web: update the type names for routes.

While writing up the commit message for the previous commit, I realized that I didn't really like
the typenames as they're outlaid in `routeUtils`.  This is much more explicit, describing the
four types of routes we have: ListRoute, ViewRoute, InternalRedirect, ExternalRedirect.

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.4.0
+current_version = 2024.2.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@@ -17,20 +17,12 @@ optional_value = final
 
 [bumpversion:file:pyproject.toml]
 
-[bumpversion:file:uv.lock]
-
-[bumpversion:file:package.json]
-
 [bumpversion:file:docker-compose.yml]
 
 [bumpversion:file:schema.yml]
 
-[bumpversion:file:blueprints/schema.json]
-
 [bumpversion:file:authentik/__init__.py]
 
 [bumpversion:file:internal/constants/constants.go]
 
 [bumpversion:file:web/src/common/constants.ts]
-
-[bumpversion:file:lifecycle/aws/template.yaml]

.github/FUNDING.yml

@@ -1 +1 @@
-custom: https://goauthentik.io/pricing/
+github: [BeryJu]

.github/ISSUE_TEMPLATE/bug_report.md

@@ -28,11 +28,7 @@ Output of docker-compose logs or kubectl logs respectively
 
 **Version and Deployment (please complete the following information):**
 
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
--->
-
--   authentik version: [e.g. 2025.2.0]
+-   authentik version: [e.g. 2021.8.5]
 -   Deployment: [e.g. docker-compose, helm]
 
 **Additional context**

.github/ISSUE_TEMPLATE/docs_issue.md

@@ -1,22 +0,0 @@
----
-name: Documentation issue
-about: Suggest an improvement or report a problem
-title: ""
-labels: documentation
-assignees: ""
----
-
-**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
-A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
-
-**Provide the URL or link to the exact page in the documentation to which you are referring.**
-If there are multiple pages, list them all, and be sure to state the header or section where the content is.
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Additional context**
-Add any other context or screenshots about the documentation issue here.
-
-**Consider opening a PR!**
-If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).

.github/ISSUE_TEMPLATE/question.md

@@ -20,12 +20,7 @@ Output of docker-compose logs or kubectl logs respectively
 
 **Version and Deployment (please complete the following information):**
 
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
--->
-
-
--   authentik version: [e.g. 2025.2.0]
+-   authentik version: [e.g. 2021.8.5]
 -   Deployment: [e.g. docker-compose, helm]
 
 **Additional context**

.github/actions/comment-pr-instructions/action.yml

@@ -35,6 +35,14 @@ runs:
             AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
             ```
 
+            For arm64, use these values:
+
+            ```shell
+            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
+            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
+            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            ```
+
             Afterwards, run the upgrade commands from the latest release notes.
           </details>
           <details>
@@ -46,10 +54,20 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}
+            ```
+
+            For arm64, use these values:
+
+            ```yaml
+            authentik:
+                outposts:
+                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            image:
+                repository: ghcr.io/goauthentik/dev-server
+                tag: ${{ inputs.tag }}-arm64
             ```
 
             Afterwards, run the upgrade commands from the latest release notes.

.github/actions/docker-push-variables/action.yml

@@ -9,14 +9,11 @@ inputs:
   image-arch:
     required: false
     description: "Docker image arch"
-  release:
-    required: true
-    description: "True if this is a release build, false if this is a dev/PR build"
 
 outputs:
-  shouldPush:
-    description: "Whether to push the image or not"
-    value: ${{ steps.ev.outputs.shouldPush }}
+  shouldBuild:
+    description: "Whether to build image or not"
+    value: ${{ steps.ev.outputs.shouldBuild }}
 
   sha:
     description: "sha"
@@ -32,24 +29,9 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
-  imageTagsJSON:
-    description: "Docker image tags, as a JSON array"
-    value: ${{ steps.ev.outputs.imageTagsJSON }}
-  attestImageNames:
-    description: "Docker image names used for attestation"
-    value: ${{ steps.ev.outputs.attestImageNames }}
-  cacheTo:
-    description: "cache-to value for the docker build step"
-    value: ${{ steps.ev.outputs.cacheTo }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}
-  imageMainName:
-    description: "Docker image main name"
-    value: ${{ steps.ev.outputs.imageMainName }}
-  imageBuildArgs:
-    description: "Docker image build args"
-    value: ${{ steps.ev.outputs.imageBuildArgs }}
 
 runs:
   using: "composite"
@@ -60,8 +42,6 @@ runs:
       env:
         IMAGE_NAME: ${{ inputs.image-name }}
         IMAGE_ARCH: ${{ inputs.image-arch }}
-        RELEASE: ${{ inputs.release }}
         PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-        REF: ${{ github.ref }}
       run: |
         python3 ${{ github.action_path }}/push_vars.py

.github/actions/docker-push-variables/push_vars.py

@@ -2,25 +2,17 @@
 
 import configparser
 import os
-from json import dumps
 from time import time
 
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
 
-# Decide if we should push the image or not
-should_push = True
-if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
-    # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
-    should_push = False
-if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
-    # Don't push on the internal repo
-    should_push = False
+should_build = str(os.environ.get("DOCKER_USERNAME", None) is not None).lower()
 
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
     branch_name = os.environ["GITHUB_HEAD_REF"]
-safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-").replace("'", "-")
+safe_branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
 
 image_names = os.getenv("IMAGE_NAME").split(",")
 image_arch = os.getenv("IMAGE_ARCH") or None
@@ -44,11 +36,12 @@ if is_release:
         ]
         if not prerelease:
             image_tags += [
+                f"{name}:latest",
                 f"{name}:{version_family}",
             ]
 else:
     suffix = ""
-    if image_arch:
+    if image_arch and image_arch != "amd64":
         suffix = f"-{image_arch}"
     for name in image_names:
         image_tags += [
@@ -57,44 +50,13 @@ else:
             f"{name}:gh-{safe_branch_name}-{int(time())}-{sha[:7]}{suffix}",  # Use by FluxCD
         ]
 
-image_main_tag = image_tags[0].split(":")[-1]
-
-
-def get_attest_image_names(image_with_tags: list[str]):
-    """Attestation only for GHCR"""
-    image_tags = []
-    for image_name in set(name.split(":")[0] for name in image_with_tags):
-        if not image_name.startswith("ghcr.io"):
-            continue
-        image_tags.append(image_name)
-    return ",".join(set(image_tags))
-
-
-# Generate `cache-to` param
-cache_to = ""
-if should_push:
-    _cache_tag = "buildcache"
-    if image_arch:
-        _cache_tag += f"-{image_arch}"
-    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
-
-
-image_build_args = []
-if os.getenv("RELEASE", "false").lower() == "true":
-    image_build_args = [f"VERSION={os.getenv('REF')}"]
-else:
-    image_build_args = [f"GIT_BUILD_HASH={sha}"]
-image_build_args = "\n".join(image_build_args)
+image_main_tag = image_tags[0]
+image_tags_rendered = ",".join(image_tags)
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print(f"shouldPush={str(should_push).lower()}", file=_output)
-    print(f"sha={sha}", file=_output)
-    print(f"version={version}", file=_output)
-    print(f"prerelease={prerelease}", file=_output)
-    print(f"imageTags={','.join(image_tags)}", file=_output)
-    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
-    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
-    print(f"imageMainTag={image_main_tag}", file=_output)
-    print(f"imageMainName={image_tags[0]}", file=_output)
-    print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={image_build_args}", file=_output)
+    print("shouldBuild=%s" % should_build, file=_output)
+    print("sha=%s" % sha, file=_output)
+    print("version=%s" % version, file=_output)
+    print("prerelease=%s" % prerelease, file=_output)
+    print("imageTags=%s" % image_tags_rendered, file=_output)
+    print("imageMainTag=%s" % image_main_tag, file=_output)

.github/actions/docker-push-variables/test.sh

@@ -1,18 +1,7 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-# Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
     GITHUB_REF=ref \
     GITHUB_SHA=sha \
     IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    python $SCRIPT_DIR/push_vars.py
-
-# Pushing PR/main
-GITHUB_OUTPUT=/dev/stdout \
-    GITHUB_REF=ref \
-    GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    DOCKER_USERNAME=foo \
     python $SCRIPT_DIR/push_vars.py

.github/actions/setup/action.yml

@@ -9,44 +9,36 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Install apt deps
+    - name: Install poetry & deps
       shell: bash
       run: |
+        pipx install poetry || true
         sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
-    - name: Install uv
-      uses: astral-sh/setup-uv@v5
-      with:
-        enable-cache: true
-    - name: Setup python
-      uses: actions/setup-python@v5
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+    - name: Setup python and restore poetry
+      uses: actions/setup-python@v4
       with:
         python-version-file: "pyproject.toml"
-    - name: Install Python deps
-      shell: bash
-      run: uv sync --all-extras --dev --frozen
+        cache: "poetry"
     - name: Setup node
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@v3
       with:
         node-version-file: web/package.json
         cache: "npm"
         cache-dependency-path: web/package-lock.json
     - name: Setup go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v4
       with:
         go-version-file: "go.mod"
-    - name: Setup docker cache
-      uses: ScribeMD/docker-cache@0.5.0
-      with:
-        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/docker-compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
     - name: Setup dependencies
       shell: bash
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
-        docker compose -f .github/actions/setup/docker-compose.yml up -d
+        docker-compose -f .github/actions/setup/docker-compose.yml up -d
+        poetry install
         cd web && npm ci
     - name: Generate config
-      shell: uv run python {0}
+      shell: poetry run python {0}
       run: |
         from authentik.lib.generators import generate_id
         from yaml import safe_dump

.github/actions/setup/docker-compose.yml

@@ -1,3 +1,5 @@
+version: "3.7"
+
 services:
   postgresql:
     image: docker.io/library/postgres:${PSQL_TAG:-16}
@@ -11,7 +13,7 @@ services:
       - 5432:5432
     restart: always
   redis:
-    image: docker.io/library/redis:7
+    image: docker.io/library/redis
     ports:
       - 6379:6379
     restart: always

.github/codespell-words.txt

@@ -1,32 +1,6 @@
-akadmin
-asgi
-assertIn
-authentik
-authn
-crate
-docstrings
-entra
-goauthentik
-gunicorn
-hass
-jwe
-jwks
 keypair
 keypairs
-kubernetes
-oidc
-ontext
-openid
-passwordless
-plex
-saml
-scim
-singed
-slo
-sso
-totp
-traefik
-# https://github.com/codespell-project/codespell/issues/1224
-upToDate
+hass
 warmup
-webauthn
+ontext
+singed

.github/dependabot.yml

@@ -21,9 +21,7 @@ updates:
     labels:
       - dependencies
   - package-ecosystem: npm
-    directories:
-      - "/web"
-      - "/web/sfe"
+    directory: "/web"
     schedule:
       interval: daily
       time: "04:00"
@@ -32,6 +30,7 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
+    # TODO: deduplicate these groups
     groups:
       sentry:
         patterns:
@@ -43,11 +42,9 @@ updates:
           - "babel-*"
       eslint:
         patterns:
-          - "@eslint/*"
           - "@typescript-eslint/*"
-          - "eslint-*"
           - "eslint"
-          - "typescript-eslint"
+          - "eslint-*"
       storybook:
         patterns:
           - "@storybook/*"
@@ -55,16 +52,42 @@ updates:
       esbuild:
         patterns:
           - "@esbuild/*"
-          - "esbuild*"
       rollup:
         patterns:
           - "@rollup/*"
           - "rollup-*"
-          - "rollup*"
-      swc:
+  - package-ecosystem: npm
+    directory: "/tests/wdio"
+    schedule:
+      interval: daily
+      time: "04:00"
+    labels:
+      - dependencies
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "web:"
+    # TODO: deduplicate these groups
+    groups:
+      sentry:
         patterns:
-          - "@swc/*"
-          - "swc-*"
+          - "@sentry/*"
+          - "@spotlightjs/*"
+      babel:
+        patterns:
+          - "@babel/*"
+          - "babel-*"
+      eslint:
+        patterns:
+          - "@typescript-eslint/*"
+          - "eslint"
+          - "eslint-*"
+      storybook:
+        patterns:
+          - "@storybook/*"
+          - "*storybook*"
+      esbuild:
+        patterns:
+          - "@esbuild/*"
       wdio:
         patterns:
           - "@wdio/*"
@@ -82,23 +105,7 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
-      build:
-        patterns:
-          - "@swc/*"
-          - "swc-*"
-          - "lightningcss*"
-          - "@rspack/binding*"
-  - package-ecosystem: npm
-    directory: "/lifecycle/aws"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "lifecycle/aws:"
-    labels:
-      - dependencies
-  - package-ecosystem: uv
+  - package-ecosystem: pip
     directory: "/"
     schedule:
       interval: daily
@@ -118,15 +125,3 @@ updates:
       prefix: "core:"
     labels:
       - dependencies
-  - package-ecosystem: docker-compose
-    directories:
-      # - /scripts # Maybe
-      - /tests/e2e
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies

.github/pull_request_template.md

@@ -1,7 +1,7 @@
 <!--
 👋 Hi there! Welcome.
 
-Please check the Contributing guidelines: https://docs.goauthentik.io/docs/developer-docs/#how-can-i-contribute
+Please check the Contributing guidelines: https://goauthentik.io/developer-docs/#how-can-i-contribute
 -->
 
 ## Details

.github/workflows/_reusable-docker-build-single.yaml

@@ -1,96 +0,0 @@
-# Re-usable workflow for a single-architecture build
-name: Single-arch Container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      image_arch:
-        required: true
-        type: string
-      runs-on:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: false
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs:
-      image-digest:
-        value: ${{ jobs.build.outputs.image-digest }}
-
-jobs:
-  build:
-    name: Build ${{ inputs.image_arch }}
-    runs-on: ${{ inputs.runs-on }}
-    outputs:
-      image-digest: ${{ steps.push.outputs.digest }}
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.6.0
-      - uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-          image-arch: ${{ inputs.image_arch }}
-          release: ${{ inputs.release }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
-        if: ${{ inputs.release }}
-        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
-      - name: generate ts client
-        if: ${{ !inputs.release }}
-        run: make gen-client-ts
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          build-args: |
-            ${{ steps.ev.outputs.imageBuildArgs }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          platforms: linux/${{ inputs.image_arch }}
-          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
-          cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true

.github/workflows/_reusable-docker-build.yaml

@@ -1,104 +0,0 @@
-# Re-usable workflow for a multi-architecture build
-name: Multi-arch container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: true
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs: {}
-
-jobs:
-  build-server-amd64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: amd64
-      runs-on: ubuntu-latest
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  build-server-arm64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: arm64
-      runs-on: ubuntu-22.04-arm
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  get-tags:
-    runs-on: ubuntu-latest
-    needs:
-      - build-server-amd64
-      - build-server-arm64
-    outputs:
-      tags: ${{ steps.ev.outputs.imageTagsJSON }}
-      shouldPush: ${{ steps.ev.outputs.shouldPush }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-  merge-server:
-    runs-on: ubuntu-latest
-    if: ${{ needs.get-tags.outputs.shouldPush == 'true' }}
-    needs:
-      - get-tags
-      - build-server-amd64
-      - build-server-arm64
-    strategy:
-      fail-fast: false
-      matrix:
-        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@v2
-        id: build
-        with:
-          tags: ${{ matrix.tag }}
-          sources: |
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true

.github/workflows/api-py-publish.yml

@@ -1,65 +0,0 @@
-name: authentik-api-py-publish
-on:
-  push:
-    branches: [main]
-    paths:
-      - "schema.yml"
-  workflow_dispatch:
-jobs:
-  build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    permissions:
-      id-token: write
-    steps:
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Install poetry & deps
-        shell: bash
-        run: |
-          pipx install poetry || true
-          sudo apt-get update
-          sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
-      - name: Setup python and restore poetry
-        uses: actions/setup-python@v5
-        with:
-          python-version-file: "pyproject.toml"
-      - name: Generate API Client
-        run: make gen-client-py
-      - name: Publish package
-        working-directory: gen-py-api/
-        run: |
-          poetry build
-      - name: Publish package to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          packages-dir: gen-py-api/dist/
-      # We can't easily upgrade the API client being used due to poetry being poetry
-      # so we'll have to rely on dependabot
-      # - name: Upgrade /
-      #   run: |
-      #     export VERSION=$(cd gen-py-api && poetry version -s)
-      #     poetry add "authentik_client=$VERSION" --allow-prereleases --lock
-      # - uses: peter-evans/create-pull-request@v6
-      #   id: cpr
-      #   with:
-      #     token: ${{ steps.generate_token.outputs.token }}
-      #     branch: update-root-api-client
-      #     commit-message: "root: bump API Client version"
-      #     title: "root: bump API Client version"
-      #     body: "root: bump API Client version"
-      #     delete-branch: true
-      #     signoff: true
-      #     # ID from https://api.github.com/users/authentik-automation[bot]
-      #     author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-      # - uses: peter-evans/enable-pull-request-automerge@v3
-      #   with:
-      #     token: ${{ steps.generate_token.outputs.token }}
-      #     pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-      #     merge-method: squash

.github/workflows/ci-aws-cfn.yml

@@ -1,46 +0,0 @@
-name: authentik-ci-aws-cfn
-
-on:
-  push:
-    branches:
-      - main
-      - next
-      - version-*
-  pull_request:
-    branches:
-      - main
-      - version-*
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  check-changes-applied:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: lifecycle/aws/package.json
-          cache: "npm"
-          cache-dependency-path: lifecycle/aws/package-lock.json
-      - working-directory: lifecycle/aws/
-        run: |
-          npm ci
-      - name: Check changes have been applied
-        run: |
-          uv run make aws-cfn
-          git diff --exit-code
-  ci-aws-cfn-mark:
-    if: always()
-    needs:
-      - check-changes-applied
-    runs-on: ubuntu-latest
-    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}

.github/workflows/ci-main-daily.yml

@@ -1,28 +0,0 @@
----
-name: authentik-ci-main-daily
-
-on:
-  workflow_dispatch:
-  schedule:
-    # Every night at 3am
-    - cron: "0 3 * * *"
-
-jobs:
-  test-container:
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        version:
-          - docs
-          - version-2025-2
-          - version-2024-12
-    steps:
-      - uses: actions/checkout@v4
-      - run: |
-          current="$(pwd)"
-          dir="/tmp/authentik/${{ matrix.version }}"
-          mkdir -p $dir
-          cd $dir
-          wget https://${{ matrix.version }}.goauthentik.io/docker-compose.yml
-          ${current}/scripts/test_docker.sh

.github/workflows/ci-main.yml

@@ -7,6 +7,8 @@ on:
       - main
       - next
       - version-*
+    paths-ignore:
+      - website/**
   pull_request:
     branches:
       - main
@@ -34,7 +36,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run job
-        run: uv run make ci-${{ matrix.job }}
+        run: poetry run make ci-${{ matrix.job }}
   test-migrations:
     runs-on: ubuntu-latest
     steps:
@@ -42,33 +44,25 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: run migrations
-        run: uv run python -m lifecycle.migrate
-  test-make-seed:
-    runs-on: ubuntu-latest
-    steps:
-      - id: seed
-        run: |
-          echo "seed=$(printf "%d\n" "0x$(openssl rand -hex 4)")" >> "$GITHUB_OUTPUT"
-    outputs:
-      seed: ${{ steps.seed.outputs.seed }}
+        run: poetry run python -m lifecycle.migrate
   test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    timeout-minutes: 20
-    needs: test-make-seed
     strategy:
       fail-fast: false
       matrix:
         psql:
+          - 12-alpine
           - 15-alpine
           - 16-alpine
-        run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: checkout stable
         run: |
+          # Delete all poetry envs
+          rm -rf /home/runner/.cache/pypoetry
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
@@ -81,7 +75,7 @@ jobs:
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: run migrations to stable
-        run: uv run python -m lifecycle.migrate
+        run: poetry run python -m lifecycle.migrate
       - name: checkout current code
         run: |
           set -x
@@ -89,34 +83,32 @@ jobs:
           git reset --hard HEAD
           git clean -d -fx .
           git checkout $GITHUB_SHA
+          # Delete previous poetry env
+          rm -rf /home/runner/.cache/pypoetry/virtualenvs/*
       - name: Setup authentik env (ensure latest deps are installed)
         uses: ./.github/actions/setup
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: migrate to latest
         run: |
-          uv run python -m lifecycle.migrate
+          poetry run python -m lifecycle.migrate
       - name: run tests
         env:
           # Test in the main database that we just migrated from the previous stable version
           AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
-          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
-          CI_RUN_ID: ${{ matrix.run_id }}
-          CI_TOTAL_RUNS: "5"
         run: |
-          uv run make ci-test
+          poetry run make test
   test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-unittest - PostgreSQL ${{ matrix.psql }}
     runs-on: ubuntu-latest
-    timeout-minutes: 20
-    needs: test-make-seed
+    timeout-minutes: 30
     strategy:
       fail-fast: false
       matrix:
         psql:
+          - 12-alpine
           - 15-alpine
           - 16-alpine
-        run_id: [1, 2, 3, 4, 5]
     steps:
       - uses: actions/checkout@v4
       - name: Setup authentik env
@@ -124,23 +116,14 @@ jobs:
         with:
           postgresql_version: ${{ matrix.psql }}
       - name: run unittest
-        env:
-          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
-          CI_RUN_ID: ${{ matrix.run_id }}
-          CI_TOTAL_RUNS: "5"
         run: |
-          uv run make ci-test
+          poetry run make test
+          poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: unit
           token: ${{ secrets.CODECOV_TOKEN }}
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: unit
-          file: unittest.xml
-          token: ${{ secrets.CODECOV_TOKEN }}
   test-integration:
     runs-on: ubuntu-latest
     timeout-minutes: 30
@@ -149,22 +132,16 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.12.0
+        uses: helm/kind-action@v1.9.0
       - name: run integration
         run: |
-          uv run coverage run manage.py test tests/integration
-          uv run coverage xml
+          poetry run coverage run manage.py test tests/integration
+          poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: integration
           token: ${{ secrets.CODECOV_TOKEN }}
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: integration
-          file: unittest.xml
-          token: ${{ secrets.CODECOV_TOKEN }}
   test-e2e:
     name: test-e2e (${{ matrix.job.name }})
     runs-on: ubuntu-latest
@@ -185,8 +162,6 @@ jobs:
             glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
           - name: radius
             glob: tests/e2e/test_provider_radius*
-          - name: scim
-            glob: tests/e2e/test_source_scim*
           - name: flows
             glob: tests/e2e/test_flows*
     steps:
@@ -195,7 +170,7 @@ jobs:
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
         run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
+          docker-compose -f tests/e2e/docker-compose.yml up -d
       - id: cache-web
         uses: actions/cache@v4
         with:
@@ -210,21 +185,14 @@ jobs:
           npm run build
       - name: run e2e
         run: |
-          uv run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage xml
+          poetry run coverage run manage.py test ${{ matrix.job.glob }}
+          poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: e2e
           token: ${{ secrets.CODECOV_TOKEN }}
-      - if: ${{ !cancelled() }}
-        uses: codecov/test-results-action@v1
-        with:
-          flags: e2e
-          file: unittest.xml
-          token: ${{ secrets.CODECOV_TOKEN }}
   ci-core-mark:
-    if: always()
     needs:
       - lint
       - test-migrations
@@ -234,22 +202,59 @@ jobs:
       - test-e2e
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
   build:
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - amd64
+          - arm64
     needs: ci-core-mark
-    uses: ./.github/workflows/_reusable-docker-build.yaml
-    secrets: inherit
-    with:
-      image_name: ghcr.io/goauthentik/dev-server
-      release: false
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.0.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/dev-server
+          image-arch: ${{ matrix.arch }}
+      - name: Login to Container Registry
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: generate ts client
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          build-args: |
+            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/${{ matrix.arch }}
   pr-comment:
     needs:
       - build
@@ -271,7 +276,6 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
         uses: ./.github/actions/comment-pr-instructions
         with:
-          tag: ${{ steps.ev.outputs.imageMainTag }}
+          tag: gh-${{ steps.ev.outputs.imageMainTag }}

.github/workflows/ci-outpost.yml

@@ -29,9 +29,9 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v7
+        uses: golangci/golangci-lint-action@v4
         with:
-          version: latest
+          version: v1.54.2
           args: --timeout 5000s --verbose
           skip-cache: true
   test-unittest:
@@ -49,15 +49,12 @@ jobs:
         run: |
           go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
   ci-outpost-mark:
-    if: always()
     needs:
       - lint-golint
       - test-unittest
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
   build-container:
     timeout-minutes: 120
     needs:
@@ -72,17 +69,14 @@ jobs:
           - rac
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -93,7 +87,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -102,25 +96,17 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v5
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           platforms: linux/amd64,linux/arm64
           context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
   build-binary:
     timeout-minutes: 120
     needs:

.github/workflows/ci-web.yml

@@ -12,23 +12,14 @@ on:
       - version-*
 
 jobs:
-  lint:
+  lint-eslint:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        command:
-          - lint
-          - lint:lockfile
-          - tsc
-          - prettier-check
         project:
           - web
-        include:
-          - command: tsc
-            project: web
-          - command: lit-analyse
-            project: web
+          - tests/wdio
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -37,14 +28,83 @@ jobs:
           cache: "npm"
           cache-dependency-path: ${{ matrix.project }}/package-lock.json
       - working-directory: ${{ matrix.project }}/
-        run: |
-          npm ci
+        run: npm ci
       - name: Generate API
         run: make gen-client-ts
-      - name: Lint
+      - name: Eslint
         working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
+        run: npm run lint
+  lint-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: TSC
+        working-directory: web/
+        run: npm run tsc
+  lint-prettier:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        project:
+          - web
+          - tests/wdio
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: ${{ matrix.project }}/package.json
+          cache: "npm"
+          cache-dependency-path: ${{ matrix.project }}/package-lock.json
+      - working-directory: ${{ matrix.project }}/
+        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
+      - name: prettier
+        working-directory: ${{ matrix.project }}/
+        run: npm run prettier-check
+  lint-lit-analyse:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - working-directory: web/
+        run: |
+          npm ci
+          # lit-analyse doesn't understand path rewrites, so make it
+          # belive it's an actual module
+          cd node_modules/@goauthentik
+          ln -s ../../src/ web
+      - name: Generate API
+        run: make gen-client-ts
+      - name: lit-analyse
+        working-directory: web/
+        run: npm run lit-analyse
+  ci-web-mark:
+    needs:
+      - lint-eslint
+      - lint-prettier
+      - lint-lit-analyse
+      - lint-build
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo mark
   build:
+    needs:
+      - ci-web-mark
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -60,31 +120,3 @@ jobs:
       - name: build
         working-directory: web/
         run: npm run build
-  ci-web-mark:
-    if: always()
-    needs:
-      - build
-      - lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
-  test:
-    needs:
-      - ci-web-mark
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
-      - name: Generate API
-        run: make gen-client-ts
-      - name: test
-        working-directory: web/
-        run: npm run test || exit 0

.github/workflows/ci-website.yml

@@ -12,21 +12,20 @@ on:
       - version-*
 
 jobs:
-  lint:
+  lint-prettier:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint:lockfile
-          - prettier-check
     steps:
       - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
       - working-directory: website/
         run: npm ci
-      - name: Lint
+      - name: prettier
         working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: npm run prettier-check
   test:
     runs-on: ubuntu-latest
     steps:
@@ -62,13 +61,10 @@ jobs:
         working-directory: website/
         run: npm run ${{ matrix.job }}
   ci-website-mark:
-    if: always()
     needs:
-      - lint
+      - lint-prettier
       - test
       - build
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark

.github/workflows/gen-update-webauthn-mds.yml

@@ -1,44 +0,0 @@
-name: authentik-gen-update-webauthn-mds
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "30 1 1,15 * *"
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - id: generate_token
-        uses: tibdex/github-app-token@v2
-        with:
-          app_id: ${{ secrets.GH_APP_ID }}
-          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@v7
-        id: cpr
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          branch: update-fido-mds-client
-          commit-message: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
-          title: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
-          body: "stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs"
-          delete-branch: true
-          signoff: true
-          # ID from https://api.github.com/users/authentik-automation[bot]
-          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
-      - uses: peter-evans/enable-pull-request-automerge@v3
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
-          merge-method: squash

.github/workflows/ghcr-retention.yml

@@ -7,7 +7,6 @@ on:
 
 jobs:
   clean-ghcr:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     name: Delete old unused container images
     runs-on: ubuntu-latest
     steps:

.github/workflows/image-compress.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           githubToken: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@v7
+      - uses: peter-evans/create-pull-request@v6
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:

.github/workflows/packages-npm-publish.yml

@@ -1,45 +0,0 @@
-name: authentik-packages-npm-publish
-on:
-  push:
-    branches: [main]
-    paths:
-      - packages/docusaurus-config/**
-      - packages/eslint-config/**
-      - packages/prettier-config/**
-      - packages/tsconfig/**
-  workflow_dispatch:
-jobs:
-  publish:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        package:
-          - docusaurus-config
-          - eslint-config
-          - prettier-config
-          - tsconfig
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: packages/${{ matrix.package }}/package.json
-          registry-url: "https://registry.npmjs.org"
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
-        with:
-          files: |
-            packages/${{ matrix.package }}/package.json
-      - name: Publish package
-        if: steps.changed-files.outputs.any_changed == 'true'
-        working-directory: packages/${{ matrix.package}}
-        run: |
-          npm ci
-          npm run build
-          npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

.github/workflows/publish-source-docs.yml

@@ -12,7 +12,6 @@ env:
 
 jobs:
   publish-source-docs:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:
@@ -21,8 +20,8 @@ jobs:
         uses: ./.github/actions/setup
       - name: generate docs
         run: |
-          uv run make migrate
-          uv run ak build_source_docs
+          poetry run make migrate
+          poetry run ak build_source_docs
       - name: Publish
         uses: netlify/actions/cli@master
         with:

.github/workflows/release-next-branch.yml

@@ -11,7 +11,6 @@ permissions:
 
 jobs:
   update-next:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     environment: internal-production
     steps:

.github/workflows/release-publish.yml

@@ -7,27 +7,53 @@ on:
 
 jobs:
   build-server:
-    uses: ./.github/workflows/_reusable-docker-build.yaml
-    secrets: inherit
+    runs-on: ubuntu-latest
     permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    with:
-      image_name: ghcr.io/goauthentik/server,beryju/authentik
-      release: true
-      registry_dockerhub: true
-      registry_ghcr: true
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.0.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/server,beryju/authentik
+      - name: Docker Login Registry
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
+      - name: Build Docker Image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          platforms: linux/amd64,linux/arm64
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
       packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
     strategy:
       fail-fast: false
       matrix:
@@ -42,7 +68,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
+        uses: docker/setup-qemu-action@v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -68,22 +94,13 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
+        uses: docker/build-push-action@v5
         with:
           push: true
-          build-args: |
-            VERSION=${{ github.ref }}
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
@@ -128,27 +145,6 @@ jobs:
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           tag: ${{ github.ref }}
-  upload-aws-cfn-template:
-    permissions:
-      # Needed for AWS login
-      id-token: write
-      contents: read
-    needs:
-      - build-server
-      - build-outpost
-    env:
-      AWS_REGION: eu-central-1
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
-          aws-region: ${{ env.AWS_REGION }}
-      - name: Upload template
-        run: |
-          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
   test-release:
     needs:
       - build-server
@@ -159,12 +155,12 @@ jobs:
       - uses: actions/checkout@v4
       - name: Run test suite in final docker images
         run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
-          docker compose pull -q
-          docker compose up --no-start
-          docker compose start postgresql redis
-          docker compose run -u root server test-all
+          echo "PG_PASS=$(openssl rand -base64 32)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
+          docker-compose pull -q
+          docker-compose up --no-start
+          docker-compose start postgresql redis
+          docker-compose run -u root server test-all
   sentry-release:
     needs:
       - build-server
@@ -182,11 +178,11 @@ jobs:
           image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image
         run: |
-          docker pull ${{ steps.ev.outputs.imageMainName }}
-          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
+          docker pull ${{ steps.ev.outputs.imageMainTag }}
+          container=$(docker container create ${{ steps.ev.outputs.imageMainTag }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@v3
+        uses: getsentry/action-release@v1
         continue-on-error: true
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

.github/workflows/release-tag.yml

@@ -14,7 +14,16 @@ jobs:
       - uses: actions/checkout@v4
       - name: Pre-release test
         run: |
-          make test-docker
+          echo "PG_PASS=$(openssl rand -base64 32)" >> .env
+          echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
+          docker buildx install
+          mkdir -p ./gen-ts-api
+          docker build -t testing:latest .
+          echo "AUTHENTIK_IMAGE=testing" >> .env
+          echo "AUTHENTIK_TAG=latest" >> .env
+          docker-compose up --no-start
+          docker-compose start postgresql redis
+          docker-compose run -u root server test-all
       - id: generate_token
         uses: tibdex/github-app-token@v2
         with:

.github/workflows/repo-mirror.yml

@@ -1,21 +0,0 @@
-name: "authentik-repo-mirror"
-
-on: [push, delete]
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: pixta-dev/repository-mirroring-action@v1
-        with:
-          target_repo_url:
-            git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key:
-            ${{ secrets.GH_MIRROR_KEY }}
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-stale.yml

@@ -1,8 +1,8 @@
-name: "authentik-repo-stale"
+name: 'authentik-repo-stale'
 
 on:
   schedule:
-    - cron: "30 1 * * *"
+    - cron: '30 1 * * *'
   workflow_dispatch:
 
 permissions:
@@ -11,7 +11,6 @@ permissions:
 
 jobs:
   stale:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
@@ -24,8 +23,8 @@ jobs:
           repo-token: ${{ steps.generate_token.outputs.token }}
           days-before-stale: 60
           days-before-close: 7
-          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question,status/reviewing
-          stale-issue-label: status/stale
+          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question
+          stale-issue-label: wontfix
           stale-issue-message: >
             This issue has been automatically marked as stale because it has not had
             recent activity. It will be closed if no further activity occurs. Thank you

.github/workflows/semgrep.yml

@@ -1,27 +0,0 @@
-name: authentik-semgrep
-on:
-  workflow_dispatch: {}
-  pull_request: {}
-  push:
-    branches:
-      - main
-      - master
-    paths:
-      - .github/workflows/semgrep.yml
-  schedule:
-    # random HH:MM to avoid a load spike on GitHub Actions at 00:00
-    - cron: '12 15 * * *'
-jobs:
-  semgrep:
-    name: semgrep/ci
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    env:
-      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
-    container:
-      image: semgrep/semgrep
-    if: (github.actor != 'dependabot[bot]')
-    steps:
-      - uses: actions/checkout@v4
-      - run: semgrep ci

.github/workflows/translation-extract-compile.yml

@@ -1,13 +1,9 @@
 ---
-name: authentik-translate-extract-compile
+name: authentik-backend-translate-extract-compile
 on:
   schedule:
     - cron: "0 0 * * *" # every day at midnight
   workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-      - version-*
 
 env:
   POSTGRES_DB: authentik
@@ -19,31 +15,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
-        if: ${{ github.event_name != 'pull_request' }}
         uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.GH_APP_ID }}
           private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - uses: actions/checkout@v4
-        if: ${{ github.event_name != 'pull_request' }}
         with:
           token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@v4
-        if: ${{ github.event_name == 'pull_request' }}
       - name: Setup authentik env
         uses: ./.github/actions/setup
-      - name: Generate API
-        run: make gen-client-ts
       - name: run extract
         run: |
-          uv run make i18n-extract
+          poetry run make i18n-extract
       - name: run compile
         run: |
-          uv run ak compilemessages
+          poetry run ak compilemessages
           make web-check-compile
       - name: Create Pull Request
-        if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@v6
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: extract-compile-backend-translation

.github/workflows/web-api-publish.yml

@@ -1,4 +1,4 @@
-name: authentik-api-ts-publish
+name: authentik-web-api-publish
 on:
   push:
     branches: [main]
@@ -7,7 +7,6 @@ on:
   workflow_dispatch:
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token
@@ -32,16 +31,11 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
-        working-directory: web
+        working-directory: web/
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
-      - name: Upgrade /web/packages/sfe
-        working-directory: web/packages/sfe
-        run: |
-          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
-          npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@v7
+      - uses: peter-evans/create-pull-request@v6
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.gitignore

@@ -11,10 +11,6 @@ local_settings.py
 db.sqlite3
 media
 
-# Node
-
-node_modules
-
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@@ -37,7 +33,6 @@ eggs/
 lib64/
 parts/
 dist/
-out/
 sdist/
 var/
 wheels/
@@ -214,6 +209,3 @@ source_docs/
 
 ### Golang ###
 /vendor/
-
-### Docker ###
-docker-compose.override.yml

.prettierignore

@@ -1,47 +0,0 @@
-# Prettier Ignorefile
-
-## Static Files
-**/LICENSE
-
-authentik/stages/**/*
-
-## Build asset directories
-coverage
-dist
-out
-.docusaurus
-website/docs/developer-docs/api/**/*
-
-## Environment
-*.env
-
-## Secrets
-*.secrets
-
-## Yarn
-.yarn/**/*
-
-## Node
-node_modules
-coverage
-
-## Configs
-*.log
-*.yaml
-*.yml
-
-# Templates
-# TODO: Rename affected files to *.template.* or similar.
-*.html
-*.mdx
-*.md
-
-## Import order matters
-poly.ts
-src/locale-codes.ts
-src/locales/
-
-# Storybook
-storybook-static/
-.storybook/css-import-maps*
-

.vscode/extensions.json

@@ -2,7 +2,6 @@
     "recommendations": [
         "bashmish.es6-string-css",
         "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
-        "charliermarsh.ruff",
         "dbaeumer.vscode-eslint",
         "EditorConfig.EditorConfig",
         "esbenp.prettier-vscode",
@@ -11,10 +10,10 @@
         "Gruntfuggly.todo-tree",
         "mechatroner.rainbow-csv",
         "ms-python.black-formatter",
-        "ms-python.black-formatter",
-        "ms-python.debugpy",
+        "charliermarsh.ruff",
         "ms-python.python",
         "ms-python.vscode-pylance",
+        "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
         "unifiedjs.vscode-mdx",

.vscode/launch.json

@@ -2,76 +2,26 @@
     "version": "0.2.0",
     "configurations": [
         {
-            "name": "Debug: Attach Server Core",
-            "type": "debugpy",
+            "name": "Python: PDB attach Server",
+            "type": "python",
             "request": "attach",
             "connect": {
                 "host": "localhost",
-                "port": 9901
+                "port": 6800
             },
-            "pathMappings": [
-                {
-                    "localRoot": "${workspaceFolder}",
-                    "remoteRoot": "."
-                }
-            ],
+            "justMyCode": true,
             "django": true
         },
         {
-            "name": "Debug: Attach Worker",
-            "type": "debugpy",
+            "name": "Python: PDB attach Worker",
+            "type": "python",
             "request": "attach",
             "connect": {
                 "host": "localhost",
-                "port": 9901
+                "port": 6900
             },
-            "pathMappings": [
-                {
-                    "localRoot": "${workspaceFolder}",
-                    "remoteRoot": "."
-                }
-            ],
+            "justMyCode": true,
             "django": true
         },
-        {
-            "name": "Debug: Start Server Router",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/server",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start LDAP Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/ldap",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start Proxy Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/proxy",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start RAC Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/rac",
-            "cwd": "${workspaceFolder}"
-        },
-        {
-            "name": "Debug: Start Radius Outpost",
-            "type": "go",
-            "request": "launch",
-            "mode": "auto",
-            "program": "${workspaceFolder}/cmd/radius",
-            "cwd": "${workspaceFolder}"
-        }
     ]
 }

.vscode/settings.json

@@ -1,22 +1,40 @@
 {
+    "cSpell.words": [
+        "akadmin",
+        "asgi",
+        "authentik",
+        "authn",
+        "goauthentik",
+        "jwks",
+        "oidc",
+        "openid",
+        "plex",
+        "saml",
+        "totp",
+        "webauthn",
+        "traefik",
+        "passwordless",
+        "kubernetes",
+        "sso",
+        "slo",
+        "scim",
+    ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
-        "!Condition sequence",
-        "!Context scalar",
-        "!Enumerate sequence",
-        "!Env scalar",
         "!Find sequence",
-        "!Format sequence",
-        "!If sequence",
-        "!Index scalar",
         "!KeyOf scalar",
-        "!Value scalar",
-        "!AtIndex scalar"
+        "!Context scalar",
+        "!Context sequence",
+        "!Format sequence",
+        "!Condition sequence",
+        "!Env sequence",
+        "!Env scalar",
+        "!If sequence"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",
-    "typescript.tsdk": "./node_modules/typescript/lib",
+    "typescript.tsdk": "./web/node_modules/typescript/lib",
     "typescript.enablePromptUseWorkspaceTsdk": true,
     "yaml.schemas": {
         "./blueprints/schema.json": "blueprints/**/*.yaml"
@@ -29,6 +47,10 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": ["-count=1"],
-    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"]
+    "go.testFlags": [
+        "-count=1"
+    ],
+    "github-actions.workflows.pinned.workflows": [
+        ".github/workflows/ci-main.yml"
+    ]
 }

.vscode/tasks.json

@@ -2,91 +2,85 @@
     "version": "2.0.0",
     "tasks": [
         {
-            "label": "authentik/core: make",
-            "command": "uv",
+            "label": "authentik[core]: format & test",
+            "command": "poetry",
+            "args": [
+                "run",
+                "make"
+            ],
+            "group": "build",
+        },
+        {
+            "label": "authentik[core]: run",
+            "command": "poetry",
             "args": [
                 "run",
                 "make",
-                "lint-fix",
-                "lint"
-            ],
-            "presentation": {
-                "panel": "new"
-            },
-            "group": "test"
-        },
-        {
-            "label": "authentik/core: run",
-            "command": "uv",
-            "args": [
                 "run",
-                "ak",
-                "server"
             ],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
-            "label": "authentik/web: make",
+            "label": "authentik[web]: format",
             "command": "make",
-            "args": [
-                "web"
-            ],
-            "group": "build"
+            "args": ["web"],
+            "group": "build",
         },
         {
-            "label": "authentik/web: watch",
+            "label": "authentik[web]: watch",
             "command": "make",
-            "args": [
-                "web-watch"
-            ],
+            "args": ["web-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
             "label": "authentik: install",
             "command": "make",
-            "args": [
-                "install",
-                "-j4"
-            ],
-            "group": "build"
+            "args": ["install"],
+            "group": "build",
         },
         {
-            "label": "authentik/website: make",
-            "command": "make",
+            "label": "authentik: i18n-extract",
+            "command": "poetry",
             "args": [
-                "website"
+                "run",
+                "make",
+                "i18n-extract"
             ],
-            "group": "build"
+            "group": "build",
         },
         {
-            "label": "authentik/website: watch",
+            "label": "authentik[website]: format",
             "command": "make",
-            "args": [
-                "website-watch"
-            ],
+            "args": ["website"],
+            "group": "build",
+        },
+        {
+            "label": "authentik[website]: watch",
+            "command": "make",
+            "args": ["website-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            }
+            },
         },
         {
-            "label": "authentik/api: generate",
-            "command": "uv",
+            "label": "authentik[api]: generate",
+            "command": "poetry",
             "args": [
                 "run",
                 "make",
                 "gen"
             ],
             "group": "build"
-        }
+        },
     ]
 }

CODEOWNERS

@@ -10,30 +10,19 @@ schemas/                        @goauthentik/backend
 scripts/                        @goauthentik/backend
 tests/                          @goauthentik/backend
 pyproject.toml                  @goauthentik/backend
-uv.lock                         @goauthentik/backend
+poetry.lock                     @goauthentik/backend
 go.mod                          @goauthentik/backend
 go.sum                          @goauthentik/backend
 # Infrastructure
 .github/                        @goauthentik/infrastructure
-lifecycle/aws/                  @goauthentik/infrastructure
 Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure
 docker-compose.yml              @goauthentik/infrastructure
-Makefile                        @goauthentik/infrastructure
-.editorconfig                   @goauthentik/infrastructure
-CODEOWNERS                      @goauthentik/infrastructure
-# Web packages
-packages/                       @goauthentik/frontend
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
-# Locale
-locale/                         @goauthentik/backend @goauthentik/frontend
-web/xliff/                      @goauthentik/backend @goauthentik/frontend
 # Docs & Website
 website/                        @goauthentik/docs
-CODE_OF_CONDUCT.md              @goauthentik/docs
 # Security
-SECURITY.md                     @goauthentik/security @goauthentik/docs
-website/docs/security/          @goauthentik/security @goauthentik/docs
+website/docs/security/          @goauthentik/security

CODE_OF_CONDUCT.md

@@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socioeconomic status,
+identity and expression, level of experience, education, socio-economic status,
 nationality, personal appearance, race, religion, or sexual identity
 and orientation.
 

CONTRIBUTING.md

@@ -1 +1 @@
-website/docs/developer-docs/index.md
+website/developer-docs/index.md

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:21 as website-builder
 
 ENV NODE_ENV=production
 
@@ -20,22 +20,17 @@ COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/node:21 as web-builder
 
-ARG GIT_BUILD_HASH
-ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production
 
 WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
-    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
-COPY ./package.json /work
 COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
@@ -43,7 +38,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.22.1-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -54,11 +49,6 @@ ARG GOARCH=$TARGETARCH
 
 WORKDIR /go/src/goauthentik.io
 
-RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
-    dpkg --add-architecture arm64 && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends crossbuild-essential-arm64 gcc-aarch64-linux-gnu
-
 RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
     --mount=type=bind,target=/go/src/goauthentik.io/go.sum,src=./go.sum \
     --mount=type=cache,target=/go/pkg/mod \
@@ -73,17 +63,17 @@ COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
 
+ENV CGO_ENABLED=0
+
 RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     --mount=type=cache,id=go-build-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/root/.cache/go-build \
-    if [ "$TARGETARCH" = "arm64" ]; then export CC=aarch64-linux-gnu-gcc && export CC_FOR_TARGET=gcc-aarch64-linux-gnu; fi && \
-    CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
-    go build -o /go/authentik ./cmd/server
+    GOARM="${TARGETVARIANT#v}" go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v6.1 as geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
-ENV GEOIPUPDATE_VERBOSE="1"
+ENV GEOIPUPDATE_VERBOSE="true"
 ENV GEOIPUPDATE_ACCOUNT_ID_FILE="/run/secrets/GEOIPUPDATE_ACCOUNT_ID"
 ENV GEOIPUPDATE_LICENSE_KEY_FILE="/run/secrets/GEOIPUPDATE_LICENSE_KEY"
 
@@ -93,80 +83,53 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     mkdir -p /usr/share/GeoIP && \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
-# Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.2 AS uv
-# Stage 6: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base
+# Stage 5: Python dependencies
+FROM docker.io/python:3.12.2-slim-bookworm AS python-deps
 
-ENV VENV_PATH="/ak-root/.venv" \
-    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
-    UV_COMPILE_BYTECODE=1 \
-    UV_LINK_MODE=copy \
-    UV_NATIVE_TLS=1 \
-    UV_PYTHON_DOWNLOADS=0
+WORKDIR /ak-root/poetry
 
-WORKDIR /ak-root/
-
-COPY --from=uv /uv /uvx /bin/
-
-# Stage 7: Python dependencies
-FROM python-base AS python-deps
-
-ARG TARGETARCH
-ARG TARGETVARIANT
+ENV VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false \
+    PATH="/ak-root/venv/bin:$PATH"
 
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 
-ENV PATH="/root/.cargo/bin:$PATH"
-
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
-    apt-get install -y --no-install-recommends \
-    # Build essentials
-    build-essential pkg-config libffi-dev git \
-    # cryptography
-    curl \
-    # libxml
-    libxslt-dev zlib1g-dev \
-    # postgresql
-    libpq-dev \
-    # python-kadmin-rs
-    clang libkrb5-dev sccache \
-    # xmlsec
-    libltdl-dev && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y
+    apt-get install -y --no-install-recommends build-essential pkg-config libxmlsec1-dev zlib1g-dev libpq-dev
 
-ENV UV_NO_BINARY_PACKAGE="cryptography lxml python-kadmin-rs xmlsec"
+RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
+    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
+    --mount=type=cache,target=/root/.cache/pip \
+    --mount=type=cache,target=/root/.cache/pypoetry \
+    python -m venv /ak-root/venv/ && \
+    bash -c "source ${VENV_PATH}/bin/activate && \
+        pip3 install --upgrade pip && \
+        pip3 install poetry && \
+        poetry install --only=main --no-ansi --no-interaction --no-root"
 
-RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
-    --mount=type=bind,target=uv.lock,src=uv.lock \
-    --mount=type=cache,target=/root/.cache/uv \
-    uv sync --frozen --no-install-project --no-dev
+# Stage 6: Run
+FROM docker.io/python:3.12.2-slim-bookworm AS final-image
 
-# Stage 8: Run
-FROM python-base AS final-image
-
-ARG VERSION
 ARG GIT_BUILD_HASH
+ARG VERSION
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
-LABEL org.opencontainers.image.url=https://goauthentik.io
-LABEL org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info."
-LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
-LABEL org.opencontainers.image.version=${VERSION}
-LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
+LABEL org.opencontainers.image.url https://goauthentik.io
+LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
+LABEL org.opencontainers.image.source https://github.com/goauthentik/authentik
+LABEL org.opencontainers.image.version ${VERSION}
+LABEL org.opencontainers.image.revision ${GIT_BUILD_HASH}
 
 WORKDIR /
 
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
-    apt-get upgrade -y && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
+    apt-get install -y --no-install-recommends libpq5 openssl libxmlsec1-openssl libmaxminddb0 ca-certificates && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
-    pip3 install --no-cache-dir --upgrade pip && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
@@ -177,16 +140,15 @@ RUN apt-get update && \
 
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
-COPY ./uv.lock /
+COPY ./poetry.lock /
 COPY ./schemas /schemas
 COPY ./locale /locale
 COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
-COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
-COPY --from=python-deps /ak-root/.venv /ak-root/.venv
+COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
 COPY --from=website-builder /work/website/build/ /website/help/
@@ -197,7 +159,9 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
     PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
-    GOFIPS=1
+    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
+    VENV_PATH="/ak-root/venv" \
+    POETRY_VIRTUALENVS_CREATE=false
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
 

Makefile

@@ -1,21 +1,33 @@
 .PHONY: gen dev-reset all clean test web website
 
-SHELL := /usr/bin/env bash
-.SHELLFLAGS += ${SHELLFLAGS} -e -o pipefail
+.SHELLFLAGS += ${SHELLFLAGS} -e
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
-NPM_VERSION = $(shell python -m scripts.generate_semver)
+NPM_VERSION = $(shell python -m scripts.npm_version)
 PY_SOURCES = authentik tests scripts lifecycle .github
 DOCKER_IMAGE ?= "authentik:test"
 
-GEN_API_TS = gen-ts-api
-GEN_API_PY = gen-py-api
-GEN_API_GO = gen-go-api
+GEN_API_TS = "gen-ts-api"
+GEN_API_GO = "gen-go-api"
 
-pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/null)
-pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
-pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)
+pg_user := $(shell python -m authentik.lib.config postgresql.user 2>/dev/null)
+pg_host := $(shell python -m authentik.lib.config postgresql.host 2>/dev/null)
+pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
+
+CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
+		-I .github/codespell-words.txt \
+		-S 'web/src/locales/**' \
+		authentik \
+		internal \
+		cmd \
+		web/src \
+		website/src \
+		website/blog \
+		website/developer-docs \
+		website/docs \
+		website/integrations \
+		website/src
 
 all: lint-fix lint test gen web  ## Lint, build, and test everything
 
@@ -29,41 +41,42 @@ help:  ## Show this help
 		sort
 	@echo ""
 
-go-test:
+test-go:
 	go test -timeout 0 -v -race -cover ./...
 
+test-docker:  ## Run all tests in a docker-compose
+	echo "PG_PASS=$(openssl rand -base64 32)" >> .env
+	echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 32)" >> .env
+	docker-compose pull -q
+	docker-compose up --no-start
+	docker-compose start postgresql redis
+	docker-compose run -u root server test-all
+	rm -f .env
+
 test: ## Run the server tests and produce a coverage report (locally)
-	uv run coverage run manage.py test --keepdb authentik
-	uv run coverage html
-	uv run coverage report
+	coverage run manage.py test --keepdb authentik
+	coverage html
+	coverage report
 
-lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
-	uv run black $(PY_SOURCES)
-	uv run ruff check --fix $(PY_SOURCES)
-
-lint-codespell:  ## Reports spelling errors.
-	uv run codespell -w
+lint-fix:  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+	black $(PY_SOURCES)
+	ruff check --fix $(PY_SOURCES)
+	codespell -w $(CODESPELL_ARGS)
 
 lint: ## Lint the python and golang sources
-	uv run bandit -c pyproject.toml -r $(PY_SOURCES)
+	bandit -r $(PY_SOURCES) -x node_modules
 	golangci-lint run -v
 
 core-install:
-	uv sync --frozen
+	poetry install
 
 migrate: ## Run the Authentik Django server's migrations
-	uv run python -m lifecycle.migrate
+	python -m lifecycle.migrate
 
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
-aws-cfn:
-	cd lifecycle/aws && npm run aws-cfn
-
-run:  ## Run the main authentik server process
-	uv run ak server
-
 core-i18n-extract:
-	uv run ak makemessages \
+	ak makemessages \
 		--add-location file \
 		--no-obsolete \
 		--ignore web \
@@ -94,11 +107,11 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema > blueprints/schema.json
+		ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak spectacular --file schema.yml
+		ak spectacular --file schema.yml
 
 gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
 	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
@@ -118,48 +131,49 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	npx prettier --write diff.md
 
 gen-clean-ts:  ## Remove generated API client for Typescript
-	rm -rf ${PWD}/${GEN_API_TS}/
-	rm -rf ${PWD}/web/node_modules/@goauthentik/api/
+	rm -rf ./${GEN_API_TS}/
+	rm -rf ./web/node_modules/@goauthentik/api/
 
-gen-clean-go:  ## Remove generated API client for Go
-	mkdir -p ${PWD}/${GEN_API_GO}
-ifneq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
-	make -C ${PWD}/${GEN_API_GO} clean
-else
-	rm -rf ${PWD}/${GEN_API_GO}
-endif
+gen-clean-go:  ## Remove generated API client for Go
+	rm -rf ./${GEN_API_GO}/
 
-gen-clean-py:  ## Remove generated API client for Python
-	rm -rf ${PWD}/${GEN_API_PY}/
-
-gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients
+gen-clean: gen-clean-ts gen-clean-go  ## Remove generated API clients
 
 gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
-    ./scripts/gen-client-ts.mjs
-
-    npm i --prefix ${GEN_API_TS}
-
-    cd ./${GEN_API_TS} && npm link
-    cd ./web && npm link @goauthentik/api
-
-gen-client-py: gen-clean-py ## Build and install the authentik API for Python
-    ./scripts/gen-client-py.mjs
-
-	pip install ./${GEN_API_PY}
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		-i /local/schema.yml \
+		-g typescript-fetch \
+		-o /local/${GEN_API_TS} \
+		-c /local/scripts/api-ts-config.yaml \
+		--additional-properties=npmVersion=${NPM_VERSION} \
+		--git-repo-id authentik \
+		--git-user-id goauthentik
+	mkdir -p web/node_modules/@goauthentik/api
+	cd ./${GEN_API_TS} && npm i
+	\cp -rf ./${GEN_API_TS}/* web/node_modules/@goauthentik/api
 
 gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
-	mkdir -p ${PWD}/${GEN_API_GO}
-ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
-	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
-else
-	cd ${PWD}/${GEN_API_GO} && git pull
-endif
-	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
-	make -C ${PWD}/${GEN_API_GO} build
+	mkdir -p ./${GEN_API_GO} ./${GEN_API_GO}/templates
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/config.yaml -O ./${GEN_API_GO}/config.yaml
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/README.mustache -O ./${GEN_API_GO}/templates/README.mustache
+	wget https://raw.githubusercontent.com/goauthentik/client-go/main/templates/go.mod.mustache -O ./${GEN_API_GO}/templates/go.mod.mustache
+	cp schema.yml ./${GEN_API_GO}/
+	docker run \
+		--rm -v ${PWD}/${GEN_API_GO}:/local \
+		--user ${UID}:${GID} \
+		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		-i /local/schema.yml \
+		-g go \
+		-o /local/ \
+		-c /local/config.yaml
 	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}
+	rm -rf ./${GEN_API_GO}/config.yaml ./${GEN_API_GO}/templates/
 
 gen-dev-config:  ## Generate a local development config file
-	uv run scripts/generate_config.py
+	python -m scripts.generate_config
 
 gen: gen-build gen-client-ts
 
@@ -175,9 +189,6 @@ web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting is
 web-install:  ## Install the necessary libraries to build the Authentik UI
 	cd web && npm ci
 
-web-test: ## Run tests for the Authentik UI
-	cd web && npm run test
-
 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
 	rm -rf web/dist/
 	mkdir web/dist/
@@ -209,7 +220,7 @@ website: website-lint-fix website-build  ## Automatically fix formatting issues
 website-install:
 	cd website && npm ci
 
-website-lint-fix: lint-codespell
+website-lint-fix:
 	cd website && npm run prettier
 
 website-build:
@@ -223,12 +234,8 @@ website-watch:  ## Build and watch the documentation website, updating automatic
 #########################
 
 docker:  ## Build a docker image of the current source tree
-	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}
 
-test-docker:
-	BUILD=true ${PWD}/scripts/test_docker.sh
-
 #########################
 ## CI
 #########################
@@ -240,10 +247,16 @@ ci--meta-debug:
 	node --version
 
 ci-black: ci--meta-debug
-	uv run black --check $(PY_SOURCES)
+	black --check $(PY_SOURCES)
 
 ci-ruff: ci--meta-debug
-	uv run ruff check $(PY_SOURCES)
+	ruff check $(PY_SOURCES)
 
 ci-codespell: ci--meta-debug
-	uv run codespell -s
+	codespell $(CODESPELL_ARGS) -s
+
+ci-bandit: ci--meta-debug
+	bandit -r $(PY_SOURCES)
+
+ci-pending-migrations: ci--meta-debug
+	ak makemigrations --check

README.md

@@ -15,9 +15,7 @@
 
 ## What is authentik?
 
-authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols.
-
-Our [enterprise offer](https://goauthentik.io/pricing) can also be used as a self-hosted replacement for large-scale deployments of Okta/Auth0, Entra ID, Ping Identity, or other legacy IdPs for employees and B2B2C use.
+authentik is an open-source Identity Provider that emphasizes flexibility and versatility. It can be seamlessly integrated into existing environments to support new protocols. authentik is also a great solution for implementing sign-up, recovery, and other similar features in your application, saving you the hassle of dealing with them.
 
 ## Installation
 
@@ -27,14 +25,14 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 
 ## Screenshots
 
-| Light                                                       | Dark                                                       |
-| ----------------------------------------------------------- | ---------------------------------------------------------- |
-| ![](https://docs.goauthentik.io/img/screen_apps_light.jpg)  | ![](https://docs.goauthentik.io/img/screen_apps_dark.jpg)  |
-| ![](https://docs.goauthentik.io/img/screen_admin_light.jpg) | ![](https://docs.goauthentik.io/img/screen_admin_dark.jpg) |
+| Light                                                  | Dark                                                  |
+| ------------------------------------------------------ | ----------------------------------------------------- |
+| ![](https://goauthentik.io/img/screen_apps_light.jpg)  | ![](https://goauthentik.io/img/screen_apps_dark.jpg)  |
+| ![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg) |
 
 ## Development
 
-See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
+See [Developer Documentation](https://goauthentik.io/developer-docs/?utm_source=github)
 
 ## Security
 

SECURITY.md

@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 
 ## Independent audits and pentests
 
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specific audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
 
 ## What authentik classifies as a CVE
 
@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version   | Supported |
-| --------- | --------- |
-| 2025.2.x  | ✅        |
-| 2025.4.x  | ✅        |
+| Version | Supported |
+| --- | --- |
+| 2023.6.x | ✅ |
+| 2023.8.x | ✅ |
 
 ## Reporting a Vulnerability
 
@@ -31,12 +31,12 @@ To report a vulnerability, send an email to [security@goauthentik.io](mailto:se
 
 authentik reserves the right to reclassify CVSS as necessary. To determine severity, we will use the CVSS calculator from NVD (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The calculated CVSS score will then be translated into one of the following categories:
 
-| Score      | Severity |
-| ---------- | -------- |
-| 0.0        | None     |
-| 0.1 – 3.9  | Low      |
-| 4.0 – 6.9  | Medium   |
-| 7.0 – 8.9  | High     |
+| Score | Severity |
+| --- | --- |
+| 0.0 | None |
+| 0.1 – 3.9 | Low |
+| 4.0 – 6.9 | Medium |
+| 7.0 – 8.9 | High |
 | 9.0 – 10.0 | Critical |
 
 ## Disclosure process

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2025.4.0"
+__version__ = "2024.2.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 
@@ -16,5 +16,5 @@ def get_full_version() -> str:
     """Get full version, with build hash appended"""
     version = __version__
     if (build_hash := get_build_hash()) != "":
-        return f"{version}+{build_hash}"
+        version += "." + build_hash
     return version

authentik/admin/api/system.py

@@ -2,23 +2,18 @@
 
 import platform
 from datetime import datetime
-from ssl import OPENSSL_VERSION
 from sys import version as python_version
 from typing import TypedDict
 
-from cryptography.hazmat.backends.openssl.backend import backend
-from django.conf import settings
 from django.utils.timezone import now
-from django.views.debug import SafeExceptionReporterFilter
 from drf_spectacular.utils import extend_schema
+from gunicorn import version_info as gunicorn_version
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from authentik import get_full_version
 from authentik.core.api.utils import PassiveSerializer
-from authentik.enterprise.license import LicenseKey
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import get_env
 from authentik.outposts.apps import MANAGED_OUTPOST
@@ -30,13 +25,11 @@ class RuntimeDict(TypedDict):
     """Runtime information"""
 
     python_version: str
+    gunicorn_version: str
     environment: str
     architecture: str
     platform: str
     uname: str
-    openssl_version: str
-    openssl_fips_enabled: bool | None
-    authentik_version: str
 
 
 class SystemInfoSerializer(PassiveSerializer):
@@ -54,16 +47,10 @@ class SystemInfoSerializer(PassiveSerializer):
     def get_http_headers(self, request: Request) -> dict[str, str]:
         """Get HTTP Request headers"""
         headers = {}
-        raw_session = request._request.COOKIES.get(settings.SESSION_COOKIE_NAME)
         for key, value in request.META.items():
             if not isinstance(value, str):
                 continue
-            actual_value = value
-            if raw_session is not None and raw_session in actual_value:
-                actual_value = actual_value.replace(
-                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
-                )
-            headers[key] = actual_value
+            headers[key] = value
         return headers
 
     def get_http_host(self, request: Request) -> str:
@@ -77,15 +64,11 @@ class SystemInfoSerializer(PassiveSerializer):
     def get_runtime(self, request: Request) -> RuntimeDict:
         """Get versions"""
         return {
-            "architecture": platform.machine(),
-            "authentik_version": get_full_version(),
-            "environment": get_env(),
-            "openssl_fips_enabled": (
-                backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
-            ),
-            "openssl_version": OPENSSL_VERSION,
-            "platform": platform.platform(),
             "python_version": python_version,
+            "gunicorn_version": ".".join(str(x) for x in gunicorn_version),
+            "environment": get_env(),
+            "architecture": platform.machine(),
+            "platform": platform.platform(),
             "uname": " ".join(platform.uname()),
         }
 

authentik/admin/api/version.py

@@ -10,9 +10,8 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from authentik import __version__, get_build_hash
-from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
+from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
-from authentik.outposts.models import Outpost
 
 
 class VersionSerializer(PassiveSerializer):
@@ -20,10 +19,8 @@ class VersionSerializer(PassiveSerializer):
 
     version_current = SerializerMethodField()
     version_latest = SerializerMethodField()
-    version_latest_valid = SerializerMethodField()
     build_hash = SerializerMethodField()
     outdated = SerializerMethodField()
-    outpost_outdated = SerializerMethodField()
 
     def get_build_hash(self, _) -> str:
         """Get build hash, if version is not latest or released"""
@@ -41,23 +38,10 @@ class VersionSerializer(PassiveSerializer):
             return __version__
         return version_in_cache
 
-    def get_version_latest_valid(self, _) -> bool:
-        """Check if latest version is valid"""
-        return cache.get(VERSION_CACHE_KEY) != VERSION_NULL
-
     def get_outdated(self, instance) -> bool:
         """Check if we're running the latest version"""
         return parse(self.get_version_current(instance)) < parse(self.get_version_latest(instance))
 
-    def get_outpost_outdated(self, _) -> bool:
-        """Check if any outpost is outdated/has a version mismatch"""
-        any_outdated = False
-        for outpost in Outpost.objects.all():
-            for state in outpost.state:
-                if state.version_outdated:
-                    any_outdated = True
-        return any_outdated
-
 
 class VersionView(APIView):
     """Get running and latest version."""

authentik/admin/api/version_history.py

@@ -1,33 +0,0 @@
-from rest_framework.permissions import IsAdminUser
-from rest_framework.viewsets import ReadOnlyModelViewSet
-
-from authentik.admin.models import VersionHistory
-from authentik.core.api.utils import ModelSerializer
-
-
-class VersionHistorySerializer(ModelSerializer):
-    """VersionHistory Serializer"""
-
-    class Meta:
-        model = VersionHistory
-        fields = [
-            "id",
-            "timestamp",
-            "version",
-            "build",
-        ]
-
-
-class VersionHistoryViewSet(ReadOnlyModelViewSet):
-    """VersionHistory Viewset"""
-
-    queryset = VersionHistory.objects.all()
-    serializer_class = VersionHistorySerializer
-    permission_classes = [IsAdminUser]
-    filterset_fields = [
-        "version",
-        "build",
-    ]
-    search_fields = ["version", "build"]
-    ordering = ["-timestamp"]
-    pagination_class = None

authentik/admin/api/workers.py

@@ -1,16 +1,12 @@
 """authentik administration overview"""
 
-from socket import gethostname
-
 from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
-from packaging.version import parse
-from rest_framework.fields import BooleanField, CharField
+from rest_framework.fields import IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from authentik import get_full_version
 from authentik.rbac.permissions import HasPermission
 from authentik.root.celery import CELERY_APP
 
@@ -20,38 +16,11 @@ class WorkerView(APIView):
 
     permission_classes = [HasPermission("authentik_rbac.view_system_info")]
 
-    @extend_schema(
-        responses=inline_serializer(
-            "Worker",
-            fields={
-                "worker_id": CharField(),
-                "version": CharField(),
-                "version_matching": BooleanField(),
-            },
-            many=True,
-        )
-    )
+    @extend_schema(responses=inline_serializer("Workers", fields={"count": IntegerField()}))
     def get(self, request: Request) -> Response:
         """Get currently connected worker count."""
-        raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
-        our_version = parse(get_full_version())
-        response = []
-        for worker in raw:
-            key = list(worker.keys())[0]
-            version = worker[key].get("version")
-            version_matching = False
-            if version:
-                version_matching = parse(version) == our_version
-            response.append(
-                {"worker_id": key, "version": version, "version_matching": version_matching}
-            )
+        count = len(CELERY_APP.control.ping(timeout=0.5))
         # In debug we run with `task_always_eager`, so tasks are ran on the main process
         if settings.DEBUG:  # pragma: no cover
-            response.append(
-                {
-                    "worker_id": f"authentik-debug@{gethostname()}",
-                    "version": get_full_version(),
-                    "version_matching": True,
-                }
-            )
-        return Response(response)
+            count += 1
+        return Response({"count": count})

authentik/admin/apps.py

@@ -1,10 +1,11 @@
 """authentik admin app config"""
 
-from prometheus_client import Info
+from prometheus_client import Gauge, Info
 
 from authentik.blueprints.apps import ManagedAppConfig
 
 PROM_INFO = Info("authentik_version", "Currently running authentik version")
+GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 
 
 class AuthentikAdminConfig(ManagedAppConfig):

authentik/admin/models.py

@@ -1,22 +0,0 @@
-"""authentik admin models"""
-
-from django.db import models
-from django.utils.translation import gettext_lazy as _
-
-
-class VersionHistory(models.Model):
-    id = models.BigAutoField(primary_key=True)
-    timestamp = models.DateTimeField()
-    version = models.TextField()
-    build = models.TextField()
-
-    class Meta:
-        managed = False
-        db_table = "authentik_version_history"
-        ordering = ("-timestamp",)
-        verbose_name = _("Version history")
-        verbose_name_plural = _("Version history")
-        default_permissions = []
-
-    def __str__(self):
-        return f"{self.version}.{self.build} ({self.timestamp})"

authentik/admin/signals.py

@@ -1,35 +1,14 @@
 """admin signals"""
 
 from django.dispatch import receiver
-from packaging.version import parse
-from prometheus_client import Gauge
 
-from authentik import get_full_version
+from authentik.admin.apps import GAUGE_WORKERS
 from authentik.root.celery import CELERY_APP
 from authentik.root.monitoring import monitoring_set
 
-GAUGE_WORKERS = Gauge(
-    "authentik_admin_workers",
-    "Currently connected workers, their versions and if they are the same version as authentik",
-    ["version", "version_matched"],
-)
-
-
-_version = parse(get_full_version())
-
 
 @receiver(monitoring_set)
 def monitoring_set_workers(sender, **kwargs):
     """Set worker gauge"""
-    raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
-    worker_version_count = {}
-    for worker in raw:
-        key = list(worker.keys())[0]
-        version = worker[key].get("version")
-        version_matching = False
-        if version:
-            version_matching = parse(version) == _version
-        worker_version_count.setdefault(version, {"count": 0, "matching": version_matching})
-        worker_version_count[version]["count"] += 1
-    for version, stats in worker_version_count.items():
-        GAUGE_WORKERS.labels(version, stats["matching"]).set(stats["count"])
+    count = len(CELERY_APP.control.ping(timeout=0.5))
+    GAUGE_WORKERS.set(count)

authentik/admin/tasks.py

@@ -1,8 +1,10 @@
 """authentik admin tasks"""
 
+import re
+
 from django.core.cache import cache
+from django.core.validators import URLValidator
 from django.db import DatabaseError, InternalError, ProgrammingError
-from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger
@@ -16,9 +18,10 @@ from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
-VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
+# Chop of the first ^ because we want to search the entire string
+URL_FINDER = URLValidator.regex.pattern[1:]
 LOCAL_VERSION = parse(__version__)
 
 
@@ -52,7 +55,7 @@ def clear_update_notifications():
 def update_latest_version(self: SystemTask):
     """Update latest version info"""
     if CONFIG.get_bool("disable_update_check"):
-        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
+        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
         self.set_status(TaskStatus.WARNING, "Version check disabled.")
         return
     try:
@@ -74,18 +77,12 @@ def update_latest_version(self: SystemTask):
                 context__new_version=upstream_version,
             ).exists():
                 return
-            Event.new(
-                EventAction.UPDATE_AVAILABLE,
-                message=_(
-                    "New version {version} available!".format(
-                        version=upstream_version,
-                    )
-                ),
-                new_version=upstream_version,
-                changelog=data.get("stable", {}).get("changelog_url"),
-            ).save()
+            event_dict = {"new_version": upstream_version}
+            if match := re.search(URL_FINDER, data.get("stable", {}).get("changelog", "")):
+                event_dict["message"] = f"Changelog: {match.group()}"
+            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
     except (RequestException, IndexError) as exc:
-        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
+        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
         self.set_error(exc)
 
 

authentik/admin/tests/test_api.py

@@ -34,7 +34,7 @@ class TestAdminAPI(TestCase):
         response = self.client.get(reverse("authentik_api:admin_workers"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content)
-        self.assertEqual(len(body), 0)
+        self.assertEqual(body["count"], 0)
 
     def test_metrics(self):
         """Test metrics API"""

authentik/admin/tests/test_tasks.py

@@ -17,7 +17,6 @@ RESPONSE_VALID = {
     "stable": {
         "version": "99999999.9999999",
         "changelog": "See https://goauthentik.io/test",
-        "changelog_url": "https://goauthentik.io/test",
         "reason": "bugfix",
     },
 }
@@ -36,7 +35,7 @@ class TestAdminTasks(TestCase):
                 Event.objects.filter(
                     action=EventAction.UPDATE_AVAILABLE,
                     context__new_version="99999999.9999999",
-                    context__message="New version 99999999.9999999 available!",
+                    context__message="Changelog: https://goauthentik.io/test",
                 ).exists()
             )
             # test that a consecutive check doesn't create a duplicate event
@@ -46,7 +45,7 @@ class TestAdminTasks(TestCase):
                     Event.objects.filter(
                         action=EventAction.UPDATE_AVAILABLE,
                         context__new_version="99999999.9999999",
-                        context__message="New version 99999999.9999999 available!",
+                        context__message="Changelog: https://goauthentik.io/test",
                     )
                 ),
                 1,

authentik/admin/urls.py

@@ -6,7 +6,6 @@ from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
-from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.admin.api.workers import WorkerView
 
 api_urlpatterns = [
@@ -18,7 +17,6 @@ api_urlpatterns = [
         name="admin_metrics",
     ),
     path("admin/version/", VersionView.as_view(), name="admin_version"),
-    ("admin/version/history", VersionHistoryViewSet, "version_history"),
     path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
     path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]

authentik/api/apps.py

@@ -10,3 +10,26 @@ class AuthentikAPIConfig(AppConfig):
     label = "authentik_api"
     mountpoint = "api/"
     verbose_name = "authentik API"
+
+    def ready(self) -> None:
+        from drf_spectacular.extensions import OpenApiAuthenticationExtension
+
+        from authentik.api.authentication import TokenAuthentication
+
+        # Class is defined here as it needs to be created early enough that drf-spectacular will
+        # find it, but also won't cause any import issues
+
+        class TokenSchema(OpenApiAuthenticationExtension):
+            """Auth schema"""
+
+            target_class = TokenAuthentication
+            name = "authentik"
+
+            def get_security_definition(self, auto_schema):
+                """Auth schema"""
+                return {
+                    "type": "apiKey",
+                    "in": "header",
+                    "name": "Authorization",
+                    "scheme": "bearer",
+                }

authentik/api/authentication.py

@@ -4,7 +4,6 @@ from hmac import compare_digest
 from typing import Any
 
 from django.conf import settings
-from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
@@ -103,14 +102,3 @@ class TokenAuthentication(BaseAuthentication):
             return None
 
         return (user, None)  # pragma: no cover
-
-
-class TokenSchema(OpenApiAuthenticationExtension):
-    """Auth schema"""
-
-    target_class = TokenAuthentication
-    name = "authentik"
-
-    def get_security_definition(self, auto_schema):
-        """Auth schema"""
-        return {"type": "http", "scheme": "bearer"}

authentik/api/authorization.py

@@ -0,0 +1,67 @@
+"""API Authorization"""
+
+from django.conf import settings
+from django.db.models import Model
+from django.db.models.query import QuerySet
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.authentication import get_authorization_header
+from rest_framework.filters import BaseFilterBackend
+from rest_framework.permissions import BasePermission
+from rest_framework.request import Request
+
+from authentik.api.authentication import validate_auth
+from authentik.rbac.filters import ObjectFilter
+
+
+class OwnerFilter(BaseFilterBackend):
+    """Filter objects by their owner"""
+
+    owner_key = "user"
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        if request.user.is_superuser:
+            return queryset
+        return queryset.filter(**{self.owner_key: request.user})
+
+
+class SecretKeyFilter(DjangoFilterBackend):
+    """Allow access to all objects when authenticated with secret key as token.
+
+    Replaces both DjangoFilterBackend and ObjectFilter"""
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        auth_header = get_authorization_header(request)
+        token = validate_auth(auth_header)
+        if token and token == settings.SECRET_KEY:
+            return queryset
+        queryset = ObjectFilter().filter_queryset(request, queryset, view)
+        return super().filter_queryset(request, queryset, view)
+
+
+class OwnerPermissions(BasePermission):
+    """Authorize requests by an object's owner matching the requesting user"""
+
+    owner_key = "user"
+
+    def has_permission(self, request: Request, view) -> bool:
+        """If the user is authenticated, we allow all requests here. For listing, the
+        object-level permissions are done by the filter backend"""
+        return request.user.is_authenticated
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
+        """Check if the object's owner matches the currently logged in user"""
+        if not hasattr(obj, self.owner_key):
+            return False
+        owner = getattr(obj, self.owner_key)
+        if owner != request.user:
+            return False
+        return True
+
+
+class OwnerSuperuserPermissions(OwnerPermissions):
+    """Similar to OwnerPermissions, except always allow access for superusers"""
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
+        if request.user.is_superuser:
+            return True
+        return super().has_object_permission(request, view, obj)

authentik/api/schema.py

@@ -12,7 +12,6 @@ from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.types import OpenApiTypes
 from rest_framework.settings import api_settings
 
-from authentik.api.apps import AuthentikAPIConfig
 from authentik.api.pagination import PAGINATION_COMPONENT_NAME, PAGINATION_SCHEMA
 
 
@@ -102,12 +101,3 @@ def postprocess_schema_responses(result, generator: SchemaGenerator, **kwargs):
             comp = result["components"]["schemas"][component]
             comp["additionalProperties"] = {}
     return result
-
-
-def preprocess_schema_exclude_non_api(endpoints, **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]

authentik/api/templates/api/browser.html

@@ -1,13 +1,13 @@
 {% extends "base/skeleton.html" %}
 
-{% load authentik_core %}
+{% load static %}
 
 {% block title %}
 API Browser - {{ brand.branding_title }}
 {% endblock %}
 
 {% block head %}
-<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
+<script src="{% static 'dist/standalone/api-browser/index.js' %}?version={{ version }}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}

authentik/blueprints/api.py

@@ -7,7 +7,7 @@ from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ListSerializer
+from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.blueprints.models import BlueprintInstance
@@ -15,7 +15,7 @@ from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
+from authentik.core.api.utils import JSONDictField, PassiveSerializer
 from authentik.rbac.decorators import permission_required
 
 
@@ -51,11 +51,9 @@ class BlueprintInstanceSerializer(ModelSerializer):
         context = self.instance.context if self.instance else {}
         valid, logs = Importer.from_string(content, context).validate()
         if not valid:
+            text_logs = "\n".join([x["event"] for x in logs])
             raise ValidationError(
-                [
-                    _("Failed to validate blueprint"),
-                    *[f"- {x.event}" for x in logs],
-                ]
+                _("Failed to validate blueprint: {logs}".format_map({"logs": text_logs}))
             )
         return content
 

authentik/blueprints/apps.py

@@ -8,8 +8,6 @@ from django.apps import AppConfig
 from django.db import DatabaseError, InternalError, ProgrammingError
 from structlog.stdlib import BoundLogger, get_logger
 
-from authentik.root.signals import startup
-
 
 class ManagedAppConfig(AppConfig):
     """Basic reconciliation logic for apps"""
@@ -25,12 +23,9 @@ class ManagedAppConfig(AppConfig):
 
     def ready(self) -> None:
         self.import_related()
-        startup.connect(self._on_startup_callback, dispatch_uid=self.label)
-        return super().ready()
-
-    def _on_startup_callback(self, sender, **_):
         self._reconcile_global()
         self._reconcile_tenant()
+        return super().ready()
 
     def import_related(self):
         """Automatically import related modules which rely on just being imported

authentik/blueprints/management/commands/apply_blueprint.py

@@ -23,11 +23,9 @@ class Command(BaseCommand):
                 for blueprint_path in options.get("blueprints", []):
                     content = BlueprintInstance(path=blueprint_path).retrieve()
                     importer = Importer.from_string(content)
-                    valid, logs = importer.validate()
+                    valid, _ = importer.validate()
                     if not valid:
-                        self.stderr.write("Blueprint invalid")
-                        for log in logs:
-                            self.stderr.write(f"\t{log.logger}: {log.event}: {log.attributes}")
+                        self.stderr.write("blueprint invalid")
                         sys_exit(1)
                     importer.apply()
 

authentik/blueprints/management/commands/blueprint_shell.py

@@ -1,68 +0,0 @@
-"""Test and debug Blueprints"""
-
-import atexit
-import readline
-from pathlib import Path
-from pprint import pformat
-from sys import exit as sysexit
-from textwrap import indent
-
-from django.core.management.base import BaseCommand, no_translations
-from structlog.stdlib import get_logger
-from yaml import load
-
-from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
-from authentik.core.management.commands.shell import get_banner_text
-from authentik.lib.utils.errors import exception_to_string
-
-LOGGER = get_logger()
-
-
-class Command(BaseCommand):
-    """Test and debug Blueprints"""
-
-    lines = []
-
-    def __init__(self, *args, **kwargs) -> None:
-        super().__init__(*args, **kwargs)
-        histfolder = Path("~").expanduser() / Path(".local/share/authentik")
-        histfolder.mkdir(parents=True, exist_ok=True)
-        histfile = histfolder / Path("blueprint_shell_history")
-        readline.parse_and_bind("tab: complete")
-        readline.parse_and_bind("set editing-mode vi")
-
-        try:
-            readline.read_history_file(str(histfile))
-        except FileNotFoundError:
-            pass
-
-        atexit.register(readline.write_history_file, str(histfile))
-
-    @no_translations
-    def handle(self, *args, **options):
-        """Interactively debug blueprint files"""
-        self.stdout.write(get_banner_text("Blueprint shell"))
-        self.stdout.write("Type '.eval' to evaluate previously entered statement(s).")
-
-        def do_eval():
-            yaml_input = "\n".join([line for line in self.lines if line])
-            data = load(yaml_input, BlueprintLoader)
-            self.stdout.write(pformat(data))
-            self.lines = []
-
-        while True:
-            try:
-                line = input("> ")
-                if line == ".eval":
-                    do_eval()
-                else:
-                    self.lines.append(line)
-            except EntryInvalidError as exc:
-                self.stdout.write("Failed to evaluate expression:")
-                self.stdout.write(indent(exception_to_string(exc), prefix="  "))
-            except EOFError:
-                break
-            except KeyboardInterrupt:
-                self.stdout.write()
-                sysexit(0)
-        self.stdout.write()

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -4,14 +4,12 @@ from json import dumps
 from typing import Any
 
 from django.core.management.base import BaseCommand, no_translations
-from django.db.models import Model, fields
-from drf_jsonschema_serializer.convert import converter, field_to_converter
+from django.db.models import Model
+from drf_jsonschema_serializer.convert import field_to_converter
 from rest_framework.fields import Field, JSONField, UUIDField
-from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
-from authentik import __version__
 from authentik.blueprints.v1.common import BlueprintEntryDesiredState
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT, is_model_allowed
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
@@ -20,23 +18,6 @@ from authentik.lib.models import SerializerModel
 LOGGER = get_logger()
 
 
-@converter
-class PrimaryKeyRelatedFieldConverter:
-    """Custom primary key field converter which is aware of non-integer based PKs
-
-    This is not an exhaustive fix for other non-int PKs, however in authentik we either
-    use UUIDs or ints"""
-
-    field_class = PrimaryKeyRelatedField
-
-    def convert(self, field: PrimaryKeyRelatedField):
-        model: Model = field.queryset.model
-        pk_field = model._meta.pk
-        if isinstance(pk_field, fields.UUIDField):
-            return {"type": "string", "format": "uuid"}
-        return {"type": "integer"}
-
-
 class Command(BaseCommand):
     """Generate JSON Schema for blueprints"""
 
@@ -48,7 +29,7 @@ class Command(BaseCommand):
             "$schema": "http://json-schema.org/draft-07/schema",
             "$id": "https://goauthentik.io/blueprints/schema.json",
             "type": "object",
-            "title": f"authentik {__version__} Blueprint schema",
+            "title": "authentik Blueprint schema",
             "required": ["version", "entries"],
             "properties": {
                 "version": {
@@ -113,20 +94,17 @@ class Command(BaseCommand):
             )
             model_path = f"{model._meta.app_label}.{model._meta.model_name}"
             self.schema["properties"]["entries"]["items"]["oneOf"].append(
-                self.template_entry(model_path, model, serializer)
+                self.template_entry(model_path, serializer)
             )
 
-    def template_entry(self, model_path: str, model: type[Model], serializer: Serializer) -> dict:
+    def template_entry(self, model_path: str, serializer: Serializer) -> dict:
         """Template entry for a single model"""
         model_schema = self.to_jsonschema(serializer)
         model_schema["required"] = []
         def_name = f"model_{model_path}"
         def_path = f"#/$defs/{def_name}"
         self.schema["$defs"][def_name] = model_schema
-        def_name_perm = f"model_{model_path}_permissions"
-        def_path_perm = f"#/$defs/{def_name_perm}"
-        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
-        template = {
+        return {
             "type": "object",
             "required": ["model", "identifiers"],
             "properties": {
@@ -138,16 +116,10 @@ class Command(BaseCommand):
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},
-                "permissions": {"$ref": def_path_perm},
                 "attrs": {"$ref": def_path},
                 "identifiers": {"$ref": def_path},
             },
         }
-        # Meta models don't require identifiers, as there's no matching database model to find
-        if issubclass(model, BaseMetaModel):
-            del template["properties"]["identifiers"]
-            template["required"].remove("identifiers")
-        return template
 
     def field_to_jsonschema(self, field: Field) -> dict:
         """Convert a single field to json schema"""
@@ -194,20 +166,3 @@ class Command(BaseCommand):
         if required:
             result["required"] = required
         return result
-
-    def model_permissions(self, model: type[Model]) -> dict:
-        perms = [x[0] for x in model._meta.permissions]
-        for action in model._meta.default_permissions:
-            perms.append(f"{action}_{model._meta.model_name}")
-        return {
-            "type": "array",
-            "items": {
-                "type": "object",
-                "required": ["permission"],
-                "properties": {
-                    "permission": {"type": "string", "enum": perms},
-                    "user": {"type": "integer"},
-                    "role": {"type": "string"},
-                },
-            },
-        }

authentik/blueprints/migrations/0001_initial.py

@@ -29,7 +29,9 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
         if version != 1:
             return
         blueprint_file.seek(0)
-    instance = BlueprintInstance.objects.using(db_alias).filter(path=path).first()
+    instance: BlueprintInstance = (
+        BlueprintInstance.objects.using(db_alias).filter(path=path).first()
+    )
     rel_path = path.relative_to(Path(CONFIG.get("blueprints_dir")))
     meta = None
     if metadata:

authentik/blueprints/tests/__init__.py

@@ -39,7 +39,7 @@ def reconcile_app(app_name: str):
         def wrapper(*args, **kwargs):
             config = apps.get_app_config(app_name)
             if isinstance(config, ManagedAppConfig):
-                config._on_startup_callback(None)
+                config.ready()
             return func(*args, **kwargs)
 
         return wrapper

authentik/blueprints/tests/fixtures/rbac_object.yaml

@@ -1,24 +0,0 @@
-version: 1
-entries:
-  - model: authentik_core.user
-    id: user
-    identifiers:
-      username: "%(id)s"
-    attrs:
-      name: "%(id)s"
-  - model: authentik_rbac.role
-    id: role
-    identifiers:
-      name: "%(id)s"
-  - model: authentik_flows.flow
-    identifiers:
-      slug: "%(id)s"
-    attrs:
-      designation: authentication
-      name: foo
-      title: foo
-    permissions:
-      - permission: view_flow
-        user: !KeyOf user
-      - permission: view_flow
-        role: !KeyOf role

authentik/blueprints/tests/fixtures/rbac_role.yaml

@@ -1,8 +0,0 @@
-version: 1
-entries:
-  - model: authentik_rbac.role
-    identifiers:
-      name: "%(id)s"
-    attrs:
-      permissions:
-        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/fixtures/rbac_user.yaml

@@ -1,9 +0,0 @@
-version: 1
-entries:
-  - model: authentik_core.user
-    identifiers:
-      username: "%(id)s"
-    attrs:
-      name: "%(id)s"
-      permissions:
-        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/fixtures/tags.yaml

@@ -146,10 +146,6 @@ entries:
                   ]
               ]
               nested_context: !Context context2
-              at_index_sequence: !AtIndex [!Context sequence, 0]
-              at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
-              at_index_mapping: !AtIndex [!Context mapping, "key2"]
-              at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
       identifiers:
           name: test
       conditions:

authentik/blueprints/tests/test_packaged.py

@@ -27,8 +27,7 @@ def blueprint_tester(file_name: Path) -> Callable:
         base = Path("blueprints/")
         rel_path = Path(file_name).relative_to(base)
         importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
-        validation, logs = importer.validate()
-        self.assertTrue(validation, logs)
+        self.assertTrue(importer.validate()[0])
         self.assertTrue(importer.apply())
 
     return tester

authentik/blueprints/tests/test_v1.py

@@ -215,10 +215,6 @@ class TestBlueprintsV1(TransactionTestCase):
                     },
                     "nested_context": "context-nested-value",
                     "env_null": None,
-                    "at_index_sequence": "foo",
-                    "at_index_sequence_default": "non existent",
-                    "at_index_mapping": 2,
-                    "at_index_mapping_default": "non existent",
                 }
             ).exists()
         )

authentik/blueprints/tests/test_v1_api.py

@@ -78,5 +78,5 @@ class TestBlueprintsV1API(APITestCase):
         self.assertEqual(res.status_code, 400)
         self.assertJSONEqual(
             res.content.decode(),
-            {"content": ["Failed to validate blueprint", "- Invalid blueprint version"]},
+            {"content": ["Failed to validate blueprint: Invalid blueprint version"]},
         )

authentik/blueprints/tests/test_v1_rbac.py

@@ -1,57 +0,0 @@
-"""Test blueprints v1"""
-
-from django.test import TransactionTestCase
-from guardian.shortcuts import get_perms
-
-from authentik.blueprints.v1.importer import Importer
-from authentik.core.models import User
-from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import load_fixture
-from authentik.rbac.models import Role
-
-
-class TestBlueprintsV1RBAC(TransactionTestCase):
-    """Test Blueprints rbac attribute"""
-
-    def test_user_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_user.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        user = User.objects.filter(username=uid).first()
-        self.assertIsNotNone(user)
-        self.assertTrue(user.has_perms(["authentik_blueprints.view_blueprintinstance"]))
-
-    def test_role_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_role.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        role = Role.objects.filter(name=uid).first()
-        self.assertIsNotNone(role)
-        self.assertEqual(
-            list(role.group.permissions.all().values_list("codename", flat=True)),
-            ["view_blueprintinstance"],
-        )
-
-    def test_object_permission(self):
-        """Test permissions"""
-        uid = generate_id()
-        import_yaml = load_fixture("fixtures/rbac_object.yaml", id=uid)
-
-        importer = Importer.from_string(import_yaml)
-        self.assertTrue(importer.validate()[0])
-        self.assertTrue(importer.apply())
-        flow = Flow.objects.filter(slug=uid).first()
-        user = User.objects.filter(username=uid).first()
-        role = Role.objects.filter(name=uid).first()
-        self.assertIsNotNone(flow)
-        self.assertEqual(get_perms(user, flow), ["view_flow"])
-        self.assertEqual(get_perms(role.group, flow), ["view_flow"])

authentik/blueprints/v1/common.py

@@ -1,7 +1,7 @@
 """transfer common classes"""
 
 from collections import OrderedDict
-from collections.abc import Generator, Iterable, Mapping
+from collections.abc import Iterable, Mapping
 from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
@@ -24,10 +24,6 @@ from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel
 
 
-class UNSET:
-    """Used to test whether a key has not been set."""
-
-
 def get_attrs(obj: SerializerModel) -> dict[str, Any]:
     """Get object's attributes via their serializer, and convert it to a normal dict"""
     serializer: Serializer = obj.serializer(obj)
@@ -62,15 +58,6 @@ class BlueprintEntryDesiredState(Enum):
     MUST_CREATED = "must_created"
 
 
-@dataclass
-class BlueprintEntryPermission:
-    """Describe object-level permissions"""
-
-    permission: Union[str, "YAMLTag"]
-    user: Union[int, "YAMLTag", None] = field(default=None)
-    role: Union[str, "YAMLTag", None] = field(default=None)
-
-
 @dataclass
 class BlueprintEntry:
     """Single entry of a blueprint"""
@@ -82,14 +69,13 @@ class BlueprintEntry:
     conditions: list[Any] = field(default_factory=list)
     identifiers: dict[str, Any] = field(default_factory=dict)
     attrs: dict[str, Any] | None = field(default_factory=dict)
-    permissions: list[BlueprintEntryPermission] = field(default_factory=list)
 
     id: str | None = None
 
     _state: BlueprintEntryState = field(default_factory=BlueprintEntryState)
 
     def __post_init__(self, *args, **kwargs) -> None:
-        self.__tag_contexts: list[YAMLTagContext] = []
+        self.__tag_contexts: list["YAMLTagContext"] = []
 
     @staticmethod
     def from_model(model: SerializerModel, *extra_identifier_names: str) -> "BlueprintEntry":
@@ -164,17 +150,6 @@ class BlueprintEntry:
         """Get the blueprint model, with yaml tags resolved if present"""
         return str(self.tag_resolver(self.model, blueprint))
 
-    def get_permissions(
-        self, blueprint: "Blueprint"
-    ) -> Generator[BlueprintEntryPermission, None, None]:
-        """Get permissions of this entry, with all yaml tags resolved"""
-        for perm in self.permissions:
-            yield BlueprintEntryPermission(
-                permission=self.tag_resolver(perm.permission, blueprint),
-                user=self.tag_resolver(perm.user, blueprint),
-                role=self.tag_resolver(perm.role, blueprint),
-            )
-
     def check_all_conditions_match(self, blueprint: "Blueprint") -> bool:
         """Check all conditions of this entry match (evaluate to True)"""
         return all(self.tag_resolver(self.conditions, blueprint))
@@ -202,9 +177,6 @@ class Blueprint:
 class YAMLTag:
     """Base class for all YAML Tags"""
 
-    def __repr__(self) -> str:
-        return str(self.resolve(BlueprintEntry(""), Blueprint()))
-
     def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
         """Implement yaml tag logic"""
         raise NotImplementedError
@@ -335,10 +307,7 @@ class Find(YAMLTag):
         else:
             model_name = self.model_name
 
-        try:
-            model_class = apps.get_model(*model_name.split("."))
-        except LookupError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+        model_class = apps.get_model(*model_name.split("."))
 
         query = Q()
         for cond in self.conditions:
@@ -563,53 +532,6 @@ class Value(EnumeratedItem):
             raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry) from exc
 
 
-class AtIndex(YAMLTag):
-    """Get value at index of a sequence or mapping"""
-
-    obj: YAMLTag | dict | list | tuple
-    attribute: int | str | YAMLTag
-    default: Any | UNSET
-
-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
-        super().__init__()
-        self.obj = loader.construct_object(node.value[0])
-        self.attribute = loader.construct_object(node.value[1])
-        if len(node.value) == 2:  # noqa: PLR2004
-            self.default = UNSET
-        else:
-            self.default = loader.construct_object(node.value[2])
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        if isinstance(self.obj, YAMLTag):
-            obj = self.obj.resolve(entry, blueprint)
-        else:
-            obj = self.obj
-        if isinstance(self.attribute, YAMLTag):
-            attribute = self.attribute.resolve(entry, blueprint)
-        else:
-            attribute = self.attribute
-
-        if isinstance(obj, list | tuple):
-            try:
-                return obj[attribute]
-            except TypeError as exc:
-                raise EntryInvalidError.from_entry(
-                    f"Invalid index for list: {attribute}", entry
-                ) from exc
-            except IndexError as exc:
-                if self.default is UNSET:
-                    raise EntryInvalidError.from_entry(
-                        f"Index out of range: {attribute}", entry
-                    ) from exc
-                return self.default
-        if attribute in obj:
-            return obj[attribute]
-        else:
-            if self.default is UNSET:
-                raise EntryInvalidError.from_entry(f"Key does not exist: {attribute}", entry)
-            return self.default
-
-
 class BlueprintDumper(SafeDumper):
     """Dump dataclasses to yaml"""
 
@@ -634,11 +556,7 @@ class BlueprintDumper(SafeDumper):
 
             def factory(items):
                 final_dict = dict(items)
-                # Remove internal state variables
                 final_dict.pop("_state", None)
-                # Future-proof to only remove the ID if we don't set a value
-                if "id" in final_dict and final_dict.get("id") is None:
-                    final_dict.pop("id")
                 return final_dict
 
             data = asdict(data, dict_factory=factory)
@@ -660,7 +578,6 @@ class BlueprintLoader(SafeLoader):
         self.add_constructor("!Enumerate", Enumerate)
         self.add_constructor("!Value", Value)
         self.add_constructor("!Index", Index)
-        self.add_constructor("!AtIndex", AtIndex)
 
 
 class EntryInvalidError(SentryIgnoredException):

authentik/blueprints/v1/importer.py

@@ -16,10 +16,11 @@ from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from guardian.models import UserObjectPermission
-from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
 from structlog.stdlib import BoundLogger, get_logger
+from structlog.testing import capture_logs
+from structlog.types import EventDict
 from yaml import load
 
 from authentik.blueprints.v1.common import (
@@ -33,54 +34,28 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
 from authentik.core.models import (
     AuthenticatedSession,
-    GroupSourceConnection,
     PropertyMapping,
     Provider,
-    Session,
     Source,
-    User,
     UserSourceConnection,
 )
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsage
-from authentik.enterprise.providers.google_workspace.models import (
-    GoogleWorkspaceProviderGroup,
-    GoogleWorkspaceProviderUser,
-)
-from authentik.enterprise.providers.microsoft_entra.models import (
-    MicrosoftEntraProviderGroup,
-    MicrosoftEntraProviderUser,
-)
-from authentik.enterprise.providers.ssf.models import StreamEvent
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
-    EndpointDevice,
-    EndpointDeviceConnection,
-)
-from authentik.events.logs import LogEvent, capture_logs
+from authentik.enterprise.providers.rac.models import ConnectionToken
 from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
-from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    AuthorizationCode,
-    DeviceToken,
-    RefreshToken,
-)
-from authentik.providers.rac.models import ConnectionToken
-from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
-from authentik.rbac.models import Role
-from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
-from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
+from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
+from authentik.providers.scim.models import SCIMGroup, SCIMUser
 from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
-# Update website/docs/customize/blueprints/v1/models.md when used
+# Update website/developer-docs/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
 
 
@@ -103,20 +78,17 @@ def excluded_models() -> list[type[Model]]:
         Source,
         PropertyMapping,
         UserSourceConnection,
-        GroupSourceConnection,
         Stage,
         OutpostServiceConnection,
         Policy,
         PolicyBindingModel,
         # Classes that have other dependencies
-        Session,
         AuthenticatedSession,
         # Classes which are only internally managed
-        # FIXME: these shouldn't need to be explicitly listed, but rather based off of a mixin
         FlowToken,
         LicenseUsage,
-        SCIMProviderGroup,
-        SCIMProviderUser,
+        SCIMGroup,
+        SCIMUser,
         Tenant,
         SystemTask,
         ConnectionToken,
@@ -124,17 +96,6 @@ def excluded_models() -> list[type[Model]]:
         AccessToken,
         RefreshToken,
         Reputation,
-        WebAuthnDeviceType,
-        SCIMSourceUser,
-        SCIMSourceGroup,
-        GoogleWorkspaceProviderUser,
-        GoogleWorkspaceProviderGroup,
-        MicrosoftEntraProviderUser,
-        MicrosoftEntraProviderGroup,
-        EndpointDevice,
-        EndpointDeviceConnection,
-        DeviceToken,
-        StreamEvent,
     )
 
 
@@ -158,16 +119,6 @@ def transaction_rollback():
         pass
 
 
-def rbac_models() -> dict:
-    models = {}
-    for app in get_apps():
-        for model in app.get_models():
-            if not is_model_allowed(model):
-                continue
-            models[model._meta.model_name] = app.label
-    return models
-
-
 class Importer:
     """Import Blueprint from raw dict or YAML/JSON"""
 
@@ -186,10 +137,7 @@ class Importer:
 
     def default_context(self):
         """Default context"""
-        return {
-            "goauthentik.io/enterprise/licensed": LicenseKey.get_total().status().is_valid,
-            "goauthentik.io/rbac/models": rbac_models(),
-        }
+        return {"goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid()}
 
     @staticmethod
     def from_string(yaml_input: str, context: dict | None = None) -> "Importer":
@@ -213,7 +161,7 @@ class Importer:
 
         def updater(value) -> Any:
             if value in self.__pk_map:
-                self.logger.debug("Updating reference in entry", value=value)
+                self.logger.debug("updating reference in entry", value=value)
                 return self.__pk_map[value]
             return value
 
@@ -249,17 +197,14 @@ class Importer:
 
         return main_query | sub_query
 
-    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:  # noqa: PLR0915
+    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:
         """Validate a single entry"""
         if not entry.check_all_conditions_match(self._import):
             self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
             return None
 
         model_app_label, model_name = entry.get_model(self._import).split(".")
-        try:
-            model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
-        except LookupError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+        model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
         # Don't use isinstance since we don't want to check for inheritance
         if not is_model_allowed(model):
             raise EntryInvalidError.from_entry(f"Model {model} not allowed", entry)
@@ -303,13 +248,9 @@ class Importer:
 
         serializer_kwargs = {}
         model_instance = existing_models.first()
-        if (
-            not isinstance(model(), BaseMetaModel)
-            and model_instance
-            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
-        ):
+        if not isinstance(model(), BaseMetaModel) and model_instance:
             self.logger.debug(
-                "Initialise serializer with instance",
+                "initialise serializer with instance",
                 model=model,
                 instance=model_instance,
                 pk=model_instance.pk,
@@ -317,17 +258,16 @@ class Importer:
             serializer_kwargs["instance"] = model_instance
             serializer_kwargs["partial"] = True
         elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
-            msg = (
-                f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
-                "and object exists already",
-            )
             raise EntryInvalidError.from_entry(
-                ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
+                (
+                    f"state is set to {BlueprintEntryDesiredState.MUST_CREATED} "
+                    "and object exists already",
+                ),
                 entry,
             )
         else:
             self.logger.debug(
-                "Initialised new serializer instance",
+                "initialised new serializer instance",
                 model=model,
                 **cleanse_dict(updated_identifiers),
             )
@@ -339,7 +279,10 @@ class Importer:
         try:
             full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
-            raise EntryInvalidError.from_entry(exc, entry) from exc
+            raise EntryInvalidError.from_entry(
+                exc,
+                entry,
+            ) from exc
         always_merger.merge(full_data, updated_identifiers)
         serializer_kwargs["data"] = full_data
 
@@ -360,15 +303,6 @@ class Importer:
             ) from exc
         return serializer
 
-    def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
-        """Apply object-level permissions for an entry"""
-        for perm in entry.get_permissions(self._import):
-            if perm.user is not None:
-                assign_perm(perm.permission, User.objects.get(pk=perm.user), instance)
-            if perm.role is not None:
-                role = Role.objects.get(pk=perm.role)
-                role.assign_permission(perm.permission, obj=instance)
-
     def apply(self) -> bool:
         """Apply (create/update) models yaml, in database transaction"""
         try:
@@ -390,7 +324,7 @@ class Importer:
                 model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
             except LookupError:
                 self.logger.warning(
-                    "App or Model does not exist", app=model_app_label, model=model_name
+                    "app or model does not exist", app=model_app_label, model=model_name
                 )
                 return False
             # Validate each single entry
@@ -402,7 +336,7 @@ class Importer:
                 if entry.get_state(self._import) == BlueprintEntryDesiredState.ABSENT:
                     serializer = exc.serializer
                 else:
-                    self.logger.warning(f"Entry invalid: {exc}", entry=entry, error=exc)
+                    self.logger.warning(f"entry invalid: {exc}", entry=entry, error=exc)
                     if raise_errors:
                         raise exc
                     return False
@@ -422,42 +356,43 @@ class Importer:
                     and state == BlueprintEntryDesiredState.CREATED
                 ):
                     self.logger.debug(
-                        "Instance exists, skipping",
+                        "instance exists, skipping",
                         model=model,
                         instance=instance,
                         pk=instance.pk,
                     )
                 else:
                     instance = serializer.save()
-                    self.logger.debug("Updated model", model=instance)
+                    self.logger.debug("updated model", model=instance)
                 if "pk" in entry.identifiers:
                     self.__pk_map[entry.identifiers["pk"]] = instance.pk
                 entry._state = BlueprintEntryState(instance)
-                self._apply_permissions(instance, entry)
             elif state == BlueprintEntryDesiredState.ABSENT:
                 instance: Model | None = serializer.instance
                 if instance.pk:
                     instance.delete()
-                    self.logger.debug("Deleted model", mode=instance)
+                    self.logger.debug("deleted model", mode=instance)
                     continue
-                self.logger.debug("Entry to delete with no instance, skipping")
+                self.logger.debug("entry to delete with no instance, skipping")
         return True
 
-    def validate(self, raise_validation_errors=False) -> tuple[bool, list[LogEvent]]:
+    def validate(self, raise_validation_errors=False) -> tuple[bool, list[EventDict]]:
         """Validate loaded blueprint export, ensure all models are allowed
         and serializers have no errors"""
         self.logger.debug("Starting blueprint import validation")
         orig_import = deepcopy(self._import)
         if self._import.version != 1:
             self.logger.warning("Invalid blueprint version")
-            return False, [LogEvent("Invalid blueprint version", log_level="warning", logger=None)]
+            return False, [{"event": "Invalid blueprint version"}]
         with (
             transaction_rollback(),
             capture_logs() as logs,
         ):
             successful = self._apply_models(raise_errors=raise_validation_errors)
             if not successful:
-                self.logger.warning("Blueprint validation failed")
+                self.logger.debug("Blueprint validation failed")
+        for log in logs:
+            getattr(self.logger, log.get("log_level"))(**log)
         self.logger.debug("Finished blueprint import validation")
         self._import = orig_import
         return successful, logs

authentik/blueprints/v1/tasks.py

@@ -30,7 +30,6 @@ from authentik.blueprints.v1.common import BlueprintLoader, BlueprintMetadata, E
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.labels import LABEL_AUTHENTIK_INSTANTIATE
 from authentik.blueprints.v1.oci import OCI_PREFIX
-from authentik.events.logs import capture_logs
 from authentik.events.models import TaskStatus
 from authentik.events.system_tasks import SystemTask, prefill_task
 from authentik.events.utils import sanitize_dict
@@ -159,7 +158,7 @@ def blueprints_discovery(self: SystemTask, path: str | None = None):
         check_blueprint_v1_file(blueprint)
         count += 1
     self.set_status(
-        TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=count))
+        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": count})
     )
 
 
@@ -212,15 +211,14 @@ def apply_blueprint(self: SystemTask, instance_pk: str):
         if not valid:
             instance.status = BlueprintInstanceStatus.ERROR
             instance.save()
-            self.set_status(TaskStatus.ERROR, *logs)
+            self.set_status(TaskStatus.ERROR, *[x["event"] for x in logs])
+            return
+        applied = importer.apply()
+        if not applied:
+            instance.status = BlueprintInstanceStatus.ERROR
+            instance.save()
+            self.set_status(TaskStatus.ERROR, "Failed to apply")
             return
-        with capture_logs() as logs:
-            applied = importer.apply()
-            if not applied:
-                instance.status = BlueprintInstanceStatus.ERROR
-                instance.save()
-                self.set_status(TaskStatus.ERROR, *logs)
-                return
         instance.status = BlueprintInstanceStatus.SUCCESSFUL
         instance.last_applied_hash = file_hash
         instance.last_applied = now()

authentik/brands/api.py

@@ -11,20 +11,21 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer, PassiveSerializer
-from authentik.rbac.filters import SecretKeyFilter
+from authentik.core.api.utils import PassiveSerializer
 from authentik.tenants.utils import get_current_tenant
 
 
 class FooterLinkSerializer(PassiveSerializer):
     """Links returned in Config API"""
 
-    href = CharField(read_only=True, allow_null=True)
+    href = CharField(read_only=True)
     name = CharField(read_only=True)
 
 
@@ -49,15 +50,12 @@ class BrandSerializer(ModelSerializer):
             "branding_title",
             "branding_logo",
             "branding_favicon",
-            "branding_custom_css",
-            "branding_default_flow_background",
             "flow_authentication",
             "flow_invalidation",
             "flow_recovery",
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
-            "default_application",
             "web_certificate",
             "attributes",
         ]
@@ -86,9 +84,8 @@ class CurrentBrandSerializer(PassiveSerializer):
 
     matched_domain = CharField(source="domain")
     branding_title = CharField()
-    branding_logo = CharField(source="branding_logo_url")
-    branding_favicon = CharField(source="branding_favicon_url")
-    branding_custom_css = CharField()
+    branding_logo = CharField()
+    branding_favicon = CharField()
     ui_footer_links = ListField(
         child=FooterLinkSerializer(),
         read_only=True,
@@ -128,7 +125,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
         "branding_title",
         "branding_logo",
         "branding_favicon",
-        "branding_default_flow_background",
         "flow_authentication",
         "flow_invalidation",
         "flow_recovery",

authentik/brands/apps.py

@@ -9,6 +9,3 @@ class AuthentikBrandsConfig(AppConfig):
     name = "authentik.brands"
     label = "authentik_brands"
     verbose_name = "authentik Brands"
-    mountpoints = {
-        "authentik.brands.urls_root": "",
-    }

authentik/brands/middleware.py

@@ -4,7 +4,7 @@ from collections.abc import Callable
 
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
-from django.utils.translation import override
+from django.utils.translation import activate
 
 from authentik.brands.utils import get_brand_for_request
 
@@ -18,14 +18,10 @@ class BrandMiddleware:
         self.get_response = get_response
 
     def __call__(self, request: HttpRequest) -> HttpResponse:
-        locale_to_set = None
         if not hasattr(request, "brand"):
             brand = get_brand_for_request(request)
             request.brand = brand
             locale = brand.default_locale
             if locale != "":
-                locale_to_set = locale
-        if locale_to_set:
-            with override(locale_to_set):
-                return self.get_response(request)
+                activate(locale)
         return self.get_response(request)

authentik/brands/migrations/0006_brand_authentik_b_domain_b9b24a_idx_and_more.py

@@ -1,21 +0,0 @@
-# Generated by Django 5.0.4 on 2024-04-18 18:56
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0005_tenantuuid_to_branduuid"),
-    ]
-
-    operations = [
-        migrations.AddIndex(
-            model_name="brand",
-            index=models.Index(fields=["domain"], name="authentik_b_domain_b9b24a_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="brand",
-            index=models.Index(fields=["default"], name="authentik_b_default_3ccf12_idx"),
-        ),
-    ]

authentik/brands/migrations/0007_brand_default_application.py

@@ -1,26 +0,0 @@
-# Generated by Django 5.0.6 on 2024-07-04 20:32
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0006_brand_authentik_b_domain_b9b24a_idx_and_more"),
-        ("authentik_core", "0035_alter_group_options_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="default_application",
-            field=models.ForeignKey(
-                default=None,
-                help_text="When set, external users will be redirected to this application after authenticating.",
-                null=True,
-                on_delete=django.db.models.deletion.SET_DEFAULT,
-                to="authentik_core.application",
-            ),
-        ),
-    ]

authentik/brands/migrations/0008_brand_branding_custom_css.py

@@ -1,35 +0,0 @@
-# Generated by Django 5.0.12 on 2025-02-22 01:51
-
-from pathlib import Path
-from django.db import migrations, models
-from django.apps.registry import Apps
-
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    Brand = apps.get_model("authentik_brands", "brand")
-
-    db_alias = schema_editor.connection.alias
-
-    path = Path("/web/dist/custom.css")
-    if not path.exists():
-        return
-    css = path.read_text()
-    Brand.objects.using(db_alias).all().update(branding_custom_css=css)
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0007_brand_default_application"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="branding_custom_css",
-            field=models.TextField(blank=True, default=""),
-        ),
-        migrations.RunPython(migrate_custom_css),
-    ]

authentik/brands/migrations/0009_brand_branding_default_flow_background.py

@@ -1,18 +0,0 @@
-# Generated by Django 5.0.13 on 2025-03-19 22:54
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0008_brand_branding_custom_css"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="branding_default_flow_background",
-            field=models.TextField(default="/static/dist/assets/images/flow_background.jpg"),
-        ),
-    ]

authentik/brands/models.py

@@ -3,14 +3,12 @@
 from uuid import uuid4
 
 from django.db import models
-from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
-from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 
 LOGGER = get_logger()
@@ -33,10 +31,6 @@ class Brand(SerializerModel):
 
     branding_logo = models.TextField(default="/static/dist/assets/icons/icon_left_brand.svg")
     branding_favicon = models.TextField(default="/static/dist/assets/icons/icon.png")
-    branding_custom_css = models.TextField(default="", blank=True)
-    branding_default_flow_background = models.TextField(
-        default="/static/dist/assets/images/flow_background.jpg"
-    )
 
     flow_authentication = models.ForeignKey(
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_authentication"
@@ -57,16 +51,6 @@ class Brand(SerializerModel):
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
     )
 
-    default_application = models.ForeignKey(
-        "authentik_core.Application",
-        null=True,
-        default=None,
-        on_delete=models.SET_DEFAULT,
-        help_text=_(
-            "When set, external users will be redirected to this application after authenticating."
-        ),
-    )
-
     web_certificate = models.ForeignKey(
         CertificateKeyPair,
         null=True,
@@ -76,24 +60,6 @@ class Brand(SerializerModel):
     )
     attributes = models.JSONField(default=dict, blank=True)
 
-    def branding_logo_url(self) -> str:
-        """Get branding_logo with the correct prefix"""
-        if self.branding_logo.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.branding_logo
-        return self.branding_logo
-
-    def branding_favicon_url(self) -> str:
-        """Get branding_favicon with the correct prefix"""
-        if self.branding_favicon.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
-        return self.branding_favicon
-
-    def branding_default_flow_background_url(self) -> str:
-        """Get branding_default_flow_background with the correct prefix"""
-        if self.branding_default_flow_background.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.branding_default_flow_background
-        return self.branding_default_flow_background
-
     @property
     def serializer(self) -> Serializer:
         from authentik.brands.api import BrandSerializer
@@ -118,17 +84,3 @@ class Brand(SerializerModel):
     class Meta:
         verbose_name = _("Brand")
         verbose_name_plural = _("Brands")
-        indexes = [
-            models.Index(fields=["domain"]),
-            models.Index(fields=["default"]),
-        ]
-
-
-class WebfingerProvider(models.Model):
-    """Provider which supports webfinger discovery"""
-
-    class Meta:
-        abstract = True
-
-    def webfinger(self, resource: str, request: HttpRequest) -> dict:
-        raise NotImplementedError()

authentik/brands/tests.py

@@ -5,11 +5,7 @@ from rest_framework.test import APITestCase
 
 from authentik.brands.api import Themes
 from authentik.brands.models import Brand
-from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
-from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.models import OAuth2Provider
-from authentik.providers.saml.models import SAMLProvider
 
 
 class TestBrands(APITestCase):
@@ -24,7 +20,6 @@ class TestBrands(APITestCase):
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
                 "branding_title": "authentik",
-                "branding_custom_css": "",
                 "matched_domain": brand.domain,
                 "ui_footer_links": [],
                 "ui_theme": Themes.AUTOMATIC,
@@ -44,7 +39,6 @@ class TestBrands(APITestCase):
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
                 "branding_title": "custom",
-                "branding_custom_css": "",
                 "matched_domain": "bar.baz",
                 "ui_footer_links": [],
                 "ui_theme": Themes.AUTOMATIC,
@@ -61,7 +55,6 @@ class TestBrands(APITestCase):
                 "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
                 "branding_favicon": "/static/dist/assets/icons/icon.png",
                 "branding_title": "authentik",
-                "branding_custom_css": "",
                 "matched_domain": "fallback",
                 "ui_footer_links": [],
                 "ui_theme": Themes.AUTOMATIC,
@@ -82,69 +75,3 @@ class TestBrands(APITestCase):
             reverse("authentik_api:brand-list"), data={"domain": "bar", "default": True}
         )
         self.assertEqual(response.status_code, 400)
-
-    def test_webfinger_no_app(self):
-        """Test Webfinger"""
-        create_test_brand()
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
-        )
-
-    def test_webfinger_not_supported(self):
-        """Test Webfinger"""
-        brand = create_test_brand()
-        provider = SAMLProvider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        brand.default_application = app
-        brand.save()
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
-        )
-
-    def test_webfinger_oidc(self):
-        """Test Webfinger"""
-        brand = create_test_brand()
-        provider = OAuth2Provider.objects.create(
-            name=generate_id(),
-        )
-        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
-        brand.default_application = app
-        brand.save()
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_brands:webfinger")).content.decode(),
-            {
-                "links": [
-                    {
-                        "href": f"http://testserver/application/o/{app.slug}/",
-                        "rel": "http://openid.net/specs/connect/1.0/issuer",
-                    }
-                ],
-                "subject": None,
-            },
-        )
-
-    def test_branding_url(self):
-        """Test branding attributes return correct values"""
-        brand = create_test_brand()
-        brand.branding_default_flow_background = "https://goauthentik.io/img/icon.png"
-        brand.branding_favicon = "https://goauthentik.io/img/icon.png"
-        brand.branding_logo = "https://goauthentik.io/img/icon.png"
-        brand.save()
-        self.assertEqual(
-            brand.branding_default_flow_background_url(), "https://goauthentik.io/img/icon.png"
-        )
-        self.assertJSONEqual(
-            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
-            {
-                "branding_logo": "https://goauthentik.io/img/icon.png",
-                "branding_favicon": "https://goauthentik.io/img/icon.png",
-                "branding_title": "authentik",
-                "branding_custom_css": "",
-                "matched_domain": brand.domain,
-                "ui_footer_links": [],
-                "ui_theme": Themes.AUTOMATIC,
-                "default_locale": "",
-            },
-        )

authentik/brands/urls_root.py

@@ -1,9 +0,0 @@
-"""authentik brand root URLs"""
-
-from django.urls import path
-
-from authentik.brands.views.webfinger import WebFingerView
-
-urlpatterns = [
-    path(".well-known/webfinger", WebFingerView.as_view(), name="webfinger"),
-]

authentik/brands/utils.py

@@ -5,7 +5,7 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from sentry_sdk import get_current_span
+from sentry_sdk.hub import Hub
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
@@ -33,7 +33,7 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
     brand = getattr(request, "brand", DEFAULT_BRAND)
     tenant = getattr(request, "tenant", Tenant())
     trace = ""
-    span = get_current_span()
+    span = Hub.current.scope.span
     if span:
         trace = span.to_traceparent()
     return {

authentik/brands/views/webfinger.py

@@ -1,29 +0,0 @@
-from typing import Any
-
-from django.http import HttpRequest, HttpResponse, JsonResponse
-from django.views import View
-
-from authentik.brands.models import Brand, WebfingerProvider
-from authentik.core.models import Application
-
-
-class WebFingerView(View):
-    """Webfinger endpoint"""
-
-    def get(self, request: HttpRequest) -> HttpResponse:
-        brand: Brand = request.brand
-        if not brand.default_application:
-            return JsonResponse({})
-        application: Application = brand.default_application
-        provider = application.get_provider()
-        if not provider or not isinstance(provider, WebfingerProvider):
-            return JsonResponse({})
-        webfinger_data = provider.webfinger(request.GET.get("resource"), request)
-        return JsonResponse(webfinger_data)
-
-    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        response = super().dispatch(request, *args, **kwargs)
-        # RFC7033 spec
-        response["Access-Control-Allow-Origin"] = "*"
-        response["Content-Type"] = "application/jrd+json"
-        return response

authentik/core/api/application_entitlements.py

@@ -1,58 +0,0 @@
-"""Application Roles API Viewset"""
-
-from django.http import HttpRequest
-from django.utils.translation import gettext_lazy as _
-from rest_framework.exceptions import ValidationError
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
-from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
-from authentik.core.models import (
-    Application,
-    ApplicationEntitlement,
-)
-
-
-class ApplicationEntitlementSerializer(ModelSerializer):
-    """ApplicationEntitlement Serializer"""
-
-    def validate_app(self, app: Application) -> Application:
-        """Ensure user has permission to view"""
-        request: HttpRequest = self.context.get("request")
-        if not request and SERIALIZER_CONTEXT_BLUEPRINT in self.context:
-            return app
-        user = request.user
-        if user.has_perm("view_application", app) or user.has_perm(
-            "authentik_core.view_application"
-        ):
-            return app
-        raise ValidationError(_("User does not have access to application."), code="invalid")
-
-    class Meta:
-        model = ApplicationEntitlement
-        fields = [
-            "pbm_uuid",
-            "name",
-            "app",
-            "attributes",
-        ]
-
-
-class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
-    """ApplicationEntitlement Viewset"""
-
-    queryset = ApplicationEntitlement.objects.all()
-    serializer_class = ApplicationEntitlementSerializer
-    search_fields = [
-        "pbm_uuid",
-        "name",
-        "app",
-        "attributes",
-    ]
-    filterset_fields = [
-        "pbm_uuid",
-        "name",
-        "app",
-    ]
-    ordering = ["name"]

authentik/core/api/applications.py

@@ -17,18 +17,18 @@ from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodFiel
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
+from structlog.testing import capture_logs
 
 from authentik.admin.api.metrics import CoordinateSerializer
-from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
-from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
+from authentik.events.utils import sanitize_dict
 from authentik.lib.utils.file import (
     FilePathSerializer,
     FileUploadSerializer,
@@ -37,19 +37,16 @@ from authentik.lib.utils.file import (
 )
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.types import CACHE_PREFIX, PolicyResult
+from authentik.policies.types import PolicyResult
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
 
 
-def user_app_cache_key(user_pk: str, page_number: int | None = None) -> str:
+def user_app_cache_key(user_pk: str) -> str:
     """Cache key where application list for user is saved"""
-    key = f"{CACHE_PREFIX}app_access/{user_pk}"
-    if page_number:
-        key += f"/{page_number}"
-    return key
+    return f"goauthentik.io/core/app_access/{user_pk}"
 
 
 class ApplicationSerializer(ModelSerializer):
@@ -103,12 +100,7 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
     """Application Viewset"""
 
-    queryset = (
-        Application.objects.all()
-        .with_provider()
-        .prefetch_related("policies")
-        .prefetch_related("backchannel_providers")
-    )
+    queryset = Application.objects.all().prefetch_related("provider")
     serializer_class = ApplicationSerializer
     search_fields = [
         "name",
@@ -152,15 +144,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 applications.append(application)
         return applications
 
-    def _filter_applications_with_launch_url(
-        self, pagined_apps: Iterator[Application]
-    ) -> list[Application]:
-        applications = []
-        for app in pagined_apps:
-            if app.get_launch_url():
-                applications.append(app)
-        return applications
-
     @extend_schema(
         parameters=[
             OpenApiParameter(
@@ -199,9 +182,9 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if request.user.is_superuser:
             log_messages = []
             for log in logs:
-                if log.attributes.get("process", "") == "PolicyProcess":
+                if log.get("process", "") == "PolicyProcess":
                     continue
-                log_messages.append(LogEventSerializer(log).data)
+                log_messages.append(sanitize_dict(log))
             result.log_messages = log_messages
             response = PolicyTestResultSerializer(result)
         return Response(response.data)
@@ -218,11 +201,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.INT,
             ),
-            OpenApiParameter(
-                name="only_with_launch_url",
-                location=OpenApiParameter.QUERY,
-                type=OpenApiTypes.BOOL,
-            ),
         ]
     )
     def list(self, request: Request) -> Response:
@@ -235,13 +213,8 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if superuser_full_list and request.user.is_superuser:
             return super().list(request)
 
-        only_with_launch_url = str(
-            request.query_params.get("only_with_launch_url", "false")
-        ).lower()
-
         queryset = self._filter_queryset_for_list(self.get_queryset())
-        paginator: Pagination = self.paginator
-        paginated_apps = paginator.paginate_queryset(queryset, request)
+        pagined_apps = self.paginate_queryset(queryset)
 
         if "for_user" in request.query_params:
             try:
@@ -255,29 +228,23 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                     raise ValidationError({"for_user": "User not found"})
             except ValueError as exc:
                 raise ValidationError from exc
-            allowed_applications = self._get_allowed_applications(paginated_apps, user=for_user)
+            allowed_applications = self._get_allowed_applications(pagined_apps, user=for_user)
             serializer = self.get_serializer(allowed_applications, many=True)
             return self.get_paginated_response(serializer.data)
 
         allowed_applications = []
         if not should_cache:
-            allowed_applications = self._get_allowed_applications(paginated_apps)
+            allowed_applications = self._get_allowed_applications(pagined_apps)
         if should_cache:
-            allowed_applications = cache.get(
-                user_app_cache_key(self.request.user.pk, paginator.page.number)
-            )
+            allowed_applications = cache.get(user_app_cache_key(self.request.user.pk))
             if not allowed_applications:
-                LOGGER.debug("Caching allowed application list", page=paginator.page.number)
-                allowed_applications = self._get_allowed_applications(paginated_apps)
+                LOGGER.debug("Caching allowed application list")
+                allowed_applications = self._get_allowed_applications(pagined_apps)
                 cache.set(
-                    user_app_cache_key(self.request.user.pk, paginator.page.number),
+                    user_app_cache_key(self.request.user.pk),
                     allowed_applications,
                     timeout=86400,
                 )
-
-        if only_with_launch_url == "true":
-            allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
-
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 

authentik/core/api/authenticated_sessions.py

@@ -2,15 +2,18 @@
 
 from typing import TypedDict
 
+from django_filters.rest_framework import DjangoFilterBackend
+from guardian.utils import get_anonymous_user
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
+from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
-from rest_framework.serializers import CharField, DateTimeField, IPAddressField
+from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 
+from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR, ASNDict
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR, GeoIPDict
@@ -55,11 +58,6 @@ class UserAgentDict(TypedDict):
 class AuthenticatedSessionSerializer(ModelSerializer):
     """AuthenticatedSession Serializer"""
 
-    expires = DateTimeField(source="session.expires", read_only=True)
-    last_ip = IPAddressField(source="session.last_ip", read_only=True)
-    last_user_agent = CharField(source="session.last_user_agent", read_only=True)
-    last_used = DateTimeField(source="session.last_used", read_only=True)
-
     current = SerializerMethodField()
     user_agent = SerializerMethodField()
     geo_ip = SerializerMethodField()
@@ -68,19 +66,19 @@ class AuthenticatedSessionSerializer(ModelSerializer):
     def get_current(self, instance: AuthenticatedSession) -> bool:
         """Check if session is currently active session"""
         request: Request = self.context["request"]
-        return request._request.session.session_key == instance.session.session_key
+        return request._request.session.session_key == instance.session_key
 
     def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
         """Get parsed user agent"""
-        return user_agent_parser.Parse(instance.session.last_user_agent)
+        return user_agent_parser.Parse(instance.last_user_agent)
 
     def get_geo_ip(self, instance: AuthenticatedSession) -> GeoIPDict | None:  # pragma: no cover
         """Get GeoIP Data"""
-        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.session.last_ip)
+        return GEOIP_CONTEXT_PROCESSOR.city_dict(instance.last_ip)
 
     def get_asn(self, instance: AuthenticatedSession) -> ASNDict | None:  # pragma: no cover
         """Get ASN Data"""
-        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.session.last_ip)
+        return ASN_CONTEXT_PROCESSOR.asn_dict(instance.last_ip)
 
     class Meta:
         model = AuthenticatedSession
@@ -96,7 +94,6 @@ class AuthenticatedSessionSerializer(ModelSerializer):
             "last_used",
             "expires",
         ]
-        extra_args = {"uuid": {"read_only": True}}
 
 
 class AuthenticatedSessionViewSet(
@@ -108,10 +105,16 @@ class AuthenticatedSessionViewSet(
 ):
     """AuthenticatedSession Viewset"""
 
-    lookup_field = "uuid"
-    queryset = AuthenticatedSession.objects.select_related("session").all()
+    queryset = AuthenticatedSession.objects.all()
     serializer_class = AuthenticatedSessionSerializer
-    search_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
-    filterset_fields = ["user__username", "session__last_ip", "session__last_user_agent"]
+    search_fields = ["user__username", "last_ip", "last_user_agent"]
+    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
     ordering = ["user__username"]
-    owner_field = "user"
+    permission_classes = [OwnerSuperuserPermissions]
+    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
+
+    def get_queryset(self):
+        user = self.request.user if self.request else get_anonymous_user()
+        if user.is_superuser:
+            return super().get_queryset()
+        return super().get_queryset().filter(user=user.pk)

authentik/core/api/devices.py

@@ -1,55 +1,30 @@
 """Authenticator Devices API Views"""
 
-from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from guardian.shortcuts import get_objects_for_user
-from rest_framework.fields import (
-    BooleanField,
-    CharField,
-    DateTimeField,
-    SerializerMethodField,
-)
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.fields import BooleanField, CharField, IntegerField, SerializerMethodField
+from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 
 from authentik.core.api.utils import MetaNameSerializer
-from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
-from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 
 
 class DeviceSerializer(MetaNameSerializer):
     """Serializer for Duo authenticator devices"""
 
-    pk = CharField()
+    pk = IntegerField()
     name = CharField()
     type = SerializerMethodField()
     confirmed = BooleanField()
-    created = DateTimeField(read_only=True)
-    last_updated = DateTimeField(read_only=True)
-    last_used = DateTimeField(read_only=True, allow_null=True)
-    extra_description = SerializerMethodField()
 
     def get_type(self, instance: Device) -> str:
         """Get type of device"""
         return instance._meta.label
 
-    def get_extra_description(self, instance: Device) -> str:
-        """Get extra description"""
-        if isinstance(instance, WebAuthnDevice):
-            return (
-                instance.device_type.description
-                if instance.device_type
-                else _("Extra description not available")
-            )
-        if isinstance(instance, EndpointDevice):
-            return instance.data.get("deviceSignals", {}).get("deviceModel")
-        return ""
-
 
 class DeviceViewSet(ViewSet):
     """Viewset for authenticator devices"""
@@ -68,14 +43,12 @@ class AdminDeviceViewSet(ViewSet):
     """Viewset for authenticator devices"""
 
     serializer_class = DeviceSerializer
-    permission_classes = []
+    permission_classes = [IsAdminUser]
 
     def get_devices(self, **kwargs):
         """Get all devices in all child classes"""
         for model in device_classes():
-            device_set = get_objects_for_user(
-                self.request.user, f"{model._meta.app_label}.view_{model._meta.model_name}", model
-            ).filter(**kwargs)
+            device_set = model.objects.filter(**kwargs)
             yield from device_set
 
     @extend_schema(