ci: setup action: remove unused dependencies on poetry install (cherry-pick #12365) (#12371)

ci: setup action: remove unused dependencies on poetry install (#12365)

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.0
+current_version = 2024.10.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/actions/comment-pr-instructions/action.yml

@@ -54,9 +54,10 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            image:
-                repository: ghcr.io/goauthentik/dev-server
-                tag: ${{ inputs.tag }}
+            global:
+                image:
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}
             ```
 
             For arm64, use these values:
@@ -65,9 +66,10 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            image:
-                repository: ghcr.io/goauthentik/dev-server
-                tag: ${{ inputs.tag }}-arm64
+            global:
+                image:
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}-arm64
             ```
 
             Afterwards, run the upgrade commands from the latest release notes.

.github/actions/docker-push-variables/action.yml

@@ -29,9 +29,15 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
+  attestImageNames:
+    description: "Docker image names used for attestation"
+    value: ${{ steps.ev.outputs.attestImageNames }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}
+  imageMainName:
+    description: "Docker image main name"
+    value: ${{ steps.ev.outputs.imageMainName }}
 
 runs:
   using: "composite"

.github/actions/docker-push-variables/push_vars.py

@@ -7,7 +7,7 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
 
-should_build = str(os.environ.get("DOCKER_USERNAME", None) is not None).lower()
+should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
 
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@@ -50,13 +50,25 @@ else:
             f"{name}:gh-{safe_branch_name}-{int(time())}-{sha[:7]}{suffix}",  # Use by FluxCD
         ]
 
-image_main_tag = image_tags[0]
-image_tags_rendered = ",".join(image_tags)
+image_main_tag = image_tags[0].split(":")[-1]
+
+
+def get_attest_image_names(image_with_tags: list[str]):
+    """Attestation only for GHCR"""
+    image_tags = []
+    for image_name in set(name.split(":")[0] for name in image_with_tags):
+        if not image_name.startswith("ghcr.io"):
+            continue
+        image_tags.append(image_name)
+    return ",".join(set(image_tags))
+
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldBuild={should_build}", file=_output)
     print(f"sha={sha}", file=_output)
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)
-    print(f"imageTags={image_tags_rendered}", file=_output)
+    print(f"imageTags={','.join(image_tags)}", file=_output)
+    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
     print(f"imageMainTag={image_main_tag}", file=_output)
+    print(f"imageMainName={image_tags[0]}", file=_output)

.github/actions/setup/action.yml

@@ -14,7 +14,7 @@ runs:
       run: |
         pipx install poetry || true
         sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
     - name: Setup python and restore poetry
       uses: actions/setup-python@v5
       with:
@@ -35,7 +35,7 @@ runs:
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install
+        poetry install --sync
         cd web && npm ci
     - name: Generate config
       shell: poetry run python {0}

.github/dependabot.yml

@@ -21,7 +21,9 @@ updates:
     labels:
       - dependencies
   - package-ecosystem: npm
-    directory: "/web"
+    directories:
+      - "/web"
+      - "/web/sfe"
     schedule:
       interval: daily
       time: "04:00"
@@ -30,7 +32,6 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
-    # TODO: deduplicate these groups
     groups:
       sentry:
         patterns:
@@ -42,9 +43,11 @@ updates:
           - "babel-*"
       eslint:
         patterns:
+          - "@eslint/*"
           - "@typescript-eslint/*"
-          - "eslint"
           - "eslint-*"
+          - "eslint"
+          - "typescript-eslint"
       storybook:
         patterns:
           - "@storybook/*"
@@ -52,42 +55,16 @@ updates:
       esbuild:
         patterns:
           - "@esbuild/*"
+          - "esbuild*"
       rollup:
         patterns:
           - "@rollup/*"
           - "rollup-*"
-  - package-ecosystem: npm
-    directory: "/tests/wdio"
-    schedule:
-      interval: daily
-      time: "04:00"
-    labels:
-      - dependencies
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "web:"
-    # TODO: deduplicate these groups
-    groups:
-      sentry:
+          - "rollup*"
+      swc:
         patterns:
-          - "@sentry/*"
-          - "@spotlightjs/*"
-      babel:
-        patterns:
-          - "@babel/*"
-          - "babel-*"
-      eslint:
-        patterns:
-          - "@typescript-eslint/*"
-          - "eslint"
-          - "eslint-*"
-      storybook:
-        patterns:
-          - "@storybook/*"
-          - "*storybook*"
-      esbuild:
-        patterns:
-          - "@esbuild/*"
+          - "@swc/*"
+          - "swc-*"
       wdio:
         patterns:
           - "@wdio/*"

.github/pull_request_template.md

@@ -1,7 +1,7 @@
 <!--
 👋 Hi there! Welcome.
 
-Please check the Contributing guidelines: https://goauthentik.io/developer-docs/#how-can-i-contribute
+Please check the Contributing guidelines: https://docs.goauthentik.io/docs/developer-docs/#how-can-i-contribute
 -->
 
 ## Details

.github/workflows/api-ts-publish.yml

@@ -31,11 +31,16 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
-        working-directory: web/
+        working-directory: web
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@v6
+      - name: Upgrade /web/packages/sfe
+        working-directory: web/packages/sfe
+        run: |
+          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
+          npm i @goauthentik/api@$VERSION
+      - uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/ci-main.yml

@@ -120,6 +120,12 @@ jobs:
         with:
           flags: unit
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: unit
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   test-integration:
     runs-on: ubuntu-latest
     timeout-minutes: 30
@@ -138,6 +144,12 @@ jobs:
         with:
           flags: integration
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: integration
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   test-e2e:
     name: test-e2e (${{ matrix.job.name }})
     runs-on: ubuntu-latest
@@ -168,7 +180,7 @@ jobs:
         uses: ./.github/actions/setup
       - name: Setup e2e env (chrome, etc)
         run: |
-          docker compose -f tests/e2e/docker-compose.yml up -d
+          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
       - id: cache-web
         uses: actions/cache@v4
         with:
@@ -190,6 +202,12 @@ jobs:
         with:
           flags: e2e
           token: ${{ secrets.CODECOV_TOKEN }}
+      - if: ${{ !cancelled() }}
+        uses: codecov/test-results-action@v1
+        with:
+          flags: e2e
+          file: unittest.xml
+          token: ${{ secrets.CODECOV_TOKEN }}
   ci-core-mark:
     needs:
       - lint
@@ -213,13 +231,16 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -241,6 +262,7 @@ jobs:
         run: make gen-client-ts
       - name: Build Docker Image
         uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           secrets: |
@@ -251,8 +273,15 @@ jobs:
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
           platforms: linux/${{ matrix.arch }}
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   pr-comment:
     needs:
       - build
@@ -274,6 +303,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: ./.github/actions/comment-pr-instructions
         with:
-          tag: gh-${{ steps.ev.outputs.imageMainTag }}
+          tag: ${{ steps.ev.outputs.imageMainTag }}

.github/workflows/ci-outpost.yml

@@ -31,7 +31,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.54.2
+          version: latest
           args: --timeout 5000s --verbose
           skip-cache: true
   test-unittest:
@@ -71,12 +71,15 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -96,6 +99,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: Build Docker Image
+        id: push
         uses: docker/build-push-action@v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
@@ -106,7 +110,14 @@ jobs:
           platforms: linux/amd64,linux/arm64
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache,mode=max
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-binary:
     timeout-minutes: 120
     needs:

.github/workflows/ci-web.yml

@@ -24,20 +24,11 @@ jobs:
           - prettier-check
         project:
           - web
-          - tests/wdio
         include:
+          - command: tsc
+            project: web
           - command: lit-analyse
             project: web
-            extra_setup: |
-              # lit-analyse doesn't understand path rewrites, so make it
-              # belive it's an actual module
-              cd node_modules/@goauthentik
-              ln -s ../../src/ web
-        exclude:
-          - command: lint:lockfile
-            project: tests/wdio
-          - command: tsc
-            project: tests/wdio
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -48,21 +39,12 @@ jobs:
       - working-directory: ${{ matrix.project }}/
         run: |
           npm ci
-          ${{ matrix.extra_setup }}
       - name: Generate API
         run: make gen-client-ts
       - name: Lint
         working-directory: ${{ matrix.project }}/
         run: npm run ${{ matrix.command }}
-  ci-web-mark:
-    needs:
-      - lint
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo mark
   build:
-    needs:
-      - ci-web-mark
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -78,6 +60,13 @@ jobs:
       - name: build
         working-directory: web/
         run: npm run build
+  ci-web-mark:
+    needs:
+      - build
+      - lint
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo mark
   test:
     needs:
       - ci-web-mark
@@ -95,4 +84,4 @@ jobs:
         run: make gen-client-ts
       - name: test
         working-directory: web/
-        run: npm run test
+        run: npm run test || exit 0

.github/workflows/gen-update-webauthn-mds.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - run: poetry run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
         id: cpr
         with:
           token: ${{ steps.generate_token.outputs.token }}

.github/workflows/image-compress.yml

@@ -42,7 +42,7 @@ jobs:
         with:
           githubToken: ${{ steps.generate_token.outputs.token }}
           compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@v6
+      - uses: peter-evans/create-pull-request@v7
         if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
         id: cpr
         with:

.github/workflows/release-publish.yml

@@ -11,10 +11,13 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -41,19 +44,31 @@ jobs:
           mkdir -p ./gen-go-api
       - name: Build Docker Image
         uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           push: true
           secrets: |
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            VERSION=${{ github.ref }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/amd64,linux/arm64
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     strategy:
       fail-fast: false
       matrix:
@@ -68,7 +83,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -95,12 +110,21 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         uses: docker/build-push-action@v6
+        id: push
         with:
           push: true
+          build-args: |
+            VERSION=${{ github.ref }}
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
@@ -178,8 +202,8 @@ jobs:
           image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image
         run: |
-          docker pull ${{ steps.ev.outputs.imageMainTag }}
-          container=$(docker container create ${{ steps.ev.outputs.imageMainTag }})
+          docker pull ${{ steps.ev.outputs.imageMainName }}
+          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
         uses: getsentry/action-release@v1

.github/workflows/release-tag.yml

@@ -18,7 +18,7 @@ jobs:
           echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
           docker buildx install
           mkdir -p ./gen-ts-api
-          docker build -t testing:latest .
+          docker build --no-cache -t testing:latest .
           echo "AUTHENTIK_IMAGE=testing" >> .env
           echo "AUTHENTIK_TAG=latest" >> .env
           docker compose up --no-start

.github/workflows/translation-extract-compile.yml

@@ -32,7 +32,7 @@ jobs:
           poetry run ak compilemessages
           make web-check-compile
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         with:
           token: ${{ steps.generate_token.outputs.token }}
           branch: extract-compile-backend-translation

.vscode/extensions.json

@@ -16,6 +16,6 @@
         "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
     ]
 }

.vscode/launch.json

@@ -22,6 +22,6 @@
             },
             "justMyCode": true,
             "django": true
-        },
+        }
     ]
 }

.vscode/settings.json

@@ -6,6 +6,7 @@
         "authn",
         "entra",
         "goauthentik",
+        "jwe",
         "jwks",
         "kubernetes",
         "oidc",
@@ -18,20 +19,21 @@
         "sso",
         "totp",
         "traefik",
-        "webauthn",
+        "webauthn"
     ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
-        "!Find sequence",
-        "!KeyOf scalar",
-        "!Context scalar",
-        "!Context sequence",
-        "!Format sequence",
         "!Condition sequence",
-        "!Env sequence",
+        "!Context scalar",
+        "!Enumerate sequence",
         "!Env scalar",
-        "!If sequence"
+        "!Find sequence",
+        "!Format sequence",
+        "!If sequence",
+        "!Index scalar",
+        "!KeyOf scalar",
+        "!Value scalar"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",
@@ -48,9 +50,7 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": [
-        "-count=1"
-    ],
+    "go.testFlags": ["-count=1"],
     "github-actions.workflows.pinned.workflows": [
         ".github/workflows/ci-main.yml"
     ]

.vscode/tasks.json

@@ -2,85 +2,67 @@
     "version": "2.0.0",
     "tasks": [
         {
-            "label": "authentik[core]: format & test",
+            "label": "authentik/core: make",
             "command": "poetry",
-            "args": [
-                "run",
-                "make"
-            ],
-            "group": "build",
+            "args": ["run", "make", "lint-fix", "lint"],
+            "presentation": {
+                "panel": "new"
+            },
+            "group": "test"
         },
         {
-            "label": "authentik[core]: run",
+            "label": "authentik/core: run",
             "command": "poetry",
-            "args": [
-                "run",
-                "make",
-                "run",
-            ],
+            "args": ["run", "ak", "server"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
-            "label": "authentik[web]: format",
+            "label": "authentik/web: make",
             "command": "make",
             "args": ["web"],
-            "group": "build",
+            "group": "build"
         },
         {
-            "label": "authentik[web]: watch",
+            "label": "authentik/web: watch",
             "command": "make",
             "args": ["web-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
             "label": "authentik: install",
             "command": "make",
-            "args": ["install"],
-            "group": "build",
+            "args": ["install", "-j4"],
+            "group": "build"
         },
         {
-            "label": "authentik: i18n-extract",
-            "command": "poetry",
-            "args": [
-                "run",
-                "make",
-                "i18n-extract"
-            ],
-            "group": "build",
-        },
-        {
-            "label": "authentik[website]: format",
+            "label": "authentik/website: make",
             "command": "make",
             "args": ["website"],
-            "group": "build",
+            "group": "build"
         },
         {
-            "label": "authentik[website]: watch",
+            "label": "authentik/website: watch",
             "command": "make",
             "args": ["website-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
-            "label": "authentik[api]: generate",
+            "label": "authentik/api: generate",
             "command": "poetry",
-            "args": [
-                "run",
-                "make",
-                "gen"
-            ],
+            "args": ["run", "make", "gen"],
             "group": "build"
-        },
+        }
     ]
 }

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/node:22 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS website-builder
 
 ENV NODE_ENV=production
 
@@ -20,7 +20,7 @@ COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/node:22 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 AS web-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -30,6 +30,7 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
+    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
     --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
@@ -42,7 +43,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -79,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 as geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
@@ -93,7 +94,10 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
+
+ARG TARGETARCH
+ARG TARGETVARIANT
 
 WORKDIR /ak-root/poetry
 
@@ -106,7 +110,7 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa
 RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apt \
     apt-get update && \
     # Required for installing pip packages
-    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev
+    apt-get install -y --no-install-recommends build-essential pkg-config libpq-dev libkrb5-dev
 
 RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
@@ -120,24 +124,24 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     pip install --force-reinstall /wheels/*"
 
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.3-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
 
-ARG GIT_BUILD_HASH
 ARG VERSION
+ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
-LABEL org.opencontainers.image.url https://goauthentik.io
-LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
-LABEL org.opencontainers.image.source https://github.com/goauthentik/authentik
-LABEL org.opencontainers.image.version ${VERSION}
-LABEL org.opencontainers.image.revision ${GIT_BUILD_HASH}
+LABEL org.opencontainers.image.url=https://goauthentik.io
+LABEL org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info."
+LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
+LABEL org.opencontainers.image.version=${VERSION}
+LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
 
 WORKDIR /
 
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
     apt-get clean && \
@@ -157,6 +161,7 @@ COPY ./tests /tests
 COPY ./manage.py /
 COPY ./blueprints /blueprints
 COPY ./lifecycle/ /lifecycle
+COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/

Makefile

@@ -19,14 +19,13 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
-		-S 'website/developer-docs/api/reference/**' \
+		-S 'website/docs/developer-docs/api/reference/**' \
 		authentik \
 		internal \
 		cmd \
 		web/src \
 		website/src \
 		website/blog \
-		website/developer-docs \
 		website/docs \
 		website/integrations \
 		website/src
@@ -43,7 +42,7 @@ help:  ## Show this help
 		sort
 	@echo ""
 
-test-go:
+go-test:
 	go test -timeout 0 -v -race -cover ./...
 
 test-docker:  ## Run all tests in a docker-compose
@@ -210,6 +209,9 @@ web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting is
 web-install:  ## Install the necessary libraries to build the Authentik UI
 	cd web && npm ci
 
+web-test: ## Run tests for the Authentik UI
+	cd web && npm run test
+
 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
 	rm -rf web/dist/
 	mkdir web/dist/

README.md

@@ -15,7 +15,9 @@
 
 ## What is authentik?
 
-authentik is an open-source Identity Provider that emphasizes flexibility and versatility. It can be seamlessly integrated into existing environments to support new protocols. authentik is also a great solution for implementing sign-up, recovery, and other similar features in your application, saving you the hassle of dealing with them.
+authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols.
+
+Our [enterprise offer](https://goauthentik.io/pricing) can also be used as a self-hosted replacement for large-scale deployments of Okta/Auth0, Entra ID, Ping Identity, or other legacy IdPs for employees and B2B2C use.
 
 ## Installation
 
@@ -32,7 +34,7 @@ For bigger setups, there is a Helm Chart [here](https://github.com/goauthentik/h
 
 ## Development
 
-See [Developer Documentation](https://goauthentik.io/developer-docs/?utm_source=github)
+See [Developer Documentation](https://docs.goauthentik.io/docs/developer-docs/?utm_source=github)
 
 ## Security
 

SECURITY.md

@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 (.x being the latest patch release for each version)
 
-| Version  | Supported |
-| -------- | --------- |
-| 2024.4.x | ✅        |
-| 2024.6.x | ✅        |
+| Version   | Supported |
+| --------- | --------- |
+| 2024.8.x  | ✅        |
+| 2024.10.x | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.6.0"
+__version__ = "2024.10.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/system.py

@@ -73,7 +73,7 @@ class SystemInfoSerializer(PassiveSerializer):
             "authentik_version": get_full_version(),
             "environment": get_env(),
             "openssl_fips_enabled": (
-                backend._fips_enabled if LicenseKey.get_total().is_valid() else None
+                backend._fips_enabled if LicenseKey.get_total().status().is_valid else None
             ),
             "openssl_version": OPENSSL_VERSION,
             "platform": platform.platform(),

authentik/admin/api/version.py

@@ -12,6 +12,7 @@ from rest_framework.views import APIView
 from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
+from authentik.outposts.models import Outpost
 
 
 class VersionSerializer(PassiveSerializer):
@@ -22,6 +23,7 @@ class VersionSerializer(PassiveSerializer):
     version_latest_valid = SerializerMethodField()
     build_hash = SerializerMethodField()
     outdated = SerializerMethodField()
+    outpost_outdated = SerializerMethodField()
 
     def get_build_hash(self, _) -> str:
         """Get build hash, if version is not latest or released"""
@@ -47,6 +49,15 @@ class VersionSerializer(PassiveSerializer):
         """Check if we're running the latest version"""
         return parse(self.get_version_current(instance)) < parse(self.get_version_latest(instance))
 
+    def get_outpost_outdated(self, _) -> bool:
+        """Check if any outpost is outdated/has a version mismatch"""
+        any_outdated = False
+        for outpost in Outpost.objects.all():
+            for state in outpost.state:
+                if state.version_outdated:
+                    any_outdated = True
+        return any_outdated
+
 
 class VersionView(APIView):
     """Get running and latest version."""

authentik/admin/api/version_history.py

@@ -0,0 +1,33 @@
+from rest_framework.permissions import IsAdminUser
+from rest_framework.viewsets import ReadOnlyModelViewSet
+
+from authentik.admin.models import VersionHistory
+from authentik.core.api.utils import ModelSerializer
+
+
+class VersionHistorySerializer(ModelSerializer):
+    """VersionHistory Serializer"""
+
+    class Meta:
+        model = VersionHistory
+        fields = [
+            "id",
+            "timestamp",
+            "version",
+            "build",
+        ]
+
+
+class VersionHistoryViewSet(ReadOnlyModelViewSet):
+    """VersionHistory Viewset"""
+
+    queryset = VersionHistory.objects.all()
+    serializer_class = VersionHistorySerializer
+    permission_classes = [IsAdminUser]
+    filterset_fields = [
+        "version",
+        "build",
+    ]
+    search_fields = ["version", "build"]
+    ordering = ["-timestamp"]
+    pagination_class = None

authentik/admin/models.py

@@ -0,0 +1,22 @@
+"""authentik admin models"""
+
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+
+class VersionHistory(models.Model):
+    id = models.BigAutoField(primary_key=True)
+    timestamp = models.DateTimeField()
+    version = models.TextField()
+    build = models.TextField()
+
+    class Meta:
+        managed = False
+        db_table = "authentik_version_history"
+        ordering = ("-timestamp",)
+        verbose_name = _("Version history")
+        verbose_name_plural = _("Version history")
+        default_permissions = []
+
+    def __str__(self):
+        return f"{self.version}.{self.build} ({self.timestamp})"

authentik/admin/tasks.py

@@ -1,10 +1,8 @@
 """authentik admin tasks"""
 
-import re
-
 from django.core.cache import cache
-from django.core.validators import URLValidator
 from django.db import DatabaseError, InternalError, ProgrammingError
+from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
 from structlog.stdlib import get_logger
@@ -21,8 +19,6 @@ LOGGER = get_logger()
 VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
-# Chop of the first ^ because we want to search the entire string
-URL_FINDER = URLValidator.regex.pattern[1:]
 LOCAL_VERSION = parse(__version__)
 
 
@@ -78,10 +74,16 @@ def update_latest_version(self: SystemTask):
                 context__new_version=upstream_version,
             ).exists():
                 return
-            event_dict = {"new_version": upstream_version}
-            if match := re.search(URL_FINDER, data.get("stable", {}).get("changelog", "")):
-                event_dict["message"] = f"Changelog: {match.group()}"
-            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
+            Event.new(
+                EventAction.UPDATE_AVAILABLE,
+                message=_(
+                    "New version {version} available!".format(
+                        version=upstream_version,
+                    )
+                ),
+                new_version=upstream_version,
+                changelog=data.get("stable", {}).get("changelog_url"),
+            ).save()
     except (RequestException, IndexError) as exc:
         cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
         self.set_error(exc)

authentik/admin/tests/test_tasks.py

@@ -17,6 +17,7 @@ RESPONSE_VALID = {
     "stable": {
         "version": "99999999.9999999",
         "changelog": "See https://goauthentik.io/test",
+        "changelog_url": "https://goauthentik.io/test",
         "reason": "bugfix",
     },
 }
@@ -35,7 +36,7 @@ class TestAdminTasks(TestCase):
                 Event.objects.filter(
                     action=EventAction.UPDATE_AVAILABLE,
                     context__new_version="99999999.9999999",
-                    context__message="Changelog: https://goauthentik.io/test",
+                    context__message="New version 99999999.9999999 available!",
                 ).exists()
             )
             # test that a consecutive check doesn't create a duplicate event
@@ -45,7 +46,7 @@ class TestAdminTasks(TestCase):
                     Event.objects.filter(
                         action=EventAction.UPDATE_AVAILABLE,
                         context__new_version="99999999.9999999",
-                        context__message="Changelog: https://goauthentik.io/test",
+                        context__message="New version 99999999.9999999 available!",
                     )
                 ),
                 1,

authentik/admin/urls.py

@@ -6,6 +6,7 @@ from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
+from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.admin.api.workers import WorkerView
 
 api_urlpatterns = [
@@ -17,6 +18,7 @@ api_urlpatterns = [
         name="admin_metrics",
     ),
     path("admin/version/", VersionView.as_view(), name="admin_version"),
+    ("admin/version/history", VersionHistoryViewSet, "version_history"),
     path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
     path("admin/system/", SystemView.as_view(), name="admin_system"),
 ]

authentik/api/templates/api/browser.html

@@ -7,7 +7,7 @@ API Browser - {{ brand.branding_title }}
 {% endblock %}
 
 {% block head %}
-{% versioned_script "dist/standalone/api-browser/index-%v.js" %}
+<script src="{% versioned_script 'dist/standalone/api-browser/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#151515" media="(prefers-color-scheme: dark)">
 {% endblock %}

authentik/blueprints/api.py

@@ -51,9 +51,11 @@ class BlueprintInstanceSerializer(ModelSerializer):
         context = self.instance.context if self.instance else {}
         valid, logs = Importer.from_string(content, context).validate()
         if not valid:
-            text_logs = "\n".join([x["event"] for x in logs])
             raise ValidationError(
-                _("Failed to validate blueprint: {logs}".format_map({"logs": text_logs}))
+                [
+                    _("Failed to validate blueprint"),
+                    *[f"- {x.event}" for x in logs],
+                ]
             )
         return content
 

authentik/blueprints/management/commands/apply_blueprint.py

@@ -23,9 +23,11 @@ class Command(BaseCommand):
                 for blueprint_path in options.get("blueprints", []):
                     content = BlueprintInstance(path=blueprint_path).retrieve()
                     importer = Importer.from_string(content)
-                    valid, _ = importer.validate()
+                    valid, logs = importer.validate()
                     if not valid:
-                        self.stderr.write("blueprint invalid")
+                        self.stderr.write("Blueprint invalid")
+                        for log in logs:
+                            self.stderr.write(f"\t{log.logger}: {log.event}: {log.attributes}")
                         sys_exit(1)
                     importer.apply()
 

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -113,16 +113,19 @@ class Command(BaseCommand):
             )
             model_path = f"{model._meta.app_label}.{model._meta.model_name}"
             self.schema["properties"]["entries"]["items"]["oneOf"].append(
-                self.template_entry(model_path, serializer)
+                self.template_entry(model_path, model, serializer)
             )
 
-    def template_entry(self, model_path: str, serializer: Serializer) -> dict:
+    def template_entry(self, model_path: str, model: type[Model], serializer: Serializer) -> dict:
         """Template entry for a single model"""
         model_schema = self.to_jsonschema(serializer)
         model_schema["required"] = []
         def_name = f"model_{model_path}"
         def_path = f"#/$defs/{def_name}"
         self.schema["$defs"][def_name] = model_schema
+        def_name_perm = f"model_{model_path}_permissions"
+        def_path_perm = f"#/$defs/{def_name_perm}"
+        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
         return {
             "type": "object",
             "required": ["model", "identifiers"],
@@ -135,6 +138,7 @@ class Command(BaseCommand):
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},
+                "permissions": {"$ref": def_path_perm},
                 "attrs": {"$ref": def_path},
                 "identifiers": {"$ref": def_path},
             },
@@ -185,3 +189,20 @@ class Command(BaseCommand):
         if required:
             result["required"] = required
         return result
+
+    def model_permissions(self, model: type[Model]) -> dict:
+        perms = [x[0] for x in model._meta.permissions]
+        for action in model._meta.default_permissions:
+            perms.append(f"{action}_{model._meta.model_name}")
+        return {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": ["permission"],
+                "properties": {
+                    "permission": {"type": "string", "enum": perms},
+                    "user": {"type": "integer"},
+                    "role": {"type": "string"},
+                },
+            },
+        }

authentik/blueprints/migrations/0001_initial.py

@@ -29,9 +29,7 @@ def check_blueprint_v1_file(BlueprintInstance: type, db_alias, path: Path):
         if version != 1:
             return
         blueprint_file.seek(0)
-    instance: BlueprintInstance = (
-        BlueprintInstance.objects.using(db_alias).filter(path=path).first()
-    )
+    instance = BlueprintInstance.objects.using(db_alias).filter(path=path).first()
     rel_path = path.relative_to(Path(CONFIG.get("blueprints_dir")))
     meta = None
     if metadata:

authentik/blueprints/tests/fixtures/rbac_object.yaml

@@ -0,0 +1,24 @@
+version: 1
+entries:
+  - model: authentik_core.user
+    id: user
+    identifiers:
+      username: "%(id)s"
+    attrs:
+      name: "%(id)s"
+  - model: authentik_rbac.role
+    id: role
+    identifiers:
+      name: "%(id)s"
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "%(id)s"
+    attrs:
+      designation: authentication
+      name: foo
+      title: foo
+    permissions:
+      - permission: view_flow
+        user: !KeyOf user
+      - permission: view_flow
+        role: !KeyOf role

authentik/blueprints/tests/fixtures/rbac_role.yaml

@@ -0,0 +1,8 @@
+version: 1
+entries:
+  - model: authentik_rbac.role
+    identifiers:
+      name: "%(id)s"
+    attrs:
+      permissions:
+        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/fixtures/rbac_user.yaml

@@ -0,0 +1,9 @@
+version: 1
+entries:
+  - model: authentik_core.user
+    identifiers:
+      username: "%(id)s"
+    attrs:
+      name: "%(id)s"
+      permissions:
+        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/test_packaged.py

@@ -27,7 +27,8 @@ def blueprint_tester(file_name: Path) -> Callable:
         base = Path("blueprints/")
         rel_path = Path(file_name).relative_to(base)
         importer = Importer.from_string(BlueprintInstance(path=str(rel_path)).retrieve())
-        self.assertTrue(importer.validate()[0])
+        validation, logs = importer.validate()
+        self.assertTrue(validation, logs)
         self.assertTrue(importer.apply())
 
     return tester

authentik/blueprints/tests/test_v1_api.py

@@ -78,5 +78,5 @@ class TestBlueprintsV1API(APITestCase):
         self.assertEqual(res.status_code, 400)
         self.assertJSONEqual(
             res.content.decode(),
-            {"content": ["Failed to validate blueprint: Invalid blueprint version"]},
+            {"content": ["Failed to validate blueprint", "- Invalid blueprint version"]},
         )

authentik/blueprints/tests/test_v1_rbac.py

@@ -0,0 +1,57 @@
+"""Test blueprints v1"""
+
+from django.test import TransactionTestCase
+from guardian.shortcuts import get_perms
+
+from authentik.blueprints.v1.importer import Importer
+from authentik.core.models import User
+from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
+from authentik.rbac.models import Role
+
+
+class TestBlueprintsV1RBAC(TransactionTestCase):
+    """Test Blueprints rbac attribute"""
+
+    def test_user_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_user.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        user = User.objects.filter(username=uid).first()
+        self.assertIsNotNone(user)
+        self.assertTrue(user.has_perms(["authentik_blueprints.view_blueprintinstance"]))
+
+    def test_role_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_role.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        role = Role.objects.filter(name=uid).first()
+        self.assertIsNotNone(role)
+        self.assertEqual(
+            list(role.group.permissions.all().values_list("codename", flat=True)),
+            ["view_blueprintinstance"],
+        )
+
+    def test_object_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_object.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        flow = Flow.objects.filter(slug=uid).first()
+        user = User.objects.filter(username=uid).first()
+        role = Role.objects.filter(name=uid).first()
+        self.assertIsNotNone(flow)
+        self.assertEqual(get_perms(user, flow), ["view_flow"])
+        self.assertEqual(get_perms(role.group, flow), ["view_flow"])

authentik/blueprints/v1/common.py

@@ -1,7 +1,7 @@
 """transfer common classes"""
 
 from collections import OrderedDict
-from collections.abc import Iterable, Mapping
+from collections.abc import Generator, Iterable, Mapping
 from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
@@ -58,6 +58,15 @@ class BlueprintEntryDesiredState(Enum):
     MUST_CREATED = "must_created"
 
 
+@dataclass
+class BlueprintEntryPermission:
+    """Describe object-level permissions"""
+
+    permission: Union[str, "YAMLTag"]
+    user: Union[int, "YAMLTag", None] = field(default=None)
+    role: Union[str, "YAMLTag", None] = field(default=None)
+
+
 @dataclass
 class BlueprintEntry:
     """Single entry of a blueprint"""
@@ -69,6 +78,7 @@ class BlueprintEntry:
     conditions: list[Any] = field(default_factory=list)
     identifiers: dict[str, Any] = field(default_factory=dict)
     attrs: dict[str, Any] | None = field(default_factory=dict)
+    permissions: list[BlueprintEntryPermission] = field(default_factory=list)
 
     id: str | None = None
 
@@ -150,6 +160,17 @@ class BlueprintEntry:
         """Get the blueprint model, with yaml tags resolved if present"""
         return str(self.tag_resolver(self.model, blueprint))
 
+    def get_permissions(
+        self, blueprint: "Blueprint"
+    ) -> Generator[BlueprintEntryPermission, None, None]:
+        """Get permissions of this entry, with all yaml tags resolved"""
+        for perm in self.permissions:
+            yield BlueprintEntryPermission(
+                permission=self.tag_resolver(perm.permission, blueprint),
+                user=self.tag_resolver(perm.user, blueprint),
+                role=self.tag_resolver(perm.role, blueprint),
+            )
+
     def check_all_conditions_match(self, blueprint: "Blueprint") -> bool:
         """Check all conditions of this entry match (evaluate to True)"""
         return all(self.tag_resolver(self.conditions, blueprint))
@@ -307,7 +328,10 @@ class Find(YAMLTag):
         else:
             model_name = self.model_name
 
-        model_class = apps.get_model(*model_name.split("."))
+        try:
+            model_class = apps.get_model(*model_name.split("."))
+        except LookupError as exc:
+            raise EntryInvalidError.from_entry(exc, entry) from exc
 
         query = Q()
         for cond in self.conditions:

authentik/blueprints/v1/importer.py

@@ -16,6 +16,7 @@ from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from guardian.models import UserObjectPermission
+from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
 from structlog.stdlib import BoundLogger, get_logger
@@ -32,9 +33,11 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
 from authentik.core.models import (
     AuthenticatedSession,
+    GroupSourceConnection,
     PropertyMapping,
     Provider,
     Source,
+    User,
     UserSourceConnection,
 )
 from authentik.enterprise.license import LicenseKey
@@ -48,23 +51,29 @@ from authentik.enterprise.providers.microsoft_entra.models import (
     MicrosoftEntraProviderUser,
 )
 from authentik.enterprise.providers.rac.models import ConnectionToken
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
+    EndpointDevice,
+    EndpointDeviceConnection,
+)
 from authentik.events.logs import LogEvent, capture_logs
 from authentik.events.models import SystemTask
 from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
+from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
+from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
 
 # Context set when the serializer is created in a blueprint context
-# Update website/developer-docs/blueprints/v1/models.md when used
+# Update website/docs/customize/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
 
 
@@ -87,6 +96,7 @@ def excluded_models() -> list[type[Model]]:
         Source,
         PropertyMapping,
         UserSourceConnection,
+        GroupSourceConnection,
         Stage,
         OutpostServiceConnection,
         Policy,
@@ -113,6 +123,8 @@ def excluded_models() -> list[type[Model]]:
         GoogleWorkspaceProviderGroup,
         MicrosoftEntraProviderUser,
         MicrosoftEntraProviderGroup,
+        EndpointDevice,
+        EndpointDeviceConnection,
     )
 
 
@@ -136,6 +148,16 @@ def transaction_rollback():
         pass
 
 
+def rbac_models() -> dict:
+    models = {}
+    for app in get_apps():
+        for model in app.get_models():
+            if not is_model_allowed(model):
+                continue
+            models[model._meta.model_name] = app.label
+    return models
+
+
 class Importer:
     """Import Blueprint from raw dict or YAML/JSON"""
 
@@ -154,7 +176,10 @@ class Importer:
 
     def default_context(self):
         """Default context"""
-        return {"goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid()}
+        return {
+            "goauthentik.io/enterprise/licensed": LicenseKey.get_total().status().is_valid,
+            "goauthentik.io/rbac/models": rbac_models(),
+        }
 
     @staticmethod
     def from_string(yaml_input: str, context: dict | None = None) -> "Importer":
@@ -214,14 +239,17 @@ class Importer:
 
         return main_query | sub_query
 
-    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:
+    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:  # noqa: PLR0915
         """Validate a single entry"""
         if not entry.check_all_conditions_match(self._import):
             self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
             return None
 
         model_app_label, model_name = entry.get_model(self._import).split(".")
-        model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
+        try:
+            model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
+        except LookupError as exc:
+            raise EntryInvalidError.from_entry(exc, entry) from exc
         # Don't use isinstance since we don't want to check for inheritance
         if not is_model_allowed(model):
             raise EntryInvalidError.from_entry(f"Model {model} not allowed", entry)
@@ -296,10 +324,7 @@ class Importer:
         try:
             full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
-            raise EntryInvalidError.from_entry(
-                exc,
-                entry,
-            ) from exc
+            raise EntryInvalidError.from_entry(exc, entry) from exc
         always_merger.merge(full_data, updated_identifiers)
         serializer_kwargs["data"] = full_data
 
@@ -320,6 +345,15 @@ class Importer:
             ) from exc
         return serializer
 
+    def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
+        """Apply object-level permissions for an entry"""
+        for perm in entry.get_permissions(self._import):
+            if perm.user is not None:
+                assign_perm(perm.permission, User.objects.get(pk=perm.user), instance)
+            if perm.role is not None:
+                role = Role.objects.get(pk=perm.role)
+                role.assign_permission(perm.permission, obj=instance)
+
     def apply(self) -> bool:
         """Apply (create/update) models yaml, in database transaction"""
         try:
@@ -384,6 +418,7 @@ class Importer:
                 if "pk" in entry.identifiers:
                     self.__pk_map[entry.identifiers["pk"]] = instance.pk
                 entry._state = BlueprintEntryState(instance)
+                self._apply_permissions(instance, entry)
             elif state == BlueprintEntryDesiredState.ABSENT:
                 instance: Model | None = serializer.instance
                 if instance.pk:
@@ -400,7 +435,7 @@ class Importer:
         orig_import = deepcopy(self._import)
         if self._import.version != 1:
             self.logger.warning("Invalid blueprint version")
-            return False, [{"event": "Invalid blueprint version"}]
+            return False, [LogEvent("Invalid blueprint version", log_level="warning", logger=None)]
         with (
             transaction_rollback(),
             capture_logs() as logs,

authentik/brands/api.py

@@ -24,7 +24,7 @@ from authentik.tenants.utils import get_current_tenant
 class FooterLinkSerializer(PassiveSerializer):
     """Links returned in Config API"""
 
-    href = CharField(read_only=True)
+    href = CharField(read_only=True, allow_null=True)
     name = CharField(read_only=True)
 
 
@@ -55,6 +55,7 @@ class BrandSerializer(ModelSerializer):
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
+            "default_application",
             "web_certificate",
             "attributes",
         ]

authentik/brands/apps.py

@@ -9,3 +9,6 @@ class AuthentikBrandsConfig(AppConfig):
     name = "authentik.brands"
     label = "authentik_brands"
     verbose_name = "authentik Brands"
+    mountpoints = {
+        "authentik.brands.urls_root": "",
+    }

authentik/brands/middleware.py

@@ -4,7 +4,7 @@ from collections.abc import Callable
 
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
-from django.utils.translation import activate
+from django.utils.translation import override
 
 from authentik.brands.utils import get_brand_for_request
 
@@ -18,10 +18,12 @@ class BrandMiddleware:
         self.get_response = get_response
 
     def __call__(self, request: HttpRequest) -> HttpResponse:
+        locale_to_set = None
         if not hasattr(request, "brand"):
             brand = get_brand_for_request(request)
             request.brand = brand
             locale = brand.default_locale
             if locale != "":
-                activate(locale)
-        return self.get_response(request)
+                locale_to_set = locale
+        with override(locale_to_set):
+            return self.get_response(request)

authentik/brands/migrations/0007_brand_default_application.py

@@ -0,0 +1,26 @@
+# Generated by Django 5.0.6 on 2024-07-04 20:32
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_brands", "0006_brand_authentik_b_domain_b9b24a_idx_and_more"),
+        ("authentik_core", "0035_alter_group_options_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="brand",
+            name="default_application",
+            field=models.ForeignKey(
+                default=None,
+                help_text="When set, external users will be redirected to this application after authenticating.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.application",
+            ),
+        ),
+    ]

authentik/brands/models.py

@@ -3,6 +3,7 @@
 from uuid import uuid4
 
 from django.db import models
+from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
@@ -51,6 +52,16 @@ class Brand(SerializerModel):
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
     )
 
+    default_application = models.ForeignKey(
+        "authentik_core.Application",
+        null=True,
+        default=None,
+        on_delete=models.SET_DEFAULT,
+        help_text=_(
+            "When set, external users will be redirected to this application after authenticating."
+        ),
+    )
+
     web_certificate = models.ForeignKey(
         CertificateKeyPair,
         null=True,
@@ -88,3 +99,13 @@ class Brand(SerializerModel):
             models.Index(fields=["domain"]),
             models.Index(fields=["default"]),
         ]
+
+
+class WebfingerProvider(models.Model):
+    """Provider which supports webfinger discovery"""
+
+    class Meta:
+        abstract = True
+
+    def webfinger(self, resource: str, request: HttpRequest) -> dict:
+        raise NotImplementedError()

authentik/brands/tests.py

@@ -5,7 +5,11 @@ from rest_framework.test import APITestCase
 
 from authentik.brands.api import Themes
 from authentik.brands.models import Brand
+from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.saml.models import SAMLProvider
 
 
 class TestBrands(APITestCase):
@@ -75,3 +79,45 @@ class TestBrands(APITestCase):
             reverse("authentik_api:brand-list"), data={"domain": "bar", "default": True}
         )
         self.assertEqual(response.status_code, 400)
+
+    def test_webfinger_no_app(self):
+        """Test Webfinger"""
+        create_test_brand()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
+        )
+
+    def test_webfinger_not_supported(self):
+        """Test Webfinger"""
+        brand = create_test_brand()
+        provider = SAMLProvider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        brand.default_application = app
+        brand.save()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
+        )
+
+    def test_webfinger_oidc(self):
+        """Test Webfinger"""
+        brand = create_test_brand()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        brand.default_application = app
+        brand.save()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(),
+            {
+                "links": [
+                    {
+                        "href": f"http://testserver/application/o/{app.slug}/",
+                        "rel": "http://openid.net/specs/connect/1.0/issuer",
+                    }
+                ],
+                "subject": None,
+            },
+        )

authentik/brands/urls_root.py

@@ -0,0 +1,9 @@
+"""authentik brand root URLs"""
+
+from django.urls import path
+
+from authentik.brands.views.webfinger import WebFingerView
+
+urlpatterns = [
+    path(".well-known/webfinger", WebFingerView.as_view(), name="webfinger"),
+]

authentik/brands/utils.py

@@ -5,7 +5,7 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from sentry_sdk.hub import Hub
+from sentry_sdk import get_current_span
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
@@ -33,7 +33,7 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
     brand = getattr(request, "brand", DEFAULT_BRAND)
     tenant = getattr(request, "tenant", Tenant())
     trace = ""
-    span = Hub.current.scope.span
+    span = get_current_span()
     if span:
         trace = span.to_traceparent()
     return {

authentik/brands/views/webfinger.py

@@ -0,0 +1,29 @@
+from typing import Any
+
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.views import View
+
+from authentik.brands.models import Brand, WebfingerProvider
+from authentik.core.models import Application
+
+
+class WebFingerView(View):
+    """Webfinger endpoint"""
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        brand: Brand = request.brand
+        if not brand.default_application:
+            return JsonResponse({})
+        application: Application = brand.default_application
+        provider = application.get_provider()
+        if not provider or not isinstance(provider, WebfingerProvider):
+            return JsonResponse({})
+        webfinger_data = provider.webfinger(request.GET.get("resource"), request)
+        return JsonResponse(webfinger_data)
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        response = super().dispatch(request, *args, **kwargs)
+        # RFC7033 spec
+        response["Access-Control-Allow-Origin"] = "*"
+        response["Content-Type"] = "application/jrd+json"
+        return response

authentik/core/api/applications.py

@@ -103,7 +103,12 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
     """Application Viewset"""
 
-    queryset = Application.objects.all().prefetch_related("provider").prefetch_related("policies")
+    queryset = (
+        Application.objects.all()
+        .with_provider()
+        .prefetch_related("policies")
+        .prefetch_related("backchannel_providers")
+    )
     serializer_class = ApplicationSerializer
     search_fields = [
         "name",
@@ -147,6 +152,15 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 applications.append(application)
         return applications
 
+    def _filter_applications_with_launch_url(
+        self, pagined_apps: Iterator[Application]
+    ) -> list[Application]:
+        applications = []
+        for app in pagined_apps:
+            if app.get_launch_url():
+                applications.append(app)
+        return applications
+
     @extend_schema(
         parameters=[
             OpenApiParameter(
@@ -204,6 +218,11 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.INT,
             ),
+            OpenApiParameter(
+                name="only_with_launch_url",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+            ),
         ]
     )
     def list(self, request: Request) -> Response:
@@ -216,6 +235,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if superuser_full_list and request.user.is_superuser:
             return super().list(request)
 
+        only_with_launch_url = str(
+            request.query_params.get("only_with_launch_url", "false")
+        ).lower()
+
         queryset = self._filter_queryset_for_list(self.get_queryset())
         paginator: Pagination = self.paginator
         paginated_apps = paginator.paginate_queryset(queryset, request)
@@ -251,6 +274,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                     allowed_applications,
                     timeout=86400,
                 )
+
+        if only_with_launch_url == "true":
+            allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
+
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 

authentik/core/api/devices.py

@@ -1,30 +1,55 @@
 """Authenticator Devices API Views"""
 
+from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from rest_framework.fields import BooleanField, CharField, IntegerField, SerializerMethodField
-from rest_framework.permissions import IsAdminUser, IsAuthenticated
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    DateTimeField,
+    SerializerMethodField,
+)
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 
 from authentik.core.api.utils import MetaNameSerializer
+from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
+from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
+from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 
 
 class DeviceSerializer(MetaNameSerializer):
     """Serializer for Duo authenticator devices"""
 
-    pk = IntegerField()
+    pk = CharField()
     name = CharField()
     type = SerializerMethodField()
     confirmed = BooleanField()
+    created = DateTimeField(read_only=True)
+    last_updated = DateTimeField(read_only=True)
+    last_used = DateTimeField(read_only=True, allow_null=True)
+    extra_description = SerializerMethodField()
 
     def get_type(self, instance: Device) -> str:
         """Get type of device"""
         return instance._meta.label
 
+    def get_extra_description(self, instance: Device) -> str:
+        """Get extra description"""
+        if isinstance(instance, WebAuthnDevice):
+            return (
+                instance.device_type.description
+                if instance.device_type
+                else _("Extra description not available")
+            )
+        if isinstance(instance, EndpointDevice):
+            return instance.data.get("deviceSignals", {}).get("deviceModel")
+        return ""
+
 
 class DeviceViewSet(ViewSet):
     """Viewset for authenticator devices"""
@@ -43,7 +68,7 @@ class AdminDeviceViewSet(ViewSet):
     """Viewset for authenticator devices"""
 
     serializer_class = DeviceSerializer
-    permission_classes = [IsAdminUser]
+    permission_classes = []
 
     def get_devices(self, **kwargs):
         """Get all devices in all child classes"""
@@ -61,6 +86,10 @@ class AdminDeviceViewSet(ViewSet):
         ],
         responses={200: DeviceSerializer(many=True)},
     )
+    @permission_required(
+        None,
+        [f"{model._meta.app_label}.view_{model._meta.model_name}" for model in device_classes()],
+    )
     def list(self, request: Request) -> Response:
         """Get all devices for current user"""
         kwargs = {}

authentik/core/api/property_mappings.py

@@ -2,8 +2,15 @@
 
 from json import dumps
 
+from django_filters.filters import AllValuesMultipleFilter, BooleanFilter
+from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiResponse,
+    extend_schema,
+    extend_schema_field,
+)
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
@@ -23,8 +30,10 @@ from authentik.core.api.utils import (
     PassiveSerializer,
 )
 from authentik.core.expression.evaluator import PropertyMappingEvaluator
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
 from authentik.core.models import Group, PropertyMapping, User
 from authentik.events.utils import sanitize_item
+from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.api.exec import PolicyTestSerializer
 from authentik.rbac.decorators import permission_required
 
@@ -67,6 +76,18 @@ class PropertyMappingSerializer(ManagedSerializer, ModelSerializer, MetaNameSeri
         ]
 
 
+class PropertyMappingFilterSet(FilterSet):
+    """Filter for PropertyMapping"""
+
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
+
+    managed__isnull = BooleanFilter(field_name="managed", lookup_expr="isnull")
+
+    class Meta:
+        model = PropertyMapping
+        fields = ["name", "managed"]
+
+
 class PropertyMappingViewSet(
     TypesMixin,
     mixins.RetrieveModelMixin,
@@ -87,11 +108,9 @@ class PropertyMappingViewSet(
 
     queryset = PropertyMapping.objects.select_subclasses()
     serializer_class = PropertyMappingSerializer
-    search_fields = [
-        "name",
-    ]
-    filterset_fields = {"managed": ["isnull"]}
+    filterset_class = PropertyMappingFilterSet
     ordering = ["name"]
+    search_fields = ["name"]
 
     @permission_required("authentik_core.view_propertymapping")
     @extend_schema(
@@ -145,12 +164,15 @@ class PropertyMappingViewSet(
 
         response_data = {"successful": True, "result": ""}
         try:
-            result = mapping.evaluate(**context)
+            result = mapping.evaluate(dry_run=True, **context)
             response_data["result"] = dumps(
                 sanitize_item(result), indent=(4 if format_result else None)
             )
+        except PropertyMappingExpressionException as exc:
+            response_data["result"] = exception_to_string(exc.exc)
+            response_data["successful"] = False
         except Exception as exc:
-            response_data["result"] = str(exc)
+            response_data["result"] = exception_to_string(exc)
             response_data["successful"] = False
         response = PropertyMappingTestResultSerializer(response_data)
         return Response(response.data)

authentik/core/api/providers.py

@@ -38,6 +38,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
             "name",
             "authentication_flow",
             "authorization_flow",
+            "invalidation_flow",
             "property_mappings",
             "component",
             "assigned_application_slug",
@@ -50,6 +51,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
         ]
         extra_kwargs = {
             "authorization_flow": {"required": True, "allow_null": False},
+            "invalidation_flow": {"required": True, "allow_null": False},
         }
 
 

authentik/core/api/sources.py

@@ -19,7 +19,7 @@ from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
-from authentik.core.models import Source, UserSourceConnection
+from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.file import (
     FilePathSerializer,
@@ -60,6 +60,8 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
             "enabled",
             "authentication_flow",
             "enrollment_flow",
+            "user_property_mappings",
+            "group_property_mappings",
             "component",
             "verbose_name",
             "verbose_name_plural",
@@ -188,6 +190,47 @@ class UserSourceConnectionViewSet(
     queryset = UserSourceConnection.objects.all()
     serializer_class = UserSourceConnectionSerializer
     permission_classes = [OwnerSuperuserPermissions]
-    filterset_fields = ["user"]
+    filterset_fields = ["user", "source__slug"]
+    search_fields = ["source__slug"]
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
-    ordering = ["pk"]
+    ordering = ["source__slug", "pk"]
+
+
+class GroupSourceConnectionSerializer(SourceSerializer):
+    """Group Source Connection Serializer"""
+
+    source = SourceSerializer(read_only=True)
+
+    class Meta:
+        model = GroupSourceConnection
+        fields = [
+            "pk",
+            "group",
+            "source",
+            "identifier",
+            "created",
+        ]
+        extra_kwargs = {
+            "group": {"read_only": True},
+            "identifier": {"read_only": True},
+            "created": {"read_only": True},
+        }
+
+
+class GroupSourceConnectionViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.UpdateModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """Group-source connection Viewset"""
+
+    queryset = GroupSourceConnection.objects.all()
+    serializer_class = GroupSourceConnectionSerializer
+    permission_classes = [OwnerSuperuserPermissions]
+    filterset_fields = ["group", "source__slug"]
+    search_fields = ["source__slug"]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    ordering = ["source__slug", "pk"]

authentik/core/api/used_by.py

@@ -14,6 +14,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 
 from authentik.core.api.utils import PassiveSerializer
+from authentik.rbac.filters import ObjectFilter
 
 
 class DeleteAction(Enum):
@@ -53,7 +54,7 @@ class UsedByMixin:
     @extend_schema(
         responses={200: UsedBySerializer(many=True)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
     def used_by(self, request: Request, *args, **kwargs) -> Response:
         """Get a list of all objects that use this object"""
         model: Model = self.get_object()

authentik/core/api/users.py

@@ -5,6 +5,7 @@ from json import loads
 from typing import Any
 
 from django.contrib.auth import update_session_auth_hash
+from django.contrib.auth.models import Permission
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.db.models.functions import ExtractHour
@@ -33,15 +34,21 @@ from drf_spectacular.utils import (
 )
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, IntegerField, ListField, SerializerMethodField
+from rest_framework.exceptions import ValidationError
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    ChoiceField,
+    DateTimeField,
+    IntegerField,
+    ListField,
+    SerializerMethodField,
+)
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
-    BooleanField,
-    DateTimeField,
     ListSerializer,
     PrimaryKeyRelatedField,
-    ValidationError,
 )
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
@@ -78,6 +85,7 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
+from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -141,12 +149,19 @@ class UserSerializer(ModelSerializer):
         super().__init__(*args, **kwargs)
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
             self.fields["password"] = CharField(required=False, allow_null=True)
+            self.fields["permissions"] = ListField(
+                required=False, child=ChoiceField(choices=get_permission_choices())
+            )
 
     def create(self, validated_data: dict) -> User:
         """If this serializer is used in the blueprint context, we allow for
         directly setting a password. However should be done via the `set_password`
         method instead of directly setting it like rest_framework."""
         password = validated_data.pop("password", None)
+        permissions = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        )
+        validated_data["user_permissions"] = permissions
         instance: User = super().create(validated_data)
         self._set_password(instance, password)
         return instance
@@ -155,6 +170,10 @@ class UserSerializer(ModelSerializer):
         """Same as `create` above, set the password directly if we're in a blueprint
         context"""
         password = validated_data.pop("password", None)
+        permissions = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        )
+        validated_data["user_permissions"] = permissions
         instance = super().update(instance, validated_data)
         self._set_password(instance, password)
         return instance
@@ -659,10 +678,13 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         if not request.tenant.impersonation:
             LOGGER.debug("User attempted to impersonate", user=request.user)
             return Response(status=401)
-        if not request.user.has_perm("impersonate"):
+        user_to_be = self.get_object()
+        # Check both object-level perms and global perms
+        if not request.user.has_perm(
+            "authentik_core.impersonate", user_to_be
+        ) and not request.user.has_perm("authentik_core.impersonate"):
             LOGGER.debug("User attempted to impersonate without permissions", user=request.user)
             return Response(status=401)
-        user_to_be = self.get_object()
         if user_to_be.pk == self.request.user.pk:
             LOGGER.debug("User attempted to impersonate themselves", user=request.user)
             return Response(status=401)

authentik/core/management/commands/change_user_type.py

@@ -0,0 +1,32 @@
+"""Change user type"""
+
+from authentik.core.models import User, UserTypes
+from authentik.tenants.management import TenantCommand
+
+
+class Command(TenantCommand):
+    """Change user type"""
+
+    def add_arguments(self, parser):
+        parser.add_argument("--type", type=str, required=True)
+        parser.add_argument("--all", action="store_true", default=False)
+        parser.add_argument("usernames", nargs="*", type=str)
+
+    def handle_per_tenant(self, **options):
+        print(options)
+        new_type = UserTypes(options["type"])
+        qs = (
+            User.objects.exclude_anonymous()
+            .exclude(type=UserTypes.SERVICE_ACCOUNT)
+            .exclude(type=UserTypes.INTERNAL_SERVICE_ACCOUNT)
+        )
+        if options["usernames"] and options["all"]:
+            self.stderr.write("--all and usernames specified, only one can be specified")
+            return
+        if not options["usernames"] and not options["all"]:
+            self.stderr.write("--all or usernames must be specified")
+            return
+        if options["usernames"] and not options["all"]:
+            qs = qs.filter(username__in=options["usernames"])
+        updated = qs.update(type=new_type)
+        self.stdout.write(f"Updated {updated} users.")

authentik/core/management/commands/shell.py

@@ -4,6 +4,7 @@ import code
 import platform
 import sys
 import traceback
+from pprint import pprint
 
 from django.apps import apps
 from django.core.management.base import BaseCommand
@@ -34,7 +35,9 @@ class Command(BaseCommand):
 
     def get_namespace(self):
         """Prepare namespace with all models"""
-        namespace = {}
+        namespace = {
+            "pprint": pprint,
+        }
 
         # Gather Django models and constants from each app
         for app in apps.get_app_configs():

authentik/core/middleware.py

@@ -5,7 +5,7 @@ from contextvars import ContextVar
 from uuid import uuid4
 
 from django.http import HttpRequest, HttpResponse
-from django.utils.translation import activate
+from django.utils.translation import override
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
 
@@ -31,17 +31,19 @@ class ImpersonateMiddleware:
     def __call__(self, request: HttpRequest) -> HttpResponse:
         # No permission checks are done here, they need to be checked before
         # SESSION_KEY_IMPERSONATE_USER is set.
+        locale_to_set = None
         if request.user.is_authenticated:
             locale = request.user.locale(request)
             if locale != "":
-                activate(locale)
+                locale_to_set = locale
 
         if SESSION_KEY_IMPERSONATE_USER in request.session:
             request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
             # Ensure that the user is active, otherwise nothing will work
             request.user.is_active = True
 
-        return self.get_response(request)
+        with override(locale_to_set):
+            return self.get_response(request)
 
 
 class RequestIDMiddleware:

authentik/core/migrations/0029_provider_backchannel_applications_and_more.py

@@ -7,12 +7,13 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
 def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
     from authentik.providers.ldap.models import LDAPProvider
     from authentik.providers.scim.models import SCIMProvider
 
     for model in [LDAPProvider, SCIMProvider]:
         try:
-            for obj in model.objects.only("is_backchannel"):
+            for obj in model.objects.using(db_alias).only("is_backchannel"):
                 obj.is_backchannel = True
                 obj.save()
         except (DatabaseError, InternalError, ProgrammingError):

authentik/core/migrations/0036_source_group_property_mappings_and_more.py

@@ -0,0 +1,43 @@
+# Generated by Django 5.0.2 on 2024-02-29 11:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0035_alter_group_options_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="group_property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_grouppropertymappings_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+        migrations.AddField(
+            model_name="source",
+            name="user_property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_userpropertymappings_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="source",
+            name="property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+    ]

authentik/core/migrations/0037_remove_source_property_mappings.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.0.2 on 2024-02-29 11:21
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_ldap", "0005_remove_ldappropertymapping_object_field_and_more"),
+        ("authentik_core", "0036_source_group_property_mappings_and_more"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="source",
+            name="property_mappings",
+        ),
+    ]

authentik/core/migrations/0038_source_authentik_c_enabled_d72365_idx.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.0.7 on 2024-07-22 13:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0037_remove_source_property_mappings"),
+        ("authentik_flows", "0027_auto_20231028_1424"),
+        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="source",
+            index=models.Index(fields=["enabled"], name="authentik_c_enabled_d72365_idx"),
+        ),
+    ]

authentik/core/migrations/0039_source_group_matching_mode_alter_group_name_and_more.py

@@ -0,0 +1,67 @@
+# Generated by Django 5.0.7 on 2024-08-01 18:52
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0038_source_authentik_c_enabled_d72365_idx"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="group_matching_mode",
+            field=models.TextField(
+                choices=[
+                    ("identifier", "Use the source-specific identifier"),
+                    (
+                        "name_link",
+                        "Link to a group with identical name. Can have security implications when a group name is used with another source.",
+                    ),
+                    (
+                        "name_deny",
+                        "Use the group name, but deny enrollment when the name already exists.",
+                    ),
+                ],
+                default="identifier",
+                help_text="How the source determines if an existing group should be used or a new group created.",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="group",
+            name="name",
+            field=models.TextField(verbose_name="name"),
+        ),
+        migrations.CreateModel(
+            name="GroupSourceConnection",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                ("identifier", models.TextField()),
+                (
+                    "group",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.group"
+                    ),
+                ),
+                (
+                    "source",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.source"
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("group", "source")},
+            },
+        ),
+    ]

authentik/core/migrations/0040_provider_invalidation_flow.py

@@ -0,0 +1,55 @@
+# Generated by Django 5.0.9 on 2024-10-02 11:35
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def migrate_invalidation_flow_default(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from authentik.flows.models import FlowDesignation, FlowAuthenticationRequirement
+
+    db_alias = schema_editor.connection.alias
+
+    Flow = apps.get_model("authentik_flows", "Flow")
+    Provider = apps.get_model("authentik_core", "Provider")
+
+    # So this flow is managed via a blueprint, bue we're in a migration so we don't want to rely on that
+    # since the blueprint is just an empty flow we can just create it here
+    # and let it be managed by the blueprint later
+    flow, _ = Flow.objects.using(db_alias).update_or_create(
+        slug="default-provider-invalidation-flow",
+        defaults={
+            "name": "Logged out of application",
+            "title": "You've logged out of %(app)s.",
+            "authentication": FlowAuthenticationRequirement.NONE,
+            "designation": FlowDesignation.INVALIDATION,
+        },
+    )
+    Provider.objects.using(db_alias).filter(invalidation_flow=None).update(invalidation_flow=flow)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0039_source_group_matching_mode_alter_group_name_and_more"),
+        ("authentik_flows", "0027_auto_20231028_1424"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="provider",
+            name="invalidation_flow",
+            field=models.ForeignKey(
+                default=None,
+                help_text="Flow used ending the session from a provider.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                related_name="provider_invalidation",
+                to="authentik_flows.flow",
+            ),
+        ),
+        migrations.RunPython(migrate_invalidation_flow_default),
+    ]

authentik/core/models.py

@@ -11,6 +11,7 @@ from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.db import models
 from django.db.models import Q, QuerySet, options
+from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
 from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.timezone import now
@@ -28,6 +29,7 @@ from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.generators import generate_id
+from authentik.lib.merge import MERGE_LIST_UNIQUE
 from authentik.lib.models import (
     CreatedUpdatedModel,
     DomainlessFormattedURLValidator,
@@ -100,6 +102,38 @@ class UserTypes(models.TextChoices):
     INTERNAL_SERVICE_ACCOUNT = "internal_service_account"
 
 
+class AttributesMixin(models.Model):
+    """Adds an attributes property to a model"""
+
+    attributes = models.JSONField(default=dict, blank=True)
+
+    class Meta:
+        abstract = True
+
+    def update_attributes(self, properties: dict[str, Any]):
+        """Update fields and attributes, but correctly by merging dicts"""
+        for key, value in properties.items():
+            if key == "attributes":
+                continue
+            setattr(self, key, value)
+        final_attributes = {}
+        MERGE_LIST_UNIQUE.merge(final_attributes, self.attributes)
+        MERGE_LIST_UNIQUE.merge(final_attributes, properties.get("attributes", {}))
+        self.attributes = final_attributes
+        self.save()
+
+    @classmethod
+    def update_or_create_attributes(
+        cls, query: dict[str, Any], properties: dict[str, Any]
+    ) -> tuple[models.Model, bool]:
+        """Same as django's update_or_create but correctly updates attributes by merging dicts"""
+        instance = cls.objects.filter(**query).first()
+        if not instance:
+            return cls.objects.create(**properties), True
+        instance.update_attributes(properties)
+        return instance, False
+
+
 class GroupQuerySet(CTEQuerySet):
     def with_children_recursive(self):
         """Recursively get all groups that have the current queryset as parents
@@ -134,12 +168,12 @@ class GroupQuerySet(CTEQuerySet):
         return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
 
 
-class Group(SerializerModel):
+class Group(SerializerModel, AttributesMixin):
     """Group model which supports a basic hierarchy and has attributes"""
 
     group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
 
-    name = models.CharField(_("name"), max_length=80)
+    name = models.TextField(_("name"))
     is_superuser = models.BooleanField(
         default=False, help_text=_("Users added to this group will be superusers.")
     )
@@ -154,10 +188,27 @@ class Group(SerializerModel):
         on_delete=models.SET_NULL,
         related_name="children",
     )
-    attributes = models.JSONField(default=dict, blank=True)
 
     objects = GroupQuerySet.as_manager()
 
+    class Meta:
+        unique_together = (
+            (
+                "name",
+                "parent",
+            ),
+        )
+        indexes = [models.Index(fields=["name"])]
+        verbose_name = _("Group")
+        verbose_name_plural = _("Groups")
+        permissions = [
+            ("add_user_to_group", _("Add user to group")),
+            ("remove_user_from_group", _("Remove user from group")),
+        ]
+
+    def __str__(self):
+        return f"Group {self.name}"
+
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.groups import GroupSerializer
@@ -182,24 +233,6 @@ class Group(SerializerModel):
             qs = Group.objects.filter(group_uuid=self.group_uuid)
         return qs.with_children_recursive()
 
-    def __str__(self):
-        return f"Group {self.name}"
-
-    class Meta:
-        unique_together = (
-            (
-                "name",
-                "parent",
-            ),
-        )
-        indexes = [models.Index(fields=["name"])]
-        verbose_name = _("Group")
-        verbose_name_plural = _("Groups")
-        permissions = [
-            ("add_user_to_group", _("Add user to group")),
-            ("remove_user_from_group", _("Remove user from group")),
-        ]
-
 
 class UserQuerySet(models.QuerySet):
     """User queryset"""
@@ -225,7 +258,7 @@ class UserManager(DjangoUserManager):
         return self.get_queryset().exclude_anonymous()
 
 
-class User(SerializerModel, GuardianUserMixin, AbstractUser):
+class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
     """authentik User model, based on django's contrib auth user model."""
 
     uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
@@ -237,10 +270,30 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
     ak_groups = models.ManyToManyField("Group", related_name="users")
     password_change_date = models.DateTimeField(auto_now_add=True)
 
-    attributes = models.JSONField(default=dict, blank=True)
-
     objects = UserManager()
 
+    class Meta:
+        verbose_name = _("User")
+        verbose_name_plural = _("Users")
+        permissions = [
+            ("reset_user_password", _("Reset Password")),
+            ("impersonate", _("Can impersonate other users")),
+            ("assign_user_permissions", _("Can assign permissions to users")),
+            ("unassign_user_permissions", _("Can unassign permissions from users")),
+            ("preview_user", _("Can preview user data sent to providers")),
+            ("view_user_applications", _("View applications the user has access to")),
+        ]
+        indexes = [
+            models.Index(fields=["last_login"]),
+            models.Index(fields=["password_change_date"]),
+            models.Index(fields=["uuid"]),
+            models.Index(fields=["path"]),
+            models.Index(fields=["type"]),
+        ]
+
+    def __str__(self):
+        return self.username
+
     @staticmethod
     def default_path() -> str:
         """Get the default user path"""
@@ -277,11 +330,13 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
         """superuser == staff user"""
         return self.is_superuser  # type: ignore
 
-    def set_password(self, raw_password, signal=True):
+    def set_password(self, raw_password, signal=True, sender=None):
         if self.pk and signal:
             from authentik.core.signals import password_changed
 
-            password_changed.send(sender=self, user=self, password=raw_password)
+            if not sender:
+                sender = self
+            password_changed.send(sender=sender, user=self, password=raw_password)
         self.password_change_date = now()
         return super().set_password(raw_password)
 
@@ -322,25 +377,6 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
         """Get avatar, depending on authentik.avatar setting"""
         return get_avatar(self)
 
-    class Meta:
-        verbose_name = _("User")
-        verbose_name_plural = _("Users")
-        permissions = [
-            ("reset_user_password", _("Reset Password")),
-            ("impersonate", _("Can impersonate other users")),
-            ("assign_user_permissions", _("Can assign permissions to users")),
-            ("unassign_user_permissions", _("Can unassign permissions from users")),
-            ("preview_user", _("Can preview user data sent to providers")),
-            ("view_user_applications", _("View applications the user has access to")),
-        ]
-        indexes = [
-            models.Index(fields=["last_login"]),
-            models.Index(fields=["password_change_date"]),
-            models.Index(fields=["uuid"]),
-            models.Index(fields=["path"]),
-            models.Index(fields=["type"]),
-        ]
-
 
 class Provider(SerializerModel):
     """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
@@ -357,14 +393,23 @@ class Provider(SerializerModel):
         ),
         related_name="provider_authentication",
     )
-
     authorization_flow = models.ForeignKey(
         "authentik_flows.Flow",
+        # Set to cascade even though null is allowed, since most providers
+        # still require an authorization flow set
         on_delete=models.CASCADE,
         null=True,
         help_text=_("Flow used when authorizing this provider."),
         related_name="provider_authorization",
     )
+    invalidation_flow = models.ForeignKey(
+        "authentik_flows.Flow",
+        on_delete=models.SET_DEFAULT,
+        default=None,
+        null=True,
+        help_text=_("Flow used ending the session from a provider."),
+        related_name="provider_invalidation",
+    )
 
     property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
 
@@ -428,6 +473,14 @@ class BackchannelProvider(Provider):
         abstract = True
 
 
+class ApplicationQuerySet(QuerySet):
+    def with_provider(self) -> "QuerySet[Application]":
+        qs = self.select_related("provider")
+        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
+            qs = qs.select_related(f"provider__{subclass}")
+        return qs
+
+
 class Application(SerializerModel, PolicyBindingModel):
     """Every Application which uses authentik for authentication/identification/authorization
     needs an Application record. Other authentication types can subclass this Model to
@@ -459,6 +512,8 @@ class Application(SerializerModel, PolicyBindingModel):
     meta_description = models.TextField(default="", blank=True)
     meta_publisher = models.TextField(default="", blank=True)
 
+    objects = ApplicationQuerySet.as_manager()
+
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.applications import ApplicationSerializer
@@ -495,16 +550,28 @@ class Application(SerializerModel, PolicyBindingModel):
         return url
 
     def get_provider(self) -> Provider | None:
-        """Get casted provider instance"""
+        """Get casted provider instance. Needs Application queryset with_provider"""
         if not self.provider:
             return None
-        # if the Application class has been cache, self.provider is set
-        # but doing a direct query lookup will fail.
-        # In that case, just return None
-        try:
-            return Provider.objects.get_subclass(pk=self.provider.pk)
-        except Provider.DoesNotExist:
+
+        candidates = []
+        base_class = Provider
+        for subclass in base_class.objects.get_queryset()._get_subclasses_recurse(base_class):
+            parent = self.provider
+            for level in subclass.split(LOOKUP_SEP):
+                try:
+                    parent = getattr(parent, level)
+                except AttributeError:
+                    break
+            if parent in candidates:
+                continue
+            idx = subclass.count(LOOKUP_SEP)
+            if type(parent) is not base_class:
+                idx += 1
+            candidates.insert(idx, parent)
+        if not candidates:
             return None
+        return candidates[-1]
 
     def __str__(self):
         return str(self.name)
@@ -534,6 +601,19 @@ class SourceUserMatchingModes(models.TextChoices):
     )
 
 
+class SourceGroupMatchingModes(models.TextChoices):
+    """Different modes a source can handle new/returning groups"""
+
+    IDENTIFIER = "identifier", _("Use the source-specific identifier")
+    NAME_LINK = "name_link", _(
+        "Link to a group with identical name. Can have security implications "
+        "when a group name is used with another source."
+    )
+    NAME_DENY = "name_deny", _(
+        "Use the group name, but deny enrollment when the name already exists."
+    )
+
+
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
 
@@ -543,7 +623,12 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     user_path_template = models.TextField(default="goauthentik.io/sources/%(slug)s")
 
     enabled = models.BooleanField(default=True)
-    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
+    user_property_mappings = models.ManyToManyField(
+        "PropertyMapping", default=None, blank=True, related_name="source_userpropertymappings_set"
+    )
+    group_property_mappings = models.ManyToManyField(
+        "PropertyMapping", default=None, blank=True, related_name="source_grouppropertymappings_set"
+    )
     icon = models.FileField(
         upload_to="source-icons/",
         default=None,
@@ -578,6 +663,14 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
             "a new user enrolled."
         ),
     )
+    group_matching_mode = models.TextField(
+        choices=SourceGroupMatchingModes.choices,
+        default=SourceGroupMatchingModes.IDENTIFIER,
+        help_text=_(
+            "How the source determines if an existing group should be used or "
+            "a new group created."
+        ),
+    )
 
     objects = InheritanceManager()
 
@@ -607,6 +700,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         """Return component used to edit this object"""
         raise NotImplementedError
 
+    @property
+    def property_mapping_type(self) -> "type[PropertyMapping]":
+        """Return property mapping type used by this object"""
+        raise NotImplementedError
+
     def ui_login_button(self, request: HttpRequest) -> UILoginButton | None:
         """If source uses a http-based flow, return UI Information about the login
         button. If source doesn't use http-based flow, return None."""
@@ -617,6 +715,14 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         user settings are available, or UserSettingSerializer."""
         return None
 
+    def get_base_user_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a user to build final properties upon."""
+        raise NotImplementedError
+
+    def get_base_group_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a group to build final properties upon."""
+        raise NotImplementedError
+
     def __str__(self):
         return str(self.name)
 
@@ -632,6 +738,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
                     "name",
                 ]
             ),
+            models.Index(
+                fields=[
+                    "enabled",
+                ]
+            ),
         ]
 
 
@@ -655,6 +766,27 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
         unique_together = (("user", "source"),)
 
 
+class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
+    """Connection between Group and Source."""
+
+    group = models.ForeignKey(Group, on_delete=models.CASCADE)
+    source = models.ForeignKey(Source, on_delete=models.CASCADE)
+    identifier = models.TextField()
+
+    objects = InheritanceManager()
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        """Get serializer for this model"""
+        raise NotImplementedError
+
+    def __str__(self) -> str:
+        return f"Group-source connection (group={self.group_id}, source={self.source_id})"
+
+    class Meta:
+        unique_together = (("group", "source"),)
+
+
 class ExpiringModel(models.Model):
     """Base Model which can expire, and is automatically cleaned up."""
 
@@ -787,7 +919,7 @@ class PropertyMapping(SerializerModel, ManagedModel):
         except ControlFlowException as exc:
             raise exc
         except Exception as exc:
-            raise PropertyMappingExpressionException(self, exc) from exc
+            raise PropertyMappingExpressionException(exc, self) from exc
 
     def __str__(self):
         return f"Property Mapping {self.name}"

authentik/core/signals.py

@@ -52,6 +52,8 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
 @receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
     """Delete AuthenticatedSession if it exists"""
+    if not request.session or not request.session.session_key:
+        return
     AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
 
 

authentik/core/sources/flow_manager.py

@@ -1,19 +1,28 @@
 """Source decision helper"""
 
-from enum import Enum
 from typing import Any
 
 from django.contrib import messages
-from django.db import IntegrityError
-from django.db.models.query_utils import Q
+from django.db import IntegrityError, transaction
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
 from django.urls import reverse
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
-from authentik.core.models import Source, SourceUserMatchingModes, User, UserSourceConnection
-from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostSourceStage
+from authentik.core.models import (
+    Group,
+    GroupSourceConnection,
+    Source,
+    User,
+    UserSourceConnection,
+)
+from authentik.core.sources.mapper import SourceMapper
+from authentik.core.sources.matcher import Action, SourceMatcher
+from authentik.core.sources.stage import (
+    PLAN_CONTEXT_SOURCES_CONNECTION,
+    PostSourceStage,
+)
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow, FlowToken, Stage, in_memory_stage
@@ -36,17 +45,10 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 
+LOGGER = get_logger()
+
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
-
-
-class Action(Enum):
-    """Actions that can be decided based on the request
-    and source settings"""
-
-    LINK = "link"
-    AUTH = "auth"
-    ENROLL = "enroll"
-    DENY = "deny"
+PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 
 
 class MessageStage(StageView):
@@ -70,96 +72,79 @@ class SourceFlowManager:
     or deny the request."""
 
     source: Source
+    mapper: SourceMapper
+    matcher: SourceMatcher
     request: HttpRequest
 
     identifier: str
 
-    connection_type: type[UserSourceConnection] = UserSourceConnection
+    user_connection_type: type[UserSourceConnection] = UserSourceConnection
+    group_connection_type: type[GroupSourceConnection] = GroupSourceConnection
 
-    enroll_info: dict[str, Any]
+    user_info: dict[str, Any]
     policy_context: dict[str, Any]
+    user_properties: dict[str, Any | dict[str, Any]]
+    groups_properties: dict[str, dict[str, Any | dict[str, Any]]]
 
     def __init__(
         self,
         source: Source,
         request: HttpRequest,
         identifier: str,
-        enroll_info: dict[str, Any],
+        user_info: dict[str, Any],
+        policy_context: dict[str, Any],
     ) -> None:
         self.source = source
+        self.mapper = SourceMapper(self.source)
+        self.matcher = SourceMatcher(
+            self.source, self.user_connection_type, self.group_connection_type
+        )
         self.request = request
         self.identifier = identifier
-        self.enroll_info = enroll_info
+        self.user_info = user_info
         self._logger = get_logger().bind(source=source, identifier=identifier)
-        self.policy_context = {}
+        self.policy_context = policy_context
+
+        self.user_properties = self.mapper.build_object_properties(
+            object_type=User, request=request, user=None, **self.user_info
+        )
+        self.groups_properties = {
+            group_id: self.mapper.build_object_properties(
+                object_type=Group,
+                request=request,
+                user=None,
+                group_id=group_id,
+                **self.user_info,
+            )
+            for group_id in self.user_properties.setdefault("groups", [])
+        }
+        del self.user_properties["groups"]
 
     def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
         """decide which action should be taken"""
-        new_connection = self.connection_type(source=self.source, identifier=self.identifier)
         # When request is authenticated, always link
         if self.request.user.is_authenticated:
+            new_connection = self.user_connection_type(
+                source=self.source, identifier=self.identifier
+            )
             new_connection.user = self.request.user
-            new_connection = self.update_connection(new_connection, **kwargs)
+            new_connection = self.update_user_connection(new_connection, **kwargs)
+            if existing := self.user_connection_type.objects.filter(
+                source=self.source, identifier=self.identifier
+            ).first():
+                existing = self.update_user_connection(existing)
+                return Action.AUTH, existing
             return Action.LINK, new_connection
 
-        existing_connections = self.connection_type.objects.filter(
-            source=self.source, identifier=self.identifier
-        )
-        if existing_connections.exists():
-            connection = existing_connections.first()
-            return Action.AUTH, self.update_connection(connection, **kwargs)
-        # No connection exists, but we match on identifier, so enroll
-        if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
-            # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
+        action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)
+        if connection:
+            connection = self.update_user_connection(connection, **kwargs)
+        return action, connection
 
-        # Check for existing users with matching attributes
-        query = Q()
-        # Either query existing user based on email or username
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.EMAIL_LINK,
-            SourceUserMatchingModes.EMAIL_DENY,
-        ]:
-            if not self.enroll_info.get("email", None):
-                self._logger.warning("Refusing to use none email", source=self.source)
-                return Action.DENY, None
-            query = Q(email__exact=self.enroll_info.get("email", None))
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.USERNAME_LINK,
-            SourceUserMatchingModes.USERNAME_DENY,
-        ]:
-            if not self.enroll_info.get("username", None):
-                self._logger.warning("Refusing to use none username", source=self.source)
-                return Action.DENY, None
-            query = Q(username__exact=self.enroll_info.get("username", None))
-        self._logger.debug("trying to link with existing user", query=query)
-        matching_users = User.objects.filter(query)
-        # No matching users, always enroll
-        if not matching_users.exists():
-            self._logger.debug("no matching users found, enrolling")
-            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
-
-        user = matching_users.first()
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.EMAIL_LINK,
-            SourceUserMatchingModes.USERNAME_LINK,
-        ]:
-            new_connection.user = user
-            new_connection = self.update_connection(new_connection, **kwargs)
-            return Action.LINK, new_connection
-        if self.source.user_matching_mode in [
-            SourceUserMatchingModes.EMAIL_DENY,
-            SourceUserMatchingModes.USERNAME_DENY,
-        ]:
-            self._logger.info("denying source because user exists", user=user)
-            return Action.DENY, None
-        # Should never get here as default enroll case is returned above.
-        return Action.DENY, None  # pragma: no cover
-
-    def update_connection(
+    def update_user_connection(
         self, connection: UserSourceConnection, **kwargs
     ) -> UserSourceConnection:  # pragma: no cover
-        """Optionally make changes to the connection after it is looked up/created."""
+        """Optionally make changes to the user connection after it is looked up/created."""
         return connection
 
     def get_flow(self, **kwargs) -> HttpResponse:
@@ -212,28 +197,34 @@ class SourceFlowManager:
 
     def _prepare_flow(
         self,
-        flow: Flow,
+        flow: Flow | None,
         connection: UserSourceConnection,
         stages: list[StageView] | None = None,
-        **kwargs,
+        **flow_context,
     ) -> HttpResponse:
         """Prepare Authentication Plan, redirect user FlowExecutor"""
-        kwargs.update(
+        # Ensure redirect is carried through when user was trying to
+        # authorize application
+        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
+            NEXT_ARG_NAME, "authentik_core:if-user"
+        )
+        flow_context.update(
             {
                 # Since we authenticate the user by their token, they have no backend set
                 PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_SOURCE: self.source,
                 PLAN_CONTEXT_SOURCES_CONNECTION: connection,
+                PLAN_CONTEXT_SOURCE_GROUPS: self.groups_properties,
             }
         )
-        kwargs.update(self.policy_context)
+        flow_context.update(self.policy_context)
         if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
             token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
             self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
             plan = token.plan
             plan.context[PLAN_CONTEXT_IS_RESTORED] = token
-            plan.context.update(kwargs)
+            plan.context.update(flow_context)
             for stage in self.get_stages_to_append(flow):
                 plan.append_stage(stage)
             if stages:
@@ -252,8 +243,8 @@ class SourceFlowManager:
         final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
             NEXT_ARG_NAME, "authentik_core:if-user"
         )
-        if PLAN_CONTEXT_REDIRECT not in kwargs:
-            kwargs[PLAN_CONTEXT_REDIRECT] = final_redirect
+        if PLAN_CONTEXT_REDIRECT not in flow_context:
+            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
 
         if not flow:
             return bad_request_message(
@@ -265,9 +256,12 @@ class SourceFlowManager:
         # We append some stages so the initial flow we get might be empty
         planner.allow_empty_flows = True
         planner.use_cache = False
-        plan = planner.plan(self.request, kwargs)
+        plan = planner.plan(self.request, flow_context)
         for stage in self.get_stages_to_append(flow):
             plan.append_stage(stage)
+        plan.append_stage(
+            in_memory_stage(GroupUpdateStage, group_connection_type=self.group_connection_type)
+        )
         if stages:
             for stage in stages:
                 plan.append_stage(stage)
@@ -283,7 +277,6 @@ class SourceFlowManager:
         connection: UserSourceConnection,
     ) -> HttpResponse:
         """Login user and redirect."""
-        flow_kwargs = {PLAN_CONTEXT_PENDING_USER: connection.user}
         return self._prepare_flow(
             self.source.authentication_flow,
             connection,
@@ -297,7 +290,11 @@ class SourceFlowManager:
                     ),
                 )
             ],
-            **flow_kwargs,
+            **{
+                PLAN_CONTEXT_PENDING_USER: connection.user,
+                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
+                PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
+            },
         )
 
     def handle_existing_link(
@@ -309,7 +306,9 @@ class SourceFlowManager:
         # When request isn't authenticated we jump straight to auth
         if not self.request.user.is_authenticated:
             return self.handle_auth(connection)
-        # Connection has already been saved
+        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
+            return self._prepare_flow(None, connection)
+        connection.save()
         Event.new(
             EventAction.SOURCE_LINKED,
             message="Linked Source",
@@ -352,7 +351,66 @@ class SourceFlowManager:
                 )
             ],
             **{
-                PLAN_CONTEXT_PROMPT: delete_none_values(self.enroll_info),
+                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
                 PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
             },
         )
+
+
+class GroupUpdateStage(StageView):
+    """Dynamically injected stage which updates the user after enrollment/authentication."""
+
+    def handle_group(
+        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
+    ) -> Group | None:
+        action, connection = self.matcher.get_group_action(group_id, group_properties)
+        if action == Action.ENROLL:
+            group = Group.objects.create(**group_properties)
+            connection.group = group
+            connection.save()
+            return group
+        elif action in (Action.LINK, Action.AUTH):
+            group = connection.group
+            group.update_attributes(group_properties)
+            connection.save()
+            return group
+
+        return None
+
+    def handle_groups(self) -> bool:
+        self.source: Source = self.executor.plan.context[PLAN_CONTEXT_SOURCE]
+        self.user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
+        self.group_connection_type: GroupSourceConnection = (
+            self.executor.current_stage.group_connection_type
+        )
+        self.matcher = SourceMatcher(self.source, None, self.group_connection_type)
+
+        raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
+            PLAN_CONTEXT_SOURCE_GROUPS
+        ]
+        groups: list[Group] = []
+
+        for group_id, group_properties in raw_groups.items():
+            group = self.handle_group(group_id, group_properties)
+            if not group:
+                return False
+            groups.append(group)
+
+        with transaction.atomic():
+            self.user.ak_groups.remove(
+                *self.user.ak_groups.filter(groupsourceconnection__source=self.source)
+            )
+            self.user.ak_groups.add(*groups)
+
+        return True
+
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Stage used after the user has been enrolled to sync their groups from source data"""
+        if self.handle_groups():
+            return self.executor.stage_ok()
+        else:
+            return self.executor.stage_invalid("Failed to update groups. Please try again later.")
+
+    def post(self, request: HttpRequest) -> HttpResponse:
+        """Wrapper for post requests"""
+        return self.get(request)

authentik/core/sources/mapper.py

@@ -0,0 +1,103 @@
+from typing import Any
+
+from django.http import HttpRequest
+from structlog.stdlib import get_logger
+
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.core.models import Group, PropertyMapping, Source, User
+from authentik.events.models import Event, EventAction
+from authentik.lib.merge import MERGE_LIST_UNIQUE
+from authentik.lib.sync.mapper import PropertyMappingManager
+from authentik.policies.utils import delete_none_values
+
+LOGGER = get_logger()
+
+
+class SourceMapper:
+    def __init__(self, source: Source):
+        self.source = source
+
+    def get_manager(
+        self, object_type: type[User | Group], context_keys: list[str]
+    ) -> PropertyMappingManager:
+        """Get property mapping manager for this source."""
+
+        qs = PropertyMapping.objects.none()
+        if object_type == User:
+            qs = self.source.user_property_mappings.all().select_subclasses()
+        elif object_type == Group:
+            qs = self.source.group_property_mappings.all().select_subclasses()
+        qs = qs.order_by("name")
+        return PropertyMappingManager(
+            qs,
+            self.source.property_mapping_type,
+            ["source", "properties"] + context_keys,
+        )
+
+    def get_base_properties(
+        self, object_type: type[User | Group], **kwargs
+    ) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a user or a group to build final properties upon."""
+        if object_type == User:
+            properties = self.source.get_base_user_properties(**kwargs)
+            properties.setdefault("path", self.source.get_user_path())
+            return properties
+        if object_type == Group:
+            return self.source.get_base_group_properties(**kwargs)
+        return {}
+
+    def build_object_properties(
+        self,
+        object_type: type[User | Group],
+        manager: "PropertyMappingManager | None" = None,
+        user: User | None = None,
+        request: HttpRequest | None = None,
+        **kwargs,
+    ) -> dict[str, Any | dict[str, Any]]:
+        """Build a user or group properties from the source configured property mappings."""
+
+        properties = self.get_base_properties(object_type, **kwargs)
+        if "attributes" not in properties:
+            properties["attributes"] = {}
+
+        if not manager:
+            manager = self.get_manager(object_type, list(kwargs.keys()))
+        evaluations = manager.iter_eval(
+            user=user,
+            request=request,
+            return_mapping=True,
+            source=self.source,
+            properties=properties,
+            **kwargs,
+        )
+        while True:
+            try:
+                value, mapping = next(evaluations)
+            except StopIteration:
+                break
+            except PropertyMappingExpressionException as exc:
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message=f"Failed to evaluate property mapping: '{exc.mapping.name}'",
+                    source=self,
+                    mapping=exc.mapping,
+                ).save()
+                LOGGER.warning(
+                    "Mapping failed to evaluate",
+                    exc=exc,
+                    source=self,
+                    mapping=exc.mapping,
+                )
+                raise exc
+
+            if not value or not isinstance(value, dict):
+                LOGGER.debug(
+                    "Mapping evaluated to None or is not a dict. Skipping",
+                    source=self,
+                    mapping=mapping,
+                )
+                continue
+
+            MERGE_LIST_UNIQUE.merge(properties, value)
+
+        return delete_none_values(properties)

authentik/core/sources/matcher.py

@@ -0,0 +1,152 @@
+"""Source user and group matching"""
+
+from dataclasses import dataclass
+from enum import Enum
+from typing import Any
+
+from django.db.models import Q
+from structlog import get_logger
+
+from authentik.core.models import (
+    Group,
+    GroupSourceConnection,
+    Source,
+    SourceGroupMatchingModes,
+    SourceUserMatchingModes,
+    User,
+    UserSourceConnection,
+)
+
+
+class Action(Enum):
+    """Actions that can be decided based on the request and source settings"""
+
+    LINK = "link"
+    AUTH = "auth"
+    ENROLL = "enroll"
+    DENY = "deny"
+
+
+@dataclass
+class MatchableProperty:
+    property: str
+    link_mode: SourceUserMatchingModes | SourceGroupMatchingModes
+    deny_mode: SourceUserMatchingModes | SourceGroupMatchingModes
+
+
+class SourceMatcher:
+    def __init__(
+        self,
+        source: Source,
+        user_connection_type: type[UserSourceConnection],
+        group_connection_type: type[GroupSourceConnection],
+    ):
+        self.source = source
+        self.user_connection_type = user_connection_type
+        self.group_connection_type = group_connection_type
+        self._logger = get_logger().bind(source=self.source)
+
+    def get_action(
+        self,
+        object_type: type[User | Group],
+        matchable_properties: list[MatchableProperty],
+        identifier: str,
+        properties: dict[str, Any | dict[str, Any]],
+    ) -> tuple[Action, UserSourceConnection | GroupSourceConnection | None]:
+        connection_type = None
+        matching_mode = None
+        identifier_matching_mode = None
+        if object_type == User:
+            connection_type = self.user_connection_type
+            matching_mode = self.source.user_matching_mode
+            identifier_matching_mode = SourceUserMatchingModes.IDENTIFIER
+        if object_type == Group:
+            connection_type = self.group_connection_type
+            matching_mode = self.source.group_matching_mode
+            identifier_matching_mode = SourceGroupMatchingModes.IDENTIFIER
+        if not connection_type or not matching_mode or not identifier_matching_mode:
+            return Action.DENY, None
+
+        new_connection = connection_type(source=self.source, identifier=identifier)
+
+        existing_connections = connection_type.objects.filter(
+            source=self.source, identifier=identifier
+        )
+        if existing_connections.exists():
+            return Action.AUTH, existing_connections.first()
+        # No connection exists, but we match on identifier, so enroll
+        if matching_mode == identifier_matching_mode:
+            # We don't save the connection here cause it doesn't have a user/group assigned yet
+            return Action.ENROLL, new_connection
+
+        # Check for existing users with matching attributes
+        query = Q()
+        for matchable_property in matchable_properties:
+            property = matchable_property.property
+            if matching_mode in [matchable_property.link_mode, matchable_property.deny_mode]:
+                if not properties.get(property, None):
+                    self._logger.warning(
+                        "Refusing to use none property", identifier=identifier, property=property
+                    )
+                    return Action.DENY, None
+                query_args = {
+                    f"{property}__exact": properties[property],
+                }
+                query = Q(**query_args)
+        self._logger.debug(
+            "Trying to link with existing object", query=query, identifier=identifier
+        )
+        matching_objects = object_type.objects.filter(query)
+        # Not matching objects, always enroll
+        if not matching_objects.exists():
+            self._logger.debug("No matching objects found, enrolling")
+            return Action.ENROLL, new_connection
+
+        obj = matching_objects.first()
+        if matching_mode in [mp.link_mode for mp in matchable_properties]:
+            attr = None
+            if object_type == User:
+                attr = "user"
+            if object_type == Group:
+                attr = "group"
+            setattr(new_connection, attr, obj)
+            return Action.LINK, new_connection
+        if matching_mode in [mp.deny_mode for mp in matchable_properties]:
+            self._logger.info("Denying source because object exists", obj=obj)
+            return Action.DENY, None
+
+        # Should never get here as default enroll case is returned above.
+        return Action.DENY, None  # pragma: no cover
+
+    def get_user_action(
+        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
+    ) -> tuple[Action, UserSourceConnection | None]:
+        return self.get_action(
+            User,
+            [
+                MatchableProperty(
+                    "username",
+                    SourceUserMatchingModes.USERNAME_LINK,
+                    SourceUserMatchingModes.USERNAME_DENY,
+                ),
+                MatchableProperty(
+                    "email", SourceUserMatchingModes.EMAIL_LINK, SourceUserMatchingModes.EMAIL_DENY
+                ),
+            ],
+            identifier,
+            properties,
+        )
+
+    def get_group_action(
+        self, identifier: str, properties: dict[str, Any | dict[str, Any]]
+    ) -> tuple[Action, GroupSourceConnection | None]:
+        return self.get_action(
+            Group,
+            [
+                MatchableProperty(
+                    "name", SourceGroupMatchingModes.NAME_LINK, SourceGroupMatchingModes.NAME_DENY
+                ),
+            ],
+            identifier,
+            properties,
+        )

authentik/core/templates/base/header_js.html

@@ -10,7 +10,7 @@
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",
     };
-    window.addEventListener("DOMContentLoaded", () => {
+    window.addEventListener("DOMContentLoaded", function () {
         {% for message in messages %}
         window.dispatchEvent(
             new CustomEvent("ak-message", {

authentik/core/templates/base/skeleton.html

@@ -4,7 +4,7 @@
 
 <!DOCTYPE html>
 
-<html lang="en">
+<html>
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@@ -15,8 +15,8 @@
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
-        {% versioned_script "dist/poly-%v.js" %}
-        {% versioned_script "dist/standalone/loading/index-%v.js" %}
+        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
+        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
         {% block head %}
         {% endblock %}
         <meta name="sentry-trace" content="{{ sentry_trace }}" />

authentik/core/templates/if/admin.html

@@ -3,7 +3,7 @@
 {% load authentik_core %}
 
 {% block head %}
-{% versioned_script "dist/admin/AdminInterface-%v.js" %}
+<script src="{% versioned_script 'dist/admin/AdminInterface-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
 {% include "base/header_js.html" %}

authentik/core/templates/if/end_session.html

@@ -1,43 +0,0 @@
-{% extends 'login/base_full.html' %}
-
-{% load static %}
-{% load i18n %}
-
-{% block title %}
-{% trans 'End session' %} - {{ brand.branding_title }}
-{% endblock %}
-
-{% block card_title %}
-{% blocktrans with application=application.name %}
-You've logged out of {{ application }}.
-{% endblocktrans %}
-{% endblock %}
-
-{% block card %}
-<form method="POST" class="pf-c-form">
-    <p>
-        {% blocktrans with application=application.name branding_title=brand.branding_title %}
-            You've logged out of {{ application }}. You can go back to the overview to launch another application, or log out of your {{ branding_title }} account.
-        {% endblocktrans %}
-    </p>
-
-    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
-        {% trans 'Go back to overview' %}
-    </a>
-
-    <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">
-        {% blocktrans with branding_title=brand.branding_title %}
-            Log out of {{ branding_title }}
-        {% endblocktrans %}
-    </a>
-
-    {% if application.get_launch_url %}
-    <a href="{{ application.get_launch_url }}" class="pf-c-button pf-m-secondary">
-        {% blocktrans with application=application.name %}
-            Log back into {{ application }}
-        {% endblocktrans %}
-    </a>
-    {% endif %}
-
-</form>
-{% endblock %}

authentik/core/templates/if/user.html

@@ -3,7 +3,7 @@
 {% load authentik_core %}
 
 {% block head %}
-{% versioned_script "dist/user/UserInterface-%v.js" %}
+<script src="{% versioned_script 'dist/user/UserInterface-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: light)">
 <meta name="theme-color" content="#1c1e21" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}

authentik/core/templates/login/base_full.html

@@ -71,9 +71,9 @@
                 </li>
                 {% endfor %}
                 <li>
-                    <a rel="noopener noreferrer" target="_blank" href="https://goauthentik.io?utm_source=authentik">
+                    <span>
                         {% trans 'Powered by authentik' %}
-                    </a>
+                    </span>
                 </li>
             </ul>
         </footer>

authentik/core/templatetags/authentik_core.py

@@ -2,7 +2,6 @@
 
 from django import template
 from django.templatetags.static import static as static_loader
-from django.utils.safestring import mark_safe
 
 from authentik import get_full_version
 
@@ -12,10 +11,4 @@ register = template.Library()
 @register.simple_tag()
 def versioned_script(path: str) -> str:
     """Wrapper around {% static %} tag that supports setting the version"""
-    returned_lines = [
-        (
-            f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
-            '" type="module"></script>'
-        ),
-    ]
-    return mark_safe("".join(returned_lines))  # nosec
+    return static_loader(path.replace("%v", get_full_version()))

authentik/core/tests/test_applications_api.py

@@ -9,9 +9,12 @@ from rest_framework.test import APITestCase
 
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.proxy.models import ProxyProvider
+from authentik.providers.saml.models import SAMLProvider
 
 
 class TestApplicationsAPI(APITestCase):
@@ -21,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
         self.user = create_test_admin_user()
         self.provider = OAuth2Provider.objects.create(
             name="test",
-            redirect_uris="http://some-other-domain",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
             authorization_flow=create_test_flow(),
         )
         self.allowed: Application = Application.objects.create(
@@ -131,6 +134,7 @@ class TestApplicationsAPI(APITestCase):
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
                             "authentication_flow": None,
+                            "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),
                             "component": "ak-provider-oauth2-form",
                             "meta_model_name": "authentik_providers_oauth2.oauth2provider",
@@ -183,6 +187,7 @@ class TestApplicationsAPI(APITestCase):
                             "assigned_application_name": "allowed",
                             "assigned_application_slug": "allowed",
                             "authentication_flow": None,
+                            "invalidation_flow": None,
                             "authorization_flow": str(self.provider.authorization_flow.pk),
                             "component": "ak-provider-oauth2-form",
                             "meta_model_name": "authentik_providers_oauth2.oauth2provider",
@@ -222,3 +227,31 @@ class TestApplicationsAPI(APITestCase):
                 ],
             },
         )
+
+    def test_get_provider(self):
+        """Ensure that proxy providers (at the time of writing that is the only provider
+        that inherits from another proxy type (OAuth) instead of inheriting from the root
+        provider class) is correctly looked up and selected from the database"""
+        slug = generate_id()
+        provider = ProxyProvider.objects.create(name=generate_id())
+        Application.objects.create(
+            name=generate_id(),
+            slug=slug,
+            provider=provider,
+        )
+        self.assertEqual(Application.objects.get(slug=slug).get_provider(), provider)
+        self.assertEqual(
+            Application.objects.with_provider().get(slug=slug).get_provider(), provider
+        )
+
+        slug = generate_id()
+        provider = SAMLProvider.objects.create(name=generate_id())
+        Application.objects.create(
+            name=generate_id(),
+            slug=slug,
+            provider=provider,
+        )
+        self.assertEqual(Application.objects.get(slug=slug).get_provider(), provider)
+        self.assertEqual(
+            Application.objects.with_provider().get(slug=slug).get_provider(), provider
+        )

authentik/core/tests/test_devices_api.py

@@ -0,0 +1,59 @@
+"""Test Devices API"""
+
+from json import loads
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
+
+
+class TestDevicesAPI(APITestCase):
+    """Test applications API"""
+
+    def setUp(self) -> None:
+        self.admin = create_test_admin_user()
+        self.user1 = create_test_user()
+        self.device1 = self.user1.staticdevice_set.create()
+        self.user2 = create_test_user()
+        self.device2 = self.user2.staticdevice_set.create()
+
+    def test_user_api(self):
+        """Test user API"""
+        self.client.force_login(self.user1)
+        response = self.client.get(
+            reverse(
+                "authentik_api:device-list",
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(len(body), 1)
+        self.assertEqual(body[0]["pk"], str(self.device1.pk))
+
+    def test_user_api_as_admin(self):
+        """Test user API"""
+        self.client.force_login(self.admin)
+        response = self.client.get(
+            reverse(
+                "authentik_api:device-list",
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(len(body), 0)
+
+    def test_admin_api(self):
+        """Test admin API"""
+        self.client.force_login(self.admin)
+        response = self.client.get(
+            reverse(
+                "authentik_api:admin-device-list",
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(len(body), 2)
+        self.assertEqual(
+            {body[0]["pk"], body[1]["pk"]}, {str(self.device1.pk), str(self.device2.pk)}
+        )

authentik/core/tests/test_impersonation.py

@@ -3,10 +3,10 @@
 from json import loads
 
 from django.urls import reverse
+from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
-from authentik.core.models import User
-from authentik.core.tests.utils import create_test_admin_user
+from authentik.core.tests.utils import create_test_admin_user, create_test_user
 from authentik.tenants.utils import get_current_tenant
 
 
@@ -15,7 +15,7 @@ class TestImpersonation(APITestCase):
 
     def setUp(self) -> None:
         super().setUp()
-        self.other_user = User.objects.create(username="to-impersonate")
+        self.other_user = create_test_user()
         self.user = create_test_admin_user()
 
     def test_impersonate_simple(self):
@@ -44,6 +44,46 @@ class TestImpersonation(APITestCase):
         self.assertEqual(response_body["user"]["username"], self.user.username)
         self.assertNotIn("original", response_body)
 
+    def test_impersonate_global(self):
+        """Test impersonation with global permissions"""
+        new_user = create_test_user()
+        assign_perm("authentik_core.impersonate", new_user)
+        assign_perm("authentik_core.view_user", new_user)
+        self.client.force_login(new_user)
+
+        response = self.client.post(
+            reverse(
+                "authentik_api:user-impersonate",
+                kwargs={"pk": self.other_user.pk},
+            )
+        )
+        self.assertEqual(response.status_code, 201)
+
+        response = self.client.get(reverse("authentik_api:user-me"))
+        response_body = loads(response.content.decode())
+        self.assertEqual(response_body["user"]["username"], self.other_user.username)
+        self.assertEqual(response_body["original"]["username"], new_user.username)
+
+    def test_impersonate_scoped(self):
+        """Test impersonation with scoped permissions"""
+        new_user = create_test_user()
+        assign_perm("authentik_core.impersonate", new_user, self.other_user)
+        assign_perm("authentik_core.view_user", new_user, self.other_user)
+        self.client.force_login(new_user)
+
+        response = self.client.post(
+            reverse(
+                "authentik_api:user-impersonate",
+                kwargs={"pk": self.other_user.pk},
+            )
+        )
+        self.assertEqual(response.status_code, 201)
+
+        response = self.client.get(reverse("authentik_api:user-me"))
+        response_body = loads(response.content.decode())
+        self.assertEqual(response_body["user"]["username"], self.other_user.username)
+        self.assertEqual(response_body["original"]["username"], new_user.username)
+
     def test_impersonate_denied(self):
         """test impersonation without permissions"""
         self.client.force_login(self.other_user)

authentik/core/tests/test_source_flow_manager.py

@@ -38,7 +38,9 @@ class TestSourceFlowManager(TestCase):
     def test_unauthenticated_enroll(self):
         """Test un-authenticated user enrolling"""
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
         response = flow_manager.get_flow()
@@ -52,7 +54,9 @@ class TestSourceFlowManager(TestCase):
             user=get_anonymous_user(), source=self.source, identifier=self.identifier
         )
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.AUTH)
         response = flow_manager.get_flow()
@@ -64,7 +68,9 @@ class TestSourceFlowManager(TestCase):
         """Test authenticated user linking"""
         user = User.objects.create(username="foo", email="foo@bar.baz")
         request = get_request("/", user=user)
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -75,9 +81,27 @@ class TestSourceFlowManager(TestCase):
             reverse("authentik_core:if-user") + "#/settings;page-sources",
         )
 
+    def test_authenticated_auth(self):
+        """Test authenticated user linking"""
+        user = User.objects.create(username="foo", email="foo@bar.baz")
+        UserOAuthSourceConnection.objects.create(
+            user=user, source=self.source, identifier=self.identifier
+        )
+        request = get_request("/", user=user)
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
+        action, connection = flow_manager.get_action()
+        self.assertEqual(action, Action.AUTH)
+        self.assertIsNotNone(connection.pk)
+        response = flow_manager.get_flow()
+        self.assertEqual(response.status_code, 302)
+
     def test_unauthenticated_link(self):
         """Test un-authenticated user linking"""
-        flow_manager = OAuthSourceFlowManager(self.source, get_request("/"), self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, get_request("/"), self.identifier, {"info": {}}, {}
+        )
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -90,7 +114,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without email, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -100,7 +124,12 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"email": "foo@bar.baz"},
+            {
+                "info": {
+                    "email": "foo@bar.baz",
+                },
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -113,7 +142,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without username, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -123,7 +152,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -140,8 +172,11 @@ class TestSourceFlowManager(TestCase):
             get_request("/", user=AnonymousUser()),
             self.identifier,
             {
-                "username": "bar",
+                "info": {
+                    "username": "bar",
+                },
             },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -151,7 +186,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -165,7 +203,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -191,7 +232,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)

authentik/core/tests/test_source_flow_manager_group_update_stage.py

@@ -0,0 +1,237 @@
+"""Test Source flow_manager group update stage"""
+
+from django.test import RequestFactory
+
+from authentik.core.models import Group, SourceGroupMatchingModes
+from authentik.core.sources.flow_manager import PLAN_CONTEXT_SOURCE_GROUPS, GroupUpdateStage
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.flows.models import in_memory_stage
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE, FlowPlan
+from authentik.flows.tests import FlowTestCase
+from authentik.flows.views.executor import FlowExecutorView
+from authentik.lib.generators import generate_id
+from authentik.sources.oauth.models import GroupOAuthSourceConnection, OAuthSource
+
+
+class TestSourceFlowManager(FlowTestCase):
+    """Test Source flow_manager group update stage"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.factory = RequestFactory()
+        self.authentication_flow = create_test_flow()
+        self.enrollment_flow = create_test_flow()
+        self.source: OAuthSource = OAuthSource.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+            authentication_flow=self.authentication_flow,
+            enrollment_flow=self.enrollment_flow,
+        )
+        self.identifier = generate_id()
+        self.user = create_test_admin_user()
+
+    def test_nonexistant_group(self):
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_nonexistant_group_name_link(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_existant_group_name_link(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+        group = Group.objects.create(name="group 1")
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
+        )
+
+    def test_nonexistant_group_name_deny(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
+        self.source.save()
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_existant_group_name_deny(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
+        self.source.save()
+        group = Group.objects.create(name="group 1")
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertFalse(stage.handle_groups())
+        self.assertFalse(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertFalse(
+            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
+        )
+
+    def test_group_updates(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+
+        other_group = Group.objects.create(name="other group")
+        old_group = Group.objects.create(name="old group")
+        new_group = Group.objects.create(name="new group")
+        self.user.ak_groups.set([other_group, old_group])
+        GroupOAuthSourceConnection.objects.create(
+            group=old_group, source=self.source, identifier=old_group.name
+        )
+        GroupOAuthSourceConnection.objects.create(
+            group=new_group, source=self.source, identifier=new_group.name
+        )
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "new group": {
+                                "name": "new group",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertFalse(self.user.ak_groups.filter(name="old group").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="other group").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="new group").exists())
+        self.assertEqual(self.user.ak_groups.count(), 2)

authentik/core/tests/test_source_property_mappings.py

@@ -0,0 +1,72 @@
+"""Test Source Property mappings"""
+
+from django.test import TestCase
+
+from authentik.core.models import Group, PropertyMapping, Source, User
+from authentik.core.sources.mapper import SourceMapper
+from authentik.lib.generators import generate_id
+
+
+class ProxySource(Source):
+    @property
+    def property_mapping_type(self):
+        return PropertyMapping
+
+    def get_base_user_properties(self, **kwargs):
+        return {
+            "username": kwargs.get("username", None),
+            "email": kwargs.get("email", "default@authentik"),
+        }
+
+    def get_base_group_properties(self, **kwargs):
+        return {"name": kwargs.get("name", None)}
+
+    class Meta:
+        proxy = True
+
+
+class TestSourcePropertyMappings(TestCase):
+    """Test Source PropertyMappings"""
+
+    def test_base_properties(self):
+        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
+        mapper = SourceMapper(source)
+
+        user_base_properties = mapper.get_base_properties(User, username="test1")
+        self.assertEqual(
+            user_base_properties,
+            {
+                "username": "test1",
+                "email": "default@authentik",
+                "path": f"goauthentik.io/sources/{source.slug}",
+            },
+        )
+
+        group_base_properties = mapper.get_base_properties(Group)
+        self.assertEqual(group_base_properties, {"name": None})
+
+    def test_build_properties(self):
+        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
+        mapper = SourceMapper(source)
+
+        source.user_property_mappings.add(
+            PropertyMapping.objects.create(
+                name=generate_id(),
+                expression="""
+                    return {"username": data.get("username", None), "email": None}
+                """,
+            )
+        )
+
+        properties = mapper.build_object_properties(
+            object_type=User, user=None, request=None, username="test1", data={"username": "test2"}
+        )
+
+        self.assertEqual(
+            properties,
+            {
+                "username": "test2",
+                "path": f"goauthentik.io/sources/{source.slug}",
+                "attributes": {},
+            },
+        )

authentik/core/tests/test_transactional_applications_api.py

@@ -19,7 +19,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
         """Test transactional Application + provider creation"""
         self.client.force_login(self.user)
         uid = generate_id()
-        authorization_flow = create_test_flow()
         response = self.client.put(
             reverse("authentik_api:core-transactional-application"),
             data={
@@ -30,7 +29,9 @@ class TestTransactionalApplicationsAPI(APITestCase):
                 "provider_model": "authentik_providers_oauth2.oauth2provider",
                 "provider": {
                     "name": uid,
-                    "authorization_flow": str(authorization_flow.pk),
+                    "authorization_flow": str(create_test_flow().pk),
+                    "invalidation_flow": str(create_test_flow().pk),
+                    "redirect_uris": [],
                 },
             },
         )
@@ -56,10 +57,17 @@ class TestTransactionalApplicationsAPI(APITestCase):
                 "provider": {
                     "name": uid,
                     "authorization_flow": "",
+                    "invalidation_flow": "",
+                    "redirect_uris": [],
                 },
             },
         )
         self.assertJSONEqual(
             response.content.decode(),
-            {"provider": {"authorization_flow": ["This field may not be null."]}},
+            {
+                "provider": {
+                    "authorization_flow": ["This field may not be null."],
+                    "invalidation_flow": ["This field may not be null."],
+                }
+            },
         )

authentik/core/urls.py

@@ -5,8 +5,6 @@ from channels.sessions import CookieMiddleware
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
-from django.views.decorators.csrf import ensure_csrf_cookie
-from django.views.generic import RedirectView
 
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@@ -18,10 +16,14 @@ from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSe
 from authentik.core.api.tokens import TokenViewSet
 from authentik.core.api.transactional_applications import TransactionalApplicationView
 from authentik.core.api.users import UserViewSet
-from authentik.core.views import apps
+from authentik.core.views.apps import RedirectToAppLaunch
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import FlowInterfaceView, InterfaceView
-from authentik.core.views.session import EndSessionView
+from authentik.core.views.interface import (
+    BrandDefaultRedirectView,
+    InterfaceView,
+    RootRedirectView,
+)
+from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@@ -29,38 +31,33 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
     path(
         "",
-        login_required(
-            RedirectView.as_view(pattern_name="authentik_core:if-user", query_string=True)
-        ),
+        login_required(RootRedirectView.as_view()),
         name="root-redirect",
     ),
     path(
-        # We have to use this format since everything else uses applications/o or applications/saml
+        # We have to use this format since everything else uses application/o or application/saml
         "application/launch/<slug:application_slug>/",
-        apps.RedirectToAppLaunch.as_view(),
+        RedirectToAppLaunch.as_view(),
         name="application-launch",
     ),
     # Interfaces
     path(
         "if/admin/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/admin.html")),
+        BrandDefaultRedirectView.as_view(template_name="if/admin.html"),
         name="if-admin",
     ),
     path(
         "if/user/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/user.html")),
+        BrandDefaultRedirectView.as_view(template_name="if/user.html"),
         name="if-user",
     ),
     path(
         "if/flow/<slug:flow_slug>/",
-        ensure_csrf_cookie(FlowInterfaceView.as_view()),
+        # FIXME: move this url to the flows app...also will cause all
+        # of the reverse calls to be adjusted
+        FlowInterfaceView.as_view(),
         name="if-flow",
     ),
-    path(
-        "if/session-end/<slug:application_slug>/",
-        ensure_csrf_cookie(EndSessionView.as_view()),
-        name="if-session-end",
-    ),
     # Fallback for WS
     path("ws/outpost/<uuid:pk>/", InterfaceView.as_view(template_name="if/admin.html")),
     path(

authentik/core/views/apps.py

@@ -8,7 +8,6 @@ from django.views import View
 from authentik.core.models import Application
 from authentik.flows.challenge import (
     ChallengeResponse,
-    ChallengeTypes,
     HttpChallengeResponse,
     RedirectChallenge,
 )
@@ -74,7 +73,6 @@ class RedirectToAppStage(ChallengeStageView):
             raise Http404
         return RedirectChallenge(
             instance={
-                "type": ChallengeTypes.REDIRECT.value,
                 "to": launch,
             }
         )

authentik/core/views/interface.py

@@ -3,15 +3,42 @@
 from json import dumps
 from typing import Any
 
-from django.shortcuts import get_object_or_404
-from django.views.generic.base import TemplateView
+from django.http import HttpRequest
+from django.http.response import HttpResponse
+from django.shortcuts import redirect
+from django.utils.translation import gettext as _
+from django.views.generic.base import RedirectView, TemplateView
 from rest_framework.request import Request
 
 from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
-from authentik.flows.models import Flow
+from authentik.brands.models import Brand
+from authentik.core.models import UserTypes
+from authentik.policies.denied import AccessDeniedResponse
+
+
+class RootRedirectView(RedirectView):
+    """Root redirect view, redirect to brand's default application if set"""
+
+    pattern_name = "authentik_core:if-user"
+    query_string = True
+
+    def redirect_to_app(self, request: HttpRequest):
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+            brand: Brand = request.brand
+            if brand.default_application:
+                return redirect(
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+        return None
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        if redirect_response := RootRedirectView().redirect_to_app(request):
+            return redirect_response
+        return super().dispatch(request, *args, **kwargs)
 
 
 class InterfaceView(TemplateView):
@@ -27,12 +54,18 @@ class InterfaceView(TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class FlowInterfaceView(InterfaceView):
-    """Flow interface"""
+class BrandDefaultRedirectView(InterfaceView):
+    """By default redirect to default app"""
 
-    template_name = "if/flow.html"
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
-        kwargs["inspector"] = "inspector" in self.request.GET
-        return super().get_context_data(**kwargs)
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+            brand: Brand = request.brand
+            if brand.default_application:
+                return redirect(
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+            response = AccessDeniedResponse(self.request)
+            response.error_message = _("Interface can only be accessed by internal users.")
+            return response
+        return super().dispatch(request, *args, **kwargs)

authentik/core/views/session.py

@@ -1,23 +0,0 @@
-"""authentik Session Views"""
-
-from typing import Any
-
-from django.shortcuts import get_object_or_404
-from django.views.generic.base import TemplateView
-
-from authentik.core.models import Application
-from authentik.policies.views import PolicyAccessView
-
-
-class EndSessionView(TemplateView, PolicyAccessView):
-    """Allow the client to end the Session"""
-
-    template_name = "if/end_session.html"
-
-    def resolve_provider_application(self):
-        self.application = get_object_or_404(Application, slug=self.kwargs["application_slug"])
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        context = super().get_context_data(**kwargs)
-        context["application"] = self.application
-        return context

authentik/crypto/api.py

@@ -24,6 +24,7 @@ from rest_framework.fields import (
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
@@ -35,6 +36,7 @@ from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
+from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
 
@@ -180,7 +182,10 @@ class CertificateDataSerializer(PassiveSerializer):
 class CertificateGenerationSerializer(PassiveSerializer):
     """Certificate generation parameters"""
 
-    common_name = CharField()
+    common_name = CharField(
+        validators=[UniqueValidator(queryset=CertificateKeyPair.objects.all())],
+        source="name",
+    )
     subject_alt_name = CharField(required=False, allow_blank=True, label=_("Subject-alt name"))
     validity_days = IntegerField(initial=365)
     alg = ChoiceField(default=PrivateKeyAlg.RSA, choices=PrivateKeyAlg.choices)
@@ -241,11 +246,10 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
     def generate(self, request: Request) -> Response:
         """Generate a new, self-signed certificate-key pair"""
         data = CertificateGenerationSerializer(data=request.data)
-        if not data.is_valid():
-            return Response(data.errors, status=400)
+        data.is_valid(raise_exception=True)
         raw_san = data.validated_data.get("subject_alt_name", "")
         sans = raw_san.split(",") if raw_san != "" else []
-        builder = CertificateBuilder(data.validated_data["common_name"])
+        builder = CertificateBuilder(data.validated_data["name"])
         builder.alg = data.validated_data["alg"]
         builder.build(
             subject_alt_names=sans,
@@ -265,7 +269,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
         ],
         responses={200: CertificateDataSerializer(many=False)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
     def view_certificate(self, request: Request, pk: str) -> Response:
         """Return certificate-key pairs certificate and log access"""
         certificate: CertificateKeyPair = self.get_object()
@@ -295,7 +299,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
         ],
         responses={200: CertificateDataSerializer(many=False)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
     def view_private_key(self, request: Request, pk: str) -> Response:
         """Return certificate-key pairs private key and log access"""
         certificate: CertificateKeyPair = self.get_object()

authentik/crypto/builder.py

@@ -76,7 +76,7 @@ class CertificateBuilder:
             .subject_name(
                 x509.Name(
                     [
-                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name),
+                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name[:64]),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, "authentik"),
                         x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"),
                     ]

authentik/crypto/tests.py

@@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
 
 
 class TestCrypto(APITestCase):
@@ -89,6 +89,17 @@ class TestCrypto(APITestCase):
         self.assertIsInstance(ext[1], DNSName)
         self.assertEqual(ext[1].value, "baz")
 
+    def test_builder_api_duplicate(self):
+        """Test Builder (via API)"""
+        cert = create_test_cert()
+        self.client.force_login(create_test_admin_user())
+        res = self.client.post(
+            reverse("authentik_api:certificatekeypair-generate"),
+            data={"common_name": cert.name, "subject_alt_name": "bar,baz", "validity_days": 3},
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(res.content, {"common_name": ["This field must be unique."]})
+
     def test_builder_api_empty_san(self):
         """Test Builder (via API)"""
         self.client.force_login(create_test_admin_user())
@@ -214,6 +225,46 @@ class TestCrypto(APITestCase):
         self.assertEqual(200, response.status_code)
         self.assertIn("Content-Disposition", response)
 
+    def test_certificate_download_denied(self):
+        """Test certificate export (download)"""
+        self.client.logout()
+        keypair = create_test_cert()
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(403, response.status_code)
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={"pk": keypair.pk},
+            ),
+            data={"download": True},
+        )
+        self.assertEqual(403, response.status_code)
+
+    def test_private_key_download_denied(self):
+        """Test private_key export (download)"""
+        self.client.logout()
+        keypair = create_test_cert()
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-private-key",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(403, response.status_code)
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-private-key",
+                kwargs={"pk": keypair.pk},
+            ),
+            data={"download": True},
+        )
+        self.assertEqual(403, response.status_code)
+
     def test_used_by(self):
         """Test used_by endpoint"""
         self.client.force_login(create_test_admin_user())
@@ -223,7 +274,7 @@ class TestCrypto(APITestCase):
             client_id="test",
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
-            redirect_uris="http://localhost",
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
             signing_key=keypair,
         )
         response = self.client.get(
@@ -246,6 +297,26 @@ class TestCrypto(APITestCase):
             ],
         )
 
+    def test_used_by_denied(self):
+        """Test used_by endpoint"""
+        self.client.logout()
+        keypair = create_test_cert()
+        OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            client_secret=generate_key(),
+            authorization_flow=create_test_flow(),
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            signing_key=keypair,
+        )
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-used-by",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(403, response.status_code)
+
     def test_discovery(self):
         """Test certificate discovery"""
         name = generate_id()

authentik/enterprise/api.py

@@ -1,12 +1,11 @@
 """Enterprise API Views"""
 
-from dataclasses import asdict
 from datetime import timedelta
 
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import extend_schema, inline_serializer
+from drf_spectacular.utils import OpenApiParameter, extend_schema, inline_serializer
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, IntegerField
@@ -30,7 +29,7 @@ class EnterpriseRequiredMixin:
 
     def validate(self, attrs: dict) -> dict:
         """Check that a valid license exists"""
-        if not LicenseKey.cached_summary().has_license:
+        if not LicenseKey.cached_summary().status.is_valid:
             raise ValidationError(_("Enterprise is required to create/update this object."))
         return super().validate(attrs)
 
@@ -87,7 +86,7 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
         },
     )
     @action(detail=False, methods=["GET"])
-    def get_install_id(self, request: Request) -> Response:
+    def install_id(self, request: Request) -> Response:
         """Get install_id"""
         return Response(
             data={
@@ -100,12 +99,22 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
         responses={
             200: LicenseSummarySerializer(),
         },
+        parameters=[
+            OpenApiParameter(
+                name="cached",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+                default=True,
+            )
+        ],
     )
     @action(detail=False, methods=["GET"], permission_classes=[IsAuthenticated])
     def summary(self, request: Request) -> Response:
         """Get the total license status"""
-        response = LicenseSummarySerializer(data=asdict(LicenseKey.cached_summary()))
-        response.is_valid(raise_exception=True)
+        summary = LicenseKey.cached_summary()
+        if request.query_params.get("cached", "true").lower() == "false":
+            summary = LicenseKey.get_total().summary()
+        response = LicenseSummarySerializer(instance=summary)
         return Response(response.data)
 
     @permission_required(None, ["authentik_enterprise.view_license"])
@@ -128,7 +137,7 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
         forecast_for_months = 12
         response = LicenseForecastSerializer(
             data={
-                "internal_users": LicenseKey.get_default_user_count(),
+                "internal_users": LicenseKey.get_internal_user_count(),
                 "external_users": LicenseKey.get_external_user_count(),
                 "forecasted_internal_users": (internal_in_last_month * forecast_for_months),
                 "forecasted_external_users": (external_in_last_month * forecast_for_months),

authentik/enterprise/apps.py

@@ -25,4 +25,4 @@ class AuthentikEnterpriseConfig(EnterpriseConfig):
         """Actual enterprise check, cached"""
         from authentik.enterprise.license import LicenseKey
 
-        return LicenseKey.cached_summary().valid
+        return LicenseKey.cached_summary().status.is_valid

authentik/enterprise/license.py

@@ -3,24 +3,37 @@
 from base64 import b64decode
 from binascii import Error
 from dataclasses import asdict, dataclass, field
-from datetime import datetime, timedelta
+from datetime import UTC, datetime, timedelta
 from enum import Enum
 from functools import lru_cache
 from time import mktime
 
 from cryptography.exceptions import InvalidSignature
 from cryptography.x509 import Certificate, load_der_x509_certificate, load_pem_x509_certificate
-from dacite import from_dict
+from dacite import DaciteError, from_dict
 from django.core.cache import cache
 from django.db.models.query import QuerySet
 from django.utils.timezone import now
 from jwt import PyJWTError, decode, get_unverified_header
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import BooleanField, DateTimeField, IntegerField
+from rest_framework.fields import (
+    ChoiceField,
+    DateTimeField,
+    IntegerField,
+    ListField,
+)
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User, UserTypes
-from authentik.enterprise.models import License, LicenseUsage
+from authentik.enterprise.models import (
+    THRESHOLD_READ_ONLY_WEEKS,
+    THRESHOLD_WARNING_ADMIN_WEEKS,
+    THRESHOLD_WARNING_EXPIRY_WEEKS,
+    THRESHOLD_WARNING_USER_WEEKS,
+    License,
+    LicenseUsage,
+    LicenseUsageStatus,
+)
 from authentik.tenants.utils import get_unique_identifier
 
 CACHE_KEY_ENTERPRISE_LICENSE = "goauthentik.io/enterprise/license"
@@ -42,6 +55,9 @@ def get_license_aud() -> str:
 class LicenseFlags(Enum):
     """License flags"""
 
+    TRIAL = "trial"
+    NON_PRODUCTION = "non_production"
+
 
 @dataclass
 class LicenseSummary:
@@ -49,12 +65,9 @@ class LicenseSummary:
 
     internal_users: int
     external_users: int
-    valid: bool
-    show_admin_warning: bool
-    show_user_warning: bool
-    read_only: bool
+    status: LicenseUsageStatus
     latest_valid: datetime
-    has_license: bool
+    license_flags: list[LicenseFlags]
 
 
 class LicenseSummarySerializer(PassiveSerializer):
@@ -62,12 +75,9 @@ class LicenseSummarySerializer(PassiveSerializer):
 
     internal_users = IntegerField(required=True)
     external_users = IntegerField(required=True)
-    valid = BooleanField()
-    show_admin_warning = BooleanField()
-    show_user_warning = BooleanField()
-    read_only = BooleanField()
+    status = ChoiceField(choices=LicenseUsageStatus.choices)
     latest_valid = DateTimeField()
-    has_license = BooleanField()
+    license_flags = ListField(child=ChoiceField(choices=tuple(x.value for x in LicenseFlags)))
 
 
 @dataclass
@@ -80,10 +90,10 @@ class LicenseKey:
     name: str
     internal_users: int = 0
     external_users: int = 0
-    flags: list[LicenseFlags] = field(default_factory=list)
+    license_flags: list[LicenseFlags] = field(default_factory=list)
 
     @staticmethod
-    def validate(jwt: str) -> "LicenseKey":
+    def validate(jwt: str, check_expiry=True) -> "LicenseKey":
         """Validate the license from a given JWT"""
         try:
             headers = get_unverified_header(jwt)
@@ -107,26 +117,28 @@ class LicenseKey:
                     our_cert.public_key(),
                     algorithms=["ES512"],
                     audience=get_license_aud(),
+                    options={"verify_exp": check_expiry, "verify_signature": check_expiry},
                 ),
             )
         except PyJWTError:
+            unverified = decode(jwt, options={"verify_signature": False})
+            if unverified["aud"] != get_license_aud():
+                raise ValidationError("Invalid Install ID in license") from None
             raise ValidationError("Unable to verify license") from None
         return body
 
     @staticmethod
     def get_total() -> "LicenseKey":
         """Get a summarized version of all (not expired) licenses"""
-        active_licenses = License.objects.filter(expiry__gte=now())
         total = LicenseKey(get_license_aud(), 0, "Summarized license", 0, 0)
-        for lic in active_licenses:
+        for lic in License.objects.all():
             total.internal_users += lic.internal_users
             total.external_users += lic.external_users
             exp_ts = int(mktime(lic.expiry.timetuple()))
             if total.exp == 0:
                 total.exp = exp_ts
-            if exp_ts <= total.exp:
-                total.exp = exp_ts
-            total.flags.extend(lic.status.flags)
+            total.exp = max(total.exp, exp_ts)
+            total.license_flags.extend(lic.status.license_flags)
         return total
 
     @staticmethod
@@ -135,7 +147,7 @@ class LicenseKey:
         return User.objects.all().exclude_anonymous().exclude(is_active=False)
 
     @staticmethod
-    def get_default_user_count():
+    def get_internal_user_count():
         """Get current default user count"""
         return LicenseKey.base_user_qs().filter(type=UserTypes.INTERNAL).count()
 
@@ -144,59 +156,73 @@ class LicenseKey:
         """Get current external user count"""
         return LicenseKey.base_user_qs().filter(type=UserTypes.EXTERNAL).count()
 
-    def is_valid(self) -> bool:
-        """Check if the given license body covers all users
+    def _last_valid_date(self):
+        last_valid_date = (
+            LicenseUsage.objects.order_by("-record_date")
+            .filter(status=LicenseUsageStatus.VALID)
+            .first()
+        )
+        if not last_valid_date:
+            return datetime.fromtimestamp(0, UTC)
+        return last_valid_date.record_date
 
-        Only checks the current count, no historical data is checked"""
-        default_users = self.get_default_user_count()
-        if default_users > self.internal_users:
-            return False
-        active_users = self.get_external_user_count()
-        if active_users > self.external_users:
-            return False
-        return True
+    def status(self) -> LicenseUsageStatus:
+        """Check if the given license body covers all users, and is valid."""
+        last_valid = self._last_valid_date()
+        if self.exp == 0 and not License.objects.exists():
+            return LicenseUsageStatus.UNLICENSED
+        _now = now()
+        # Check limit-exceeded based status
+        internal_users = self.get_internal_user_count()
+        external_users = self.get_external_user_count()
+        if internal_users > self.internal_users or external_users > self.external_users:
+            if last_valid < _now - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS):
+                return LicenseUsageStatus.READ_ONLY
+            if last_valid < _now - timedelta(weeks=THRESHOLD_WARNING_USER_WEEKS):
+                return LicenseUsageStatus.LIMIT_EXCEEDED_USER
+            if last_valid < _now - timedelta(weeks=THRESHOLD_WARNING_ADMIN_WEEKS):
+                return LicenseUsageStatus.LIMIT_EXCEEDED_ADMIN
+        # Check expiry based status
+        if datetime.fromtimestamp(self.exp, UTC) < _now:
+            if datetime.fromtimestamp(self.exp, UTC) < _now - timedelta(
+                weeks=THRESHOLD_READ_ONLY_WEEKS
+            ):
+                return LicenseUsageStatus.READ_ONLY
+            return LicenseUsageStatus.EXPIRED
+        # Expiry warning
+        if datetime.fromtimestamp(self.exp, UTC) <= _now + timedelta(
+            weeks=THRESHOLD_WARNING_EXPIRY_WEEKS
+        ):
+            return LicenseUsageStatus.EXPIRY_SOON
+        return LicenseUsageStatus.VALID
 
     def record_usage(self):
         """Capture the current validity status and metrics and save them"""
         threshold = now() - timedelta(hours=8)
-        if not LicenseUsage.objects.filter(record_date__gte=threshold).exists():
-            LicenseUsage.objects.create(
-                user_count=self.get_default_user_count(),
+        usage = (
+            LicenseUsage.objects.order_by("-record_date").filter(record_date__gte=threshold).first()
+        )
+        if not usage:
+            usage = LicenseUsage.objects.create(
+                internal_user_count=self.get_internal_user_count(),
                 external_user_count=self.get_external_user_count(),
-                within_limits=self.is_valid(),
+                status=self.status(),
             )
         summary = asdict(self.summary())
         # Also cache the latest summary for the middleware
         cache.set(CACHE_KEY_ENTERPRISE_LICENSE, summary, timeout=CACHE_EXPIRY_ENTERPRISE_LICENSE)
-        return summary
-
-    @staticmethod
-    def last_valid_date() -> datetime:
-        """Get the last date the license was valid"""
-        usage: LicenseUsage = (
-            LicenseUsage.filter_not_expired(within_limits=True).order_by("-record_date").first()
-        )
-        if not usage:
-            return now()
-        return usage.record_date
+        return usage
 
     def summary(self) -> LicenseSummary:
         """Summary of license status"""
-        has_license = License.objects.all().count() > 0
-        last_valid = LicenseKey.last_valid_date()
-        show_admin_warning = last_valid < now() - timedelta(weeks=2)
-        show_user_warning = last_valid < now() - timedelta(weeks=4)
-        read_only = last_valid < now() - timedelta(weeks=6)
+        status = self.status()
         latest_valid = datetime.fromtimestamp(self.exp)
         return LicenseSummary(
-            show_admin_warning=show_admin_warning and has_license,
-            show_user_warning=show_user_warning and has_license,
-            read_only=read_only and has_license,
             latest_valid=latest_valid,
             internal_users=self.internal_users,
             external_users=self.external_users,
-            valid=self.is_valid(),
-            has_license=has_license,
+            status=status,
+            license_flags=self.license_flags,
         )
 
     @staticmethod
@@ -205,4 +231,8 @@ class LicenseKey:
         summary = cache.get(CACHE_KEY_ENTERPRISE_LICENSE)
         if not summary:
             return LicenseKey.get_total().summary()
-        return from_dict(LicenseSummary, summary)
+        try:
+            return from_dict(LicenseSummary, summary)
+        except DaciteError:
+            cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)
+            return LicenseKey.get_total().summary()