and return a reference to it."""
-        component = ResolvedComponent(
-            name=name,
-            type=type_,
-            schema=schema,
-            object=name,
-        )
-        generator.registry.register_on_missing(component)
-        return component
+    create_component(generator, PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA)

-    generic_error = create_component("GenericError", GENERIC_ERROR)
-    validation_error = create_component("ValidationError", VALIDATION_ERROR)
+    generic_error = create_component(generator, "GenericError", GENERIC_ERROR)
+    validation_error = create_component(generator, "ValidationError", VALIDATION_ERROR)

    for path in result["paths"].values():
        for method in path.values():
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -93,10 +93,10 @@ class ConfigView(APIView):
                    "traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
                },
                "capabilities": self.get_capabilities(),
-                "cache_timeout": int(CONFIG.get("redis.cache_timeout")),
-                "cache_timeout_flows": int(CONFIG.get("redis.cache_timeout_flows")),
-                "cache_timeout_policies": int(CONFIG.get("redis.cache_timeout_policies")),
-                "cache_timeout_reputation": int(CONFIG.get("redis.cache_timeout_reputation")),
+                "cache_timeout": CONFIG.get_int("redis.cache_timeout"),
+                "cache_timeout_flows": CONFIG.get_int("redis.cache_timeout_flows"),
+                "cache_timeout_policies": CONFIG.get_int("redis.cache_timeout_policies"),
+                "cache_timeout_reputation": CONFIG.get_int("redis.cache_timeout_reputation"),
            }
        )

--- a/authentik/blueprints/tests/fixtures/conditional_fields.yaml
+++ b/authentik/blueprints/tests/fixtures/conditional_fields.yaml
@ -45,3 +45,8 @@ entries:
    attrs:
      name: "%(uid)s"
      password: "%(uid)s"
+  - model: authentik_core.user
+    identifiers:
+      username: "%(uid)s-no-password"
+    attrs:
+      name: "%(uid)s"
--- a/authentik/blueprints/tests/fixtures/state_absent.yaml
+++ b/authentik/blueprints/tests/fixtures/state_absent.yaml
@ -7,7 +7,5 @@ entries:
      state: absent
    - identifiers:
          name: "%(id)s"
-          expression: |
-            return True
      model: authentik_policies_expression.expressionpolicy
      state: absent
--- a/authentik/blueprints/tests/fixtures/tags.yaml
+++ b/authentik/blueprints/tests/fixtures/tags.yaml
@ -9,6 +9,8 @@ context:
    mapping:
      key1: value
      key2: 2
+    context1: context-nested-value
+    context2: !Context context1
 entries:
    - model: !Format ["%s", authentik_sources_oauth.oauthsource]
      state: !Format ["%s", present]
@ -34,6 +36,7 @@ entries:
      model: authentik_policies_expression.expressionpolicy
    - attrs:
          attributes:
+              env_null: !Env [bar-baz, null]
              policy_pk1:
                  !Format [
                      "%s-%s",
@ -97,6 +100,7 @@ entries:
                      [list, with, items, !Format ["foo-%s", !Context foo]],
                  ]
              if_true_simple: !If [!Context foo, true, text]
+              if_short: !If [!Context foo]
              if_false_simple: !If [null, false, 2]
              enumerate_mapping_to_mapping: !Enumerate [
                  !Context mapping,
@ -141,6 +145,7 @@ entries:
                      ]
                  ]
              ]
+              nested_context: !Context context2
      identifiers:
          name: test
      conditions:
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -155,6 +155,7 @@ class TestBlueprintsV1(TransactionTestCase):
                    },
                    "if_false_complex": ["list", "with", "items", "foo-bar"],
                    "if_true_simple": True,
+                    "if_short": True,
                    "if_false_simple": 2,
                    "enumerate_mapping_to_mapping": {
                        "prefix-key1": "other-prefix-value",
@ -211,8 +212,10 @@ class TestBlueprintsV1(TransactionTestCase):
                            ],
                        },
                    },
+                    "nested_context": "context-nested-value",
+                    "env_null": None,
                }
-            )
+            ).exists()
        )
        self.assertTrue(
            OAuthSource.objects.filter(
--- a/authentik/blueprints/tests/test_v1_conditional_fields.py
+++ b/authentik/blueprints/tests/test_v1_conditional_fields.py
@ -51,3 +51,9 @@ class TestBlueprintsV1ConditionalFields(TransactionTestCase):
        user: User = User.objects.filter(username=self.uid).first()
        self.assertIsNotNone(user)
        self.assertTrue(user.check_password(self.uid))
+
+    def test_user_null(self):
+        """Test user"""
+        user: User = User.objects.filter(username=f"{self.uid}-no-password").first()
+        self.assertIsNotNone(user)
+        self.assertFalse(user.has_usable_password())
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -223,11 +223,11 @@ class Env(YAMLTag):
        if isinstance(node, ScalarNode):
            self.key = node.value
        if isinstance(node, SequenceNode):
-            self.key = node.value[0].value
-            self.default = node.value[1].value
+            self.key = loader.construct_object(node.value[0])
+            self.default = loader.construct_object(node.value[1])

    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        return getenv(self.key, self.default)
+        return getenv(self.key) or self.default


 class Context(YAMLTag):
@ -242,13 +242,15 @@ class Context(YAMLTag):
        if isinstance(node, ScalarNode):
            self.key = node.value
        if isinstance(node, SequenceNode):
-            self.key = node.value[0].value
-            self.default = node.value[1].value
+            self.key = loader.construct_object(node.value[0])
+            self.default = loader.construct_object(node.value[1])

    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        value = self.default
        if self.key in blueprint.context:
            value = blueprint.context[self.key]
+        if isinstance(value, YAMLTag):
+            return value.resolve(entry, blueprint)
        return value


@ -260,7 +262,7 @@ class Format(YAMLTag):

    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
        super().__init__()
-        self.format_string = node.value[0].value
+        self.format_string = loader.construct_object(node.value[0])
        self.args = []
        for raw_node in node.value[1:]:
            self.args.append(loader.construct_object(raw_node))
@ -339,7 +341,7 @@ class Condition(YAMLTag):

    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
        super().__init__()
-        self.mode = node.value[0].value
+        self.mode = loader.construct_object(node.value[0])
        self.args = []
        for raw_node in node.value[1:]:
            self.args.append(loader.construct_object(raw_node))
@ -372,8 +374,12 @@ class If(YAMLTag):
    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
        super().__init__()
        self.condition = loader.construct_object(node.value[0])
-        self.when_true = loader.construct_object(node.value[1])
-        self.when_false = loader.construct_object(node.value[2])
+        if len(node.value) == 1:
+            self.when_true = True
+            self.when_false = False
+        else:
+            self.when_true = loader.construct_object(node.value[1])
+            self.when_false = loader.construct_object(node.value[2])

    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
        if isinstance(self.condition, YAMLTag):
@ -410,7 +416,7 @@ class Enumerate(YAMLTag, YAMLTagContext):
    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
        super().__init__()
        self.iterable = loader.construct_object(node.value[0])
-        self.output_body = node.value[1].value
+        self.output_body = loader.construct_object(node.value[1])
        self.item_body = loader.construct_object(node.value[2])
        self.__current_context: tuple[Any, Any] = tuple()

--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -35,6 +35,7 @@ from authentik.core.models import (
    Source,
    UserSourceConnection,
 )
+from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
 from authentik.outposts.models import OutpostServiceConnection
@ -199,9 +200,6 @@ class Importer:
        serializer_kwargs = {}
        model_instance = existing_models.first()
        if not isinstance(model(), BaseMetaModel) and model_instance:
-            if entry.get_state(self.__import) == BlueprintEntryDesiredState.CREATED:
-                self.logger.debug("instance exists, skipping")
-                return None
            self.logger.debug(
                "initialise serializer with instance",
                model=model,
@ -212,7 +210,9 @@ class Importer:
            serializer_kwargs["partial"] = True
        else:
            self.logger.debug(
-                "initialised new serializer instance", model=model, **updated_identifiers
+                "initialised new serializer instance",
+                model=model,
+                **cleanse_dict(updated_identifiers),
            )
            model_instance = model()
            # pk needs to be set on the model instance otherwise a new one will be generated
@ -268,21 +268,34 @@ class Importer:
            try:
                serializer = self._validate_single(entry)
            except EntryInvalidError as exc:
+                # For deleting objects we don't need the serializer to be valid
+                if entry.get_state(self.__import) == BlueprintEntryDesiredState.ABSENT:
+                    continue
                self.logger.warning(f"entry invalid: {exc}", entry=entry, error=exc)
                return False
            if not serializer:
                continue

            state = entry.get_state(self.__import)
-            if state in [
-                BlueprintEntryDesiredState.PRESENT,
-                BlueprintEntryDesiredState.CREATED,
-            ]:
-                model = serializer.save()
+            if state in [BlueprintEntryDesiredState.PRESENT, BlueprintEntryDesiredState.CREATED]:
+                instance = serializer.instance
+                if (
+                    instance
+                    and not instance._state.adding
+                    and state == BlueprintEntryDesiredState.CREATED
+                ):
+                    self.logger.debug(
+                        "instance exists, skipping",
+                        model=model,
+                        instance=instance,
+                        pk=instance.pk,
+                    )
+                else:
+                    instance = serializer.save()
+                    self.logger.debug("updated model", model=instance)
                if "pk" in entry.identifiers:
-                    self.__pk_map[entry.identifiers["pk"]] = model.pk
-                entry._state = BlueprintEntryState(model)
-                self.logger.debug("updated model", model=model)
+                    self.__pk_map[entry.identifiers["pk"]] = instance.pk
+                entry._state = BlueprintEntryState(instance)
            elif state == BlueprintEntryDesiredState.ABSENT:
                instance: Optional[Model] = serializer.instance
                if instance.pk:
@ -309,5 +322,6 @@ class Importer:
                self.logger.debug("Blueprint validation failed")
        for log in logs:
            getattr(self.logger, log.get("log_level"))(**log)
+        self.logger.debug("Finished blueprint import validation")
        self.__import = orig_import
        return successful, logs
--- a/authentik/blueprints/v1/meta/apply_blueprint.py
+++ b/authentik/blueprints/v1/meta/apply_blueprint.py
@ -31,7 +31,7 @@ class ApplyBlueprintMetaSerializer(PassiveSerializer):
        required = attrs["required"]
        instance = BlueprintInstance.objects.filter(**identifiers).first()
        if not instance and required:
-            raise ValidationError("Required blueprint does not exist")
+            raise ValidationError({"identifiers": "Required blueprint does not exist"})
        self.blueprint_instance = instance
        return super().validate(attrs)

--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -49,7 +49,7 @@ class GroupSerializer(ModelSerializer):
    users_obj = ListSerializer(
        child=GroupMemberSerializer(), read_only=True, source="users", required=False
    )
-    parent_name = CharField(source="parent.name", read_only=True)
+    parent_name = CharField(source="parent.name", read_only=True, allow_null=True)

    num_pk = IntegerField(read_only=True)

--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -47,7 +47,7 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
            attrs.setdefault("user", request.user)
        attrs.setdefault("intent", TokenIntents.INTENT_API)
        if attrs.get("intent") not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
-            raise ValidationError(f"Invalid intent {attrs.get('intent')}")
+            raise ValidationError({"intent": f"Invalid intent {attrs.get('intent')}"})
        return attrs

    class Meta:
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -15,7 +15,13 @@ from django.utils.http import urlencode
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from django_filters.filters import BooleanFilter, CharFilter, ModelMultipleChoiceFilter, UUIDFilter
+from django_filters.filters import (
+    BooleanFilter,
+    CharFilter,
+    ModelMultipleChoiceFilter,
+    MultipleChoiceFilter,
+    UUIDFilter,
+)
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import (
@ -117,27 +123,35 @@ class UserSerializer(ModelSerializer):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
-            self.fields["password"] = CharField(required=False)
+            self.fields["password"] = CharField(required=False, allow_null=True)

    def create(self, validated_data: dict) -> User:
        """If this serializer is used in the blueprint context, we allow for
        directly setting a password. However should be done via the `set_password`
        method instead of directly setting it like rest_framework."""
+        password = validated_data.pop("password", None)
        instance: User = super().create(validated_data)
-        if SERIALIZER_CONTEXT_BLUEPRINT in self.context and "password" in validated_data:
-            instance.set_password(validated_data["password"])
-            instance.save()
+        self._set_password(instance, password)
        return instance

    def update(self, instance: User, validated_data: dict) -> User:
        """Same as `create` above, set the password directly if we're in a blueprint
        context"""
+        password = validated_data.pop("password", None)
        instance = super().update(instance, validated_data)
-        if SERIALIZER_CONTEXT_BLUEPRINT in self.context and "password" in validated_data:
-            instance.set_password(validated_data["password"])
-            instance.save()
+        self._set_password(instance, password)
        return instance

+    def _set_password(self, instance: User, password: Optional[str]):
+        """Set password of user if we're in a blueprint context, and if it's an empty
+        string then use an unusable password"""
+        if SERIALIZER_CONTEXT_BLUEPRINT in self.context and password:
+            instance.set_password(password)
+            instance.save()
+        if len(instance.password) == 0:
+            instance.set_unusable_password()
+            instance.save()
+
    def validate_path(self, path: str) -> str:
        """Validate path"""
        if path[:1] == "/" or path[-1] == "/":
@ -201,7 +215,7 @@ class UserSelfSerializer(ModelSerializer):
    )
    def get_groups(self, _: User):
        """Return only the group names a user is member of"""
-        for group in self.instance.ak_groups.all():
+        for group in self.instance.all_groups().order_by("name"):
            yield {
                "name": group.name,
                "pk": group.pk,
@ -300,11 +314,11 @@ class UsersFilter(FilterSet):
    is_superuser = BooleanFilter(field_name="ak_groups", lookup_expr="is_superuser")
    uuid = UUIDFilter(field_name="uuid")

-    path = CharFilter(
-        field_name="path",
-    )
+    path = CharFilter(field_name="path")
    path_startswith = CharFilter(field_name="path", lookup_expr="startswith")

+    type = MultipleChoiceFilter(choices=UserTypes.choices, field_name="type")
+
    groups_by_name = ModelMultipleChoiceFilter(
        field_name="ak_groups__name",
        to_field_name="name",
--- a/authentik/core/management/commands/build_source_docs.py
+++ b/authentik/core/management/commands/build_source_docs.py
@ -0,0 +1,21 @@
+"""Build source docs"""
+from pathlib import Path
+
+from django.core.management.base import BaseCommand
+from pdoc import pdoc
+from pdoc.render import configure
+
+
+class Command(BaseCommand):
+    """Build source docs"""
+
+    def handle(self, **options):
+        configure(
+            docformat="markdown",
+            mermaid=True,
+            logo="https://goauthentik.io/img/icon_top_brand_colour.svg",
+        )
+        pdoc(
+            "authentik",
+            output_directory=Path("./source_docs"),
+        )
--- a/authentik/core/management/commands/worker.py
+++ b/authentik/core/management/commands/worker.py
@ -26,7 +26,6 @@ class Command(BaseCommand):
            no_color=False,
            quiet=True,
            optimization="fair",
-            max_tasks_per_child=1,
            autoscale=(3, 1),
            task_events=True,
            beat=True,
--- a/authentik/core/migrations/0002_auto_20200523_1133_squashed_0011_provider_name_temp.py
+++ b/authentik/core/migrations/0002_auto_20200523_1133_squashed_0011_provider_name_temp.py
@ -1,55 +1,11 @@
 # Generated by Django 3.2.8 on 2021-10-10 16:16

-from os import environ
-
 import django.db.models.deletion
-from django.apps.registry import Apps
-from django.conf import settings
 from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor

 import authentik.core.models


-def create_default_user(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from django.contrib.auth.hashers import make_password
-
-    User = apps.get_model("authentik_core", "User")
-    db_alias = schema_editor.connection.alias
-
-    akadmin, _ = User.objects.using(db_alias).get_or_create(
-        username="akadmin",
-        email=environ.get("AUTHENTIK_BOOTSTRAP_EMAIL", "root@localhost"),
-        name="authentik Default Admin",
-    )
-    password = None
-    if "TF_BUILD" in environ or settings.TEST:
-        password = "akadmin"  # noqa # nosec
-    if "AUTHENTIK_BOOTSTRAP_PASSWORD" in environ:
-        password = environ["AUTHENTIK_BOOTSTRAP_PASSWORD"]
-    if password:
-        akadmin.password = make_password(password)
-    else:
-        akadmin.password = make_password(None)
-    akadmin.save()
-
-
-def create_default_admin_group(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
-    Group = apps.get_model("authentik_core", "Group")
-    User = apps.get_model("authentik_core", "User")
-
-    # Creates a default admin group
-    group, _ = Group.objects.using(db_alias).get_or_create(
-        is_superuser=True,
-        defaults={
-            "name": "authentik Admins",
-        },
-    )
-    group.users.set(User.objects.filter(username="akadmin"))
-    group.save()
-
-
 class Migration(migrations.Migration):
    replaces = [
        ("authentik_core", "0002_auto_20200523_1133"),
@ -119,9 +75,6 @@ class Migration(migrations.Migration):
            model_name="user",
            name="is_staff",
        ),
-        migrations.RunPython(
-            code=create_default_user,
-        ),
        migrations.AddField(
            model_name="user",
            name="is_superuser",
@ -201,9 +154,6 @@ class Migration(migrations.Migration):
                default=False, help_text="Users added to this group will be superusers."
            ),
        ),
-        migrations.RunPython(
-            code=create_default_admin_group,
-        ),
        migrations.AlterModelManagers(
            name="user",
            managers=[
--- a/authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py
+++ b/authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py
@ -1,7 +1,6 @@
 # Generated by Django 3.2.8 on 2021-10-10 16:12

 import uuid
-from os import environ

 import django.db.models.deletion
 from django.apps.registry import Apps
@ -35,29 +34,6 @@ def fix_duplicates(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
        Token.objects.using(db_alias).filter(identifier=ident["identifier"]).delete()


-def create_default_user_token(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from authentik.core.models import TokenIntents
-
-    User = apps.get_model("authentik_core", "User")
-    Token = apps.get_model("authentik_core", "Token")
-
-    db_alias = schema_editor.connection.alias
-
-    akadmin = User.objects.using(db_alias).filter(username="akadmin")
-    if not akadmin.exists():
-        return
-    if "AUTHENTIK_BOOTSTRAP_TOKEN" not in environ:
-        return
-    key = environ["AUTHENTIK_BOOTSTRAP_TOKEN"]
-    Token.objects.using(db_alias).create(
-        identifier="authentik-bootstrap-token",
-        user=akadmin.first(),
-        intent=TokenIntents.INTENT_API,
-        expiring=False,
-        key=key,
-    )
-
-
 class Migration(migrations.Migration):
    replaces = [
        ("authentik_core", "0018_auto_20210330_1345"),
@ -214,9 +190,6 @@ class Migration(migrations.Migration):
                "verbose_name_plural": "Authenticated Sessions",
            },
        ),
-        migrations.RunPython(
-            code=create_default_user_token,
-        ),
        migrations.AlterField(
            model_name="token",
            name="intent",
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -60,7 +60,7 @@ def default_token_key():
    """Default token key"""
    # We use generate_id since the chars in the key should be easy
    # to use in Emails (for verification) and URLs (for recovery)
-    return generate_id(int(CONFIG.get("default_token_length")))
+    return generate_id(CONFIG.get_int("default_token_length"))


 class UserTypes(models.TextChoices):
@ -79,7 +79,7 @@ class UserTypes(models.TextChoices):


 class Group(SerializerModel):
-    """Custom Group model which supports a basic hierarchy"""
+    """Group model which supports a basic hierarchy and has attributes"""

    group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)

@ -113,27 +113,7 @@ class Group(SerializerModel):

    def is_member(self, user: "User") -> bool:
        """Recursively check if `user` is member of us, or any parent."""
-        query = """
-        WITH RECURSIVE parents AS (
-            SELECT authentik_core_group.*, 0 AS relative_depth
-            FROM authentik_core_group
-            WHERE authentik_core_group.group_uuid = %s
-
-            UNION ALL
-
-            SELECT authentik_core_group.*, parents.relative_depth - 1
-            FROM authentik_core_group,parents
-            WHERE (
-                authentik_core_group.parent_id = parents.group_uuid and
-                parents.relative_depth > -20
-            )
-        )
-        SELECT group_uuid
-        FROM parents
-        GROUP BY group_uuid;
-        """
-        groups = Group.objects.raw(query, [self.group_uuid])
-        return user.ak_groups.filter(pk__in=[group.pk for group in groups]).exists()
+        return user.all_groups().filter(group_uuid=self.group_uuid).exists()

    def __str__(self):
        return f"Group {self.name}"
@ -148,15 +128,15 @@ class Group(SerializerModel):


 class UserManager(DjangoUserManager):
-    """Custom user manager that doesn't assign is_superuser and is_staff"""
+    """User manager that doesn't assign is_superuser and is_staff"""

    def create_user(self, username, email=None, password=None, **extra_fields):
-        """Custom user manager that doesn't assign is_superuser and is_staff"""
+        """User manager that doesn't assign is_superuser and is_staff"""
        return self._create_user(username, email, password, **extra_fields)


 class User(SerializerModel, GuardianUserMixin, AbstractUser):
-    """Custom User model to allow easier adding of user-based settings"""
+    """authentik User model, based on django's contrib auth user model."""

    uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
    name = models.TextField(help_text=_("User's display name."))
@ -176,13 +156,45 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
        """Get the default user path"""
        return User._meta.get_field("path").default

+    def all_groups(self) -> QuerySet[Group]:
+        """Recursively get all groups this user is a member of.
+        At least one query is done to get the direct groups of the user, with groups
+        there are at most 3 queries done"""
+        direct_groups = list(
+            x for x in self.ak_groups.all().values_list("pk", flat=True).iterator()
+        )
+        if len(direct_groups) < 1:
+            return Group.objects.none()
+        query = """
+        WITH RECURSIVE parents AS (
+            SELECT authentik_core_group.*, 0 AS relative_depth
+            FROM authentik_core_group
+            WHERE authentik_core_group.group_uuid = ANY(%s)
+
+            UNION ALL
+
+            SELECT authentik_core_group.*, parents.relative_depth + 1
+            FROM authentik_core_group, parents
+            WHERE (
+                authentik_core_group.group_uuid = parents.parent_id and
+                parents.relative_depth < 20
+            )
+        )
+        SELECT group_uuid
+        FROM parents
+        GROUP BY group_uuid, name
+        ORDER BY name;
+        """
+        group_pks = [group.pk for group in Group.objects.raw(query, [direct_groups]).iterator()]
+        return Group.objects.filter(pk__in=group_pks)
+
    def group_attributes(self, request: Optional[HttpRequest] = None) -> dict[str, Any]:
        """Get a dictionary containing the attributes from all groups the user belongs to,
        including the users attributes"""
        final_attributes = {}
        if request and hasattr(request, "tenant"):
            always_merger.merge(final_attributes, request.tenant.attributes)
-        for group in self.ak_groups.all().order_by("name"):
+        for group in self.all_groups().order_by("name"):
            always_merger.merge(final_attributes, group.attributes)
        always_merger.merge(final_attributes, self.attributes)
        return final_attributes
@ -196,7 +208,7 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
    @cached_property
    def is_superuser(self) -> bool:
        """Get supseruser status based on membership in a group with superuser status"""
-        return self.ak_groups.filter(is_superuser=True).exists()
+        return self.all_groups().filter(is_superuser=True).exists()

    @property
    def is_staff(self) -> bool:
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -78,7 +78,6 @@
        </main>
        {% endblock %}
        <footer class="pf-c-login__footer">
-            <p></p>
            <ul class="pf-c-list pf-m-inline">
                {% for link in footer_links %}
                <li>
--- a/authentik/core/tests/test_groups.py
+++ b/authentik/core/tests/test_groups.py
@ -13,7 +13,9 @@ class TestGroups(TestCase):
        user = User.objects.create(username=generate_id())
        user2 = User.objects.create(username=generate_id())
        group = Group.objects.create(name=generate_id())
+        other_group = Group.objects.create(name=generate_id())
        group.users.add(user)
+        other_group.users.add(user)
        self.assertTrue(group.is_member(user))
        self.assertFalse(group.is_member(user2))

@ -21,22 +23,26 @@ class TestGroups(TestCase):
        """Test parent membership"""
        user = User.objects.create(username=generate_id())
        user2 = User.objects.create(username=generate_id())
-        first = Group.objects.create(name=generate_id())
-        second = Group.objects.create(name=generate_id(), parent=first)
-        second.users.add(user)
-        self.assertTrue(first.is_member(user))
-        self.assertFalse(first.is_member(user2))
+        parent = Group.objects.create(name=generate_id())
+        child = Group.objects.create(name=generate_id(), parent=parent)
+        child.users.add(user)
+        self.assertTrue(child.is_member(user))
+        self.assertTrue(parent.is_member(user))
+        self.assertFalse(child.is_member(user2))
+        self.assertFalse(parent.is_member(user2))

    def test_group_membership_parent_extra(self):
        """Test parent membership"""
        user = User.objects.create(username=generate_id())
        user2 = User.objects.create(username=generate_id())
-        first = Group.objects.create(name=generate_id())
-        second = Group.objects.create(name=generate_id(), parent=first)
+        parent = Group.objects.create(name=generate_id())
+        second = Group.objects.create(name=generate_id(), parent=parent)
        third = Group.objects.create(name=generate_id(), parent=second)
        second.users.add(user)
-        self.assertTrue(first.is_member(user))
-        self.assertFalse(first.is_member(user2))
+        self.assertTrue(parent.is_member(user))
+        self.assertFalse(parent.is_member(user2))
+        self.assertTrue(second.is_member(user))
+        self.assertFalse(second.is_member(user2))
        self.assertFalse(third.is_member(user))
        self.assertFalse(third.is_member(user2))

--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -28,6 +28,19 @@ class TestUsersAPI(APITestCase):
        self.admin = create_test_admin_user()
        self.user = User.objects.create(username="test-user")

+    def test_filter_type(self):
+        """Test API filtering by type"""
+        self.client.force_login(self.admin)
+        user = create_test_admin_user(type=UserTypes.EXTERNAL)
+        response = self.client.get(
+            reverse("authentik_api:user-list"),
+            data={
+                "type": UserTypes.EXTERNAL,
+                "username": user.username,
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+
    def test_metrics(self):
        """Test user's metrics"""
        self.client.force_login(self.admin)
--- a/authentik/core/tests/utils.py
+++ b/authentik/core/tests/utils.py
@ -21,7 +21,7 @@ def create_test_flow(
    )


-def create_test_admin_user(name: Optional[str] = None) -> User:
+def create_test_admin_user(name: Optional[str] = None, **kwargs) -> User:
    """Generate a test-admin user"""
    uid = generate_id(20) if not name else name
    group = Group.objects.create(name=uid, is_superuser=True)
@ -29,6 +29,7 @@ def create_test_admin_user(name: Optional[str] = None) -> User:
        username=uid,
        name=uid,
        email=f"{uid}@goauthentik.io",
+        **kwargs,
    )
    user.set_password(uid)
    user.save()
@ -36,12 +37,12 @@ def create_test_admin_user(name: Optional[str] = None) -> User:
    return user


-def create_test_tenant() -> Tenant:
+def create_test_tenant(**kwargs) -> Tenant:
    """Generate a test tenant, removing all other tenants to make sure this one
    matches."""
    uid = generate_id(20)
    Tenant.objects.all().delete()
-    return Tenant.objects.create(domain=uid, default=True)
+    return Tenant.objects.create(domain=uid, default=True, **kwargs)


 def create_test_cert(use_ec_private_key=False) -> CertificateKeyPair:
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -189,6 +189,8 @@ class CertificateKeyPairFilter(FilterSet):

    def filter_has_key(self, queryset, name, value):  # pragma: no cover
        """Only return certificate-key pairs with keys"""
+        if not value:
+            return queryset
        return queryset.exclude(key_data__exact="")

    class Meta:
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -128,8 +128,26 @@ class TestCrypto(APITestCase):
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-list",
-            )
-            + f"?name={cert.name}"
+            ),
+            data={"name": cert.name},
+        )
+        self.assertEqual(200, response.status_code)
+        body = loads(response.content.decode())
+        api_cert = [x for x in body["results"] if x["name"] == cert.name][0]
+        self.assertEqual(api_cert["fingerprint_sha1"], cert.fingerprint_sha1)
+        self.assertEqual(api_cert["fingerprint_sha256"], cert.fingerprint_sha256)
+
+    def test_list_has_key_false(self):
+        """Test API List with has_key set to false"""
+        cert = create_test_cert()
+        cert.key_data = ""
+        cert.save()
+        self.client.force_login(create_test_admin_user())
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-list",
+            ),
+            data={"name": cert.name, "has_key": False},
        )
        self.assertEqual(200, response.status_code)
        body = loads(response.content.decode())
@ -144,8 +162,8 @@ class TestCrypto(APITestCase):
        response = self.client.get(
            reverse(
                "authentik_api:certificatekeypair-list",
-            )
-            + f"?name={cert.name}&include_details=false"
+            ),
+            data={"name": cert.name, "include_details": False},
        )
        self.assertEqual(200, response.status_code)
        body = loads(response.content.decode())
@ -168,8 +186,8 @@ class TestCrypto(APITestCase):
            reverse(
                "authentik_api:certificatekeypair-view-certificate",
                kwargs={"pk": keypair.pk},
-            )
-            + "?download",
+            ),
+            data={"download": True},
        )
        self.assertEqual(200, response.status_code)
        self.assertIn("Content-Disposition", response)
@ -189,8 +207,8 @@ class TestCrypto(APITestCase):
            reverse(
                "authentik_api:certificatekeypair-view-private-key",
                kwargs={"pk": keypair.pk},
-            )
-            + "?download",
+            ),
+            data={"download": True},
        )
        self.assertEqual(200, response.status_code)
        self.assertIn("Content-Disposition", response)
@ -200,7 +218,7 @@ class TestCrypto(APITestCase):
        self.client.force_login(create_test_admin_user())
        keypair = create_test_cert()
        provider = OAuth2Provider.objects.create(
-            name="test",
+            name=generate_id(),
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=create_test_flow(),
--- a/authentik/enterprise/api.py
+++ b/authentik/enterprise/api.py
@ -35,13 +35,13 @@ class LicenseSerializer(ModelSerializer):
            "name",
            "key",
            "expiry",
-            "users",
+            "internal_users",
            "external_users",
        ]
        extra_kwargs = {
            "name": {"read_only": True},
            "expiry": {"read_only": True},
-            "users": {"read_only": True},
+            "internal_users": {"read_only": True},
            "external_users": {"read_only": True},
        }

@ -49,7 +49,7 @@ class LicenseSerializer(ModelSerializer):
 class LicenseSummary(PassiveSerializer):
    """Serializer for license status"""

-    users = IntegerField(required=True)
+    internal_users = IntegerField(required=True)
    external_users = IntegerField(required=True)
    valid = BooleanField()
    show_admin_warning = BooleanField()
@ -62,9 +62,9 @@ class LicenseSummary(PassiveSerializer):
 class LicenseForecastSerializer(PassiveSerializer):
    """Serializer for license forecast"""

-    users = IntegerField(required=True)
+    internal_users = IntegerField(required=True)
    external_users = IntegerField(required=True)
-    forecasted_users = IntegerField(required=True)
+    forecasted_internal_users = IntegerField(required=True)
    forecasted_external_users = IntegerField(required=True)


@ -111,7 +111,7 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
        latest_valid = datetime.fromtimestamp(total.exp)
        response = LicenseSummary(
            data={
-                "users": total.users,
+                "internal_users": total.internal_users,
                "external_users": total.external_users,
                "valid": total.is_valid(),
                "show_admin_warning": show_admin_warning,
@ -135,8 +135,8 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
    def forecast(self, request: Request) -> Response:
        """Forecast how many users will be required in a year"""
        last_month = now() - timedelta(days=30)
-        # Forecast for default users
-        users_in_last_month = User.objects.filter(
+        # Forecast for internal users
+        internal_in_last_month = User.objects.filter(
            type=UserTypes.INTERNAL, date_joined__gte=last_month
        ).count()
        # Forecast for external users
@ -144,9 +144,9 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
        forecast_for_months = 12
        response = LicenseForecastSerializer(
            data={
-                "users": LicenseKey.get_default_user_count(),
+                "internal_users": LicenseKey.get_default_user_count(),
                "external_users": LicenseKey.get_external_user_count(),
-                "forecasted_users": (users_in_last_month * forecast_for_months),
+                "forecasted_internal_users": (internal_in_last_month * forecast_for_months),
                "forecasted_external_users": (external_in_last_month * forecast_for_months),
            }
        )
--- a/authentik/enterprise/migrations/0002_rename_users_license_internal_users_and_more.py
+++ b/authentik/enterprise/migrations/0002_rename_users_license_internal_users_and_more.py
@ -0,0 +1,36 @@
+# Generated by Django 4.2.4 on 2023-08-23 10:06
+
+import django.contrib.postgres.indexes
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_enterprise", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="license",
+            old_name="users",
+            new_name="internal_users",
+        ),
+        migrations.AlterField(
+            model_name="license",
+            name="key",
+            field=models.TextField(),
+        ),
+        migrations.AddIndex(
+            model_name="license",
+            index=django.contrib.postgres.indexes.HashIndex(
+                fields=["key"], name="authentik_e_key_523e13_hash"
+            ),
+        ),
+        migrations.AlterModelOptions(
+            name="licenseusage",
+            options={
+                "verbose_name": "License Usage",
+                "verbose_name_plural": "License Usage Records",
+            },
+        ),
+    ]
--- a/authentik/enterprise/models.py
+++ b/authentik/enterprise/models.py
@ -11,9 +11,11 @@ from uuid import uuid4
 from cryptography.exceptions import InvalidSignature
 from cryptography.x509 import Certificate, load_der_x509_certificate, load_pem_x509_certificate
 from dacite import from_dict
+from django.contrib.postgres.indexes import HashIndex
 from django.db import models
 from django.db.models.query import QuerySet
 from django.utils.timezone import now
+from django.utils.translation import gettext as _
 from guardian.shortcuts import get_anonymous_user
 from jwt import PyJWTError, decode, get_unverified_header
 from rest_framework.exceptions import ValidationError
@ -46,8 +48,8 @@ class LicenseKey:
    exp: int

    name: str
-    users: int
-    external_users: int
+    internal_users: int = 0
+    external_users: int = 0
    flags: list[LicenseFlags] = field(default_factory=list)

    @staticmethod
@ -87,7 +89,7 @@ class LicenseKey:
        active_licenses = License.objects.filter(expiry__gte=now())
        total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
        for lic in active_licenses:
-            total.users += lic.users
+            total.internal_users += lic.internal_users
            total.external_users += lic.external_users
            exp_ts = int(mktime(lic.expiry.timetuple()))
            if total.exp == 0:
@ -123,7 +125,7 @@ class LicenseKey:

        Only checks the current count, no historical data is checked"""
        default_users = self.get_default_user_count()
-        if default_users > self.users:
+        if default_users > self.internal_users:
            return False
        active_users = self.get_external_user_count()
        if active_users > self.external_users:
@ -153,11 +155,11 @@ class License(models.Model):
    """An authentik enterprise license"""

    license_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    key = models.TextField(unique=True)
+    key = models.TextField()

    name = models.TextField()
    expiry = models.DateTimeField()
-    users = models.BigIntegerField()
+    internal_users = models.BigIntegerField()
    external_users = models.BigIntegerField()

    @property
@ -165,6 +167,9 @@ class License(models.Model):
        """Get parsed license status"""
        return LicenseKey.validate(self.key)

+    class Meta:
+        indexes = (HashIndex(fields=("key",)),)
+

 def usage_expiry():
    """Keep license usage records for 3 months"""
@ -183,3 +188,7 @@ class LicenseUsage(ExpiringModel):
    within_limits = models.BooleanField()

    record_date = models.DateTimeField(auto_now_add=True)
+
+    class Meta:
+        verbose_name = _("License Usage")
+        verbose_name_plural = _("License Usage Records")
--- a/authentik/enterprise/signals.py
+++ b/authentik/enterprise/signals.py
@ -13,6 +13,6 @@ def pre_save_license(sender: type[License], instance: License, **_):
    """Extract data from license jwt and save it into model"""
    status = instance.status
    instance.name = status.name
-    instance.users = status.users
+    instance.internal_users = status.internal_users
    instance.external_users = status.external_users
    instance.expiry = datetime.fromtimestamp(status.exp, tz=get_current_timezone())
--- a/authentik/enterprise/tests/test_license.py
+++ b/authentik/enterprise/tests/test_license.py
@ -23,7 +23,7 @@ class TestEnterpriseLicense(TestCase):
                aud="",
                exp=_exp,
                name=generate_id(),
-                users=100,
+                internal_users=100,
                external_users=100,
            )
        ),
@ -32,7 +32,7 @@ class TestEnterpriseLicense(TestCase):
        """Check license verification"""
        lic = License.objects.create(key=generate_id())
        self.assertTrue(lic.status.is_valid())
-        self.assertEqual(lic.users, 100)
+        self.assertEqual(lic.internal_users, 100)

    def test_invalid(self):
        """Test invalid license"""
@ -46,7 +46,7 @@ class TestEnterpriseLicense(TestCase):
                aud="",
                exp=_exp,
                name=generate_id(),
-                users=100,
+                internal_users=100,
                external_users=100,
            )
        ),
@ -58,7 +58,7 @@ class TestEnterpriseLicense(TestCase):
        lic2 = License.objects.create(key=generate_id())
        self.assertTrue(lic2.status.is_valid())
        total = LicenseKey.get_total()
-        self.assertEqual(total.users, 200)
+        self.assertEqual(total.internal_users, 200)
        self.assertEqual(total.external_users, 200)
        self.assertEqual(total.exp, _exp)
        self.assertTrue(total.is_valid())
--- a/authentik/events/api/events.py
+++ b/authentik/events/api/events.py
@ -4,7 +4,7 @@ from json import loads

 import django_filters
 from django.db.models.aggregates import Count
-from django.db.models.fields.json import KeyTextTransform
+from django.db.models.fields.json import KeyTextTransform, KeyTransform
 from django.db.models.functions import ExtractDay
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
@ -134,11 +134,11 @@ class EventViewSet(ModelViewSet):
        """Get the top_n events grouped by user count"""
        filtered_action = request.query_params.get("action", EventAction.LOGIN)
        top_n = int(request.query_params.get("top_n", "15"))
-        return Response(
+        events = (
            get_objects_for_user(request.user, "authentik_events.view_event")
            .filter(action=filtered_action)
            .exclude(context__authorized_application=None)
-            .annotate(application=KeyTextTransform("authorized_application", "context"))
+            .annotate(application=KeyTransform("authorized_application", "context"))
            .annotate(user_pk=KeyTextTransform("pk", "user"))
            .values("application")
            .annotate(counted_events=Count("application"))
@ -146,6 +146,7 @@ class EventViewSet(ModelViewSet):
            .values("unique_users", "application", "counted_events")
            .order_by("-counted_events")[:top_n]
        )
+        return Response(EventTopPerUserSerializer(instance=events, many=True).data)

    @extend_schema(
        methods=["GET"],
--- a/authentik/events/api/notification_transports.py
+++ b/authentik/events/api/notification_transports.py
@ -39,7 +39,7 @@ class NotificationTransportSerializer(ModelSerializer):
        mode = attrs.get("mode")
        if mode in [TransportMode.WEBHOOK, TransportMode.WEBHOOK_SLACK]:
            if "webhook_url" not in attrs or attrs.get("webhook_url", "") == "":
-                raise ValidationError("Webhook URL may not be empty.")
+                raise ValidationError({"webhook_url": "Webhook URL may not be empty."})
        return attrs

    class Meta:
--- a/authentik/flows/migrations/0026_alter_flow_options.py
+++ b/authentik/flows/migrations/0026_alter_flow_options.py
@ -0,0 +1,25 @@
+# Generated by Django 4.2.6 on 2023-10-10 17:18
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_flows", "0025_alter_flowstagebinding_evaluate_on_plan_and_more"),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name="flow",
+            options={
+                "permissions": [
+                    ("export_flow", "Can export a Flow"),
+                    ("inspect_flow", "Can inspect a Flow's execution"),
+                    ("view_flow_cache", "View Flow's cache metrics"),
+                    ("clear_flow_cache", "Clear Flow's cache metrics"),
+                ],
+                "verbose_name": "Flow",
+                "verbose_name_plural": "Flows",
+            },
+        ),
+    ]
--- a/authentik/flows/migrations/0027_auto_20231028_1424.py
+++ b/authentik/flows/migrations/0027_auto_20231028_1424.py
@ -0,0 +1,34 @@
+# Generated by Django 4.2.6 on 2023-10-28 14:24
+
+from django.apps.registry import Apps
+from django.db import migrations
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from guardian.shortcuts import get_anonymous_user
+
+    Flow = apps.get_model("authentik_flows", "Flow")
+    User = apps.get_model("authentik_core", "User")
+
+    db_alias = schema_editor.connection.alias
+
+    users = User.objects.using(db_alias).exclude(username="akadmin")
+    try:
+        users = users.exclude(pk=get_anonymous_user().pk)
+    # pylint: disable=broad-except
+    except Exception:  # nosec
+        pass
+
+    if users.exists():
+        Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_flows", "0026_alter_flow_options"),
+    ]
+
+    operations = [
+        migrations.RunPython(set_oobe_flow_authentication),
+    ]
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -33,7 +33,7 @@ PLAN_CONTEXT_SOURCE = "source"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
-CACHE_TIMEOUT = int(CONFIG.get("redis.cache_timeout_flows"))
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_flows")
 CACHE_PREFIX = "goauthentik.io/flows/planner/"


--- a/authentik/lib/config.go
+++ b/authentik/lib/config.go
@ -0,0 +1,10 @@
+package lib
+
+import _ "embed"
+
+//go:embed default.yml
+var defaultConfig []byte
+
+func DefaultConfig() []byte {
+	return defaultConfig
+}
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -213,6 +213,14 @@ class ConfigLoader:
        attr: Attr = get_path_from_dict(root, path, sep=sep, default=Attr(default))
        return attr.value

+    def get_int(self, path: str, default=0) -> int:
+        """Wrapper for get that converts value into int"""
+        try:
+            return int(self.get(path, default))
+        except ValueError as exc:
+            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
+            return default
+
    def get_bool(self, path: str, default=False) -> bool:
        """Wrapper for get that converts value into boolean"""
        return str(self.get(path, default)).lower() == "true"
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -11,7 +11,11 @@ postgresql:
 listen:
  listen_http: 0.0.0.0:9000
  listen_https: 0.0.0.0:9443
+  listen_ldap: 0.0.0.0:3389
+  listen_ldaps: 0.0.0.0:6636
+  listen_radius: 0.0.0.0:1812
  listen_metrics: 0.0.0.0:9300
+  listen_debug: 0.0.0.0:9900
  trusted_proxy_cidrs:
    - 127.0.0.0/8
    - 10.0.0.0/8
@ -32,6 +36,9 @@ redis:
  cache_timeout_policies: 300
  cache_timeout_reputation: 300

+paths:
+  media: ./media
+
 debug: false
 remote_debug: false

@ -77,6 +84,9 @@ ldap:
  tls:
    ciphers: null

+reputation:
+  expiry: 86400
+
 cookie_domain: null
 disable_update_check: false
 disable_startup_analytics: false
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -112,7 +112,7 @@ class BaseEvaluator:
    @staticmethod
    def expr_is_group_member(user: User, **group_filters) -> bool:
        """Check if `user` is member of group with name `group_name`"""
-        return user.ak_groups.filter(**group_filters).exists()
+        return user.all_groups().filter(**group_filters).exists()

    @staticmethod
    def expr_user_by(**filters) -> Optional[User]:
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -98,7 +98,7 @@ def traces_sampler(sampling_context: dict) -> float:
 def before_send(event: dict, hint: dict) -> Optional[dict]:
    """Check if error is database error, and ignore if so"""
    # pylint: disable=no-name-in-module
-    from psycopg2.errors import Error
+    from psycopg.errors import Error

    ignored_classes = (
        # Inbuilt types
--- a/authentik/lib/tests/test_config.py
+++ b/authentik/lib/tests/test_config.py
@ -79,3 +79,15 @@ class TestConfig(TestCase):
        config.update_from_file(file2_name)
        unlink(file_name)
        unlink(file2_name)
+
+    def test_get_int(self):
+        """Test get_int"""
+        config = ConfigLoader()
+        config.set("foo", 1234)
+        self.assertEqual(config.get_int("foo"), 1234)
+
+    def test_get_int_invalid(self):
+        """Test get_int"""
+        config = ConfigLoader()
+        config.set("foo", "bar")
+        self.assertEqual(config.get_int("foo", 1234), 1234)
--- a/authentik/policies/process.py
+++ b/authentik/policies/process.py
@ -19,7 +19,7 @@ from authentik.policies.types import CACHE_PREFIX, PolicyRequest, PolicyResult
 LOGGER = get_logger()

 FORK_CTX = get_context("fork")
-CACHE_TIMEOUT = int(CONFIG.get("redis.cache_timeout_policies"))
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_policies")
 PROCESS_CLASS = FORK_CTX.Process


--- a/authentik/policies/reputation/api.py
+++ b/authentik/policies/reputation/api.py
@ -1,5 +1,7 @@
 """Reputation policy API Views"""
+from django.utils.translation import gettext_lazy as _
 from rest_framework import mixins
+from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet

@ -11,6 +13,11 @@ from authentik.policies.reputation.models import Reputation, ReputationPolicy
 class ReputationPolicySerializer(PolicySerializer):
    """Reputation Policy Serializer"""

+    def validate(self, attrs: dict) -> dict:
+        if not attrs.get("check_ip", False) and not attrs.get("check_username", False):
+            raise ValidationError(_("Either IP or Username must be checked"))
+        return super().validate(attrs)
+
    class Meta:
        model = ReputationPolicy
        fields = PolicySerializer.Meta.fields + [
--- a/authentik/policies/reputation/migrations/0005_reputation_expires_reputation_expiring.py
+++ b/authentik/policies/reputation/migrations/0005_reputation_expires_reputation_expiring.py
@ -0,0 +1,33 @@
+# Generated by Django 4.2.4 on 2023-08-31 10:42
+
+from django.db import migrations, models
+
+import authentik.policies.reputation.models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_policies_reputation", "0004_reputationpolicy_authentik_p_policy__8f0d70_idx"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="reputation",
+            name="expires",
+            field=models.DateTimeField(
+                default=authentik.policies.reputation.models.reputation_expiry
+            ),
+        ),
+        migrations.AddField(
+            model_name="reputation",
+            name="expiring",
+            field=models.BooleanField(default=True),
+        ),
+        migrations.AlterModelOptions(
+            name="reputation",
+            options={
+                "verbose_name": "Reputation Score",
+                "verbose_name_plural": "Reputation Scores",
+            },
+        ),
+    ]
--- a/authentik/policies/reputation/models.py
+++ b/authentik/policies/reputation/models.py
@ -1,13 +1,17 @@
 """authentik reputation request policy"""
+from datetime import timedelta
 from uuid import uuid4

 from django.db import models
 from django.db.models import Sum
 from django.db.models.query_utils import Q
+from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from rest_framework.serializers import BaseSerializer
 from structlog import get_logger

+from authentik.core.models import ExpiringModel
+from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.http import get_client_ip
 from authentik.policies.models import Policy
@ -17,6 +21,11 @@ LOGGER = get_logger()
 CACHE_KEY_PREFIX = "goauthentik.io/policies/reputation/scores/"


+def reputation_expiry():
+    """Reputation expiry"""
+    return now() + timedelta(seconds=CONFIG.get_int("reputation.expiry"))
+
+
 class ReputationPolicy(Policy):
    """Return true if request IP/target username's score is below a certain threshold"""

@ -59,7 +68,7 @@ class ReputationPolicy(Policy):
        verbose_name_plural = _("Reputation Policies")


-class Reputation(SerializerModel):
+class Reputation(ExpiringModel, SerializerModel):
    """Reputation for user and or IP."""

    reputation_uuid = models.UUIDField(primary_key=True, unique=True, default=uuid4)
@ -69,6 +78,8 @@ class Reputation(SerializerModel):
    ip_geo_data = models.JSONField(default=dict)
    score = models.BigIntegerField(default=0)

+    expires = models.DateTimeField(default=reputation_expiry)
+
    updated = models.DateTimeField(auto_now_add=True)

    @property
@ -81,4 +92,6 @@ class Reputation(SerializerModel):
        return f"Reputation {self.identifier}/{self.ip} @ {self.score}"

    class Meta:
+        verbose_name = _("Reputation Score")
+        verbose_name_plural = _("Reputation Scores")
        unique_together = ("identifier", "ip")
--- a/authentik/policies/reputation/signals.py
+++ b/authentik/policies/reputation/signals.py
@ -13,7 +13,7 @@ from authentik.policies.reputation.tasks import save_reputation
 from authentik.stages.identification.signals import identification_failed

 LOGGER = get_logger()
-CACHE_TIMEOUT = int(CONFIG.get("redis.cache_timeout_reputation"))
+CACHE_TIMEOUT = CONFIG.get_int("redis.cache_timeout_reputation")


 def update_score(request: HttpRequest, identifier: str, amount: int):
--- a/authentik/policies/reputation/tests.py
+++ b/authentik/policies/reputation/tests.py
@ -3,6 +3,8 @@ from django.core.cache import cache
 from django.test import RequestFactory, TestCase

 from authentik.core.models import User
+from authentik.lib.generators import generate_id
+from authentik.policies.reputation.api import ReputationPolicySerializer
 from authentik.policies.reputation.models import CACHE_KEY_PREFIX, Reputation, ReputationPolicy
 from authentik.policies.reputation.tasks import save_reputation
 from authentik.policies.types import PolicyRequest
@ -61,3 +63,8 @@ class TestReputationPolicy(TestCase):
            name="reputation-test", threshold=0
        )
        self.assertTrue(policy.passes(request).passing)
+
+    def test_api(self):
+        """Test API Validation"""
+        no_toggle = ReputationPolicySerializer(data={"name": generate_id(), "threshold": -5})
+        self.assertFalse(no_toggle.is_valid())
--- a/authentik/providers/oauth2/id_token.py
+++ b/authentik/providers/oauth2/id_token.py
@ -1,6 +1,6 @@
 """id_token utils"""
 from dataclasses import asdict, dataclass, field
-from typing import TYPE_CHECKING, Any, Optional
+from typing import TYPE_CHECKING, Any, Optional, Union

 from django.db import models
 from django.http import HttpRequest
@ -57,7 +57,7 @@ class IDToken:
    # Subject, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.2
    sub: Optional[str] = None
    # Audience, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.3
-    aud: Optional[str] = None
+    aud: Optional[Union[str, list[str]]] = None
    # Expiration time, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.4
    exp: Optional[int] = None
    # Issued at, https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.6
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -2,6 +2,7 @@
 import base64
 import binascii
 import json
+from dataclasses import asdict
 from functools import cached_property
 from hashlib import sha256
 from typing import Any, Optional
@ -358,7 +359,7 @@ class AccessToken(SerializerModel, ExpiringModel, BaseGrantModel):
    @id_token.setter
    def id_token(self, value: IDToken):
        self.token = value.to_access_token(self.provider)
-        self._id_token = json.dumps(value.to_dict())
+        self._id_token = json.dumps(asdict(value))

    @property
    def at_hash(self):
@ -400,7 +401,7 @@ class RefreshToken(SerializerModel, ExpiringModel, BaseGrantModel):

    @id_token.setter
    def id_token(self, value: IDToken):
-        self._id_token = json.dumps(value.to_dict())
+        self._id_token = json.dumps(asdict(value))

    @property
    def serializer(self) -> Serializer:
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -85,6 +85,25 @@ class TestAuthorize(OAuthTestCase):
            )
            OAuthAuthorizationParams.from_request(request)

+    def test_blocked_redirect_uri(self):
+        """test missing/invalid redirect URI"""
+        OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=create_test_flow(),
+            redirect_uris="data:local.invalid",
+        )
+        with self.assertRaises(RedirectUriError):
+            request = self.factory.get(
+                "/",
+                data={
+                    "response_type": "code",
+                    "client_id": "test",
+                    "redirect_uri": "data:localhost",
+                },
+            )
+            OAuthAuthorizationParams.from_request(request)
+
    def test_invalid_redirect_uri_empty(self):
        """test missing/invalid redirect URI"""
        provider = OAuth2Provider.objects.create(
--- a/authentik/providers/oauth2/tests/test_token_cc.py
+++ b/authentik/providers/oauth2/tests/test_token_cc.py
@ -151,6 +151,14 @@ class TestTokenClientCredentials(OAuthTestCase):
        )
        self.assertEqual(jwt["given_name"], self.user.name)
        self.assertEqual(jwt["preferred_username"], self.user.username)
+        jwt = decode(
+            body["id_token"],
+            key=self.provider.signing_key.public_key,
+            algorithms=[alg],
+            audience=self.provider.client_id,
+        )
+        self.assertEqual(jwt["given_name"], self.user.name)
+        self.assertEqual(jwt["preferred_username"], self.user.username)

    def test_successful_password(self):
        """test successful (password grant)"""
--- a/authentik/providers/oauth2/tests/test_token_pkce.py
+++ b/authentik/providers/oauth2/tests/test_token_pkce.py
@ -0,0 +1,258 @@
+"""Test token view"""
+from base64 import b64encode, urlsafe_b64encode
+from hashlib import sha256
+
+from django.test import RequestFactory
+from django.urls import reverse
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.flows.challenge import ChallengeTypes
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.constants import GRANT_TYPE_AUTHORIZATION_CODE
+from authentik.providers.oauth2.models import AuthorizationCode, OAuth2Provider
+from authentik.providers.oauth2.tests.utils import OAuthTestCase
+
+
+class TestTokenPKCE(OAuthTestCase):
+    """Test token view"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.factory = RequestFactory()
+        self.app = Application.objects.create(name=generate_id(), slug="test")
+
+    def test_pkce_missing_in_authorize(self):
+        """Test PKCE with code_challenge in authorize request
+        and missing verifier in token request"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        challenge = generate_id()
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": challenge,
+                "code_challenge_method": "S256",
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                # Missing the code_verifier here
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertJSONEqual(
+            response.content,
+            {
+                "error": "invalid_grant",
+                "error_description": (
+                    "The provided authorization grant or refresh token is invalid, expired, "
+                    "revoked, does not match the redirection URI used in the authorization "
+                    "request, or was issued to another client"
+                ),
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+
+    def test_pkce_missing_in_token(self):
+        """Test PKCE with missing code_challenge in authorization request but verifier
+        set in token request"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                # "code_challenge": challenge,
+                # "code_challenge_method": "S256",
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                "code_verifier": generate_id(),
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertJSONEqual(
+            response.content,
+            {
+                "error": "invalid_grant",
+                "error_description": (
+                    "The provided authorization grant or refresh token is invalid, expired, "
+                    "revoked, does not match the redirection URI used in the authorization "
+                    "request, or was issued to another client"
+                ),
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+
+    def test_pkce_correct_s256(self):
+        """Test full with pkce"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        verifier = generate_id()
+        challenge = (
+            urlsafe_b64encode(sha256(verifier.encode("ascii")).digest())
+            .decode("utf-8")
+            .replace("=", "")
+        )
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": challenge,
+                "code_challenge_method": "S256",
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                "code_verifier": verifier,
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_pkce_correct_plain(self):
+        """Test full with pkce"""
+        flow = create_test_flow()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+            access_code_validity="seconds=100",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_id()
+        user = create_test_admin_user()
+        self.client.force_login(user)
+        verifier = generate_id()
+        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+                "code_challenge": verifier,
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            response.content.decode(),
+            {
+                "component": "xak-flow-redirect",
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                "code_verifier": verifier,
+                "redirect_uri": "foo://localhost",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        self.assertEqual(response.status_code, 200)
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -74,6 +74,7 @@ PLAN_CONTEXT_PARAMS = "goauthentik.io/providers/oauth2/params"
 SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"

 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
+FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}


@dataclass(slots=True)
@ -174,6 +175,10 @@ class OAuthAuthorizationParams:
        self.check_scope()
        self.check_nonce()
        self.check_code_challenge()
+        if self.request:
+            raise AuthorizeError(
+                self.redirect_uri, "request_not_supported", self.grant_type, self.state
+            )

    def check_redirect_uri(self):
        """Redirect URI validation."""
@ -211,10 +216,9 @@ class OAuthAuthorizationParams:
                    expected=allowed_redirect_urls,
                )
                raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
-        if self.request:
-            raise AuthorizeError(
-                self.redirect_uri, "request_not_supported", self.grant_type, self.state
-            )
+        # Check against forbidden schemes
+        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
+            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)

    def check_scope(self):
        """Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
@ -375,7 +379,9 @@ class AuthorizationFlowInitView(PolicyAccessView):
            ):
                self.request.session[SESSION_KEY_LAST_LOGIN_UID] = login_uid
                return self.handle_no_permission()
-        scope_descriptions = UserInfoView().get_scope_descriptions(self.params.scope)
+        scope_descriptions = UserInfoView().get_scope_descriptions(
+            self.params.scope, self.params.provider
+        )
        # Regardless, we start the planner and return to it
        planner = FlowPlanner(self.provider.authorization_flow)
        planner.allow_empty_flows = True
--- a/authentik/providers/oauth2/views/device_init.py
+++ b/authentik/providers/oauth2/views/device_init.py
@ -55,7 +55,7 @@ def validate_code(code: int, request: HttpRequest) -> Optional[HttpResponse]:
    if not app:
        return None

-    scope_descriptions = UserInfoView().get_scope_descriptions(token.scope)
+    scope_descriptions = UserInfoView().get_scope_descriptions(token.scope, token.provider)
    planner = FlowPlanner(token.provider.authorization_flow)
    planner.allow_empty_flows = True
    try:
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -6,6 +6,7 @@ from hashlib import sha256
 from re import error as RegexError
 from re import fullmatch
 from typing import Any, Optional
+from urllib.parse import urlparse

 from django.http import HttpRequest, HttpResponse
 from django.utils import timezone
@ -53,6 +54,7 @@ from authentik.providers.oauth2.models import (
    RefreshToken,
 )
 from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
+from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS

@ -204,6 +206,10 @@ class TokenParams:
                ).from_http(request)
                raise TokenError("invalid_client")

+        # Check against forbidden schemes
+        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
+            raise TokenError("invalid_request")
+
        self.authorization_code = AuthorizationCode.objects.filter(code=raw_code).first()
        if not self.authorization_code:
            LOGGER.warning("Code does not exist", code=raw_code)
@ -221,7 +227,10 @@ class TokenParams:
            raise TokenError("invalid_grant")

        # Validate PKCE parameters.
-        if self.code_verifier:
+        if self.authorization_code.code_challenge:
+            # Authorization code had PKCE but we didn't get one
+            if not self.code_verifier:
+                raise TokenError("invalid_grant")
            if self.authorization_code.code_challenge_method == PKCE_METHOD_S256:
                new_code_challenge = (
                    urlsafe_b64encode(sha256(self.code_verifier.encode("ascii")).digest())
@ -234,6 +243,10 @@ class TokenParams:
            if new_code_challenge != self.authorization_code.code_challenge:
                LOGGER.warning("Code challenge not matching")
                raise TokenError("invalid_grant")
+        # Token request had a code_verifier but code did not have a code challenge
+        # Prevent downgrade
+        if not self.authorization_code.code_challenge and self.code_verifier:
+            raise TokenError("invalid_grant")

    def __post_init_refresh(self, raw_token: str, request: HttpRequest):
        if not raw_token:
--- a/authentik/providers/oauth2/views/userinfo.py
+++ b/authentik/providers/oauth2/views/userinfo.py
@ -40,10 +40,14 @@ class UserInfoView(View):

    token: Optional[RefreshToken]

-    def get_scope_descriptions(self, scopes: list[str]) -> list[PermissionDict]:
+    def get_scope_descriptions(
+        self, scopes: list[str], provider: OAuth2Provider
+    ) -> list[PermissionDict]:
        """Get a list of all Scopes's descriptions"""
        scope_descriptions = []
-        for scope in ScopeMapping.objects.filter(scope_name__in=scopes).order_by("scope_name"):
+        for scope in ScopeMapping.objects.filter(scope_name__in=scopes, provider=provider).order_by(
+            "scope_name"
+        ):
            scope_descriptions.append(PermissionDict(id=scope.scope_name, name=scope.description))
        # GitHub Compatibility Scopes are handled differently, since they required custom paths
        # Hence they don't exist as Scope objects
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@ -59,7 +59,9 @@ class ProxyProviderSerializer(ProviderSerializer):
            attrs.get("mode", ProxyMode.PROXY) == ProxyMode.PROXY
            and attrs.get("internal_host", "") == ""
        ):
-            raise ValidationError(_("Internal host cannot be empty when forward auth is disabled."))
+            raise ValidationError(
+                {"internal_host": _("Internal host cannot be empty when forward auth is disabled.")}
+            )
        return attrs

    def create(self, validated_data: dict):
--- a/authentik/providers/proxy/tests.py
+++ b/authentik/providers/proxy/tests.py
@ -69,7 +69,7 @@ class ProxyProviderTests(APITestCase):
        self.assertEqual(response.status_code, 400)
        self.assertJSONEqual(
            response.content.decode(),
-            {"non_field_errors": ["Internal host cannot be empty when forward auth is disabled."]},
+            {"internal_host": ["Internal host cannot be empty when forward auth is disabled."]},
        )

    def test_create_defaults(self):
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@ -13,10 +13,9 @@ from rest_framework.decorators import action
 from rest_framework.fields import CharField, FileField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.permissions import AllowAny
-from rest_framework.relations import SlugRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ValidationError
+from rest_framework.serializers import PrimaryKeyRelatedField, ValidationError
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

@ -168,10 +167,8 @@ class SAMLProviderImportSerializer(PassiveSerializer):
    """Import saml provider from XML Metadata"""

    name = CharField(required=True)
-    # Using SlugField because https://github.com/OpenAPITools/openapi-generator/issues/3278
-    authorization_flow = SlugRelatedField(
+    authorization_flow = PrimaryKeyRelatedField(
        queryset=Flow.objects.filter(designation=FlowDesignation.AUTHORIZATION),
-        slug_field="slug",
    )
    file = FileField()

--- a/authentik/providers/saml/processors/metadata.py
+++ b/authentik/providers/saml/processors/metadata.py
@ -171,6 +171,8 @@ class MetadataProcessor:
            entity_descriptor, f"{{{NS_SAML_METADATA}}}IDPSSODescriptor"
        )
        idp_sso_descriptor.attrib["protocolSupportEnumeration"] = NS_SAML_PROTOCOL
+        if self.provider.verification_kp:
+            idp_sso_descriptor.attrib["WantAuthnRequestsSigned"] = "true"

        signing_descriptor = self.get_signing_key_descriptor()
        if signing_descriptor is not None:
--- a/authentik/providers/saml/tests/test_api.py
+++ b/authentik/providers/saml/tests/test_api.py
@ -89,7 +89,7 @@ class TestSAMLProviderAPI(APITestCase):
                {
                    "file": metadata,
                    "name": generate_id(),
-                    "authorization_flow": create_test_flow(FlowDesignation.AUTHORIZATION).slug,
+                    "authorization_flow": create_test_flow(FlowDesignation.AUTHORIZATION).pk,
                },
                format="multipart",
            )
@ -106,7 +106,7 @@ class TestSAMLProviderAPI(APITestCase):
                {
                    "file": metadata,
                    "name": generate_id(),
-                    "authorization_flow": create_test_flow().slug,
+                    "authorization_flow": create_test_flow().pk,
                },
                format="multipart",
            )
--- a/authentik/providers/saml/tests/test_metadata.py
+++ b/authentik/providers/saml/tests/test_metadata.py
@ -12,7 +12,7 @@ from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.metadata import MetadataProcessor
 from authentik.providers.saml.processors.metadata_parser import ServiceProviderMetadataParser
-from authentik.sources.saml.processors.constants import NS_MAP
+from authentik.sources.saml.processors.constants import NS_MAP, NS_SAML_METADATA


 class TestServiceProviderMetadataParser(TestCase):
@ -55,6 +55,24 @@ class TestServiceProviderMetadataParser(TestCase):
        schema = etree.XMLSchema(etree.parse("schemas/saml-schema-metadata-2.0.xsd"))  # nosec
        self.assertTrue(schema.validate(metadata))

+    def test_schema_want_authn_requests_signed(self):
+        """Test metadata generation with WantAuthnRequestsSigned"""
+        cert = create_test_cert()
+        provider = SAMLProvider.objects.create(
+            name=generate_id(),
+            authorization_flow=self.flow,
+            verification_kp=cert,
+        )
+        Application.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+            provider=provider,
+        )
+        request = self.factory.get("/")
+        metadata = lxml_from_string(MetadataProcessor(provider, request).build_entity_descriptor())
+        idp_sso_descriptor = metadata.findall(f"{{{NS_SAML_METADATA}}}IDPSSODescriptor")[0]
+        self.assertEqual(idp_sso_descriptor.attrib["WantAuthnRequestsSigned"], "true")
+
    def test_simple(self):
        """Test simple metadata without Signing"""
        metadata = ServiceProviderMetadataParser().parse(load_fixture("fixtures/simple.xml"))
--- a/authentik/providers/scim/clients/base.py
+++ b/authentik/providers/scim/clients/base.py
@ -68,7 +68,7 @@ class SCIMClient(Generic[T, SchemaType]):
        """Get Service provider config"""
        default_config = ServiceProviderConfiguration.default()
        try:
-            return ServiceProviderConfiguration.parse_obj(
+            return ServiceProviderConfiguration.model_validate(
                self._request("GET", "/ServiceProviderConfig")
            )
        except (ValidationError, SCIMRequestException) as exc:
--- a/authentik/providers/scim/clients/group.py
+++ b/authentik/providers/scim/clients/group.py
@ -74,7 +74,7 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
        if not raw_scim_group:
            raise StopSync(ValueError("No group mappings configured"), obj)
        try:
-            scim_group = SCIMGroupSchema.parse_obj(delete_none_values(raw_scim_group))
+            scim_group = SCIMGroupSchema.model_validate(delete_none_values(raw_scim_group))
        except ValidationError as exc:
            raise StopSync(exc, obj) from exc
        if not scim_group.externalId:
@ -99,7 +99,8 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
        response = self._request(
            "POST",
            "/Groups",
-            data=scim_group.json(
+            json=scim_group.model_dump(
+                mode="json",
                exclude_unset=True,
            ),
        )
@ -113,7 +114,8 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
            return self._request(
                "PUT",
                f"/Groups/{scim_group.id}",
-                data=scim_group.json(
+                json=scim_group.model_dump(
+                    mode="json",
                    exclude_unset=True,
                ),
            )
@ -160,7 +162,13 @@ class SCIMGroupClient(SCIMClient[Group, SCIMGroupSchema]):
        *ops: PatchOperation,
    ):
        req = PatchRequest(Operations=ops)
-        self._request("PATCH", f"/Groups/{group_id}", data=req.json())
+        self._request(
+            "PATCH",
+            f"/Groups/{group_id}",
+            json=req.model_dump(
+                mode="json",
+            ),
+        )

    def _patch_add_users(self, group: Group, users_set: set[int]):
        """Add users in users_set to group"""
--- a/authentik/providers/scim/clients/schema.py
+++ b/authentik/providers/scim/clients/schema.py
@ -52,7 +52,7 @@ class ServiceProviderConfiguration(BaseServiceProviderConfiguration):
 class PatchRequest(BasePatchRequest):
    """PatchRequest which correctly sets schemas"""

-    schemas: tuple[str] = ["urn:ietf:params:scim:api:messages:2.0:PatchOp"]
+    schemas: tuple[str] = ("urn:ietf:params:scim:api:messages:2.0:PatchOp",)


 class SCIMError(BaseSCIMError):
--- a/authentik/providers/scim/clients/user.py
+++ b/authentik/providers/scim/clients/user.py
@ -64,7 +64,7 @@ class SCIMUserClient(SCIMClient[User, SCIMUserSchema]):
        if not raw_scim_user:
            raise StopSync(ValueError("No user mappings configured"), obj)
        try:
-            scim_user = SCIMUserSchema.parse_obj(delete_none_values(raw_scim_user))
+            scim_user = SCIMUserSchema.model_validate(delete_none_values(raw_scim_user))
        except ValidationError as exc:
            raise StopSync(exc, obj) from exc
        if not scim_user.externalId:
@ -77,7 +77,8 @@ class SCIMUserClient(SCIMClient[User, SCIMUserSchema]):
        response = self._request(
            "POST",
            "/Users",
-            data=scim_user.json(
+            json=scim_user.model_dump(
+                mode="json",
                exclude_unset=True,
            ),
        )
@ -90,7 +91,8 @@ class SCIMUserClient(SCIMClient[User, SCIMUserSchema]):
        self._request(
            "PUT",
            f"/Users/{connection.id}",
-            data=scim_user.json(
+            json=scim_user.model_dump(
+                mode="json",
                exclude_unset=True,
            ),
        )
--- a/authentik/providers/scim/signals.py
+++ b/authentik/providers/scim/signals.py
@ -23,6 +23,8 @@ def post_save_provider(sender: type[Model], instance, created: bool, **_):
@receiver(post_save, sender=Group)
 def post_save_scim(sender: type[Model], instance: User | Group, created: bool, **_):
    """Post save handler"""
+    if not SCIMProvider.objects.filter(backchannel_application__isnull=False).exists():
+        return
    scim_signal_direct.delay(class_to_path(instance.__class__), instance.pk, PatchOp.add.value)


@ -30,6 +32,8 @@ def post_save_scim(sender: type[Model], instance: User | Group, created: bool, *
@receiver(pre_delete, sender=Group)
 def pre_delete_scim(sender: type[Model], instance: User | Group, **_):
    """Pre-delete handler"""
+    if not SCIMProvider.objects.filter(backchannel_application__isnull=False).exists():
+        return
    scim_signal_direct.delay(class_to_path(instance.__class__), instance.pk, PatchOp.remove.value)


@ -40,6 +44,8 @@ def m2m_changed_scim(
    """Sync group membership"""
    if action not in ["post_add", "post_remove"]:
        return
+    if not SCIMProvider.objects.filter(backchannel_application__isnull=False).exists():
+        return
    # reverse: instance is a Group, pk_set is a list of user pks
    # non-reverse: instance is a User, pk_set is a list of groups
    if reverse:
--- a/authentik/providers/scim/tests/test_membership.py
+++ b/authentik/providers/scim/tests/test_membership.py
@ -47,6 +47,7 @@ class SCIMMembershipTests(TestCase):
    def test_member_add(self):
        """Test member add"""
        config = ServiceProviderConfiguration.default()
+        # pylint: disable=assigning-non-slot
        config.patch.supported = True
        user_scim_id = generate_id()
        group_scim_id = generate_id()
@ -60,7 +61,7 @@ class SCIMMembershipTests(TestCase):
        with Mocker() as mocker:
            mocker.get(
                "https://localhost/ServiceProviderConfig",
-                json=config.dict(),
+                json=config.model_dump(),
            )
            mocker.post(
                "https://localhost/Users",
@ -104,7 +105,7 @@ class SCIMMembershipTests(TestCase):
        with Mocker() as mocker:
            mocker.get(
                "https://localhost/ServiceProviderConfig",
-                json=config.dict(),
+                json=config.model_dump(),
            )
            mocker.patch(
                f"https://localhost/Groups/{group_scim_id}",
@ -131,6 +132,7 @@ class SCIMMembershipTests(TestCase):
    def test_member_remove(self):
        """Test member remove"""
        config = ServiceProviderConfiguration.default()
+        # pylint: disable=assigning-non-slot
        config.patch.supported = True
        user_scim_id = generate_id()
        group_scim_id = generate_id()
@ -144,7 +146,7 @@ class SCIMMembershipTests(TestCase):
        with Mocker() as mocker:
            mocker.get(
                "https://localhost/ServiceProviderConfig",
-                json=config.dict(),
+                json=config.model_dump(),
            )
            mocker.post(
                "https://localhost/Users",
@ -188,7 +190,7 @@ class SCIMMembershipTests(TestCase):
        with Mocker() as mocker:
            mocker.get(
                "https://localhost/ServiceProviderConfig",
-                json=config.dict(),
+                json=config.model_dump(),
            )
            mocker.patch(
                f"https://localhost/Groups/{group_scim_id}",
@ -215,7 +217,7 @@ class SCIMMembershipTests(TestCase):
        with Mocker() as mocker:
            mocker.get(
                "https://localhost/ServiceProviderConfig",
-                json=config.dict(),
+                json=config.model_dump(),
            )
            mocker.patch(
                f"https://localhost/Groups/{group_scim_id}",
--- a/authentik/root/celery.py
+++ b/authentik/root/celery.py
@ -44,7 +44,11 @@ def config_loggers(*args, **kwargs):
 def after_task_publish_hook(sender=None, headers=None, body=None, **kwargs):
    """Log task_id after it was published"""
    info = headers if "task" in headers else body
-    LOGGER.info("Task published", task_id=info.get("id", ""), task_name=info.get("task", ""))
+    LOGGER.info(
+        "Task published",
+        task_id=info.get("id", "").replace("-", ""),
+        task_name=info.get("task", ""),
+    )


@task_prerun.connect
@ -59,7 +63,9 @@ def task_prerun_hook(task_id: str, task, *args, **kwargs):
 def task_postrun_hook(task_id, task, *args, retval=None, state=None, **kwargs):
    """Log task_id on worker"""
    CTX_TASK_ID.set(...)
-    LOGGER.info("Task finished", task_id=task_id, task_name=task.__name__, state=state)
+    LOGGER.info(
+        "Task finished", task_id=task_id.replace("-", ""), task_name=task.__name__, state=state
+    )


@task_failure.connect
--- a/authentik/root/install_id.py
+++ b/authentik/root/install_id.py
@ -2,7 +2,7 @@
 from functools import lru_cache
 from uuid import uuid4

-from psycopg2 import connect
+from psycopg import connect

 from authentik.lib.config import CONFIG

@ -30,7 +30,7 @@ def get_install_id_raw():
        user=CONFIG.get("postgresql.user"),
        password=CONFIG.get("postgresql.password"),
        host=CONFIG.get("postgresql.host"),
-        port=int(CONFIG.get("postgresql.port")),
+        port=CONFIG.get_int("postgresql.port"),
        sslmode=CONFIG.get("postgresql.sslmode"),
        sslrootcert=CONFIG.get("postgresql.sslrootcert"),
        sslcert=CONFIG.get("postgresql.sslcert"),
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -190,14 +190,14 @@ if CONFIG.get_bool("redis.tls", False):
 _redis_url = (
    f"{_redis_protocol_prefix}:"
    f"{quote_plus(CONFIG.get('redis.password'))}@{quote_plus(CONFIG.get('redis.host'))}:"
-    f"{int(CONFIG.get('redis.port'))}"
+    f"{CONFIG.get_int('redis.port')}"
 )

 CACHES = {
    "default": {
        "BACKEND": "django_redis.cache.RedisCache",
        "LOCATION": f"{_redis_url}/{CONFIG.get('redis.db')}",
-        "TIMEOUT": int(CONFIG.get("redis.cache_timeout", 300)),
+        "TIMEOUT": CONFIG.get_int("redis.cache_timeout", 300),
        "OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
        "KEY_PREFIX": "authentik_cache",
    }
@ -274,7 +274,7 @@ DATABASES = {
        "NAME": CONFIG.get("postgresql.name"),
        "USER": CONFIG.get("postgresql.user"),
        "PASSWORD": CONFIG.get("postgresql.password"),
-        "PORT": int(CONFIG.get("postgresql.port")),
+        "PORT": CONFIG.get_int("postgresql.port"),
        "SSLMODE": CONFIG.get("postgresql.sslmode"),
        "SSLROOTCERT": CONFIG.get("postgresql.sslrootcert"),
        "SSLCERT": CONFIG.get("postgresql.sslcert"),
@ -293,12 +293,12 @@ if CONFIG.get_bool("postgresql.use_pgbouncer", False):
 # loads the config directly from CONFIG
 # See authentik/stages/email/models.py, line 105
 EMAIL_HOST = CONFIG.get("email.host")
-EMAIL_PORT = int(CONFIG.get("email.port"))
+EMAIL_PORT = CONFIG.get_int("email.port")
 EMAIL_HOST_USER = CONFIG.get("email.username")
 EMAIL_HOST_PASSWORD = CONFIG.get("email.password")
 EMAIL_USE_TLS = CONFIG.get_bool("email.use_tls", False)
 EMAIL_USE_SSL = CONFIG.get_bool("email.use_ssl", False)
-EMAIL_TIMEOUT = int(CONFIG.get("email.timeout"))
+EMAIL_TIMEOUT = CONFIG.get_int("email.timeout")
 DEFAULT_FROM_EMAIL = CONFIG.get("email.from")
 SERVER_EMAIL = DEFAULT_FROM_EMAIL
 EMAIL_SUBJECT_PREFIX = "[authentik] "
@ -411,7 +411,7 @@ LOGGING = {
        "json": {
            "()": structlog.stdlib.ProcessorFormatter,
            "processor": structlog.processors.JSONRenderer(sort_keys=True),
-            "foreign_pre_chain": LOG_PRE_CHAIN,
+            "foreign_pre_chain": LOG_PRE_CHAIN + [structlog.processors.dict_tracebacks],
        },
        "console": {
            "()": structlog.stdlib.ProcessorFormatter,
--- a/authentik/sources/ldap/api.py
+++ b/authentik/sources/ldap/api.py
@ -44,7 +44,11 @@ class LDAPSourceSerializer(SourceSerializer):
                sources = sources.exclude(pk=self.instance.pk)
            if sources.exists():
                raise ValidationError(
-                    "Only a single LDAP Source with password synchronization is allowed"
+                    {
+                        "sync_users_password": (
+                            "Only a single LDAP Source with password synchronization is allowed"
+                        )
+                    }
                )
        return super().validate(attrs)

--- a/authentik/sources/ldap/sync/base.py
+++ b/authentik/sources/ldap/sync/base.py
@ -93,7 +93,7 @@ class BaseLDAPSynchronizer:
        types_only=False,
        get_operational_attributes=False,
        controls=None,
-        paged_size=int(CONFIG.get("ldap.page_size", 50)),
+        paged_size=CONFIG.get_int("ldap.page_size", 50),
        paged_criticality=False,
    ):
        """Search in pages, returns each page"""
--- a/authentik/sources/ldap/sync/groups.py
+++ b/authentik/sources/ldap/sync/groups.py
@ -18,6 +18,9 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
        return "groups"

    def get_objects(self, **kwargs) -> Generator:
+        if not self._source.sync_groups:
+            self.message("Group syncing is disabled for this Source")
+            return iter(())
        return self.search_paginator(
            search_base=self.base_dn_groups,
            search_filter=self._source.group_object_filter,
--- a/authentik/sources/ldap/sync/membership.py
+++ b/authentik/sources/ldap/sync/membership.py
@ -24,6 +24,9 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
        return "membership"

    def get_objects(self, **kwargs) -> Generator:
+        if not self._source.sync_groups:
+            self.message("Group syncing is disabled for this Source")
+            return iter(())
        return self.search_paginator(
            search_base=self.base_dn_groups,
            search_filter=self._source.group_object_filter,
--- a/authentik/sources/ldap/sync/users.py
+++ b/authentik/sources/ldap/sync/users.py
@ -20,6 +20,9 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
        return "users"

    def get_objects(self, **kwargs) -> Generator:
+        if not self._source.sync_users:
+            self.message("User syncing is disabled for this Source")
+            return iter(())
        return self.search_paginator(
            search_base=self.base_dn_users,
            search_filter=self._source.user_object_filter,
--- a/Show More
+++ b/Show More