endpoints: initial data structure

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2025.6.0
+current_version = 2025.4.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize =
+serialize = 
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:rc_t]
-values =
+values = 
 	rc
 	final
 optional_value = final

.dockerignore

@@ -5,7 +5,6 @@ dist/**
 build/**
 build_docs/**
 *Dockerfile
-**/*Dockerfile
 blueprints/local
 .git
 !gen-ts-api/node_modules

.github/workflows/ci-website.yml

@@ -41,60 +41,32 @@ jobs:
       - name: test
         working-directory: website/
         run: npm test
-  build-container:
+  build:
     runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
+    name: ${{ matrix.job }}
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - build
     steps:
       - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/dev-docs
-      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
-        with:
-          tags: ${{ steps.ev.outputs.imageTags }}
-          file: website/Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          platforms: linux/amd64,linux/arm64
-          context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+          node-version-file: website/package.json
+          cache: "npm"
+          cache-dependency-path: website/package-lock.json
+      - working-directory: website/
+        run: npm ci
+      - name: build
+        working-directory: website/
+        run: npm run ${{ matrix.job }}
   ci-website-mark:
     if: always()
     needs:
       - lint
       - test
-      - build-container
+      - build
     runs-on: ubuntu-latest
     steps:
       - uses: re-actors/alls-green@release/v1

.github/workflows/release-publish.yml

@@ -20,49 +20,6 @@ jobs:
       release: true
       registry_dockerhub: true
       registry_ghcr: true
-  build-docs:
-    runs-on: ubuntu-latest
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.6.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/docs
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build Docker Image
-        id: push
-        uses: docker/build-push-action@v6
-        with:
-          tags: ${{ steps.ev.outputs.imageTags }}
-          file: website/Dockerfile
-          push: true
-          platforms: linux/amd64,linux/arm64
-          context: .
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: true
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
@@ -236,6 +193,6 @@ jobs:
           SENTRY_ORG: authentik-security-inc
           SENTRY_PROJECT: authentik
         with:
-          release: authentik@${{ steps.ev.outputs.version }}
+          version: authentik@${{ steps.ev.outputs.version }}
           sourcemaps: "./web/dist"
           url_prefix: "~/static/dist"

Dockerfile

@@ -1,7 +1,26 @@
 # syntax=docker/dockerfile:1
 
-# Stage 1: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+# Stage 1: Build website
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS website-builder
+
+ENV NODE_ENV=production
+
+WORKDIR /work/website
+
+RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.json \
+    --mount=type=bind,target=/work/website/package-lock.json,src=./website/package-lock.json \
+    --mount=type=cache,id=npm-website,sharing=shared,target=/root/.npm \
+    npm ci --include=dev
+
+COPY ./website /work/website/
+COPY ./blueprints /work/blueprints/
+COPY ./schema.yml /work/
+COPY ./SECURITY.md /work/
+
+RUN npm run build-bundled
+
+# Stage 2: Build webui
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24 AS web-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -13,7 +32,7 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
     --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
     --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
-    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
+    --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
     npm ci --include=dev
 
 COPY ./package.json /work
@@ -24,7 +43,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build && \
     npm run build:sfe
 
-# Stage 2: Build go proxy
+# Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.24-bookworm AS go-builder
 
 ARG TARGETOS
@@ -49,8 +68,8 @@ RUN --mount=type=bind,target=/go/src/goauthentik.io/go.mod,src=./go.mod \
 COPY ./cmd /go/src/goauthentik.io/cmd
 COPY ./authentik/lib /go/src/goauthentik.io/authentik/lib
 COPY ./web/static.go /go/src/goauthentik.io/web/static.go
-COPY --from=node-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
-COPY --from=node-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
+COPY --from=web-builder /work/web/robots.txt /go/src/goauthentik.io/web/robots.txt
+COPY --from=web-builder /work/web/security.txt /go/src/goauthentik.io/web/security.txt
 COPY ./internal /go/src/goauthentik.io/internal
 COPY ./go.mod /go/src/goauthentik.io/go.mod
 COPY ./go.sum /go/src/goauthentik.io/go.sum
@@ -61,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     CGO_ENABLED=1 GOFIPS140=latest GOARM="${TARGETVARIANT#v}" \
     go build -o /go/authentik ./cmd/server
 
-# Stage 3: MaxMind GeoIP
+# Stage 4: MaxMind GeoIP
 FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
@@ -74,9 +93,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     mkdir -p /usr/share/GeoIP && \
     /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
-# Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.11 AS uv
-# Stage 5: Base python image
+# Stage 5: Download uv
+FROM ghcr.io/astral-sh/uv:0.7.8 AS uv
+# Stage 6: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
 
 ENV VENV_PATH="/ak-root/.venv" \
@@ -90,7 +109,7 @@ WORKDIR /ak-root/
 
 COPY --from=uv /uv /uvx /bin/
 
-# Stage 6: Python dependencies
+# Stage 7: Python dependencies
 FROM python-base AS python-deps
 
 ARG TARGETARCH
@@ -125,7 +144,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
     --mount=type=cache,target=/root/.cache/uv \
     uv sync --frozen --no-install-project --no-dev
 
-# Stage 7: Run
+# Stage 8: Run
 FROM python-base AS final-image
 
 ARG VERSION
@@ -168,8 +187,9 @@ COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/.venv /ak-root/.venv
-COPY --from=node-builder /work/web/dist/ /web/dist/
-COPY --from=node-builder /work/web/authentik/ /web/authentik/
+COPY --from=web-builder /work/web/dist/ /web/dist/
+COPY --from=web-builder /work/web/authentik/ /web/authentik/
+COPY --from=website-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000

SECURITY.md

@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
+| 2025.2.x  | ✅        |
 | 2025.4.x  | ✅        |
-| 2025.6.x  | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2025.6.0"
+__version__ = "2025.4.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/version.py

@@ -1,7 +1,6 @@
 """authentik administration overview"""
 
 from django.core.cache import cache
-from django_tenants.utils import get_public_schema_name
 from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
@@ -14,7 +13,6 @@ from authentik import __version__, get_build_hash
 from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 from authentik.outposts.models import Outpost
-from authentik.tenants.utils import get_current_tenant
 
 
 class VersionSerializer(PassiveSerializer):
@@ -37,8 +35,6 @@ class VersionSerializer(PassiveSerializer):
 
     def get_version_latest(self, _) -> str:
         """Get latest version from cache"""
-        if get_current_tenant().schema_name == get_public_schema_name():
-            return __version__
         version_in_cache = cache.get(VERSION_CACHE_KEY)
         if not version_in_cache:  # pragma: no cover
             update_latest_version.delay()

authentik/admin/apps.py

@@ -14,19 +14,3 @@ class AuthentikAdminConfig(ManagedAppConfig):
     label = "authentik_admin"
     verbose_name = "authentik Admin"
     default = True
-
-    @ManagedAppConfig.reconcile_global
-    def clear_update_notifications(self):
-        """Clear update notifications on startup if the notification was for the version
-        we're running now."""
-        from packaging.version import parse
-
-        from authentik.admin.tasks import LOCAL_VERSION
-        from authentik.events.models import EventAction, Notification
-
-        for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
-            if "new_version" not in notification.event.context:
-                continue
-            notification_version = notification.event.context["new_version"]
-            if LOCAL_VERSION >= parse(notification_version):
-                notification.delete()

authentik/admin/settings.py

@@ -1,7 +1,6 @@
 """authentik admin settings"""
 
 from celery.schedules import crontab
-from django_tenants.utils import get_public_schema_name
 
 from authentik.lib.utils.time import fqdn_rand
 
@@ -9,7 +8,6 @@ CELERY_BEAT_SCHEDULE = {
     "admin_latest_version": {
         "task": "authentik.admin.tasks.update_latest_version",
         "schedule": crontab(minute=fqdn_rand("admin_latest_version"), hour="*"),
-        "tenant_schemas": [get_public_schema_name()],
         "options": {"queue": "authentik_scheduled"},
     }
 }

authentik/admin/tasks.py

@@ -1,6 +1,7 @@
 """authentik admin tasks"""
 
 from django.core.cache import cache
+from django.db import DatabaseError, InternalError, ProgrammingError
 from django.utils.translation import gettext_lazy as _
 from packaging.version import parse
 from requests import RequestException
@@ -8,7 +9,7 @@ from structlog.stdlib import get_logger
 
 from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
-from authentik.events.models import Event, EventAction
+from authentik.events.models import Event, EventAction, Notification
 from authentik.events.system_tasks import SystemTask, TaskStatus, prefill_task
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
@@ -32,6 +33,20 @@ def _set_prom_info():
     )
 
 
+@CELERY_APP.task(
+    throws=(DatabaseError, ProgrammingError, InternalError),
+)
+def clear_update_notifications():
+    """Clear update notifications on startup if the notification was for the version
+    we're running now."""
+    for notification in Notification.objects.filter(event__action=EventAction.UPDATE_AVAILABLE):
+        if "new_version" not in notification.event.context:
+            continue
+        notification_version = notification.event.context["new_version"]
+        if LOCAL_VERSION >= parse(notification_version):
+            notification.delete()
+
+
 @CELERY_APP.task(bind=True, base=SystemTask)
 @prefill_task
 def update_latest_version(self: SystemTask):

authentik/admin/tests/test_tasks.py

@@ -1,12 +1,12 @@
 """test admin tasks"""
 
-from django.apps import apps
 from django.core.cache import cache
 from django.test import TestCase
 from requests_mock import Mocker
 
 from authentik.admin.tasks import (
     VERSION_CACHE_KEY,
+    clear_update_notifications,
     update_latest_version,
 )
 from authentik.events.models import Event, EventAction
@@ -72,13 +72,12 @@ class TestAdminTasks(TestCase):
 
     def test_clear_update_notifications(self):
         """Test clear of previous notification"""
-        admin_config = apps.get_app_config("authentik_admin")
         Event.objects.create(
             action=EventAction.UPDATE_AVAILABLE, context={"new_version": "99999999.9999999.9999999"}
         )
         Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={"new_version": "1.1.1"})
         Event.objects.create(action=EventAction.UPDATE_AVAILABLE, context={})
-        admin_config.clear_update_notifications()
+        clear_update_notifications()
         self.assertFalse(
             Event.objects.filter(
                 action=EventAction.UPDATE_AVAILABLE, context__new_version="1.1"

authentik/api/apps.py

@@ -1,13 +1,12 @@
 """authentik API AppConfig"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikAPIConfig(ManagedAppConfig):
+class AuthentikAPIConfig(AppConfig):
     """authentik API Config"""
 
     name = "authentik.api"
     label = "authentik_api"
     mountpoint = "api/"
     verbose_name = "authentik API"
-    default = True

authentik/blueprints/tests/test_managed_app_config.py

@@ -1,14 +0,0 @@
-from django.test import TestCase
-
-from authentik.blueprints.apps import ManagedAppConfig
-from authentik.enterprise.apps import EnterpriseConfig
-from authentik.lib.utils.reflection import get_apps
-
-
-class TestManagedAppConfig(TestCase):
-    def test_apps_use_managed_app_config(self):
-        for app in get_apps():
-            if app.name.startswith("authentik.enterprise"):
-                self.assertIn(EnterpriseConfig, app.__class__.__bases__)
-            else:
-                self.assertIn(ManagedAppConfig, app.__class__.__bases__)

authentik/brands/apps.py

@@ -1,9 +1,9 @@
 """authentik brands app"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikBrandsConfig(ManagedAppConfig):
+class AuthentikBrandsConfig(AppConfig):
     """authentik Brand app"""
 
     name = "authentik.brands"
@@ -12,4 +12,3 @@ class AuthentikBrandsConfig(ManagedAppConfig):
     mountpoints = {
         "authentik.brands.urls_root": "",
     }
-    default = True

authentik/core/api/applications.py

@@ -153,10 +153,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         return applications
 
     def _filter_applications_with_launch_url(
-        self, paginated_apps: Iterator[Application]
+        self, pagined_apps: Iterator[Application]
     ) -> list[Application]:
         applications = []
-        for app in paginated_apps:
+        for app in pagined_apps:
             if app.get_launch_url():
                 applications.append(app)
         return applications

authentik/core/migrations/0046_session_and_more.py

@@ -79,7 +79,6 @@ def _migrate_session(
         AuthenticatedSession.objects.using(db_alias).create(
             session=session,
             user=old_auth_session.user,
-            uuid=old_auth_session.uuid,
         )
 
 

authentik/core/migrations/0048_delete_oldauthenticatedsession_content_type.py

@@ -1,81 +1,10 @@
 # Generated by Django 5.1.9 on 2025-05-14 11:15
 
-from django.apps.registry import Apps, apps as global_apps
+from django.apps.registry import Apps
 from django.db import migrations
-from django.contrib.contenttypes.management import create_contenttypes
-from django.contrib.auth.management import create_permissions
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
-def migrate_authenticated_session_permissions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    """Migrate permissions from OldAuthenticatedSession to AuthenticatedSession"""
-    db_alias = schema_editor.connection.alias
-
-    # `apps` here is just an instance of `django.db.migrations.state.AppConfigStub`, we need the
-    # real config for creating permissions and content types
-    authentik_core_config = global_apps.get_app_config("authentik_core")
-    # These are only ran by django after all migrations, but we need them right now.
-    # `global_apps` is needed,
-    create_permissions(authentik_core_config, using=db_alias, verbosity=1)
-    create_contenttypes(authentik_core_config, using=db_alias, verbosity=1)
-
-    # But from now on, this is just a regular migration, so use `apps`
-    Permission = apps.get_model("auth", "Permission")
-    ContentType = apps.get_model("contenttypes", "ContentType")
-
-    try:
-        old_ct = ContentType.objects.using(db_alias).get(
-            app_label="authentik_core", model="oldauthenticatedsession"
-        )
-        new_ct = ContentType.objects.using(db_alias).get(
-            app_label="authentik_core", model="authenticatedsession"
-        )
-    except ContentType.DoesNotExist:
-        # This should exist at this point, but if not, let's cut our losses
-        return
-
-    # Get all permissions for the old content type
-    old_perms = Permission.objects.using(db_alias).filter(content_type=old_ct)
-
-    # Create equivalent permissions for the new content type
-    for old_perm in old_perms:
-        new_perm = (
-            Permission.objects.using(db_alias)
-            .filter(
-                content_type=new_ct,
-                codename=old_perm.codename,
-            )
-            .first()
-        )
-        if not new_perm:
-            # This should exist at this point, but if not, let's cut our losses
-            continue
-
-        # Global user permissions
-        User = apps.get_model("authentik_core", "User")
-        User.user_permissions.through.objects.using(db_alias).filter(
-            permission=old_perm
-        ).all().update(permission=new_perm)
-
-        # Global role permissions
-        DjangoGroup = apps.get_model("auth", "Group")
-        DjangoGroup.permissions.through.objects.using(db_alias).filter(
-            permission=old_perm
-        ).all().update(permission=new_perm)
-
-        # Object user permissions
-        UserObjectPermission = apps.get_model("guardian", "UserObjectPermission")
-        UserObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
-            permission=new_perm, content_type=new_ct
-        )
-
-        # Object role permissions
-        GroupObjectPermission = apps.get_model("guardian", "GroupObjectPermission")
-        GroupObjectPermission.objects.using(db_alias).filter(permission=old_perm).all().update(
-            permission=new_perm, content_type=new_ct
-        )
-
-
 def remove_old_authenticated_session_content_type(
     apps: Apps, schema_editor: BaseDatabaseSchemaEditor
 ):
@@ -92,12 +21,7 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RunPython(
-            code=migrate_authenticated_session_permissions,
-            reverse_code=migrations.RunPython.noop,
-        ),
         migrations.RunPython(
             code=remove_old_authenticated_session_content_type,
-            reverse_code=migrations.RunPython.noop,
         ),
     ]

authentik/core/templates/if/admin.html

@@ -10,7 +10,7 @@
 {% endblock %}
 
 {% block body %}
-<ak-message-container alignment="bottom"></ak-message-container>
+<ak-message-container></ak-message-container>
 <ak-interface-admin>
     <ak-loading></ak-loading>
 </ak-interface-admin>

authentik/endpoints/apps.py

@@ -0,0 +1,12 @@
+"""authentik endpoints app config"""
+
+from authentik.blueprints.apps import ManagedAppConfig
+
+
+class AuthentikEndpointsConfig(ManagedAppConfig):
+    """authentik endpoints app config"""
+
+    name = "authentik.endpoints"
+    label = "authentik_endpoints"
+    verbose_name = "authentik Endpoints"
+    default = True

authentik/endpoints/common_data.py

@@ -0,0 +1,47 @@
+from enum import Enum
+
+from pydantic import BaseModel
+
+
+class UNSUPPORTED(BaseModel):
+    pass
+
+
+class OSFamily(Enum):
+
+    linux = "linux"
+    unix = "unix"
+    bsd = "bsd"
+    windows = "windows"
+    macOS = "mac_os"
+    android = "android"
+    iOS = "i_os"
+    other = "other"
+
+class CommonDeviceData(BaseModel):
+    class Disk(BaseModel):
+        encryption: bool
+
+    class OS(BaseModel):
+        firewall_enabled: bool
+        family: OSFamily
+        name: str
+        version: str
+
+    class Network(BaseModel):
+        hostname: str
+        dns_servers: list[str]
+
+    class Hardware(BaseModel):
+        model: str
+        manufacturer: str
+
+    class Software(BaseModel):
+        name: str
+        version: str
+
+    os: OS | UNSUPPORTED
+    disks: list[Disk] | UNSUPPORTED
+    network: Network | UNSUPPORTED
+    hardware: Hardware | UNSUPPORTED
+    software: list[Software] | UNSUPPORTED

authentik/endpoints/connector.py

@@ -0,0 +1,16 @@
+from authentik.blueprints import models
+
+
+class EnrollmentMethods(models.TextChoices):
+    AUTOMATIC_USER = "automatic_user"  # Automatically enrolled through user action
+    AUTOMATIC_API = "automatic_api"  # Automatically enrolled through connector integration
+    MANUAL_USER = "manual_user"  # Manually enrolled
+
+
+class BaseConnector:
+
+    def __init__(self) -> None:
+        pass
+
+    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
+        return []

authentik/endpoints/connectors/google_chrome/connector.py

@@ -0,0 +1,7 @@
+from authentik.endpoints.connector import BaseConnector, EnrollmentMethods
+
+
+class GoogleChromeConnector(BaseConnector):
+
+    def supported_enrollment_methods(self) -> list[EnrollmentMethods]:
+        return [EnrollmentMethods.AUTOMATIC_USER]

authentik/endpoints/connectors/google_chrome/models.py

@@ -0,0 +1,7 @@
+from django.db import models
+
+from authentik.endpoints.models import Connector
+
+
+class GoogleChromeConnector(Connector):
+    credentials = models.JSONField()

authentik/endpoints/migrations/0001_initial.py

@@ -0,0 +1,125 @@
+# Generated by Django 5.0.9 on 2024-09-24 19:16
+
+import django.db.models.deletion
+import uuid
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Connector",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("connector_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("name", models.TextField()),
+                (
+                    "enrollment_method",
+                    models.TextField(
+                        choices=[
+                            ("automatic_user", "Automatic User"),
+                            ("automatic_api", "Automatic Api"),
+                            ("manual_user", "Manual User"),
+                        ]
+                    ),
+                ),
+            ],
+            options={
+                "abstract": False,
+            },
+        ),
+        migrations.CreateModel(
+            name="Device",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("device_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("identifier", models.TextField(unique=True)),
+            ],
+            options={
+                "abstract": False,
+            },
+        ),
+        migrations.CreateModel(
+            name="DeviceConnection",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("device_connection_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("data", models.JSONField(default=dict)),
+                (
+                    "connection",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_endpoints.connector",
+                    ),
+                ),
+                (
+                    "device",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_endpoints.device"
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="device",
+            name="connections",
+            field=models.ManyToManyField(
+                through="authentik_endpoints.DeviceConnection", to="authentik_endpoints.connector"
+            ),
+        ),
+        migrations.CreateModel(
+            name="DeviceUser",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("device_user_uuid", models.UUIDField(default=uuid.uuid4)),
+                ("is_primary", models.BooleanField()),
+                (
+                    "device",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_endpoints.device"
+                    ),
+                ),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL
+                    ),
+                ),
+            ],
+        ),
+        migrations.AddField(
+            model_name="device",
+            name="users",
+            field=models.ManyToManyField(
+                through="authentik_endpoints.DeviceUser", to=settings.AUTH_USER_MODEL
+            ),
+        ),
+    ]

authentik/endpoints/models.py

@@ -0,0 +1,40 @@
+from uuid import uuid4
+
+from django.db import models
+from django.utils.functional import cached_property
+
+from authentik.core.models import User
+from authentik.endpoints.common_data import CommonDeviceData
+from authentik.lib.models import SerializerModel
+
+
+class Device(SerializerModel):
+    device_uuid = models.UUIDField(default=uuid4)
+
+    identifier = models.TextField(unique=True)
+    users = models.ManyToManyField(User, through="DeviceUser")
+    connections = models.ManyToManyField("Connector", through="DeviceConnection")
+
+    @cached_property
+    def data(self) -> CommonDeviceData:
+        pass
+
+
+class DeviceUser(models.Model):
+    device_user_uuid = models.UUIDField(default=uuid4)
+    device = models.ForeignKey("Device", on_delete=models.CASCADE)
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    is_primary = models.BooleanField()
+
+
+class DeviceConnection(models.Model):
+    device_connection_uuid = models.UUIDField(default=uuid4)
+    device = models.ForeignKey("Device", on_delete=models.CASCADE)
+    connection = models.ForeignKey("Connector", on_delete=models.CASCADE)
+    data = models.JSONField(default=dict)
+
+
+class Connector(SerializerModel):
+    connector_uuid = models.UUIDField(default=uuid4)
+
+    name = models.TextField()

authentik/lib/default.yml

@@ -81,6 +81,7 @@ debugger: false
 
 log_level: info
 
+session_storage: cache
 sessions:
   unauthenticated_age: days=1
 

authentik/lib/sync/outgoing/tasks.py

@@ -130,7 +130,7 @@ class SyncTasks:
     def sync_objects(
         self, object_type: str, page: int, provider_pk: int, override_dry_run=False, **filter
     ):
-        _object_type: type[Model] = path_to_class(object_type)
+        _object_type = path_to_class(object_type)
         self.logger = get_logger().bind(
             provider_type=class_to_path(self._provider_model),
             provider_pk=provider_pk,
@@ -156,11 +156,7 @@ class SyncTasks:
         messages.append(
             asdict(
                 LogEvent(
-                    _(
-                        "Syncing page {page} of {object_type}".format(
-                            page=page, object_type=_object_type._meta.verbose_name_plural
-                        )
-                    ),
+                    _("Syncing page {page} of groups".format(page=page)),
                     log_level="info",
                     logger=f"{provider._meta.verbose_name}@{object_type}",
                 )

authentik/policies/dummy/apps.py

@@ -1,12 +1,11 @@
 """Authentik policy dummy app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikPolicyDummyConfig(ManagedAppConfig):
+class AuthentikPolicyDummyConfig(AppConfig):
     """Authentik policy_dummy app config"""
 
     name = "authentik.policies.dummy"
     label = "authentik_policies_dummy"
     verbose_name = "authentik Policies.Dummy"
-    default = True

authentik/policies/engine.py

@@ -1,11 +1,11 @@
 """authentik policy engine"""
 
-from collections.abc import Iterable
+from collections.abc import Iterator
 from multiprocessing import Pipe, current_process
 from multiprocessing.connection import Connection
+from time import perf_counter
 
 from django.core.cache import cache
-from django.db.models import Count, Q, QuerySet
 from django.http import HttpRequest
 from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
@@ -67,11 +67,14 @@ class PolicyEngine:
         self.__processes: list[PolicyProcessInfo] = []
         self.use_cache = True
         self.__expected_result_count = 0
-        self.__static_result: PolicyResult | None = None
 
-    def bindings(self) -> QuerySet[PolicyBinding] | Iterable[PolicyBinding]:
+    def iterate_bindings(self) -> Iterator[PolicyBinding]:
         """Make sure all Policies are their respective classes"""
-        return PolicyBinding.objects.filter(target=self.__pbm, enabled=True).order_by("order")
+        return (
+            PolicyBinding.objects.filter(target=self.__pbm, enabled=True)
+            .order_by("order")
+            .iterator()
+        )
 
     def _check_policy_type(self, binding: PolicyBinding):
         """Check policy type, make sure it's not the root class as that has no logic implemented"""
@@ -81,66 +84,30 @@ class PolicyEngine:
     def _check_cache(self, binding: PolicyBinding):
         if not self.use_cache:
             return False
-        # It's a bit silly to time this, but
-        with HIST_POLICIES_EXECUTION_TIME.labels(
-            binding_order=binding.order,
-            binding_target_type=binding.target_type,
-            binding_target_name=binding.target_name,
-            object_pk=str(self.request.obj.pk),
-            object_type=class_to_path(self.request.obj.__class__),
-            mode="cache_retrieve",
-        ).time():
-            key = cache_key(binding, self.request)
-            cached_policy = cache.get(key, None)
-            if not cached_policy:
-                return False
+        before = perf_counter()
+        key = cache_key(binding, self.request)
+        cached_policy = cache.get(key, None)
+        duration = max(perf_counter() - before, 0)
+        if not cached_policy:
+            return False
         self.logger.debug(
             "P_ENG: Taking result from cache",
             binding=binding,
             cache_key=key,
             request=self.request,
         )
+        HIST_POLICIES_EXECUTION_TIME.labels(
+            binding_order=binding.order,
+            binding_target_type=binding.target_type,
+            binding_target_name=binding.target_name,
+            object_pk=str(self.request.obj.pk),
+            object_type=class_to_path(self.request.obj.__class__),
+            mode="cache_retrieve",
+        ).observe(duration)
+        # It's a bit silly to time this, but
         self.__cached_policies.append(cached_policy)
         return True
 
-    def compute_static_bindings(self, bindings: QuerySet[PolicyBinding]):
-        """Check static bindings if possible"""
-        aggrs = {
-            "total": Count(
-                "pk", filter=Q(Q(group__isnull=False) | Q(user__isnull=False), policy=None)
-            ),
-        }
-        if self.request.user.pk:
-            all_groups = self.request.user.all_groups()
-            aggrs["passing"] = Count(
-                "pk",
-                filter=Q(
-                    Q(
-                        Q(user=self.request.user) | Q(group__in=all_groups),
-                        negate=False,
-                    )
-                    | Q(
-                        Q(~Q(user=self.request.user), user__isnull=False)
-                        | Q(~Q(group__in=all_groups), group__isnull=False),
-                        negate=True,
-                    ),
-                    enabled=True,
-                ),
-            )
-        matched_bindings = bindings.aggregate(**aggrs)
-        passing = False
-        if matched_bindings["total"] == 0 and matched_bindings.get("passing", 0) == 0:
-            # If we didn't find any static bindings, do nothing
-            return
-        self.logger.debug("P_ENG: Found static bindings", **matched_bindings)
-        if matched_bindings.get("passing", 0) > 0:
-            # Any passing static binding -> passing
-            passing = True
-        elif matched_bindings["total"] > 0 and matched_bindings.get("passing", 0) < 1:
-            # No matching static bindings but at least one is configured -> not passing
-            passing = False
-        self.__static_result = PolicyResult(passing)
-
     def build(self) -> "PolicyEngine":
         """Build wrapper which monitors performance"""
         with (
@@ -156,12 +123,7 @@ class PolicyEngine:
             span: Span
             span.set_data("pbm", self.__pbm)
             span.set_data("request", self.request)
-            bindings = self.bindings()
-            policy_bindings = bindings
-            if isinstance(bindings, QuerySet):
-                self.compute_static_bindings(bindings)
-                policy_bindings = [x for x in bindings if x.policy]
-            for binding in policy_bindings:
+            for binding in self.iterate_bindings():
                 self.__expected_result_count += 1
 
                 self._check_policy_type(binding)
@@ -191,13 +153,10 @@ class PolicyEngine:
     @property
     def result(self) -> PolicyResult:
         """Get policy-checking result"""
-        self.__processes.sort(key=lambda x: x.binding.order)
         process_results: list[PolicyResult] = [x.result for x in self.__processes if x.result]
         all_results = list(process_results + self.__cached_policies)
         if len(all_results) < self.__expected_result_count:  # pragma: no cover
             raise AssertionError("Got less results than polices")
-        if self.__static_result:
-            all_results.append(self.__static_result)
         # No results, no policies attached -> passing
         if len(all_results) == 0:
             return PolicyResult(self.empty_result)

authentik/policies/event_matcher/apps.py

@@ -1,12 +1,11 @@
 """authentik Event Matcher policy app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikPoliciesEventMatcherConfig(ManagedAppConfig):
+class AuthentikPoliciesEventMatcherConfig(AppConfig):
     """authentik Event Matcher policy app config"""
 
     name = "authentik.policies.event_matcher"
     label = "authentik_policies_event_matcher"
     verbose_name = "authentik Policies.Event Matcher"
-    default = True

authentik/policies/expiry/apps.py

@@ -1,12 +1,11 @@
 """Authentik policy_expiry app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikPolicyExpiryConfig(ManagedAppConfig):
+class AuthentikPolicyExpiryConfig(AppConfig):
     """Authentik policy_expiry app config"""
 
     name = "authentik.policies.expiry"
     label = "authentik_policies_expiry"
     verbose_name = "authentik Policies.Expiry"
-    default = True

authentik/policies/expression/apps.py

@@ -1,12 +1,11 @@
 """Authentik policy_expression app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikPolicyExpressionConfig(ManagedAppConfig):
+class AuthentikPolicyExpressionConfig(AppConfig):
     """Authentik policy_expression app config"""
 
     name = "authentik.policies.expression"
     label = "authentik_policies_expression"
     verbose_name = "authentik Policies.Expression"
-    default = True

authentik/policies/geoip/apps.py

@@ -1,12 +1,11 @@
 """Authentik policy geoip app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikPolicyGeoIPConfig(ManagedAppConfig):
+class AuthentikPolicyGeoIPConfig(AppConfig):
     """Authentik policy_geoip app config"""
 
     name = "authentik.policies.geoip"
     label = "authentik_policies_geoip"
     verbose_name = "authentik Policies.GeoIP"
-    default = True

authentik/policies/password/apps.py

@@ -1,12 +1,11 @@
 """authentik Password policy app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikPoliciesPasswordConfig(ManagedAppConfig):
+class AuthentikPoliciesPasswordConfig(AppConfig):
     """authentik Password policy app config"""
 
     name = "authentik.policies.password"
     label = "authentik_policies_password"
     verbose_name = "authentik Policies.Password"
-    default = True

authentik/policies/tests/test_engine.py

@@ -1,12 +1,9 @@
 """policy engine tests"""
 
 from django.core.cache import cache
-from django.db import connections
 from django.test import TestCase
-from django.test.utils import CaptureQueriesContext
 
-from authentik.core.models import Group
-from authentik.core.tests.utils import create_test_user
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.engine import PolicyEngine
@@ -22,7 +19,7 @@ class TestPolicyEngine(TestCase):
 
     def setUp(self):
         clear_policy_cache()
-        self.user = create_test_user()
+        self.user = create_test_admin_user()
         self.policy_false = DummyPolicy.objects.create(
             name=generate_id(), result=False, wait_min=0, wait_max=1
         )
@@ -130,43 +127,3 @@ class TestPolicyEngine(TestCase):
         self.assertEqual(len(cache.keys(f"{CACHE_PREFIX}{binding.policy_binding_uuid.hex}*")), 1)
         self.assertEqual(engine.build().passing, False)
         self.assertEqual(len(cache.keys(f"{CACHE_PREFIX}{binding.policy_binding_uuid.hex}*")), 1)
-
-    def test_engine_static_bindings(self):
-        """Test static bindings"""
-        group_a = Group.objects.create(name=generate_id())
-        group_b = Group.objects.create(name=generate_id())
-        group_b.users.add(self.user)
-        user = create_test_user()
-
-        for case in [
-            {
-                "message": "Group, not member",
-                "binding_args": {"group": group_a},
-                "passing": False,
-            },
-            {
-                "message": "Group, member",
-                "binding_args": {"group": group_b},
-                "passing": True,
-            },
-            {
-                "message": "User, other",
-                "binding_args": {"user": user},
-                "passing": False,
-            },
-            {
-                "message": "User, same",
-                "binding_args": {"user": self.user},
-                "passing": True,
-            },
-        ]:
-            with self.subTest():
-                pbm = PolicyBindingModel.objects.create()
-                for x in range(1000):
-                    PolicyBinding.objects.create(target=pbm, order=x, **case["binding_args"])
-                engine = PolicyEngine(pbm, self.user)
-                engine.use_cache = False
-                with CaptureQueriesContext(connections["default"]) as ctx:
-                    engine.build()
-                self.assertLess(ctx.final_queries, 1000)
-                self.assertEqual(engine.result.passing, case["passing"])

authentik/policies/tests/test_process.py

@@ -29,12 +29,13 @@ class TestPolicyProcess(TestCase):
     def setUp(self):
         clear_policy_cache()
         self.factory = RequestFactory()
-        self.user = User.objects.create_user(username=generate_id())
+        self.user = User.objects.create_user(username="policyuser")
 
     def test_group_passing(self):
         """Test binding to group"""
-        group = Group.objects.create(name=generate_id())
+        group = Group.objects.create(name="test-group")
         group.users.add(self.user)
+        group.save()
         binding = PolicyBinding(group=group)
 
         request = PolicyRequest(self.user)
@@ -43,7 +44,8 @@ class TestPolicyProcess(TestCase):
 
     def test_group_negative(self):
         """Test binding to group"""
-        group = Group.objects.create(name=generate_id())
+        group = Group.objects.create(name="test-group")
+        group.save()
         binding = PolicyBinding(group=group)
 
         request = PolicyRequest(self.user)
@@ -113,10 +115,8 @@ class TestPolicyProcess(TestCase):
 
     def test_exception(self):
         """Test policy execution"""
-        policy = Policy.objects.create(name=generate_id())
-        binding = PolicyBinding(
-            policy=policy, target=Application.objects.create(name=generate_id())
-        )
+        policy = Policy.objects.create(name="test-execution")
+        binding = PolicyBinding(policy=policy, target=Application.objects.create(name="test"))
 
         request = PolicyRequest(self.user)
         response = PolicyProcess(binding, request, None).execute()
@@ -125,15 +125,13 @@ class TestPolicyProcess(TestCase):
     def test_execution_logging(self):
         """Test policy execution creates event"""
         policy = DummyPolicy.objects.create(
-            name=generate_id(),
+            name="test-execution-logging",
             result=False,
             wait_min=0,
             wait_max=1,
             execution_logging=True,
         )
-        binding = PolicyBinding(
-            policy=policy, target=Application.objects.create(name=generate_id())
-        )
+        binding = PolicyBinding(policy=policy, target=Application.objects.create(name="test"))
 
         http_request = self.factory.get(reverse("authentik_api:user-impersonate-end"))
         http_request.user = self.user
@@ -188,15 +186,13 @@ class TestPolicyProcess(TestCase):
     def test_execution_logging_anonymous(self):
         """Test policy execution creates event with anonymous user"""
         policy = DummyPolicy.objects.create(
-            name=generate_id(),
+            name="test-execution-logging-anon",
             result=False,
             wait_min=0,
             wait_max=1,
             execution_logging=True,
         )
-        binding = PolicyBinding(
-            policy=policy, target=Application.objects.create(name=generate_id())
-        )
+        binding = PolicyBinding(policy=policy, target=Application.objects.create(name="test"))
 
         user = AnonymousUser()
 
@@ -223,9 +219,9 @@ class TestPolicyProcess(TestCase):
 
     def test_raises(self):
         """Test policy that raises error"""
-        policy_raises = ExpressionPolicy.objects.create(name=generate_id(), expression="{{ 0/0 }}")
+        policy_raises = ExpressionPolicy.objects.create(name="raises", expression="{{ 0/0 }}")
         binding = PolicyBinding(
-            policy=policy_raises, target=Application.objects.create(name=generate_id())
+            policy=policy_raises, target=Application.objects.create(name="test")
         )
 
         request = PolicyRequest(self.user)

authentik/providers/ldap/apps.py

@@ -1,12 +1,11 @@
 """authentik ldap provider app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikProviderLDAPConfig(ManagedAppConfig):
+class AuthentikProviderLDAPConfig(AppConfig):
     """authentik ldap provider app config"""
 
     name = "authentik.providers.ldap"
     label = "authentik_providers_ldap"
     verbose_name = "authentik Providers.LDAP"
-    default = True

authentik/providers/proxy/apps.py

@@ -10,11 +10,3 @@ class AuthentikProviderProxyConfig(ManagedAppConfig):
     label = "authentik_providers_proxy"
     verbose_name = "authentik Providers.Proxy"
     default = True
-
-    @ManagedAppConfig.reconcile_tenant
-    def proxy_set_defaults(self):
-        from authentik.providers.proxy.models import ProxyProvider
-
-        for provider in ProxyProvider.objects.all():
-            provider.set_oauth_defaults()
-            provider.save()

authentik/providers/proxy/tasks.py

@@ -2,13 +2,25 @@
 
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
+from django.db import DatabaseError, InternalError, ProgrammingError
 
 from authentik.outposts.consumer import OUTPOST_GROUP
 from authentik.outposts.models import Outpost, OutpostType
 from authentik.providers.oauth2.id_token import hash_session_key
+from authentik.providers.proxy.models import ProxyProvider
 from authentik.root.celery import CELERY_APP
 
 
+@CELERY_APP.task(
+    throws=(DatabaseError, ProgrammingError, InternalError),
+)
+def proxy_set_defaults():
+    """Ensure correct defaults are set for all providers"""
+    for provider in ProxyProvider.objects.all():
+        provider.set_oauth_defaults()
+        provider.save()
+
+
 @CELERY_APP.task()
 def proxy_on_logout(session_id: str):
     """Update outpost instances connected to a single outpost"""

authentik/providers/rac/models.py

@@ -166,6 +166,7 @@ class ConnectionToken(ExpiringModel):
         always_merger.merge(settings, default_settings)
         always_merger.merge(settings, self.endpoint.provider.settings)
         always_merger.merge(settings, self.endpoint.settings)
+        always_merger.merge(settings, self.settings)
 
         def mapping_evaluator(mappings: QuerySet):
             for mapping in mappings:
@@ -190,7 +191,6 @@ class ConnectionToken(ExpiringModel):
         mapping_evaluator(
             RACPropertyMapping.objects.filter(endpoint__in=[self.endpoint]).order_by("name")
         )
-        always_merger.merge(settings, self.settings)
 
         settings["drive-path"] = f"/tmp/connection/{self.token}"  # nosec
         settings["create-drive-path"] = "true"

authentik/providers/rac/tests/test_models.py

@@ -90,6 +90,23 @@ class TestModels(TransactionTestCase):
                 "resize-method": "display-update",
             },
         )
+        # Set settings in token
+        token.settings = {
+            "level": "token",
+        }
+        token.save()
+        self.assertEqual(
+            token.get_settings(),
+            {
+                "hostname": self.endpoint.host.split(":")[0],
+                "port": "1324",
+                "client-name": f"authentik - {self.user}",
+                "drive-path": path,
+                "create-drive-path": "true",
+                "level": "token",
+                "resize-method": "display-update",
+            },
+        )
         # Set settings in property mapping (provider)
         mapping = RACPropertyMapping.objects.create(
             name=generate_id(),
@@ -134,22 +151,3 @@ class TestModels(TransactionTestCase):
                 "resize-method": "display-update",
             },
         )
-        # Set settings in token
-        token.settings = {
-            "level": "token",
-        }
-        token.save()
-        self.assertEqual(
-            token.get_settings(),
-            {
-                "hostname": self.endpoint.host.split(":")[0],
-                "port": "1324",
-                "client-name": f"authentik - {self.user}",
-                "drive-path": path,
-                "create-drive-path": "true",
-                "foo": "true",
-                "bar": "6",
-                "resize-method": "display-update",
-                "level": "token",
-            },
-        )

authentik/providers/radius/apps.py

@@ -1,12 +1,11 @@
 """authentik radius provider app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikProviderRadiusConfig(ManagedAppConfig):
+class AuthentikProviderRadiusConfig(AppConfig):
     """authentik radius provider app config"""
 
     name = "authentik.providers.radius"
     label = "authentik_providers_radius"
     verbose_name = "authentik Providers.Radius"
-    default = True

authentik/providers/saml/apps.py

@@ -1,13 +1,12 @@
 """authentik SAML IdP app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikProviderSAMLConfig(ManagedAppConfig):
+class AuthentikProviderSAMLConfig(AppConfig):
     """authentik SAML IdP app config"""
 
     name = "authentik.providers.saml"
     label = "authentik_providers_saml"
     verbose_name = "authentik Providers.SAML"
     mountpoint = "application/saml/"
-    default = True

authentik/providers/scim/clients/groups.py

@@ -47,16 +47,15 @@ class SCIMGroupClient(SCIMClient[Group, SCIMProviderGroup, SCIMGroupSchema]):
 
     def to_schema(self, obj: Group, connection: SCIMProviderGroup) -> SCIMGroupSchema:
         """Convert authentik user into SCIM"""
-        raw_scim_group = super().to_schema(obj, connection)
+        raw_scim_group = super().to_schema(
+            obj,
+            connection,
+            schemas=(SCIM_GROUP_SCHEMA,),
+        )
         try:
             scim_group = SCIMGroupSchema.model_validate(delete_none_values(raw_scim_group))
         except ValidationError as exc:
             raise StopSync(exc, obj) from exc
-        if SCIM_GROUP_SCHEMA not in scim_group.schemas:
-            scim_group.schemas.insert(0, SCIM_GROUP_SCHEMA)
-        # As this might be unset, we need to tell pydantic it's set so ensure the schemas
-        # are included, even if its just the defaults
-        scim_group.schemas = list(scim_group.schemas)
         if not scim_group.externalId:
             scim_group.externalId = str(obj.pk)
 

authentik/providers/scim/clients/users.py

@@ -31,16 +31,15 @@ class SCIMUserClient(SCIMClient[User, SCIMProviderUser, SCIMUserSchema]):
 
     def to_schema(self, obj: User, connection: SCIMProviderUser) -> SCIMUserSchema:
         """Convert authentik user into SCIM"""
-        raw_scim_user = super().to_schema(obj, connection)
+        raw_scim_user = super().to_schema(
+            obj,
+            connection,
+            schemas=(SCIM_USER_SCHEMA,),
+        )
         try:
             scim_user = SCIMUserSchema.model_validate(delete_none_values(raw_scim_user))
         except ValidationError as exc:
             raise StopSync(exc, obj) from exc
-        if SCIM_USER_SCHEMA not in scim_user.schemas:
-            scim_user.schemas.insert(0, SCIM_USER_SCHEMA)
-        # As this might be unset, we need to tell pydantic it's set so ensure the schemas
-        # are included, even if its just the defaults
-        scim_user.schemas = list(scim_user.schemas)
         if not scim_user.externalId:
             scim_user.externalId = str(obj.uid)
         return scim_user

authentik/providers/scim/tests/test_user.py

@@ -91,57 +91,6 @@ class SCIMUserTests(TestCase):
             },
         )
 
-    @Mocker()
-    def test_user_create_custom_schema(self, mock: Mocker):
-        """Test user creation with custom schema"""
-        schema = SCIMMapping.objects.create(
-            name="custom_schema",
-            expression="""return {"schemas": ["foo"]}""",
-        )
-        self.provider.property_mappings.add(schema)
-        scim_id = generate_id()
-        mock.get(
-            "https://localhost/ServiceProviderConfig",
-            json={},
-        )
-        mock.post(
-            "https://localhost/Users",
-            json={
-                "id": scim_id,
-            },
-        )
-        uid = generate_id()
-        user = User.objects.create(
-            username=uid,
-            name=f"{uid} {uid}",
-            email=f"{uid}@goauthentik.io",
-        )
-        self.assertEqual(mock.call_count, 2)
-        self.assertEqual(mock.request_history[0].method, "GET")
-        self.assertEqual(mock.request_history[1].method, "POST")
-        self.assertJSONEqual(
-            mock.request_history[1].body,
-            {
-                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", "foo"],
-                "active": True,
-                "emails": [
-                    {
-                        "primary": True,
-                        "type": "other",
-                        "value": f"{uid}@goauthentik.io",
-                    }
-                ],
-                "externalId": user.uid,
-                "name": {
-                    "familyName": uid,
-                    "formatted": f"{uid} {uid}",
-                    "givenName": uid,
-                },
-                "displayName": f"{uid} {uid}",
-                "userName": uid,
-            },
-        )
-
     @Mocker()
     def test_user_create_different_provider_same_id(self, mock: Mocker):
         """Test user creation with multiple providers that happen

authentik/recovery/apps.py

@@ -1,13 +1,12 @@
 """authentik Recovery app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikRecoveryConfig(ManagedAppConfig):
+class AuthentikRecoveryConfig(AppConfig):
     """authentik Recovery app config"""
 
     name = "authentik.recovery"
     label = "authentik_recovery"
     verbose_name = "authentik Recovery"
     mountpoint = "recovery/"
-    default = True

authentik/root/celery.py

@@ -98,7 +98,13 @@ def _get_startup_tasks_default_tenant() -> list[Callable]:
 
 def _get_startup_tasks_all_tenants() -> list[Callable]:
     """Get all tasks to be run on startup for all tenants"""
-    return []
+    from authentik.admin.tasks import clear_update_notifications
+    from authentik.providers.proxy.tasks import proxy_set_defaults
+
+    return [
+        clear_update_notifications,
+        proxy_set_defaults,
+    ]
 
 
 @worker_ready.connect

authentik/root/settings.py

@@ -73,6 +73,7 @@ TENANT_APPS = [
     "authentik.admin",
     "authentik.api",
     "authentik.crypto",
+    "authentik.endpoints",
     "authentik.flows",
     "authentik.outposts",
     "authentik.policies.dummy",

authentik/sources/ldap/api.py

@@ -103,7 +103,6 @@ class LDAPSourceSerializer(SourceSerializer):
             "user_object_filter",
             "group_object_filter",
             "group_membership_field",
-            "user_membership_attribute",
             "object_uniqueness_field",
             "password_login_update_internal_password",
             "sync_users",
@@ -140,7 +139,6 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
         "user_object_filter",
         "group_object_filter",
         "group_membership_field",
-        "user_membership_attribute",
         "object_uniqueness_field",
         "password_login_update_internal_password",
         "sync_users",

authentik/sources/ldap/migrations/0010_ldapsource_user_membership_attribute.py

@@ -1,32 +0,0 @@
-# Generated by Django 5.1.9 on 2025-05-29 11:22
-
-from django.apps.registry import Apps
-from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def set_user_membership_attribute(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    LDAPSource = apps.get_model("authentik_sources_ldap", "LDAPSource")
-    db_alias = schema_editor.connection.alias
-
-    LDAPSource.objects.using(db_alias).filter(group_membership_field="memberUid").all().update(
-        user_membership_attribute="ldap_uniq"
-    )
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ("authentik_sources_ldap", "0009_groupldapsourceconnection_validated_by_and_more"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="ldapsource",
-            name="user_membership_attribute",
-            field=models.TextField(
-                default="distinguishedName",
-                help_text="Attribute which matches the value of `group_membership_field`.",
-            ),
-        ),
-        migrations.RunPython(set_user_membership_attribute, migrations.RunPython.noop),
-    ]

authentik/sources/ldap/models.py

@@ -100,10 +100,6 @@ class LDAPSource(Source):
         default="(objectClass=person)",
         help_text=_("Consider Objects matching this filter to be Users."),
     )
-    user_membership_attribute = models.TextField(
-        default=LDAP_DISTINGUISHED_NAME,
-        help_text=_("Attribute which matches the value of `group_membership_field`."),
-    )
     group_membership_field = models.TextField(
         default="member", help_text=_("Field which contains members of a group.")
     )

authentik/sources/ldap/sync/membership.py

@@ -71,11 +71,17 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
             if not ak_group:
                 continue
 
+            membership_mapping_attribute = LDAP_DISTINGUISHED_NAME
+            if self._source.group_membership_field == "memberUid":
+                # If memberships are based on the posixGroup's 'memberUid'
+                # attribute we use the RDN instead of the FDN to lookup members.
+                membership_mapping_attribute = LDAP_UNIQUENESS
+
             users = User.objects.filter(
-                Q(**{f"attributes__{self._source.user_membership_attribute}__in": members})
+                Q(**{f"attributes__{membership_mapping_attribute}__in": members})
                 | Q(
                     **{
-                        f"attributes__{self._source.user_membership_attribute}__isnull": True,
+                        f"attributes__{membership_mapping_attribute}__isnull": True,
                         "ak_groups__in": [ak_group],
                     }
                 )

authentik/sources/ldap/tests/test_sync.py

@@ -269,56 +269,12 @@ class LDAPSyncTests(TestCase):
         self.source.group_membership_field = "memberUid"
         self.source.user_object_filter = "(objectClass=posixAccount)"
         self.source.group_object_filter = "(objectClass=posixGroup)"
-        self.source.user_membership_attribute = "uid"
         self.source.user_property_mappings.set(
-            [
-                *LDAPSourcePropertyMapping.objects.filter(
-                    Q(managed__startswith="goauthentik.io/sources/ldap/default")
-                    | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
-                ).all(),
-                LDAPSourcePropertyMapping.objects.create(
-                    name="name",
-                    expression='return {"attributes": {"uid": list_flatten(ldap.get("uid"))}}',
-                ),
-            ]
-        )
-        self.source.group_property_mappings.set(
             LDAPSourcePropertyMapping.objects.filter(
-                managed="goauthentik.io/sources/ldap/openldap-cn"
+                Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
             )
         )
-        connection = MagicMock(return_value=mock_slapd_connection(LDAP_PASSWORD))
-        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
-            self.source.save()
-            user_sync = UserLDAPSynchronizer(self.source)
-            user_sync.sync_full()
-            group_sync = GroupLDAPSynchronizer(self.source)
-            group_sync.sync_full()
-            membership_sync = MembershipLDAPSynchronizer(self.source)
-            membership_sync.sync_full()
-            # Test if membership mapping based on memberUid works.
-            posix_group = Group.objects.filter(name="group-posix").first()
-            self.assertTrue(posix_group.users.filter(name="user-posix").exists())
-
-    def test_sync_groups_openldap_posix_group_nonstandard_membership_attribute(self):
-        """Test posix group sync"""
-        self.source.object_uniqueness_field = "cn"
-        self.source.group_membership_field = "memberUid"
-        self.source.user_object_filter = "(objectClass=posixAccount)"
-        self.source.group_object_filter = "(objectClass=posixGroup)"
-        self.source.user_membership_attribute = "cn"
-        self.source.user_property_mappings.set(
-            [
-                *LDAPSourcePropertyMapping.objects.filter(
-                    Q(managed__startswith="goauthentik.io/sources/ldap/default")
-                    | Q(managed__startswith="goauthentik.io/sources/ldap/openldap")
-                ).all(),
-                LDAPSourcePropertyMapping.objects.create(
-                    name="name",
-                    expression='return {"attributes": {"cn": list_flatten(ldap.get("cn"))}}',
-                ),
-            ]
-        )
         self.source.group_property_mappings.set(
             LDAPSourcePropertyMapping.objects.filter(
                 managed="goauthentik.io/sources/ldap/openldap-cn"

authentik/sources/plex/apps.py

@@ -1,12 +1,11 @@
 """authentik plex config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikSourcePlexConfig(ManagedAppConfig):
+class AuthentikSourcePlexConfig(AppConfig):
     """authentik source plex config"""
 
     name = "authentik.sources.plex"
     label = "authentik_sources_plex"
     verbose_name = "authentik Sources.Plex"
-    default = True

authentik/stages/authenticator/apps.py

@@ -1,12 +1,11 @@
 """Authenticator"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageAuthenticatorConfig(ManagedAppConfig):
+class AuthentikStageAuthenticatorConfig(AppConfig):
     """Authenticator App config"""
 
     name = "authentik.stages.authenticator"
     label = "authentik_stages_authenticator"
     verbose_name = "authentik Stages.Authenticator"
-    default = True

authentik/stages/authenticator_sms/apps.py

@@ -1,12 +1,11 @@
 """SMS"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageAuthenticatorSMSConfig(ManagedAppConfig):
+class AuthentikStageAuthenticatorSMSConfig(AppConfig):
     """SMS App config"""
 
     name = "authentik.stages.authenticator_sms"
     label = "authentik_stages_authenticator_sms"
     verbose_name = "authentik Stages.Authenticator.SMS"
-    default = True

authentik/stages/authenticator_totp/apps.py

@@ -1,12 +1,11 @@
 """TOTP"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageAuthenticatorTOTPConfig(ManagedAppConfig):
+class AuthentikStageAuthenticatorTOTPConfig(AppConfig):
     """TOTP App config"""
 
     name = "authentik.stages.authenticator_totp"
     label = "authentik_stages_authenticator_totp"
     verbose_name = "authentik Stages.Authenticator.TOTP"
-    default = True

authentik/stages/authenticator_validate/apps.py

@@ -1,12 +1,11 @@
 """Authenticator Validation Stage"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageAuthenticatorValidateConfig(ManagedAppConfig):
+class AuthentikStageAuthenticatorValidateConfig(AppConfig):
     """Authenticator Validation Stage"""
 
     name = "authentik.stages.authenticator_validate"
     label = "authentik_stages_authenticator_validate"
     verbose_name = "authentik Stages.Authenticator.Validate"
-    default = True

authentik/stages/authenticator_validate/tests/test_webauthn.py

@@ -151,7 +151,9 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
             webauthn_user_verification=UserVerification.PREFERRED,
         )
         stage.webauthn_allowed_device_types.set(
-            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
+            WebAuthnDeviceType.objects.filter(
+                description="Android Authenticator with SafetyNet Attestation"
+            )
         )
         session = self.client.session
         plan = FlowPlan(flow_pk=flow.pk.hex)
@@ -337,7 +339,9 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
             device_classes=[DeviceClasses.WEBAUTHN],
         )
         stage.webauthn_allowed_device_types.set(
-            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
+            WebAuthnDeviceType.objects.filter(
+                description="Android Authenticator with SafetyNet Attestation"
+            )
         )
         session = self.client.session
         plan = FlowPlan(flow_pk=flow.pk.hex)

authentik/stages/authenticator_webauthn/tests.py

@@ -141,7 +141,9 @@ class TestAuthenticatorWebAuthnStage(FlowTestCase):
         """Test registration with restricted devices (fail)"""
         webauthn_mds_import.delay(force=True).get()
         self.stage.device_type_restrictions.set(
-            WebAuthnDeviceType.objects.filter(description="YubiKey 5 Series")
+            WebAuthnDeviceType.objects.filter(
+                description="Android Authenticator with SafetyNet Attestation"
+            )
         )
 
         plan = FlowPlan(flow_pk=self.flow.pk.hex, bindings=[self.binding], markers=[StageMarker()])

authentik/stages/captcha/apps.py

@@ -1,12 +1,11 @@
 """authentik captcha app"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageCaptchaConfig(ManagedAppConfig):
+class AuthentikStageCaptchaConfig(AppConfig):
     """authentik captcha app"""
 
     name = "authentik.stages.captcha"
     label = "authentik_stages_captcha"
     verbose_name = "authentik Stages.Captcha"
-    default = True

authentik/stages/consent/apps.py

@@ -1,12 +1,11 @@
 """authentik consent app"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageConsentConfig(ManagedAppConfig):
+class AuthentikStageConsentConfig(AppConfig):
     """authentik consent app"""
 
     name = "authentik.stages.consent"
     label = "authentik_stages_consent"
     verbose_name = "authentik Stages.Consent"
-    default = True

authentik/stages/deny/apps.py

@@ -1,12 +1,11 @@
 """authentik deny stage app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageDenyConfig(ManagedAppConfig):
+class AuthentikStageDenyConfig(AppConfig):
     """authentik deny stage config"""
 
     name = "authentik.stages.deny"
     label = "authentik_stages_deny"
     verbose_name = "authentik Stages.Deny"
-    default = True

authentik/stages/dummy/apps.py

@@ -1,12 +1,11 @@
 """authentik dummy stage config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageDummyConfig(ManagedAppConfig):
+class AuthentikStageDummyConfig(AppConfig):
     """authentik dummy stage config"""
 
     name = "authentik.stages.dummy"
     label = "authentik_stages_dummy"
     verbose_name = "authentik Stages.Dummy"
-    default = True

authentik/stages/identification/apps.py

@@ -1,12 +1,11 @@
 """authentik identification stage app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageIdentificationConfig(ManagedAppConfig):
+class AuthentikStageIdentificationConfig(AppConfig):
     """authentik identification stage config"""
 
     name = "authentik.stages.identification"
     label = "authentik_stages_identification"
     verbose_name = "authentik Stages.Identification"
-    default = True

authentik/stages/invitation/apps.py

@@ -1,12 +1,11 @@
 """authentik invitation stage app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageInvitationConfig(ManagedAppConfig):
+class AuthentikStageInvitationConfig(AppConfig):
     """authentik invitation stage config"""
 
     name = "authentik.stages.invitation"
     label = "authentik_stages_invitation"
     verbose_name = "authentik Stages.Invitation"
-    default = True

authentik/stages/password/apps.py

@@ -1,12 +1,11 @@
 """authentik core app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStagePasswordConfig(ManagedAppConfig):
+class AuthentikStagePasswordConfig(AppConfig):
     """authentik password stage config"""
 
     name = "authentik.stages.password"
     label = "authentik_stages_password"
     verbose_name = "authentik Stages.Password"
-    default = True

authentik/stages/prompt/apps.py

@@ -1,12 +1,11 @@
 """authentik prompt stage app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStagePromptConfig(ManagedAppConfig):
+class AuthentikStagePromptConfig(AppConfig):
     """authentik prompt stage config"""
 
     name = "authentik.stages.prompt"
     label = "authentik_stages_prompt"
     verbose_name = "authentik Stages.Prompt"
-    default = True

authentik/stages/prompt/stage.py

@@ -1,6 +1,6 @@
 """Prompt Stage Logic"""
 
-from collections.abc import Callable
+from collections.abc import Callable, Iterator
 from email.policy import Policy
 from types import MethodType
 from typing import Any
@@ -190,7 +190,7 @@ class ListPolicyEngine(PolicyEngine):
         self.__list = policies
         self.use_cache = False
 
-    def bindings(self):
+    def iterate_bindings(self) -> Iterator[PolicyBinding]:
         for policy in self.__list:
             yield PolicyBinding(
                 policy=policy,

authentik/stages/redirect/apps.py

@@ -1,12 +1,11 @@
 """authentik redirect app"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageRedirectConfig(ManagedAppConfig):
+class AuthentikStageRedirectConfig(AppConfig):
     """authentik redirect app"""
 
     name = "authentik.stages.redirect"
     label = "authentik_stages_redirect"
     verbose_name = "authentik Stages.Redirect"
-    default = True

authentik/stages/user_delete/apps.py

@@ -1,12 +1,11 @@
 """authentik delete stage app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageUserDeleteConfig(ManagedAppConfig):
+class AuthentikStageUserDeleteConfig(AppConfig):
     """authentik delete stage config"""
 
     name = "authentik.stages.user_delete"
     label = "authentik_stages_user_delete"
     verbose_name = "authentik Stages.User Delete"
-    default = True

authentik/stages/user_login/apps.py

@@ -1,12 +1,11 @@
 """authentik login stage app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageUserLoginConfig(ManagedAppConfig):
+class AuthentikStageUserLoginConfig(AppConfig):
     """authentik login stage config"""
 
     name = "authentik.stages.user_login"
     label = "authentik_stages_user_login"
     verbose_name = "authentik Stages.User Login"
-    default = True

authentik/stages/user_login/stage.py

@@ -11,7 +11,7 @@ from rest_framework.fields import BooleanField, CharField
 from authentik.core.models import Session, User
 from authentik.events.middleware import audit_ignore
 from authentik.flows.challenge import ChallengeResponse, WithUserInfoChallenge
-from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE
 from authentik.flows.stage import ChallengeStageView
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.root.middleware import ClientIPMiddleware
@@ -108,6 +108,10 @@ class UserLoginStageView(ChallengeStageView):
             flow_slug=self.executor.flow.slug,
             session_duration=delta,
         )
+        # Only show success message if we don't have a source in the flow
+        # as sources show their own success messages
+        if not self.executor.plan.context.get(PLAN_CONTEXT_SOURCE, None):
+            messages.success(self.request, _("Successfully logged in!"))
         if self.executor.current_stage.terminate_other_sessions:
             Session.objects.filter(
                 authenticatedsession__user=user,

authentik/stages/user_logout/apps.py

@@ -1,12 +1,11 @@
 """authentik logout stage app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageUserLogoutConfig(ManagedAppConfig):
+class AuthentikStageUserLogoutConfig(AppConfig):
     """authentik logout stage config"""
 
     name = "authentik.stages.user_logout"
     label = "authentik_stages_user_logout"
     verbose_name = "authentik Stages.User Logout"
-    default = True

authentik/stages/user_write/apps.py

@@ -1,12 +1,11 @@
 """authentik write stage app config"""
 
-from authentik.blueprints.apps import ManagedAppConfig
+from django.apps import AppConfig
 
 
-class AuthentikStageUserWriteConfig(ManagedAppConfig):
+class AuthentikStageUserWriteConfig(AppConfig):
     """authentik write stage config"""
 
     name = "authentik.stages.user_write"
     label = "authentik_stages_user_write"
     verbose_name = "authentik Stages.User Write"
-    default = True

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2025.6.0 Blueprint schema",
+    "title": "authentik 2025.4.1 Blueprint schema",
     "required": [
         "version",
         "entries"
@@ -8147,12 +8147,6 @@
                     "title": "Group membership field",
                     "description": "Field which contains members of a group."
                 },
-                "user_membership_attribute": {
-                    "type": "string",
-                    "minLength": 1,
-                    "title": "User membership attribute",
-                    "description": "Attribute which matches the value of `group_membership_field`."
-                },
                 "object_uniqueness_field": {
                     "type": "string",
                     "minLength": 1,

cmd/ldap/main.go

@@ -2,13 +2,17 @@ package main
 
 import (
 	"fmt"
+	"net/url"
 	"os"
 
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
+	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/outpost/ak/entrypoint"
+	"goauthentik.io/internal/debug"
+	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/ldap"
 )
@@ -21,15 +25,65 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 
 var rootCmd = &cobra.Command{
-	Long:             helpMessage,
-	Version:          constants.FullVersion(),
-	PersistentPreRun: common.PreRun,
-	RunE: func(cmd *cobra.Command, args []string) error {
-		err := entrypoint.OutpostMain("authentik.outpost.ldap", ldap.NewServer)
-		if err != nil {
+	Long:    helpMessage,
+	Version: constants.FullVersion(),
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		log.SetLevel(log.DebugLevel)
+		log.SetFormatter(&log.JSONFormatter{
+			FieldMap: log.FieldMap{
+				log.FieldKeyMsg:  "event",
+				log.FieldKeyTime: "timestamp",
+			},
+			DisableHTMLEscape: true,
+		})
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		debug.EnableDebugServer()
+		akURL := config.Get().AuthentikHost
+		if akURL == "" {
+			fmt.Println("env AUTHENTIK_HOST not set!")
 			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+		akToken := config.Get().AuthentikToken
+		if akToken == "" {
+			fmt.Println("env AUTHENTIK_TOKEN not set!")
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		akURLActual, err := url.Parse(akURL)
+		if err != nil {
+			fmt.Println(err)
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		ex := common.Init()
+		defer common.Defer()
+		go func() {
+			for {
+				<-ex
+				os.Exit(0)
+			}
+		}()
+
+		ac := ak.NewAPIController(*akURLActual, akToken)
+		if ac == nil {
+			os.Exit(1)
+		}
+		defer ac.Shutdown()
+
+		ac.Server = ldap.NewServer(ac)
+
+		err = ac.Start()
+		if err != nil {
+			log.WithError(err).Panic("Failed to run server")
+		}
+
+		for {
+			<-ex
 		}
-		return err
 	},
 }
 

cmd/proxy/main.go

@@ -2,13 +2,17 @@ package main
 
 import (
 	"fmt"
+	"net/url"
 	"os"
 
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
+	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/outpost/ak/entrypoint"
+	"goauthentik.io/internal/debug"
+	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/proxyv2"
 )
@@ -24,15 +28,65 @@ Optionally, you can set these:
 - AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST`
 
 var rootCmd = &cobra.Command{
-	Long:             helpMessage,
-	Version:          constants.FullVersion(),
-	PersistentPreRun: common.PreRun,
-	RunE: func(cmd *cobra.Command, args []string) error {
-		err := entrypoint.OutpostMain("authentik.outpost.proxy", proxyv2.NewProxyServer)
-		if err != nil {
+	Long:    helpMessage,
+	Version: constants.FullVersion(),
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		log.SetLevel(log.DebugLevel)
+		log.SetFormatter(&log.JSONFormatter{
+			FieldMap: log.FieldMap{
+				log.FieldKeyMsg:  "event",
+				log.FieldKeyTime: "timestamp",
+			},
+			DisableHTMLEscape: true,
+		})
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		debug.EnableDebugServer()
+		akURL := config.Get().AuthentikHost
+		if akURL == "" {
+			fmt.Println("env AUTHENTIK_HOST not set!")
 			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+		akToken := config.Get().AuthentikToken
+		if akToken == "" {
+			fmt.Println("env AUTHENTIK_TOKEN not set!")
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		akURLActual, err := url.Parse(akURL)
+		if err != nil {
+			fmt.Println(err)
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		ex := common.Init()
+		defer common.Defer()
+		go func() {
+			for {
+				<-ex
+				os.Exit(0)
+			}
+		}()
+
+		ac := ak.NewAPIController(*akURLActual, akToken)
+		if ac == nil {
+			os.Exit(1)
+		}
+		defer ac.Shutdown()
+
+		ac.Server = proxyv2.NewProxyServer(ac)
+
+		err = ac.Start()
+		if err != nil {
+			log.WithError(err).Panic("Failed to run server")
+		}
+
+		for {
+			<-ex
 		}
-		return err
 	},
 }
 

cmd/rac/main.go

@@ -2,13 +2,16 @@ package main
 
 import (
 	"fmt"
+	"net/url"
 	"os"
 
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/outpost/ak/entrypoint"
+	"goauthentik.io/internal/debug"
+	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/rac"
 )
@@ -21,15 +24,65 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 
 var rootCmd = &cobra.Command{
-	Long:             helpMessage,
-	Version:          constants.FullVersion(),
-	PersistentPreRun: common.PreRun,
-	RunE: func(cmd *cobra.Command, args []string) error {
-		err := entrypoint.OutpostMain("authentik.outpost.rac", rac.NewServer)
-		if err != nil {
+	Long:    helpMessage,
+	Version: constants.FullVersion(),
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		log.SetLevel(log.DebugLevel)
+		log.SetFormatter(&log.JSONFormatter{
+			FieldMap: log.FieldMap{
+				log.FieldKeyMsg:  "event",
+				log.FieldKeyTime: "timestamp",
+			},
+			DisableHTMLEscape: true,
+		})
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		debug.EnableDebugServer()
+		akURL, found := os.LookupEnv("AUTHENTIK_HOST")
+		if !found {
+			fmt.Println("env AUTHENTIK_HOST not set!")
 			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+		akToken, found := os.LookupEnv("AUTHENTIK_TOKEN")
+		if !found {
+			fmt.Println("env AUTHENTIK_TOKEN not set!")
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		akURLActual, err := url.Parse(akURL)
+		if err != nil {
+			fmt.Println(err)
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		ex := common.Init()
+		defer common.Defer()
+		go func() {
+			for {
+				<-ex
+				os.Exit(0)
+			}
+		}()
+
+		ac := ak.NewAPIController(*akURLActual, akToken)
+		if ac == nil {
+			os.Exit(1)
+		}
+		defer ac.Shutdown()
+
+		ac.Server = rac.NewServer(ac)
+
+		err = ac.Start()
+		if err != nil {
+			log.WithError(err).Panic("Failed to run server")
+		}
+
+		for {
+			<-ex
 		}
-		return err
 	},
 }
 

cmd/radius/main.go

@@ -2,13 +2,16 @@ package main
 
 import (
 	"fmt"
+	"net/url"
 	"os"
 
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/constants"
-	"goauthentik.io/internal/outpost/ak/entrypoint"
+	"goauthentik.io/internal/debug"
+	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/radius"
 )
@@ -21,15 +24,65 @@ Required environment variables:
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`
 
 var rootCmd = &cobra.Command{
-	Long:             helpMessage,
-	Version:          constants.FullVersion(),
-	PersistentPreRun: common.PreRun,
-	RunE: func(cmd *cobra.Command, args []string) error {
-		err := entrypoint.OutpostMain("authentik.outpost.radius", radius.NewServer)
-		if err != nil {
+	Long:    helpMessage,
+	Version: constants.FullVersion(),
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		log.SetLevel(log.DebugLevel)
+		log.SetFormatter(&log.JSONFormatter{
+			FieldMap: log.FieldMap{
+				log.FieldKeyMsg:  "event",
+				log.FieldKeyTime: "timestamp",
+			},
+			DisableHTMLEscape: true,
+		})
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		debug.EnableDebugServer()
+		akURL, found := os.LookupEnv("AUTHENTIK_HOST")
+		if !found {
+			fmt.Println("env AUTHENTIK_HOST not set!")
 			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+		akToken, found := os.LookupEnv("AUTHENTIK_TOKEN")
+		if !found {
+			fmt.Println("env AUTHENTIK_TOKEN not set!")
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		akURLActual, err := url.Parse(akURL)
+		if err != nil {
+			fmt.Println(err)
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		ex := common.Init()
+		defer common.Defer()
+		go func() {
+			for {
+				<-ex
+				os.Exit(0)
+			}
+		}()
+
+		ac := ak.NewAPIController(*akURLActual, akToken)
+		if ac == nil {
+			os.Exit(1)
+		}
+		defer ac.Shutdown()
+
+		ac.Server = radius.NewServer(ac)
+
+		err = ac.Start()
+		if err != nil {
+			log.WithError(err).Panic("Failed to run server")
+		}
+
+		for {
+			<-ex
 		}
-		return err
 	},
 }
 

cmd/server/server.go

@@ -22,12 +22,21 @@ import (
 )
 
 var rootCmd = &cobra.Command{
-	Use:              "authentik",
-	Short:            "Start authentik instance",
-	Version:          constants.FullVersion(),
-	PersistentPreRun: common.PreRun,
+	Use:     "authentik",
+	Short:   "Start authentik instance",
+	Version: constants.FullVersion(),
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		log.SetLevel(log.DebugLevel)
+		log.SetFormatter(&log.JSONFormatter{
+			FieldMap: log.FieldMap{
+				log.FieldKeyMsg:  "event",
+				log.FieldKeyTime: "timestamp",
+			},
+			DisableHTMLEscape: true,
+		})
+	},
 	Run: func(cmd *cobra.Command, args []string) {
-		debug.EnableDebugServer("authentik.core")
+		debug.EnableDebugServer()
 		l := log.WithField("logger", "authentik.root")
 
 		if config.Get().ErrorReporting.Enabled {
@@ -90,7 +99,7 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) {
 		})
 
 		srv := proxyv2.NewProxyServer(ac)
-		ws.ProxyServer = srv.(*proxyv2.ProxyServer)
+		ws.ProxyServer = srv
 		ac.Server = srv
 		l.Debug("attempting to start outpost")
 		err := ac.StartBackgroundTasks()

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
     restart: unless-stopped
     command: server
     environment:
@@ -55,7 +55,7 @@ services:
       redis:
         condition: service_healthy
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.6.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.1}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -16,19 +16,18 @@ require (
 	github.com/gorilla/securecookie v1.1.2
 	github.com/gorilla/sessions v1.4.0
 	github.com/gorilla/websocket v1.5.3
-	github.com/grafana/pyroscope-go v1.2.2
 	github.com/jellydator/ttlcache/v3 v3.3.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.1
 	github.com/prometheus/client_golang v1.22.0
-	github.com/redis/go-redis/v9 v9.9.0
+	github.com/redis/go-redis/v9 v9.8.0
 	github.com/sethvargo/go-envconfig v1.3.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025060.1
+	goauthentik.io/api/v3 v3.2025041.2
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.30.0
 	golang.org/x/sync v0.14.0
@@ -59,10 +58,8 @@ require (
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-openapi/validate v0.24.0 // indirect
-	github.com/grafana/pyroscope-go/godeltaprof v0.1.8 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect

go.sum

@@ -178,10 +178,6 @@ github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2e
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grafana/pyroscope-go v1.2.2 h1:uvKCyZMD724RkaCEMrSTC38Yn7AnFe8S2wiAIYdDPCE=
-github.com/grafana/pyroscope-go v1.2.2/go.mod h1:zzT9QXQAp2Iz2ZdS216UiV8y9uXJYQiGE1q8v1FyhqU=
-github.com/grafana/pyroscope-go/godeltaprof v0.1.8 h1:iwOtYXeeVSAeYefJNaxDytgjKtUuKQbJqgAIjlnicKg=
-github.com/grafana/pyroscope-go/godeltaprof v0.1.8/go.mod h1:2+l7K7twW49Ct4wFluZD3tZ6e0SjanjcUUBPVD/UuGU=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -249,8 +245,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.9.0 h1:URbPQ4xVQSQhZ27WMQVmZSo3uT3pL+4IdHVcYq2nVfM=
-github.com/redis/go-redis/v9 v9.9.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI=
+github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@@ -266,8 +262,6 @@ github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -296,8 +290,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025060.1 h1:H/TDuroJlQicuxrWEnLcO3lzQaHuR28xrUb1L2362Vo=
-goauthentik.io/api/v3 v3.2025060.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025041.2 h1:vFYYnhcDcxL95RczZwhzt3i4LptFXMvIRN+vgf8sQYg=
+goauthentik.io/api/v3 v3.2025041.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/common/prerun.go

@@ -1,17 +0,0 @@
-package common
-
-import (
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-)
-
-func PreRun(cmd *cobra.Command, args []string) {
-	log.SetLevel(log.DebugLevel)
-	log.SetFormatter(&log.JSONFormatter{
-		FieldMap: log.FieldMap{
-			log.FieldKeyMsg:  "event",
-			log.FieldKeyTime: "timestamp",
-		},
-		DisableHTMLEscape: true,
-	})
-}

internal/constants/constants.go

@@ -33,4 +33,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2025.6.0"
+const VERSION = "2025.4.1"

internal/debug/debug.go

@@ -5,24 +5,19 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/pprof"
-	"os"
-	"runtime"
 
 	"github.com/gorilla/mux"
-	"github.com/grafana/pyroscope-go"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/utils/web"
 )
 
-var l = log.WithField("logger", "authentik.debugger.go")
-
-func EnableDebugServer(appName string) {
+func EnableDebugServer() {
+	l := log.WithField("logger", "authentik.go_debugger")
 	if !config.Get().Debug {
 		return
 	}
 	h := mux.NewRouter()
-	enablePyroscope(appName)
 	h.HandleFunc("/debug/pprof/", pprof.Index)
 	h.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
 	h.HandleFunc("/debug/pprof/profile", pprof.Profile)
@@ -59,38 +54,3 @@ func EnableDebugServer(appName string) {
 		}
 	}()
 }
-
-func enablePyroscope(appName string) {
-	p, pok := os.LookupEnv("AUTHENTIK_PYROSCOPE_HOST")
-	if !pok {
-		return
-	}
-	l.Debug("Enabling pyroscope")
-	runtime.SetMutexProfileFraction(5)
-	runtime.SetBlockProfileRate(5)
-	hostname, err := os.Hostname()
-	if err != nil {
-		panic(err)
-	}
-	_, err = pyroscope.Start(pyroscope.Config{
-		ApplicationName: appName,
-		ServerAddress:   p,
-		Logger:          pyroscope.StandardLogger,
-		Tags:            map[string]string{"hostname": hostname},
-		ProfileTypes: []pyroscope.ProfileType{
-			pyroscope.ProfileCPU,
-			pyroscope.ProfileAllocObjects,
-			pyroscope.ProfileAllocSpace,
-			pyroscope.ProfileInuseObjects,
-			pyroscope.ProfileInuseSpace,
-			pyroscope.ProfileGoroutines,
-			pyroscope.ProfileMutexCount,
-			pyroscope.ProfileMutexDuration,
-			pyroscope.ProfileBlockCount,
-			pyroscope.ProfileBlockDuration,
-		},
-	})
-	if err != nil {
-		panic(err)
-	}
-}

internal/outpost/ak/api.go

@@ -135,10 +135,6 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 	return ac
 }
 
-func (a *APIController) Log() *log.Entry {
-	return a.logger
-}
-
 // Start Starts all handlers, non-blocking
 func (a *APIController) Start() error {
 	err := a.Server.Refresh()

internal/outpost/ak/entrypoint/entrypoint.go

@@ -1,51 +0,0 @@
-package entrypoint
-
-import (
-	"errors"
-	"net/url"
-	"os"
-
-	"goauthentik.io/internal/common"
-	"goauthentik.io/internal/config"
-	"goauthentik.io/internal/debug"
-	"goauthentik.io/internal/outpost/ak"
-)
-
-func OutpostMain(appName string, server func(ac *ak.APIController) ak.Outpost) error {
-	debug.EnableDebugServer(appName)
-	akURL := config.Get().AuthentikHost
-	if akURL == "" {
-		return errors.New("environment variable `AUTHENTIK_HOST` not set")
-	}
-	akToken := config.Get().AuthentikToken
-	if akToken == "" {
-		return errors.New("environment variable `AUTHENTIK_TOKEN` not set")
-	}
-
-	akURLActual, err := url.Parse(akURL)
-	if err != nil {
-		return err
-	}
-
-	ex := common.Init()
-	defer common.Defer()
-
-	ac := ak.NewAPIController(*akURLActual, akToken)
-	if ac == nil {
-		os.Exit(1)
-	}
-	defer ac.Shutdown()
-
-	ac.Server = server(ac)
-
-	err = ac.Start()
-	if err != nil {
-		ac.Log().WithError(err).Panic("Failed to run server")
-		return err
-	}
-
-	for {
-		<-ex
-		return nil
-	}
-}

internal/outpost/ak/global.go

@@ -48,20 +48,20 @@ func doGlobalSetup(outpost api.Outpost, globalConfig *api.Config) {
 	if globalConfig.ErrorReporting.Enabled {
 		if !initialSetup {
 			l.WithField("env", globalConfig.ErrorReporting.Environment).Debug("Error reporting enabled")
-			err := sentry.Init(sentry.ClientOptions{
-				Dsn:           globalConfig.ErrorReporting.SentryDsn,
-				Environment:   globalConfig.ErrorReporting.Environment,
-				EnableTracing: true,
-				TracesSampler: sentryutils.SamplerFunc(float64(globalConfig.ErrorReporting.TracesSampleRate)),
-				Release:       fmt.Sprintf("authentik@%s", constants.VERSION),
-				HTTPTransport: webutils.NewUserAgentTransport(constants.UserAgentOutpost(), http.DefaultTransport),
-				IgnoreErrors: []string{
-					http.ErrAbortHandler.Error(),
-				},
-			})
-			if err != nil {
-				l.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialise sentry")
-			}
+		}
+		err := sentry.Init(sentry.ClientOptions{
+			Dsn:           globalConfig.ErrorReporting.SentryDsn,
+			Environment:   globalConfig.ErrorReporting.Environment,
+			EnableTracing: true,
+			TracesSampler: sentryutils.SamplerFunc(float64(globalConfig.ErrorReporting.TracesSampleRate)),
+			Release:       fmt.Sprintf("authentik@%s", constants.VERSION),
+			HTTPTransport: webutils.NewUserAgentTransport(constants.UserAgentOutpost(), http.DefaultTransport),
+			IgnoreErrors: []string{
+				http.ErrAbortHandler.Error(),
+			},
+		})
+		if err != nil {
+			l.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialise sentry")
 		}
 	}
 

internal/outpost/ldap/ldap.go

@@ -26,7 +26,7 @@ type LDAPServer struct {
 	providers   []*ProviderInstance
 }
 
-func NewServer(ac *ak.APIController) ak.Outpost {
+func NewServer(ac *ak.APIController) *LDAPServer {
 	ls := &LDAPServer{
 		log:       log.WithField("logger", "authentik.outpost.ldap"),
 		ac:        ac,