slight refactors

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
fix
2025-06-09 00:48:28 +02:00 · 2025-06-08 15:52:24 +02:00 · 2025-06-08 03:03:48 +02:00 · 2025-06-08 02:51:27 +02:00 · 2025-06-08 02:25:47 +02:00 · 2025-06-08 02:16:03 +02:00
506 changed files with 17955 additions and 18191 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.6.2
+current_version = 2025.6.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -21,8 +21,6 @@ optional_value = final
 [bumpversion:file:package.json]
 [bumpversion:file:package-lock.json]
 [bumpversion:file:docker-compose.yml]
 [bumpversion:file:schema.yml]
@ -33,4 +31,6 @@ optional_value = final
 [bumpversion:file:internal/constants/constants.go]
 [bumpversion:file:web/src/common/constants.ts]
 [bumpversion:file:lifecycle/aws/template.yaml]
--- a/.dockerignore
+++ b/.dockerignore
@ -11,4 +11,3 @@ blueprints/local
 !gen-ts-api/node_modules
 !gen-ts-api/dist/**
 !gen-go-api/
 .venv
--- a/.editorconfig
+++ b/.editorconfig
@ -7,9 +7,6 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 [*.toml]
 indent_size = 2
 [*.html]
 indent_size = 2
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -100,13 +100,6 @@ updates:
      goauthentik:
        patterns:
          - "@goauthentik/*"
      eslint:
        patterns:
          - "@eslint/*"
          - "@typescript-eslint/*"
          - "eslint-*"
          - "eslint"
          - "typescript-eslint"
  - package-ecosystem: npm
    directory: "/lifecycle/aws"
    schedule:
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@ -15,8 +15,8 @@ jobs:
      matrix:
        version:
          - docs
          - version-2025-4
          - version-2025-2
          - version-2024-12
    steps:
      - uses: actions/checkout@v4
      - run: |
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -202,7 +202,7 @@ jobs:
        uses: actions/cache@v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
@ -226,61 +226,6 @@ jobs:
          flags: e2e
          file: unittest.xml
          token: ${{ secrets.CODECOV_TOKEN }}
  test-conformance:
    name: test-conformance (${{ matrix.job.name }})
    runs-on: ubuntu-latest
    timeout-minutes: 30
    strategy:
      fail-fast: false
      matrix:
        job:
          - name: basic
            glob: tests/openid_conformance/test_basic.py
          - name: implicit
            glob: tests/openid_conformance/test_implicit.py
    steps:
      - uses: actions/checkout@v4
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
        run: |
          docker compose -f tests/e2e/docker-compose.yml up -d --quiet-pull
      - name: Setup conformance suite
        run: |
          docker compose -f tests/openid_conformance/compose.yml up -d --quiet-pull
      - id: cache-web
        uses: actions/cache@v4
        with:
          path: web/dist
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
        run: |
          npm ci
          make -C .. gen-client-ts
          npm run build
          npm run build:sfe
      - name: run conformance
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
          uv run coverage xml
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
          flags: conformance
          token: ${{ secrets.CODECOV_TOKEN }}
      - if: ${{ !cancelled() }}
        uses: codecov/test-results-action@v1
        with:
          flags: conformance
          file: unittest.xml
          token: ${{ secrets.CODECOV_TOKEN }}
      - if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: conformance-certification-${{ matrix.job.glob }}
          path: tests/openid_conformance/exports/
  ci-core-mark:
    if: always()
    needs:
@ -290,7 +235,6 @@ jobs:
      - test-unittest
      - test-integration
      - test-e2e
      - test-conformance
    runs-on: ubuntu-latest
    steps:
      - uses: re-actors/alls-green@release/v1
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -41,27 +41,6 @@ jobs:
      - name: test
        working-directory: website/
        run: npm test
  build:
    runs-on: ubuntu-latest
    name: ${{ matrix.job }}
    strategy:
      fail-fast: false
      matrix:
        job:
          - build
          - build:integrations
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: website/package.json
          cache: "npm"
          cache-dependency-path: website/package-lock.json
      - working-directory: website/
        run: npm ci
      - name: build
        working-directory: website/
        run: npm run ${{ matrix.job }}
  build-container:
    runs-on: ubuntu-latest
    permissions:
@ -115,7 +94,6 @@ jobs:
    needs:
      - lint
      - test
      - build
      - build-container
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -2,7 +2,7 @@ name: "CodeQL"
 on:
  push:
-    branches: [main, next, version*]
+    branches: [main, "*", next, version*]
  pull_request:
    branches: [main]
  schedule:
--- a/.gitignore
+++ b/.gitignore
@ -217,4 +217,3 @@ source_docs/
 ### Docker ###
 docker-compose.override.yml
 tests/openid_conformance/exports/*.zip
--- a/4
+++ b/4
@ -75,9 +75,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.14 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.11 AS uv
 # Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.5-slim-bookworm-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.3-slim-bookworm-fips AS python-base
 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
--- a/6
+++ b/6
@ -86,10 +86,6 @@ dev-create-db:
 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.
 update-test-mmdb:  ## Update test GeoIP and ASN Databases
 	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
 	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb
 #########################
 ## API Schema
 #########################
@ -98,7 +94,7 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema --file blueprints/schema.json
+		uv run ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
-__version__ = "2025.6.2"
+__version__ = "2025.6.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@ -0,0 +1,79 @@
 """authentik administration metrics"""
 from datetime import timedelta
 from django.db.models.functions import ExtractHour
 from drf_spectacular.utils import extend_schema, extend_schema_field
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import EventAction
 class CoordinateSerializer(PassiveSerializer):
    """Coordinates for diagrams"""
    x_cord = IntegerField(read_only=True)
    y_cord = IntegerField(read_only=True)
 class LoginMetricsSerializer(PassiveSerializer):
    """Login Metrics per 1h"""
    logins = SerializerMethodField()
    logins_failed = SerializerMethodField()
    authorizations = SerializerMethodField()
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins(self, _):
        """Get successful logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_failed(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN_FAILED
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_authorizations(self, _):
        """Get successful authorizations per 8 hours for the last 7 days"""
        user = self.context["user"]
        return (
            get_objects_for_user(user, "authentik_events.view_event").filter(
                action=EventAction.AUTHORIZE_APPLICATION
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
 class AdministrationMetricsViewSet(APIView):
    """Login Metrics per 1h"""
    permission_classes = [IsAuthenticated]
    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
    def get(self, request: Request) -> Response:
        """Login Metrics per 1h"""
        serializer = LoginMetricsSerializer(True)
        serializer.context["user"] = request.user
        return Response(serializer.data)
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -36,6 +36,11 @@ class TestAdminAPI(TestCase):
        body = loads(response.content)
        self.assertEqual(len(body), 0)
    def test_metrics(self):
        """Test metrics API"""
        response = self.client.get(reverse("authentik_api:admin_metrics"))
        self.assertEqual(response.status_code, 200)
    def test_apps(self):
        """Test apps API"""
        response = self.client.get(reverse("authentik_api:apps-list"))
--- a/authentik/admin/urls.py
+++ b/authentik/admin/urls.py
@ -3,6 +3,7 @@
 from django.urls import path
 from authentik.admin.api.meta import AppsViewSet, ModelViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
 from authentik.admin.api.system import SystemView
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.version_history import VersionHistoryViewSet
@ -11,6 +12,11 @@ from authentik.admin.api.workers import WorkerView
 api_urlpatterns = [
    ("admin/apps", AppsViewSet, "apps"),
    ("admin/models", ModelViewSet, "models"),
    path(
        "admin/metrics/",
        AdministrationMetricsViewSet.as_view(),
        name="admin_metrics",
    ),
    path("admin/version/", VersionView.as_view(), name="admin_version"),
    ("admin/version/history", VersionHistoryViewSet, "version_history"),
    path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -72,33 +72,20 @@ class Command(BaseCommand):
                    "additionalProperties": True,
                },
                "entries": {
                    "anyOf": [
                        {
                    "type": "array",
-                            "items": {"$ref": "#/$defs/blueprint_entry"},
+                    "items": {
-                        },
+                        "oneOf": [],
                        {
                            "type": "object",
                            "additionalProperties": {
                                "type": "array",
                                "items": {"$ref": "#/$defs/blueprint_entry"},
                    },
                },
                    ],
            },
-            },
+            "$defs": {},
            "$defs": {"blueprint_entry": {"oneOf": []}},
        }
    def add_arguments(self, parser):
        parser.add_argument("--file", type=str)
    @no_translations
-    def handle(self, *args, file: str, **options):
+    def handle(self, *args, **options):
        """Generate JSON Schema for blueprints"""
        self.build()
-        with open(file, "w") as _schema:
+        self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))
            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))
    @staticmethod
    def json_default(value: Any) -> Any:
@ -125,7 +112,7 @@ class Command(BaseCommand):
                }
            )
            model_path = f"{model._meta.app_label}.{model._meta.model_name}"
-            self.schema["$defs"]["blueprint_entry"]["oneOf"].append(
+            self.schema["properties"]["entries"]["items"]["oneOf"].append(
                self.template_entry(model_path, model, serializer)
            )
@ -147,7 +134,7 @@ class Command(BaseCommand):
                "id": {"type": "string"},
                "state": {
                    "type": "string",
-                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
+                    "enum": [s.value for s in BlueprintEntryDesiredState],
                    "default": "present",
                },
                "conditions": {"type": "array", "items": {"type": "boolean"}},
@ -218,7 +205,7 @@ class Command(BaseCommand):
                "type": "object",
                "required": ["permission"],
                "properties": {
-                    "permission": {"type": "string", "enum": sorted(perms)},
+                    "permission": {"type": "string", "enum": perms},
                    "user": {"type": "integer"},
                    "role": {"type": "string"},
                },
--- a/authentik/blueprints/tests/fixtures/state_present.yaml
+++ b/authentik/blueprints/tests/fixtures/state_present.yaml
@ -1,6 +1,5 @@
 version: 1
 entries:
  foo:
    - identifiers:
          name: "%(id)s"
          slug: "%(id)s"
--- a/authentik/blueprints/tests/test_packaged.py
+++ b/authentik/blueprints/tests/test_packaged.py
@ -35,6 +35,6 @@ def blueprint_tester(file_name: Path) -> Callable:
 for blueprint_file in Path("blueprints/").glob("**/*.yaml"):
-    if "local" in str(blueprint_file) or "testing" in str(blueprint_file):
+    if "local" in str(blueprint_file):
        continue
    setattr(TestPackaged, f"test_blueprint_{blueprint_file}", blueprint_tester(blueprint_file))
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -191,18 +191,11 @@ class Blueprint:
    """Dataclass used for a full export"""
    version: int = field(default=1)
-    entries: list[BlueprintEntry] | dict[str, list[BlueprintEntry]] = field(default_factory=list)
+    entries: list[BlueprintEntry] = field(default_factory=list)
    context: dict = field(default_factory=dict)
    metadata: BlueprintMetadata | None = field(default=None)
    def iter_entries(self) -> Iterable[BlueprintEntry]:
        if isinstance(self.entries, dict):
            for _section, entries in self.entries.items():
                yield from entries
        else:
            yield from self.entries
 class YAMLTag:
    """Base class for all YAML Tags"""
@ -233,7 +226,7 @@ class KeyOf(YAMLTag):
        self.id_from = node.value
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        for _entry in blueprint.iter_entries():
+        for _entry in blueprint.entries:
            if _entry.id == self.id_from and _entry._state.instance:
                # Special handling for PolicyBindingModels, as they'll have a different PK
                # which is used when creating policy bindings
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -384,7 +384,7 @@ class Importer:
    def _apply_models(self, raise_errors=False) -> bool:
        """Apply (create/update) models yaml"""
        self.__pk_map = {}
-        for entry in self._import.iter_entries():
+        for entry in self._import.entries:
            model_app_label, model_name = entry.get_model(self._import).split(".")
            try:
                model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
--- a/authentik/blueprints/v1/meta/registry.py
+++ b/authentik/blueprints/v1/meta/registry.py
@ -47,7 +47,7 @@ class MetaModelRegistry:
        models = apps.get_models()
        for _, value in self.models.items():
            models.append(value)
-        return sorted(models, key=str)
+        return models
    def get_model(self, app_label: str, model_id: str) -> type[Model]:
        """Get model checks if any virtual models are registered, and falls back
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@ -148,14 +148,3 @@ class TestBrands(APITestCase):
                "default_locale": "",
            },
        )
    def test_custom_css(self):
        """Test custom_css"""
        brand = create_test_brand()
        brand.branding_custom_css = """* {
            font-family: "Foo bar";
        }"""
        brand.save()
        res = self.client.get(reverse("authentik_core:if-user"))
        self.assertEqual(res.status_code, 200)
        self.assertIn(brand.branding_custom_css, res.content.decode())
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@ -5,8 +5,6 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
 from django.utils.html import _json_script_escapes
 from django.utils.safestring import mark_safe
 from authentik import get_full_version
 from authentik.brands.models import Brand
@ -34,13 +32,8 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
    """Context Processor that injects brand object into every template"""
    brand = getattr(request, "brand", DEFAULT_BRAND)
    tenant = getattr(request, "tenant", Tenant())
    # similarly to `json_script` we escape everything HTML-related, however django
    # only directly exposes this as a function that also wraps it in a <script> tag
    # which we dont want for CSS
    brand_css = mark_safe(str(brand.branding_custom_css).translate(_json_script_escapes))  # nosec
    return {
        "brand": brand,
        "brand_css": brand_css,
        "footer_links": tenant.footer_links,
        "html_meta": {**get_http_meta()},
        "version": get_full_version(),
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -2,9 +2,11 @@
 from collections.abc import Iterator
 from copy import copy
 from datetime import timedelta
 from django.core.cache import cache
 from django.db.models import QuerySet
 from django.db.models.functions import ExtractHour
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
@ -18,6 +20,7 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.api.pagination import Pagination
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.providers import ProviderSerializer
@ -25,6 +28,7 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.events.models import EventAction
 from authentik.lib.utils.file import (
    FilePathSerializer,
    FileUploadSerializer,
@ -149,10 +153,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        return applications
    def _filter_applications_with_launch_url(
-        self, pagined_apps: Iterator[Application]
+        self, paginated_apps: Iterator[Application]
    ) -> list[Application]:
        applications = []
-        for app in pagined_apps:
+        for app in paginated_apps:
            if app.get_launch_url():
                applications.append(app)
        return applications
@ -317,3 +321,18 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        """Set application icon (as URL)"""
        app: Application = self.get_object()
        return set_file_url(request, app, "meta_icon")
    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
    @extend_schema(responses={200: CoordinateSerializer(many=True)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    def metrics(self, request: Request, slug: str):
        """Metrics for application logins"""
        app = self.get_object()
        return Response(
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.AUTHORIZE_APPLICATION,
                context__authorized_application__pk=app.pk.hex,
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -1,6 +1,8 @@
 """Authenticator Devices API Views"""
-from drf_spectacular.utils import extend_schema
+from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import (
    BooleanField,
@ -13,7 +15,6 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
 from authentik.core.api.users import ParamUserSerializer
 from authentik.core.api.utils import MetaNameSerializer
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
 from authentik.stages.authenticator import device_classes, devices_for_user
@ -22,7 +23,7 @@ from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 class DeviceSerializer(MetaNameSerializer):
-    """Serializer for authenticator devices"""
+    """Serializer for Duo authenticator devices"""
    pk = CharField()
    name = CharField()
@ -32,27 +33,22 @@ class DeviceSerializer(MetaNameSerializer):
    last_updated = DateTimeField(read_only=True)
    last_used = DateTimeField(read_only=True, allow_null=True)
    extra_description = SerializerMethodField()
    external_id = SerializerMethodField()
    def get_type(self, instance: Device) -> str:
        """Get type of device"""
        return instance._meta.label
-    def get_extra_description(self, instance: Device) -> str | None:
+    def get_extra_description(self, instance: Device) -> str:
        """Get extra description"""
        if isinstance(instance, WebAuthnDevice):
-            return instance.device_type.description if instance.device_type else None
+            return (
                instance.device_type.description
                if instance.device_type
                else _("Extra description not available")
            )
        if isinstance(instance, EndpointDevice):
            return instance.data.get("deviceSignals", {}).get("deviceModel")
-        return None
+        return ""
    def get_external_id(self, instance: Device) -> str | None:
        """Get external Device ID"""
        if isinstance(instance, WebAuthnDevice):
            return instance.device_type.aaguid if instance.device_type else None
        if isinstance(instance, EndpointDevice):
            return instance.data.get("deviceSignals", {}).get("deviceModel")
        return None
 class DeviceViewSet(ViewSet):
@ -61,6 +57,7 @@ class DeviceViewSet(ViewSet):
    serializer_class = DeviceSerializer
    permission_classes = [IsAuthenticated]
    @extend_schema(responses={200: DeviceSerializer(many=True)})
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
        devices = devices_for_user(request.user)
@ -82,11 +79,18 @@ class AdminDeviceViewSet(ViewSet):
            yield from device_set
    @extend_schema(
-        parameters=[ParamUserSerializer],
+        parameters=[
            OpenApiParameter(
                name="user",
                location=OpenApiParameter.QUERY,
                type=OpenApiTypes.INT,
            )
        ],
        responses={200: DeviceSerializer(many=True)},
    )
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
-        args = ParamUserSerializer(data=request.query_params)
+        kwargs = {}
-        args.is_valid(raise_exception=True)
+        if "user" in request.query_params:
-        return Response(DeviceSerializer(self.get_devices(**args.validated_data), many=True).data)
+            kwargs = {"user": request.query_params["user"]}
        return Response(DeviceSerializer(self.get_devices(**kwargs), many=True).data)
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -6,6 +6,7 @@ from typing import Any
 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import Permission
 from django.db.models.functions import ExtractHour
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@ -51,6 +52,7 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
@ -90,12 +92,6 @@ from authentik.stages.email.utils import TemplateEmailMessage
 LOGGER = get_logger()
 class ParamUserSerializer(PassiveSerializer):
    """Partial serializer for query parameters to select a user"""
    user = PrimaryKeyRelatedField(queryset=User.objects.all().exclude_anonymous(), required=False)
 class UserGroupSerializer(ModelSerializer):
    """Simplified Group Serializer for user's groups"""
@ -321,6 +317,53 @@ class SessionUserSerializer(PassiveSerializer):
    original = UserSelfSerializer(required=False)
 class UserMetricsSerializer(PassiveSerializer):
    """User Metrics"""
    logins = SerializerMethodField()
    logins_failed = SerializerMethodField()
    authorizations = SerializerMethodField()
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins(self, _):
        """Get successful logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        request = self.context["request"]
        return (
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN, user__pk=user.pk
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_failed(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        request = self.context["request"]
        return (
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.LOGIN_FAILED, context__username=user.username
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
    @extend_schema_field(CoordinateSerializer(many=True))
    def get_authorizations(self, _):
        """Get failed logins per 8 hours for the last 7 days"""
        user = self.context["user"]
        request = self.context["request"]
        return (
            get_objects_for_user(request.user, "authentik_events.view_event").filter(
                action=EventAction.AUTHORIZE_APPLICATION, user__pk=user.pk
            )
            # 3 data points per day, so 8 hour spans
            .get_events_per(timedelta(days=7), ExtractHour, 7 * 3)
        )
 class UsersFilter(FilterSet):
    """Filter for users"""
@ -392,23 +435,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    queryset = User.objects.none()
    ordering = ["username"]
    serializer_class = UserSerializer
    filterset_class = UsersFilter
    search_fields = ["username", "name", "is_active", "email", "uuid", "attributes"]
-
+    filterset_class = UsersFilter
    def get_ql_fields(self):
        from djangoql.schema import BoolField, StrField
        from authentik.enterprise.search.fields import ChoiceSearchField, JSONSearchField
        return [
            StrField(User, "username"),
            StrField(User, "name"),
            StrField(User, "email"),
            StrField(User, "path"),
            BoolField(User, "is_active", nullable=True),
            ChoiceSearchField(User, "type"),
            JSONSearchField(User, "attributes"),
        ]
    def get_queryset(self):
        base_qs = User.objects.all().exclude_anonymous()
@ -579,6 +607,17 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            update_session_auth_hash(self.request, user)
        return Response(status=204)
    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    def metrics(self, request: Request, pk: int) -> Response:
        """User metrics per 1h"""
        user: User = self.get_object()
        serializer = UserMetricsSerializer(instance={})
        serializer.context["user"] = user
        serializer.context["request"] = request
        return Response(serializer.data)
    @permission_required("authentik_core.reset_user_password")
    @extend_schema(
        responses={
--- a/authentik/core/management/commands/change_user_type.py
+++ b/authentik/core/management/commands/change_user_type.py
@ -13,6 +13,7 @@ class Command(TenantCommand):
        parser.add_argument("usernames", nargs="*", type=str)
    def handle_per_tenant(self, **options):
        print(options)
        new_type = UserTypes(options["type"])
        qs = (
            User.objects.exclude_anonymous()
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -18,7 +18,7 @@ from django.http import HttpRequest
 from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
-from django_cte import CTE, with_cte
+from django_cte import CTEQuerySet, With
 from guardian.conf import settings
 from guardian.mixins import GuardianUserMixin
 from model_utils.managers import InheritanceManager
@ -136,7 +136,7 @@ class AttributesMixin(models.Model):
        return instance, False
-class GroupQuerySet(QuerySet):
+class GroupQuerySet(CTEQuerySet):
    def with_children_recursive(self):
        """Recursively get all groups that have the current queryset as parents
        or are indirectly related."""
@ -165,9 +165,9 @@ class GroupQuerySet(QuerySet):
            )
        # Build the recursive query, see above
-        cte = CTE.recursive(make_cte)
+        cte = With.recursive(make_cte)
        # Return the result, as a usable queryset for Group.
-        return with_cte(cte, select=cte.join(Group, group_uuid=cte.col.group_uuid))
+        return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
 class Group(SerializerModel, AttributesMixin):
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,7 +16,7 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <style>{{ brand_css }}</style>
+        <style>{{ brand.branding_custom_css }}</style>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -114,7 +114,6 @@ class TestApplicationsAPI(APITestCase):
        self.assertJSONEqual(
            response.content.decode(),
            {
                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
@ -168,7 +167,6 @@ class TestApplicationsAPI(APITestCase):
        self.assertJSONEqual(
            response.content.decode(),
            {
                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -81,6 +81,22 @@ class TestUsersAPI(APITestCase):
        response = self.client.get(reverse("authentik_api:user-list"), {"include_groups": "true"})
        self.assertEqual(response.status_code, 200)
    def test_metrics(self):
        """Test user's metrics"""
        self.client.force_login(self.admin)
        response = self.client.get(
            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 200)
    def test_metrics_denied(self):
        """Test user's metrics (non-superuser)"""
        self.client.force_login(self.user)
        response = self.client.get(
            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
        )
        self.assertEqual(response.status_code, 403)
    def test_recovery_no_flow(self):
        """Test user recovery link (no recovery flow set)"""
        self.client.force_login(self.admin)
--- a/authentik/enterprise/policies/unique_password/tests/test_tasks.py
+++ b/authentik/enterprise/policies/unique_password/tests/test_tasks.py
@ -119,17 +119,17 @@ class TestTrimPasswordHistory(TestCase):
            [
                UserPasswordHistory(
                    user=self.user,
-                    old_password="hunter1",  # nosec
+                    old_password="hunter1",  # nosec B106
                    created_at=_now - timedelta(days=3),
                ),
                UserPasswordHistory(
                    user=self.user,
-                    old_password="hunter2",  # nosec
+                    old_password="hunter2",  # nosec B106
                    created_at=_now - timedelta(days=2),
                ),
                UserPasswordHistory(
                    user=self.user,
-                    old_password="hunter3",  # nosec
+                    old_password="hunter3",  # nosec B106
                    created_at=_now,
                ),
            ]
--- a/authentik/enterprise/providers/ssf/signals.py
+++ b/authentik/enterprise/providers/ssf/signals.py
@ -1,8 +1,10 @@
 from hashlib import sha256
 from django.contrib.auth.signals import user_logged_out
 from django.db.models import Model
 from django.db.models.signals import post_delete, post_save, pre_delete
 from django.dispatch import receiver
 from django.http.request import HttpRequest
 from guardian.shortcuts import assign_perm
 from authentik.core.models import (
@ -60,6 +62,31 @@ def ssf_providers_post_save(sender: type[Model], instance: SSFProvider, created:
            instance.save()
@receiver(user_logged_out)
 def ssf_user_logged_out_session_revoked(sender, request: HttpRequest, user: User, **_):
    """Session revoked trigger (user logged out)"""
    if not request.session or not request.session.session_key or not user:
        return
    send_ssf_event(
        EventTypes.CAEP_SESSION_REVOKED,
        {
            "initiating_entity": "user",
        },
        sub_id={
            "format": "complex",
            "session": {
                "format": "opaque",
                "id": sha256(request.session.session_key.encode("ascii")).hexdigest(),
            },
            "user": {
                "format": "email",
                "email": user.email,
            },
        },
        request=request,
    )
@receiver(pre_delete, sender=AuthenticatedSession)
 def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSession, **_):
    """Session revoked trigger (users' session has been deleted)
--- a/authentik/enterprise/search/init.py
+++ b/authentik/enterprise/search/init.py
--- a/authentik/enterprise/search/apps.py
+++ b/authentik/enterprise/search/apps.py
@ -1,12 +0,0 @@
 """Enterprise app config"""
 from authentik.enterprise.apps import EnterpriseConfig
 class AuthentikEnterpriseSearchConfig(EnterpriseConfig):
    """Enterprise app config"""
    name = "authentik.enterprise.search"
    label = "authentik_search"
    verbose_name = "authentik Enterprise.Search"
    default = True
--- a/authentik/enterprise/search/fields.py
+++ b/authentik/enterprise/search/fields.py
@ -1,128 +0,0 @@
 """DjangoQL search"""
 from collections import OrderedDict, defaultdict
 from collections.abc import Generator
 from django.db import connection
 from django.db.models import Model, Q
 from djangoql.compat import text_type
 from djangoql.schema import StrField
 class JSONSearchField(StrField):
    """JSON field for DjangoQL"""
    model: Model
    def __init__(self, model=None, name=None, nullable=None, suggest_nested=True):
        # Set this in the constructor to not clobber the type variable
        self.type = "relation"
        self.suggest_nested = suggest_nested
        super().__init__(model, name, nullable)
    def get_lookup(self, path, operator, value):
        search = "__".join(path)
        op, invert = self.get_operator(operator)
        q = Q(**{f"{search}{op}": self.get_lookup_value(value)})
        return ~q if invert else q
    def json_field_keys(self) -> Generator[tuple[str]]:
        with connection.cursor() as cursor:
            cursor.execute(
                f"""
                WITH RECURSIVE "{self.name}_keys" AS (
                    SELECT
                        ARRAY[jsonb_object_keys("{self.name}")] AS key_path_array,
                        "{self.name}" -> jsonb_object_keys("{self.name}") AS value
                    FROM {self.model._meta.db_table}
                    WHERE "{self.name}" IS NOT NULL
                        AND jsonb_typeof("{self.name}") = 'object'
                    UNION ALL
                    SELECT
                        ck.key_path_array || jsonb_object_keys(ck.value),
                        ck.value -> jsonb_object_keys(ck.value) AS value
                    FROM "{self.name}_keys" ck
                    WHERE jsonb_typeof(ck.value) = 'object'
                ),
                unique_paths AS (
                    SELECT DISTINCT key_path_array
                    FROM "{self.name}_keys"
                )
                SELECT key_path_array FROM unique_paths;
            """  # nosec
            )
            return (x[0] for x in cursor.fetchall())
    def get_nested_options(self) -> OrderedDict:
        """Get keys of all nested objects to show autocomplete"""
        if not self.suggest_nested:
            return OrderedDict()
        base_model_name = f"{self.model._meta.app_label}.{self.model._meta.model_name}_{self.name}"
        def recursive_function(parts: list[str], parent_parts: list[str] | None = None):
            if not parent_parts:
                parent_parts = []
            path = parts.pop(0)
            parent_parts.append(path)
            relation_key = "_".join(parent_parts)
            if len(parts) > 1:
                out_dict = {
                    relation_key: {
                        parts[0]: {
                            "type": "relation",
                            "relation": f"{relation_key}_{parts[0]}",
                        }
                    }
                }
                child_paths = recursive_function(parts.copy(), parent_parts.copy())
                child_paths.update(out_dict)
                return child_paths
            else:
                return {relation_key: {parts[0]: {}}}
        relation_structure = defaultdict(dict)
        for relations in self.json_field_keys():
            result = recursive_function([base_model_name] + relations)
            for relation_key, value in result.items():
                for sub_relation_key, sub_value in value.items():
                    if not relation_structure[relation_key].get(sub_relation_key, None):
                        relation_structure[relation_key][sub_relation_key] = sub_value
                    else:
                        relation_structure[relation_key][sub_relation_key].update(sub_value)
        final_dict = defaultdict(dict)
        for key, value in relation_structure.items():
            for sub_key, sub_value in value.items():
                if not sub_value:
                    final_dict[key][sub_key] = {
                        "type": "str",
                        "nullable": True,
                    }
                else:
                    final_dict[key][sub_key] = sub_value
        return OrderedDict(final_dict)
    def relation(self) -> str:
        return f"{self.model._meta.app_label}.{self.model._meta.model_name}_{self.name}"
 class ChoiceSearchField(StrField):
    def __init__(self, model=None, name=None, nullable=None):
        super().__init__(model, name, nullable, suggest_options=True)
    def get_options(self, search):
        result = []
        choices = self._field_choices()
        if choices:
            search = search.lower()
            for c in choices:
                choice = text_type(c[0])
                if search in choice.lower():
                    result.append(choice)
        return result
--- a/authentik/enterprise/search/pagination.py
+++ b/authentik/enterprise/search/pagination.py
@ -1,53 +0,0 @@
 from rest_framework.response import Response
 from authentik.api.pagination import Pagination
 from authentik.enterprise.search.ql import AUTOCOMPLETE_COMPONENT_NAME, QLSearch
 class AutocompletePagination(Pagination):
    def paginate_queryset(self, queryset, request, view=None):
        self.view = view
        return super().paginate_queryset(queryset, request, view)
    def get_autocomplete(self):
        schema = QLSearch().get_schema(self.request, self.view)
        introspections = {}
        if hasattr(self.view, "get_ql_fields"):
            from authentik.enterprise.search.schema import AKQLSchemaSerializer
            introspections = AKQLSchemaSerializer().serialize(
                schema(self.page.paginator.object_list.model)
            )
        return introspections
    def get_paginated_response(self, data):
        previous_page_number = 0
        if self.page.has_previous():
            previous_page_number = self.page.previous_page_number()
        next_page_number = 0
        if self.page.has_next():
            next_page_number = self.page.next_page_number()
        return Response(
            {
                "pagination": {
                    "next": next_page_number,
                    "previous": previous_page_number,
                    "count": self.page.paginator.count,
                    "current": self.page.number,
                    "total_pages": self.page.paginator.num_pages,
                    "start_index": self.page.start_index(),
                    "end_index": self.page.end_index(),
                },
                "results": data,
                "autocomplete": self.get_autocomplete(),
            }
        )
    def get_paginated_response_schema(self, schema):
        final_schema = super().get_paginated_response_schema(schema)
        final_schema["properties"]["autocomplete"] = {
            "$ref": f"#/components/schemas/{AUTOCOMPLETE_COMPONENT_NAME}"
        }
        final_schema["required"].append("autocomplete")
        return final_schema
--- a/authentik/enterprise/search/ql.py
+++ b/authentik/enterprise/search/ql.py
@ -1,78 +0,0 @@
 """DjangoQL search"""
 from django.apps import apps
 from django.db.models import QuerySet
 from djangoql.ast import Name
 from djangoql.exceptions import DjangoQLError
 from djangoql.queryset import apply_search
 from djangoql.schema import DjangoQLSchema
 from rest_framework.filters import SearchFilter
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
 from authentik.enterprise.search.fields import JSONSearchField
 LOGGER = get_logger()
 AUTOCOMPLETE_COMPONENT_NAME = "Autocomplete"
 AUTOCOMPLETE_SCHEMA = {
    "type": "object",
    "additionalProperties": {},
 }
 class BaseSchema(DjangoQLSchema):
    """Base Schema which deals with JSON Fields"""
    def resolve_name(self, name: Name):
        model = self.model_label(self.current_model)
        root_field = name.parts[0]
        field = self.models[model].get(root_field)
        # If the query goes into a JSON field, return the root
        # field as the JSON field will do the rest
        if isinstance(field, JSONSearchField):
            # This is a workaround; build_filter will remove the right-most
            # entry in the path as that is intended to be the same as the field
            # however for JSON that is not the case
            if name.parts[-1] != root_field:
                name.parts.append(root_field)
            return field
        return super().resolve_name(name)
 class QLSearch(SearchFilter):
    """rest_framework search filter which uses DjangoQL"""
    @property
    def enabled(self):
        return apps.get_app_config("authentik_enterprise").enabled()
    def get_search_terms(self, request) -> str:
        """
        Search terms are set by a ?search=... query parameter,
        and may be comma and/or whitespace delimited.
        """
        params = request.query_params.get(self.search_param, "")
        params = params.replace("\x00", "")  # strip null characters
        return params
    def get_schema(self, request: Request, view) -> BaseSchema:
        ql_fields = []
        if hasattr(view, "get_ql_fields"):
            ql_fields = view.get_ql_fields()
        class InlineSchema(BaseSchema):
            def get_fields(self, model):
                return ql_fields or []
        return InlineSchema
    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
        search_query = self.get_search_terms(request)
        schema = self.get_schema(request, view)
        if len(search_query) == 0 or not self.enabled:
            return super().filter_queryset(request, queryset, view)
        try:
            return apply_search(queryset, search_query, schema=schema)
        except DjangoQLError as exc:
            LOGGER.debug("Failed to parse search expression", exc=exc)
            return super().filter_queryset(request, queryset, view)
--- a/authentik/enterprise/search/schema.py
+++ b/authentik/enterprise/search/schema.py
@ -1,29 +0,0 @@
 from djangoql.serializers import DjangoQLSchemaSerializer
 from drf_spectacular.generators import SchemaGenerator
 from authentik.api.schema import create_component
 from authentik.enterprise.search.fields import JSONSearchField
 from authentik.enterprise.search.ql import AUTOCOMPLETE_COMPONENT_NAME, AUTOCOMPLETE_SCHEMA
 class AKQLSchemaSerializer(DjangoQLSchemaSerializer):
    def serialize(self, schema):
        serialization = super().serialize(schema)
        for _, fields in schema.models.items():
            for _, field in fields.items():
                if not isinstance(field, JSONSearchField):
                    continue
                serialization["models"].update(field.get_nested_options())
        return serialization
    def serialize_field(self, field):
        result = super().serialize_field(field)
        if isinstance(field, JSONSearchField):
            result["relation"] = field.relation()
        return result
 def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
    create_component(generator, AUTOCOMPLETE_COMPONENT_NAME, AUTOCOMPLETE_SCHEMA)
    return result
--- a/authentik/enterprise/search/settings.py
+++ b/authentik/enterprise/search/settings.py
@ -1,17 +0,0 @@
 SPECTACULAR_SETTINGS = {
    "POSTPROCESSING_HOOKS": [
        "authentik.api.schema.postprocess_schema_responses",
        "authentik.enterprise.search.schema.postprocess_schema_search_autocomplete",
        "drf_spectacular.hooks.postprocess_schema_enums",
    ],
 }
 REST_FRAMEWORK = {
    "DEFAULT_PAGINATION_CLASS": "authentik.enterprise.search.pagination.AutocompletePagination",
    "DEFAULT_FILTER_BACKENDS": [
        "authentik.enterprise.search.ql.QLSearch",
        "authentik.rbac.filters.ObjectFilter",
        "django_filters.rest_framework.DjangoFilterBackend",
        "rest_framework.filters.OrderingFilter",
    ],
 }
--- a/authentik/enterprise/search/tests.py
+++ b/authentik/enterprise/search/tests.py
@ -1,78 +0,0 @@
 from json import loads
 from unittest.mock import PropertyMock, patch
 from urllib.parse import urlencode
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user
@patch(
    "authentik.enterprise.audit.middleware.EnterpriseAuditMiddleware.enabled",
    PropertyMock(return_value=True),
 )
 class QLTest(APITestCase):
    def setUp(self):
        self.user = create_test_admin_user()
        # ensure we have more than 1 user
        create_test_admin_user()
    def test_search(self):
        """Test simple search query"""
        self.client.force_login(self.user)
        query = f'username = "{self.user.username}"'
        res = self.client.get(
            reverse(
                "authentik_api:user-list",
            )
            + f"?{urlencode({"search": query})}"
        )
        self.assertEqual(res.status_code, 200)
        content = loads(res.content)
        self.assertEqual(content["pagination"]["count"], 1)
        self.assertEqual(content["results"][0]["username"], self.user.username)
    def test_no_search(self):
        """Ensure works with no search query"""
        self.client.force_login(self.user)
        res = self.client.get(
            reverse(
                "authentik_api:user-list",
            )
        )
        self.assertEqual(res.status_code, 200)
        content = loads(res.content)
        self.assertNotEqual(content["pagination"]["count"], 1)
    def test_search_no_ql(self):
        """Test simple search query (no QL)"""
        self.client.force_login(self.user)
        res = self.client.get(
            reverse(
                "authentik_api:user-list",
            )
            + f"?{urlencode({"search": self.user.username})}"
        )
        self.assertEqual(res.status_code, 200)
        content = loads(res.content)
        self.assertGreaterEqual(content["pagination"]["count"], 1)
        self.assertEqual(content["results"][0]["username"], self.user.username)
    def test_search_json(self):
        """Test search query with a JSON attribute"""
        self.user.attributes = {"foo": {"bar": "baz"}}
        self.user.save()
        self.client.force_login(self.user)
        query = 'attributes.foo.bar = "baz"'
        res = self.client.get(
            reverse(
                "authentik_api:user-list",
            )
            + f"?{urlencode({"search": query})}"
        )
        self.assertEqual(res.status_code, 200)
        content = loads(res.content)
        self.assertEqual(content["pagination"]["count"], 1)
        self.assertEqual(content["results"][0]["username"], self.user.username)
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@ -18,7 +18,6 @@ TENANT_APPS = [
    "authentik.enterprise.providers.google_workspace",
    "authentik.enterprise.providers.microsoft_entra",
    "authentik.enterprise.providers.ssf",
    "authentik.enterprise.search",
    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
    "authentik.enterprise.stages.mtls",
    "authentik.enterprise.stages.source",
--- a/authentik/enterprise/stages/source/stage.py
+++ b/authentik/enterprise/stages/source/stage.py
@ -97,7 +97,6 @@ class SourceStageFinal(StageView):
        token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
        self.logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
        plan = token.plan
        plan.context.update(self.executor.plan.context)
        plan.context[PLAN_CONTEXT_IS_RESTORED] = token
        response = plan.to_redirect(self.request, token.flow)
        token.delete()
--- a/authentik/enterprise/stages/source/tests.py
+++ b/authentik/enterprise/stages/source/tests.py
@ -90,12 +90,10 @@ class TestSourceStage(FlowTestCase):
        plan: FlowPlan = session[SESSION_KEY_PLAN]
        plan.insert_stage(in_memory_stage(SourceStageFinal), index=0)
        plan.context[PLAN_CONTEXT_IS_RESTORED] = flow_token
        plan.context["foo"] = "bar"
        session[SESSION_KEY_PLAN] = plan
        session.save()
        # Pretend we've just returned from the source
        with self.assertFlowFinishes() as ff:
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}), follow=True
        )
@ -103,4 +101,3 @@ class TestSourceStage(FlowTestCase):
        self.assertStageRedirects(
            response, reverse("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
        )
        self.assertEqual(ff().context["foo"], "bar")
--- a/authentik/events/api/events.py
+++ b/authentik/events/api/events.py
@ -1,36 +1,28 @@
 """Events API Views"""
 from datetime import timedelta
 from json import loads
 import django_filters
-from django.db.models import Count, ExpressionWrapper, F, QuerySet
+from django.db.models.aggregates import Count
 from django.db.models import DateTimeField as DjangoDateTimeField
 from django.db.models.fields.json import KeyTextTransform, KeyTransform
-from django.db.models.functions import TruncHour
+from django.db.models.functions import ExtractDay, ExtractHour
 from django.db.models.query_utils import Q
 from django.utils.timezone import now
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import ChoiceField, DateTimeField, DictField, IntegerField
+from rest_framework.fields import DictField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from authentik.admin.api.metrics import CoordinateSerializer
 from authentik.core.api.object_types import TypeCreateSerializer
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.events.models import Event, EventAction
 class EventVolumeSerializer(PassiveSerializer):
    """Count of events of action created on day"""
    action = ChoiceField(choices=EventAction.choices)
    time = DateTimeField()
    count = IntegerField()
 class EventSerializer(ModelSerializer):
    """Event Serializer"""
@ -61,7 +53,7 @@ class EventsFilter(django_filters.FilterSet):
    """Filter for events"""
    username = django_filters.CharFilter(
-        field_name="user", label="Username", method="filter_username"
+        field_name="user", lookup_expr="username", label="Username"
    )
    context_model_pk = django_filters.CharFilter(
        field_name="context",
@ -86,19 +78,12 @@ class EventsFilter(django_filters.FilterSet):
        field_name="action",
        lookup_expr="icontains",
    )
    actions = django_filters.MultipleChoiceFilter(
        field_name="action",
        choices=EventAction.choices,
    )
    brand_name = django_filters.CharFilter(
        field_name="brand",
        lookup_expr="name",
        label="Brand name",
    )
    def filter_username(self, queryset, name, value):
        return queryset.filter(Q(user__username=value) | Q(context__username=value))
    def filter_context_model_pk(self, queryset, name, value):
        """Because we store the PK as UUID.hex,
        we need to remove the dashes that a client may send. We can't use a
@ -132,22 +117,6 @@ class EventViewSet(ModelViewSet):
    ]
    filterset_class = EventsFilter
    def get_ql_fields(self):
        from djangoql.schema import DateTimeField, StrField
        from authentik.enterprise.search.fields import ChoiceSearchField, JSONSearchField
        return [
            ChoiceSearchField(Event, "action"),
            StrField(Event, "event_uuid"),
            StrField(Event, "app", suggest_options=True),
            StrField(Event, "client_ip"),
            JSONSearchField(Event, "user", suggest_nested=False),
            JSONSearchField(Event, "brand", suggest_nested=False),
            JSONSearchField(Event, "context", suggest_nested=False),
            DateTimeField(Event, "created", suggest_options=True),
        ]
    @extend_schema(
        methods=["GET"],
        responses={200: EventTopPerUserSerializer(many=True)},
@ -187,37 +156,45 @@ class EventViewSet(ModelViewSet):
        return Response(EventTopPerUserSerializer(instance=events, many=True).data)
    @extend_schema(
-        responses={200: EventVolumeSerializer(many=True)},
+        responses={200: CoordinateSerializer(many=True)},
        parameters=[
            OpenApiParameter(
                "history_days",
                type=OpenApiTypes.NUMBER,
                location=OpenApiParameter.QUERY,
                required=False,
                default=7,
            ),
        ],
    )
    @action(detail=False, methods=["GET"], pagination_class=None)
    def volume(self, request: Request) -> Response:
        """Get event volume for specified filters and timeframe"""
-        queryset: QuerySet[Event] = self.filter_queryset(self.get_queryset())
+        queryset = self.filter_queryset(self.get_queryset())
-        delta = timedelta(days=7)
+        return Response(queryset.get_events_per(timedelta(days=7), ExtractHour, 7 * 3))
-        time_delta = request.query_params.get("history_days", 7)
+
-        if time_delta:
+    @extend_schema(
-            delta = timedelta(days=min(int(time_delta), 60))
+        responses={200: CoordinateSerializer(many=True)},
        filters=[],
        parameters=[
            OpenApiParameter(
                "action",
                type=OpenApiTypes.STR,
                location=OpenApiParameter.QUERY,
                required=False,
            ),
            OpenApiParameter(
                "query",
                type=OpenApiTypes.STR,
                location=OpenApiParameter.QUERY,
                required=False,
            ),
        ],
    )
    @action(detail=False, methods=["GET"], pagination_class=None)
    def per_month(self, request: Request):
        """Get the count of events per month"""
        filtered_action = request.query_params.get("action", EventAction.LOGIN)
        try:
            query = loads(request.query_params.get("query", "{}"))
        except ValueError:
            return Response(status=400)
        return Response(
-            queryset.filter(created__gte=now() - delta)
+            get_objects_for_user(request.user, "authentik_events.view_event")
-            .annotate(hour=TruncHour("created"))
+            .filter(action=filtered_action)
-            .annotate(
+            .filter(**query)
-                time=ExpressionWrapper(
+            .get_events_per(timedelta(weeks=4), ExtractDay, 30)
                    F("hour") - (F("hour__hour") % 6) * timedelta(hours=1),
                    output_field=DjangoDateTimeField(),
                )
            )
            .values("time", "action")
            .annotate(count=Count("pk"))
            .order_by("time", "action")
        )
    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
--- a/authentik/events/api/notification_rules.py
+++ b/authentik/events/api/notification_rules.py
@ -11,7 +11,7 @@ from authentik.events.models import NotificationRule
 class NotificationRuleSerializer(ModelSerializer):
    """NotificationRule Serializer"""
-    destination_group_obj = GroupSerializer(read_only=True, source="destination_group")
+    group_obj = GroupSerializer(read_only=True, source="group")
    class Meta:
        model = NotificationRule
@ -20,9 +20,8 @@ class NotificationRuleSerializer(ModelSerializer):
            "name",
            "transports",
            "severity",
-            "destination_group",
+            "group",
-            "destination_group_obj",
+            "group_obj",
            "destination_event_user",
        ]
@ -31,6 +30,6 @@ class NotificationRuleViewSet(UsedByMixin, ModelViewSet):
    queryset = NotificationRule.objects.all()
    serializer_class = NotificationRuleSerializer
-    filterset_fields = ["name", "severity", "destination_group__name"]
+    filterset_fields = ["name", "severity", "group__name"]
    ordering = ["name"]
-    search_fields = ["name", "destination_group__name"]
+    search_fields = ["name", "group__name"]
--- a/authentik/events/context_processors/mmdb.py
+++ b/authentik/events/context_processors/mmdb.py
@ -15,13 +15,13 @@ class MMDBContextProcessor(EventContextProcessor):
        self.reader: Reader | None = None
        self._last_mtime: float = 0.0
        self.logger = get_logger()
-        self.load()
+        self.open()
    def path(self) -> str | None:
        """Get the path to the MMDB file to load"""
        raise NotImplementedError
-    def load(self):
+    def open(self):
        """Get GeoIP Reader, if configured, otherwise none"""
        path = self.path()
        if path == "" or not path:
@ -44,7 +44,7 @@ class MMDBContextProcessor(EventContextProcessor):
            diff = self._last_mtime < mtime
            if diff > 0:
                self.logger.info("Found new MMDB Database, reopening", diff=diff, path=path)
-                self.load()
+                self.open()
        except OSError as exc:
            self.logger.warning("Failed to check MMDB age", exc=exc)
--- a/authentik/events/middleware.py
+++ b/authentik/events/middleware.py
@ -19,7 +19,7 @@ from authentik.blueprints.v1.importer import excluded_models
 from authentik.core.models import Group, User
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.utils import model_to_dict
-from authentik.lib.sentry import should_ignore_exception
+from authentik.lib.sentry import before_send
 from authentik.lib.utils.errors import exception_to_string
 from authentik.stages.authenticator_static.models import StaticToken
@ -173,7 +173,7 @@ class AuditMiddleware:
                message=exception_to_string(exception),
            )
            thread.run()
-        elif not should_ignore_exception(exception):
+        elif before_send({}, {"exc_info": (None, exception, None)}) is not None:
            thread = EventNewThread(
                EventAction.SYSTEM_EXCEPTION,
                request,
--- a/authentik/events/migrations/0010_rename_group_notificationrule_destination_group_and_more.py
+++ b/authentik/events/migrations/0010_rename_group_notificationrule_destination_group_and_more.py
@ -1,26 +0,0 @@
 # Generated by Django 5.1.11 on 2025-06-16 23:21
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_events", "0009_remove_notificationtransport_webhook_mapping_and_more"),
    ]
    operations = [
        migrations.RenameField(
            model_name="notificationrule",
            old_name="group",
            new_name="destination_group",
        ),
        migrations.AddField(
            model_name="notificationrule",
            name="destination_event_user",
            field=models.BooleanField(
                default=False,
                help_text="When enabled, notification will be sent to user the user that triggered the event.When destination_group is configured, notification is sent to both.",
            ),
        ),
    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -1,16 +1,21 @@
 """authentik events models"""
-from collections.abc import Generator
+import time
 from collections import Counter
 from datetime import timedelta
 from difflib import get_close_matches
 from functools import lru_cache
 from inspect import currentframe
 from smtplib import SMTPException
 from typing import Any
 from uuid import uuid4
 from django.apps import apps
 from django.db import connection, models
 from django.db.models import Count, ExpressionWrapper, F
 from django.db.models.fields import DurationField
 from django.db.models.functions import Extract
 from django.db.models.manager import Manager
 from django.db.models.query import QuerySet
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.utils.timezone import now
@ -119,6 +124,60 @@ class EventAction(models.TextChoices):
    CUSTOM_PREFIX = "custom_"
 class EventQuerySet(QuerySet):
    """Custom events query set with helper functions"""
    def get_events_per(
        self,
        time_since: timedelta,
        extract: Extract,
        data_points: int,
    ) -> list[dict[str, int]]:
        """Get event count by hour in the last day, fill with zeros"""
        _now = now()
        max_since = timedelta(days=60)
        # Allow maximum of 60 days to limit load
        if time_since.total_seconds() > max_since.total_seconds():
            time_since = max_since
        date_from = _now - time_since
        result = (
            self.filter(created__gte=date_from)
            .annotate(age=ExpressionWrapper(_now - F("created"), output_field=DurationField()))
            .annotate(age_interval=extract("age"))
            .values("age_interval")
            .annotate(count=Count("pk"))
            .order_by("age_interval")
        )
        data = Counter({int(d["age_interval"]): d["count"] for d in result})
        results = []
        interval_delta = time_since / data_points
        for interval in range(1, -data_points, -1):
            results.append(
                {
                    "x_cord": time.mktime((_now + (interval_delta * interval)).timetuple()) * 1000,
                    "y_cord": data[interval * -1],
                }
            )
        return results
 class EventManager(Manager):
    """Custom helper methods for Events"""
    def get_queryset(self) -> QuerySet:
        """use custom queryset"""
        return EventQuerySet(self.model, using=self._db)
    def get_events_per(
        self,
        time_since: timedelta,
        extract: Extract,
        data_points: int,
    ) -> list[dict[str, int]]:
        """Wrap method from queryset"""
        return self.get_queryset().get_events_per(time_since, extract, data_points)
 class Event(SerializerModel, ExpiringModel):
    """An individual Audit/Metrics/Notification/Error Event"""
@ -134,6 +193,8 @@ class Event(SerializerModel, ExpiringModel):
    # Shadow the expires attribute from ExpiringModel to override the default duration
    expires = models.DateTimeField(default=default_event_duration)
    objects = EventManager()
    @staticmethod
    def _get_app_from_request(request: HttpRequest) -> str:
        if not isinstance(request, HttpRequest):
@ -549,7 +610,7 @@ class NotificationRule(SerializerModel, PolicyBindingModel):
        default=NotificationSeverity.NOTICE,
        help_text=_("Controls which severity level the created notifications will have."),
    )
-    destination_group = models.ForeignKey(
+    group = models.ForeignKey(
        Group,
        help_text=_(
            "Define which group of users this notification should be sent and shown to. "
@ -559,19 +620,6 @@ class NotificationRule(SerializerModel, PolicyBindingModel):
        blank=True,
        on_delete=models.SET_NULL,
    )
    destination_event_user = models.BooleanField(
        default=False,
        help_text=_(
            "When enabled, notification will be sent to user the user that triggered the event."
            "When destination_group is configured, notification is sent to both."
        ),
    )
    def destination_users(self, event: Event) -> Generator[User, Any]:
        if self.destination_event_user and event.user.get("pk"):
            yield User(pk=event.user.get("pk"))
        if self.destination_group:
            yield from self.destination_group.users.all()
    @property
    def serializer(self) -> type[Serializer]:
--- a/authentik/events/tasks.py
+++ b/authentik/events/tasks.py
@ -68,10 +68,14 @@ def event_trigger_handler(event_uuid: str, trigger_name: str):
    if not result.passing:
        return
    if not trigger.group:
        LOGGER.debug("e(trigger): trigger has no group", trigger=trigger)
        return
    LOGGER.debug("e(trigger): event trigger matched", trigger=trigger)
    # Create the notification objects
    for transport in trigger.transports.all():
-        for user in trigger.destination_users(event):
+        for user in trigger.group.users.all():
            LOGGER.debug("created notification")
            notification_transport.apply_async(
                args=[
--- a/authentik/events/tests/test_enrich_geoip.py
+++ b/authentik/events/tests/test_enrich_geoip.py
@ -2,9 +2,7 @@
 from django.test import TestCase
 from authentik.events.context_processors.base import get_context_processors
 from authentik.events.context_processors.geoip import GeoIPContextProcessor
 from authentik.events.models import Event, EventAction
 class TestGeoIP(TestCase):
@ -15,7 +13,8 @@ class TestGeoIP(TestCase):
    def test_simple(self):
        """Test simple city wrapper"""
-        # IPs from https://github.com/maxmind/MaxMind-DB/blob/main/source-data/GeoLite2-City-Test.json
+        # IPs from
        # https://github.com/maxmind/MaxMind-DB/blob/main/source-data/GeoLite2-City-Test.json
        self.assertEqual(
            self.reader.city_dict("2.125.160.216"),
            {
@ -26,12 +25,3 @@ class TestGeoIP(TestCase):
                "long": -1.25,
            },
        )
    def test_special_chars(self):
        """Test city name with special characters"""
        # IPs from https://github.com/maxmind/MaxMind-DB/blob/main/source-data/GeoLite2-City-Test.json
        event = Event.new(EventAction.LOGIN)
        event.client_ip = "89.160.20.112"
        for processor in get_context_processors():
            processor.enrich_event(event)
        event.save()
--- a/authentik/events/tests/test_notifications.py
+++ b/authentik/events/tests/test_notifications.py
@ -6,7 +6,6 @@ from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import Group, User
 from authentik.core.tests.utils import create_test_user
 from authentik.events.models import (
    Event,
    EventAction,
@ -35,7 +34,7 @@ class TestEventsNotifications(APITestCase):
    def test_trigger_empty(self):
        """Test trigger without any policies attached"""
        transport = NotificationTransport.objects.create(name=generate_id())
-        trigger = NotificationRule.objects.create(name=generate_id(), destination_group=self.group)
+        trigger = NotificationRule.objects.create(name=generate_id(), group=self.group)
        trigger.transports.add(transport)
        trigger.save()
@ -47,7 +46,7 @@ class TestEventsNotifications(APITestCase):
    def test_trigger_single(self):
        """Test simple transport triggering"""
        transport = NotificationTransport.objects.create(name=generate_id())
-        trigger = NotificationRule.objects.create(name=generate_id(), destination_group=self.group)
+        trigger = NotificationRule.objects.create(name=generate_id(), group=self.group)
        trigger.transports.add(transport)
        trigger.save()
        matcher = EventMatcherPolicy.objects.create(
@ -60,25 +59,6 @@ class TestEventsNotifications(APITestCase):
            Event.new(EventAction.CUSTOM_PREFIX).save()
        self.assertEqual(execute_mock.call_count, 1)
    def test_trigger_event_user(self):
        """Test trigger with event user"""
        user = create_test_user()
        transport = NotificationTransport.objects.create(name=generate_id())
        trigger = NotificationRule.objects.create(name=generate_id(), destination_event_user=True)
        trigger.transports.add(transport)
        trigger.save()
        matcher = EventMatcherPolicy.objects.create(
            name="matcher", action=EventAction.CUSTOM_PREFIX
        )
        PolicyBinding.objects.create(target=trigger, policy=matcher, order=0)
        execute_mock = MagicMock()
        with patch("authentik.events.models.NotificationTransport.send", execute_mock):
            Event.new(EventAction.CUSTOM_PREFIX).set_user(user).save()
        self.assertEqual(execute_mock.call_count, 1)
        notification: Notification = execute_mock.call_args[0][0]
        self.assertEqual(notification.user, user)
    def test_trigger_no_group(self):
        """Test trigger without group"""
        trigger = NotificationRule.objects.create(name=generate_id())
@ -96,7 +76,7 @@ class TestEventsNotifications(APITestCase):
        """Test Policy error which would cause recursion"""
        transport = NotificationTransport.objects.create(name=generate_id())
        NotificationRule.objects.filter(name__startswith="default").delete()
-        trigger = NotificationRule.objects.create(name=generate_id(), destination_group=self.group)
+        trigger = NotificationRule.objects.create(name=generate_id(), group=self.group)
        trigger.transports.add(transport)
        trigger.save()
        matcher = EventMatcherPolicy.objects.create(
@ -119,7 +99,7 @@ class TestEventsNotifications(APITestCase):
        transport = NotificationTransport.objects.create(name=generate_id(), send_once=True)
        NotificationRule.objects.filter(name__startswith="default").delete()
-        trigger = NotificationRule.objects.create(name=generate_id(), destination_group=self.group)
+        trigger = NotificationRule.objects.create(name=generate_id(), group=self.group)
        trigger.transports.add(transport)
        trigger.save()
        matcher = EventMatcherPolicy.objects.create(
@ -143,7 +123,7 @@ class TestEventsNotifications(APITestCase):
            name=generate_id(), webhook_mapping_body=mapping, mode=TransportMode.LOCAL
        )
        NotificationRule.objects.filter(name__startswith="default").delete()
-        trigger = NotificationRule.objects.create(name=generate_id(), destination_group=self.group)
+        trigger = NotificationRule.objects.create(name=generate_id(), group=self.group)
        trigger.transports.add(transport)
        matcher = EventMatcherPolicy.objects.create(
            name="matcher", action=EventAction.CUSTOM_PREFIX
--- a/authentik/flows/tests/test_executor.py
+++ b/authentik/flows/tests/test_executor.py
@ -4,10 +4,8 @@ from unittest.mock import MagicMock, PropertyMock, patch
 from urllib.parse import urlencode
 from django.http import HttpRequest, HttpResponse
 from django.test import override_settings
 from django.test.client import RequestFactory
 from django.urls import reverse
 from rest_framework.exceptions import ParseError
 from authentik.core.models import Group, User
 from authentik.core.tests.utils import create_test_flow, create_test_user
@ -650,25 +648,3 @@ class TestFlowExecutor(FlowTestCase):
            self.assertStageResponse(response, flow, component="ak-stage-identification")
            response = self.client.post(exec_url, {"uid_field": user_other.username}, follow=True)
            self.assertStageResponse(response, flow, component="ak-stage-access-denied")
    @patch(
        "authentik.flows.views.executor.to_stage_response",
        TO_STAGE_RESPONSE_MOCK,
    )
    def test_invalid_json(self):
        """Test invalid JSON body"""
        flow = create_test_flow()
        FlowStageBinding.objects.create(
            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
        )
        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
        with override_settings(TEST=False, DEBUG=False):
            self.client.logout()
            response = self.client.post(url, data="{", content_type="application/json")
            self.assertEqual(response.status_code, 200)
        with self.assertRaises(ParseError):
            self.client.logout()
            response = self.client.post(url, data="{", content_type="application/json")
            self.assertEqual(response.status_code, 200)
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -55,7 +55,7 @@ from authentik.flows.planner import (
    FlowPlanner,
 )
 from authentik.flows.stage import AccessDeniedStage, StageView
-from authentik.lib.sentry import SentryIgnoredException, should_ignore_exception
+from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.reflection import all_subclasses, class_to_path
 from authentik.lib.utils.urls import is_url_absolute, redirect_with_qs
@ -234,9 +234,8 @@ class FlowExecutorView(APIView):
        """Handle exception in stage execution"""
        if settings.DEBUG or settings.TEST:
            raise exc
        self._logger.warning(exc)
        if not should_ignore_exception(exc):
        capture_exception(exc)
        self._logger.warning(exc)
        Event.new(
            action=EventAction.SYSTEM_EXCEPTION,
            message=exception_to_string(exc),
--- a/authentik/lib/logging.py
+++ b/authentik/lib/logging.py
@ -104,7 +104,6 @@ def get_logger_config():
        "hpack": "WARNING",
        "httpx": "WARNING",
        "azure": "WARNING",
        "httpcore": "WARNING",
    }
    for handler_name, level in handler_level_map.items():
        base_config["loggers"][handler_name] = {
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -14,7 +14,6 @@ from django_redis.exceptions import ConnectionInterrupted
 from docker.errors import DockerException
 from h11 import LocalProtocolError
 from ldap3.core.exceptions import LDAPException
 from psycopg.errors import Error
 from redis.exceptions import ConnectionError as RedisConnectionError
 from redis.exceptions import RedisError, ResponseError
 from rest_framework.exceptions import APIException
@ -45,49 +44,6 @@ class SentryIgnoredException(Exception):
    """Base Class for all errors that are suppressed, and not sent to sentry."""
 ignored_classes = (
    # Inbuilt types
    KeyboardInterrupt,
    ConnectionResetError,
    OSError,
    PermissionError,
    # Django Errors
    Error,
    ImproperlyConfigured,
    DatabaseError,
    OperationalError,
    InternalError,
    ProgrammingError,
    SuspiciousOperation,
    ValidationError,
    # Redis errors
    RedisConnectionError,
    ConnectionInterrupted,
    RedisError,
    ResponseError,
    # websocket errors
    ChannelFull,
    WebSocketException,
    LocalProtocolError,
    # rest_framework error
    APIException,
    # celery errors
    WorkerLostError,
    CeleryError,
    SoftTimeLimitExceeded,
    # custom baseclass
    SentryIgnoredException,
    # ldap errors
    LDAPException,
    # Docker errors
    DockerException,
    # End-user errors
    Http404,
    # AsyncIO
    CancelledError,
 )
 class SentryTransport(HttpTransport):
    """Custom sentry transport with custom user-agent"""
@ -145,17 +101,56 @@ def traces_sampler(sampling_context: dict) -> float:
    return float(CONFIG.get("error_reporting.sample_rate", 0.1))
 def should_ignore_exception(exc: Exception) -> bool:
    """Check if an exception should be dropped"""
    return isinstance(exc, ignored_classes)
 def before_send(event: dict, hint: dict) -> dict | None:
    """Check if error is database error, and ignore if so"""
    from psycopg.errors import Error
    ignored_classes = (
        # Inbuilt types
        KeyboardInterrupt,
        ConnectionResetError,
        OSError,
        PermissionError,
        # Django Errors
        Error,
        ImproperlyConfigured,
        DatabaseError,
        OperationalError,
        InternalError,
        ProgrammingError,
        SuspiciousOperation,
        ValidationError,
        # Redis errors
        RedisConnectionError,
        ConnectionInterrupted,
        RedisError,
        ResponseError,
        # websocket errors
        ChannelFull,
        WebSocketException,
        LocalProtocolError,
        # rest_framework error
        APIException,
        # celery errors
        WorkerLostError,
        CeleryError,
        SoftTimeLimitExceeded,
        # custom baseclass
        SentryIgnoredException,
        # ldap errors
        LDAPException,
        # Docker errors
        DockerException,
        # End-user errors
        Http404,
        # AsyncIO
        CancelledError,
    )
    exc_value = None
    if "exc_info" in hint:
        _, exc_value, _ = hint["exc_info"]
-        if should_ignore_exception(exc_value):
+        if isinstance(exc_value, ignored_classes):
            LOGGER.debug("dropping exception", exc=exc_value)
            return None
    if "logger" in event:
--- a/authentik/lib/tests/test_sentry.py
+++ b/authentik/lib/tests/test_sentry.py
@ -2,7 +2,7 @@
 from django.test import TestCase
-from authentik.lib.sentry import SentryIgnoredException, should_ignore_exception
+from authentik.lib.sentry import SentryIgnoredException, before_send
 class TestSentry(TestCase):
@ -10,8 +10,8 @@ class TestSentry(TestCase):
    def test_error_not_sent(self):
        """Test SentryIgnoredError not sent"""
-        self.assertTrue(should_ignore_exception(SentryIgnoredException()))
+        self.assertIsNone(before_send({}, {"exc_info": (0, SentryIgnoredException(), 0)}))
    def test_error_sent(self):
        """Test error sent"""
-        self.assertFalse(should_ignore_exception(ValueError()))
+        self.assertEqual({}, before_send({}, {"exc_info": (0, ValueError(), 0)}))
--- a/authentik/outposts/consumer.py
+++ b/authentik/outposts/consumer.py
@ -37,9 +37,6 @@ class WebsocketMessageInstruction(IntEnum):
    # Provider specific message
    PROVIDER_SPECIFIC = 3
    # Session ended
    SESSION_END = 4
@dataclass(slots=True)
 class WebsocketMessage:
@ -148,14 +145,6 @@ class OutpostConsumer(JsonWebsocketConsumer):
            asdict(WebsocketMessage(instruction=WebsocketMessageInstruction.TRIGGER_UPDATE))
        )
    def event_session_end(self, event):
        """Event handler which is called when a session is ended"""
        self.send_json(
            asdict(
                WebsocketMessage(instruction=WebsocketMessageInstruction.SESSION_END, args=event)
            )
        )
    def event_provider_specific(self, event):
        """Event handler which can be called by provider-specific
        implementations to send specific messages to the outpost"""
--- a/authentik/outposts/signals.py
+++ b/authentik/outposts/signals.py
@ -7,16 +7,11 @@ from django.dispatch import receiver
 from structlog.stdlib import get_logger
 from authentik.brands.models import Brand
-from authentik.core.models import AuthenticatedSession, Provider
+from authentik.core.models import Provider
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.utils.reflection import class_to_path
 from authentik.outposts.models import Outpost, OutpostServiceConnection
-from authentik.outposts.tasks import (
+from authentik.outposts.tasks import CACHE_KEY_OUTPOST_DOWN, outpost_controller, outpost_post_save
    CACHE_KEY_OUTPOST_DOWN,
    outpost_controller,
    outpost_post_save,
    outpost_session_end,
 )
 LOGGER = get_logger()
 UPDATE_TRIGGERING_MODELS = (
@ -78,9 +73,3 @@ def pre_delete_cleanup(sender, instance: Outpost, **_):
    instance.user.delete()
    cache.set(CACHE_KEY_OUTPOST_DOWN % instance.pk.hex, instance)
    outpost_controller.delay(instance.pk.hex, action="down", from_cache=True)
@receiver(pre_delete, sender=AuthenticatedSession)
 def logout_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
    """Catch logout by expiring sessions being deleted"""
    outpost_session_end.delay(instance.session.session_key)
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -1,6 +1,5 @@
 """outpost tasks"""
 from hashlib import sha256
 from os import R_OK, access
 from pathlib import Path
 from socket import gethostname
@ -50,11 +49,6 @@ LOGGER = get_logger()
 CACHE_KEY_OUTPOST_DOWN = "goauthentik.io/outposts/teardown/%s"
 def hash_session_key(session_key: str) -> str:
    """Hash the session key for sending session end signals"""
    return sha256(session_key.encode("ascii")).hexdigest()
 def controller_for_outpost(outpost: Outpost) -> type[BaseController] | None:
    """Get a controller for the outpost, when a service connection is defined"""
    if not outpost.service_connection:
@ -295,20 +289,3 @@ def outpost_connection_discovery(self: SystemTask):
                url=unix_socket_path,
            )
    self.set_status(TaskStatus.SUCCESSFUL, *messages)
@CELERY_APP.task()
 def outpost_session_end(session_id: str):
    """Update outpost instances connected to a single outpost"""
    layer = get_channel_layer()
    hashed_session_id = hash_session_key(session_id)
    for outpost in Outpost.objects.all():
        LOGGER.info("Sending session end signal to outpost", outpost=outpost)
        group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
        async_to_sync(layer.group_send)(
            group,
            {
                "type": "event.session.end",
                "session_id": hashed_session_id,
            },
        )
--- a/authentik/outposts/tests/test_ws.py
+++ b/authentik/outposts/tests/test_ws.py
@ -1,9 +1,11 @@
 """Websocket tests"""
 from dataclasses import asdict
 from unittest.mock import patch
 from channels.routing import URLRouter
 from channels.testing import WebsocketCommunicator
 from django.contrib.contenttypes.models import ContentType
 from django.test import TransactionTestCase
 from authentik import __version__
@ -14,6 +16,12 @@ from authentik.providers.proxy.models import ProxyProvider
 from authentik.root import websocket
 def patched__get_ct_cached(app_label, codename):
    """Caches `ContentType` instances like its `QuerySet` does."""
    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestOutpostWS(TransactionTestCase):
    """Websocket tests"""
--- a/authentik/policies/engine.py
+++ b/authentik/policies/engine.py
@ -1,11 +1,11 @@
 """authentik policy engine"""
-from collections.abc import Iterator
+from collections.abc import Iterable
 from multiprocessing import Pipe, current_process
 from multiprocessing.connection import Connection
 from time import perf_counter
 from django.core.cache import cache
 from django.db.models import Count, Q, QuerySet
 from django.http import HttpRequest
 from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
@ -67,14 +67,11 @@ class PolicyEngine:
        self.__processes: list[PolicyProcessInfo] = []
        self.use_cache = True
        self.__expected_result_count = 0
        self.__static_result: PolicyResult | None = None
-    def iterate_bindings(self) -> Iterator[PolicyBinding]:
+    def bindings(self) -> QuerySet[PolicyBinding] | Iterable[PolicyBinding]:
        """Make sure all Policies are their respective classes"""
-        return (
+        return PolicyBinding.objects.filter(target=self.__pbm, enabled=True).order_by("order")
            PolicyBinding.objects.filter(target=self.__pbm, enabled=True)
            .order_by("order")
            .iterator()
        )
    def _check_policy_type(self, binding: PolicyBinding):
        """Check policy type, make sure it's not the root class as that has no logic implemented"""
@ -84,10 +81,17 @@ class PolicyEngine:
    def _check_cache(self, binding: PolicyBinding):
        if not self.use_cache:
            return False
-        before = perf_counter()
+        # It's a bit silly to time this, but
        with HIST_POLICIES_EXECUTION_TIME.labels(
            binding_order=binding.order,
            binding_target_type=binding.target_type,
            binding_target_name=binding.target_name,
            object_pk=str(self.request.obj.pk),
            object_type=class_to_path(self.request.obj.__class__),
            mode="cache_retrieve",
        ).time():
            key = cache_key(binding, self.request)
            cached_policy = cache.get(key, None)
        duration = max(perf_counter() - before, 0)
            if not cached_policy:
                return False
        self.logger.debug(
@ -96,18 +100,47 @@ class PolicyEngine:
            cache_key=key,
            request=self.request,
        )
        HIST_POLICIES_EXECUTION_TIME.labels(
            binding_order=binding.order,
            binding_target_type=binding.target_type,
            binding_target_name=binding.target_name,
            object_pk=str(self.request.obj.pk),
            object_type=class_to_path(self.request.obj.__class__),
            mode="cache_retrieve",
        ).observe(duration)
        # It's a bit silly to time this, but
        self.__cached_policies.append(cached_policy)
        return True
    def compute_static_bindings(self, bindings: QuerySet[PolicyBinding]):
        """Check static bindings if possible"""
        aggrs = {
            "total": Count(
                "pk", filter=Q(Q(group__isnull=False) | Q(user__isnull=False), policy=None)
            ),
        }
        if self.request.user.pk:
            all_groups = self.request.user.all_groups()
            aggrs["passing"] = Count(
                "pk",
                filter=Q(
                    Q(
                        Q(user=self.request.user) | Q(group__in=all_groups),
                        negate=False,
                    )
                    | Q(
                        Q(~Q(user=self.request.user), user__isnull=False)
                        | Q(~Q(group__in=all_groups), group__isnull=False),
                        negate=True,
                    ),
                    enabled=True,
                ),
            )
        matched_bindings = bindings.aggregate(**aggrs)
        passing = False
        if matched_bindings["total"] == 0 and matched_bindings.get("passing", 0) == 0:
            # If we didn't find any static bindings, do nothing
            return
        self.logger.debug("P_ENG: Found static bindings", **matched_bindings)
        if matched_bindings.get("passing", 0) > 0:
            # Any passing static binding -> passing
            passing = True
        elif matched_bindings["total"] > 0 and matched_bindings.get("passing", 0) < 1:
            # No matching static bindings but at least one is configured -> not passing
            passing = False
        self.__static_result = PolicyResult(passing)
    def build(self) -> "PolicyEngine":
        """Build wrapper which monitors performance"""
        with (
@ -123,7 +156,12 @@ class PolicyEngine:
            span: Span
            span.set_data("pbm", self.__pbm)
            span.set_data("request", self.request)
-            for binding in self.iterate_bindings():
+            bindings = self.bindings()
            policy_bindings = bindings
            if isinstance(bindings, QuerySet):
                self.compute_static_bindings(bindings)
                policy_bindings = [x for x in bindings if x.policy]
            for binding in policy_bindings:
                self.__expected_result_count += 1
                self._check_policy_type(binding)
@ -153,10 +191,13 @@ class PolicyEngine:
    @property
    def result(self) -> PolicyResult:
        """Get policy-checking result"""
        self.__processes.sort(key=lambda x: x.binding.order)
        process_results: list[PolicyResult] = [x.result for x in self.__processes if x.result]
        all_results = list(process_results + self.__cached_policies)
        if len(all_results) < self.__expected_result_count:  # pragma: no cover
            raise AssertionError("Got less results than polices")
        if self.__static_result:
            all_results.append(self.__static_result)
        # No results, no policies attached -> passing
        if len(all_results) == 0:
            return PolicyResult(self.empty_result)
--- a/authentik/policies/tests/test_engine.py
+++ b/authentik/policies/tests/test_engine.py
@ -1,9 +1,12 @@
 """policy engine tests"""
 from django.core.cache import cache
 from django.db import connections
 from django.test import TestCase
 from django.test.utils import CaptureQueriesContext
-from authentik.core.tests.utils import create_test_admin_user
+from authentik.core.models import Group
 from authentik.core.tests.utils import create_test_user
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.engine import PolicyEngine
@ -19,7 +22,7 @@ class TestPolicyEngine(TestCase):
    def setUp(self):
        clear_policy_cache()
-        self.user = create_test_admin_user()
+        self.user = create_test_user()
        self.policy_false = DummyPolicy.objects.create(
            name=generate_id(), result=False, wait_min=0, wait_max=1
        )
@ -127,3 +130,43 @@ class TestPolicyEngine(TestCase):
        self.assertEqual(len(cache.keys(f"{CACHE_PREFIX}{binding.policy_binding_uuid.hex}*")), 1)
        self.assertEqual(engine.build().passing, False)
        self.assertEqual(len(cache.keys(f"{CACHE_PREFIX}{binding.policy_binding_uuid.hex}*")), 1)
    def test_engine_static_bindings(self):
        """Test static bindings"""
        group_a = Group.objects.create(name=generate_id())
        group_b = Group.objects.create(name=generate_id())
        group_b.users.add(self.user)
        user = create_test_user()
        for case in [
            {
                "message": "Group, not member",
                "binding_args": {"group": group_a},
                "passing": False,
            },
            {
                "message": "Group, member",
                "binding_args": {"group": group_b},
                "passing": True,
            },
            {
                "message": "User, other",
                "binding_args": {"user": user},
                "passing": False,
            },
            {
                "message": "User, same",
                "binding_args": {"user": self.user},
                "passing": True,
            },
        ]:
            with self.subTest():
                pbm = PolicyBindingModel.objects.create()
                for x in range(1000):
                    PolicyBinding.objects.create(target=pbm, order=x, **case["binding_args"])
                engine = PolicyEngine(pbm, self.user)
                engine.use_cache = False
                with CaptureQueriesContext(connections["default"]) as ctx:
                    engine.build()
                self.assertLess(ctx.final_queries, 1000)
                self.assertEqual(engine.result.passing, case["passing"])
--- a/authentik/policies/tests/test_process.py
+++ b/authentik/policies/tests/test_process.py
@ -29,13 +29,12 @@ class TestPolicyProcess(TestCase):
    def setUp(self):
        clear_policy_cache()
        self.factory = RequestFactory()
-        self.user = User.objects.create_user(username="policyuser")
+        self.user = User.objects.create_user(username=generate_id())
    def test_group_passing(self):
        """Test binding to group"""
-        group = Group.objects.create(name="test-group")
+        group = Group.objects.create(name=generate_id())
        group.users.add(self.user)
        group.save()
        binding = PolicyBinding(group=group)
        request = PolicyRequest(self.user)
@ -44,8 +43,7 @@ class TestPolicyProcess(TestCase):
    def test_group_negative(self):
        """Test binding to group"""
-        group = Group.objects.create(name="test-group")
+        group = Group.objects.create(name=generate_id())
        group.save()
        binding = PolicyBinding(group=group)
        request = PolicyRequest(self.user)
@ -115,8 +113,10 @@ class TestPolicyProcess(TestCase):
    def test_exception(self):
        """Test policy execution"""
-        policy = Policy.objects.create(name="test-execution")
+        policy = Policy.objects.create(name=generate_id())
-        binding = PolicyBinding(policy=policy, target=Application.objects.create(name="test"))
+        binding = PolicyBinding(
            policy=policy, target=Application.objects.create(name=generate_id())
        )
        request = PolicyRequest(self.user)
        response = PolicyProcess(binding, request, None).execute()
@ -125,13 +125,15 @@ class TestPolicyProcess(TestCase):
    def test_execution_logging(self):
        """Test policy execution creates event"""
        policy = DummyPolicy.objects.create(
-            name="test-execution-logging",
+            name=generate_id(),
            result=False,
            wait_min=0,
            wait_max=1,
            execution_logging=True,
        )
-        binding = PolicyBinding(policy=policy, target=Application.objects.create(name="test"))
+        binding = PolicyBinding(
            policy=policy, target=Application.objects.create(name=generate_id())
        )
        http_request = self.factory.get(reverse("authentik_api:user-impersonate-end"))
        http_request.user = self.user
@ -186,13 +188,15 @@ class TestPolicyProcess(TestCase):
    def test_execution_logging_anonymous(self):
        """Test policy execution creates event with anonymous user"""
        policy = DummyPolicy.objects.create(
-            name="test-execution-logging-anon",
+            name=generate_id(),
            result=False,
            wait_min=0,
            wait_max=1,
            execution_logging=True,
        )
-        binding = PolicyBinding(policy=policy, target=Application.objects.create(name="test"))
+        binding = PolicyBinding(
            policy=policy, target=Application.objects.create(name=generate_id())
        )
        user = AnonymousUser()
@ -219,9 +223,9 @@ class TestPolicyProcess(TestCase):
    def test_raises(self):
        """Test policy that raises error"""
-        policy_raises = ExpressionPolicy.objects.create(name="raises", expression="{{ 0/0 }}")
+        policy_raises = ExpressionPolicy.objects.create(name=generate_id(), expression="{{ 0/0 }}")
        binding = PolicyBinding(
-            policy=policy_raises, target=Application.objects.create(name="test")
+            policy=policy_raises, target=Application.objects.create(name=generate_id())
        )
        request = PolicyRequest(self.user)
--- a/authentik/providers/oauth2/signals.py
+++ b/authentik/providers/oauth2/signals.py
@ -1,10 +1,23 @@
 from django.contrib.auth.signals import user_logged_out
 from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
 from authentik.core.models import AuthenticatedSession, User
 from authentik.providers.oauth2.models import AccessToken, DeviceToken, RefreshToken
@receiver(user_logged_out)
 def user_logged_out_oauth_tokens_removal(sender, request: HttpRequest, user: User, **_):
    """Revoke tokens upon user logout"""
    if not request.session or not request.session.session_key:
        return
    AccessToken.objects.filter(
        user=user,
        session__session__session_key=request.session.session_key,
    ).delete()
@receiver(pre_delete, sender=AuthenticatedSession)
 def user_session_deleted_oauth_tokens_removal(sender, instance: AuthenticatedSession, **_):
    """Revoke tokens upon user logout"""
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -387,7 +387,8 @@ class TestAuthorize(OAuthTestCase):
            self.assertEqual(
                response.url,
                (
-                    f"http://localhost#id_token={provider.encode(token.id_token.to_dict())}"
+                    f"http://localhost#access_token={token.token}"
                    f"&id_token={provider.encode(token.id_token.to_dict())}"
                    f"&token_type={TOKEN_TYPE}"
                    f"&expires_in={int(expires)}&state={state}"
                ),
@ -562,6 +563,7 @@ class TestAuthorize(OAuthTestCase):
                "url": "http://localhost",
                "title": f"Redirecting to {app.name}...",
                "attrs": {
                    "access_token": token.token,
                    "id_token": provider.encode(token.id_token.to_dict()),
                    "token_type": TOKEN_TYPE,
                    "expires_in": "3600",
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -150,12 +150,12 @@ class OAuthAuthorizationParams:
        self.check_redirect_uri()
        self.check_grant()
        self.check_scope(github_compat)
        self.check_nonce()
        self.check_code_challenge()
        if self.request:
            raise AuthorizeError(
                self.redirect_uri, "request_not_supported", self.grant_type, self.state
            )
        self.check_nonce()
        self.check_code_challenge()
    def check_grant(self):
        """Check grant"""
@ -630,6 +630,7 @@ class OAuthFulfillmentStage(StageView):
        if self.params.response_type in [
            ResponseTypes.ID_TOKEN_TOKEN,
            ResponseTypes.CODE_ID_TOKEN_TOKEN,
            ResponseTypes.ID_TOKEN,
            ResponseTypes.CODE_TOKEN,
        ]:
            query_fragment["access_token"] = token.token
--- a/authentik/providers/proxy/signals.py
+++ b/authentik/providers/proxy/signals.py
@ -0,0 +1,23 @@
 """Proxy provider signals"""
 from django.contrib.auth.signals import user_logged_out
 from django.db.models.signals import pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
 from authentik.core.models import AuthenticatedSession, User
 from authentik.providers.proxy.tasks import proxy_on_logout
@receiver(user_logged_out)
 def logout_proxy_revoke_direct(sender: type[User], request: HttpRequest, **_):
    """Catch logout by direct logout and forward to proxy providers"""
    if not request.session or not request.session.session_key:
        return
    proxy_on_logout.delay(request.session.session_key)
@receiver(pre_delete, sender=AuthenticatedSession)
 def logout_proxy_revoke(sender: type[AuthenticatedSession], instance: AuthenticatedSession, **_):
    """Catch logout by expiring sessions being deleted"""
    proxy_on_logout.delay(instance.session.session_key)
--- a/authentik/providers/proxy/tasks.py
+++ b/authentik/providers/proxy/tasks.py
@ -0,0 +1,26 @@
 """proxy provider tasks"""
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from authentik.outposts.consumer import OUTPOST_GROUP
 from authentik.outposts.models import Outpost, OutpostType
 from authentik.providers.oauth2.id_token import hash_session_key
 from authentik.root.celery import CELERY_APP
@CELERY_APP.task()
 def proxy_on_logout(session_id: str):
    """Update outpost instances connected to a single outpost"""
    layer = get_channel_layer()
    hashed_session_id = hash_session_key(session_id)
    for outpost in Outpost.objects.filter(type=OutpostType.PROXY):
        group = OUTPOST_GROUP % {"outpost_pk": str(outpost.pk)}
        async_to_sync(layer.group_send)(
            group,
            {
                "type": "event.provider.specific",
                "sub_type": "logout",
                "session_id": hashed_session_id,
            },
        )
--- a/authentik/providers/rac/signals.py
+++ b/authentik/providers/rac/signals.py
@ -2,11 +2,13 @@
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.contrib.auth.signals import user_logged_out
 from django.core.cache import cache
 from django.db.models.signals import post_delete, post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
-from authentik.core.models import AuthenticatedSession
+from authentik.core.models import AuthenticatedSession, User
 from authentik.providers.rac.api.endpoints import user_endpoint_cache_key
 from authentik.providers.rac.consumer_client import (
    RAC_CLIENT_GROUP_SESSION,
@ -15,6 +17,21 @@ from authentik.providers.rac.consumer_client import (
 from authentik.providers.rac.models import ConnectionToken, Endpoint
@receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
    """Disconnect any open RAC connections"""
    if not request.session or not request.session.session_key:
        return
    layer = get_channel_layer()
    async_to_sync(layer.group_send)(
        RAC_CLIENT_GROUP_SESSION
        % {
            "session": request.session.session_key,
        },
        {"type": "event.disconnect", "reason": "session_logout"},
    )
@receiver(pre_delete, sender=AuthenticatedSession)
 def user_session_deleted(sender, instance: AuthenticatedSession, **_):
    layer = get_channel_layer()
--- a/authentik/providers/rac/tests/test_endpoints_api.py
+++ b/authentik/providers/rac/tests/test_endpoints_api.py
@ -49,7 +49,6 @@ class TestEndpointsAPI(APITestCase):
        self.assertJSONEqual(
            response.content.decode(),
            {
                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
@ -102,7 +101,6 @@ class TestEndpointsAPI(APITestCase):
        self.assertJSONEqual(
            response.content.decode(),
            {
                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@ -20,9 +20,6 @@ from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 PLAN_CONNECTION_SETTINGS = "connection_settings"
 class RACStartView(PolicyAccessView):
@ -112,15 +109,10 @@ class RACFinalStage(RedirectStage):
        return super().dispatch(request, *args, **kwargs)
    def get_challenge(self, *args, **kwargs) -> RedirectChallenge:
        settings = self.executor.plan.context.get(PLAN_CONNECTION_SETTINGS)
        if not settings:
            settings = self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {}).get(
                PLAN_CONNECTION_SETTINGS
            )
        token = ConnectionToken.objects.create(
            provider=self.provider,
            endpoint=self.endpoint,
-            settings=settings or {},
+            settings=self.executor.plan.context.get("connection_settings", {}),
            session=self.request.session["authenticatedsession"],
            expires=now() + timedelta_from_string(self.provider.connection_expiry),
            expiring=True,
--- a/authentik/providers/scim/clients/groups.py
+++ b/authentik/providers/scim/clients/groups.py
@ -5,6 +5,7 @@ from itertools import batched
 from django.db import transaction
 from pydantic import ValidationError
 from pydanticscim.group import GroupMember
 from pydanticscim.responses import PatchOp
 from authentik.core.models import Group
 from authentik.lib.sync.mapper import PropertyMappingManager
@ -19,12 +20,7 @@ from authentik.providers.scim.clients.base import SCIMClient
 from authentik.providers.scim.clients.exceptions import (
    SCIMRequestException,
 )
-from authentik.providers.scim.clients.schema import (
+from authentik.providers.scim.clients.schema import SCIM_GROUP_SCHEMA, PatchOperation, PatchRequest
    SCIM_GROUP_SCHEMA,
    PatchOp,
    PatchOperation,
    PatchRequest,
 )
 from authentik.providers.scim.clients.schema import Group as SCIMGroupSchema
 from authentik.providers.scim.models import (
    SCIMMapping,
--- a/authentik/providers/scim/clients/schema.py
+++ b/authentik/providers/scim/clients/schema.py
@ -1,7 +1,5 @@
 """Custom SCIM schemas"""
 from enum import Enum
 from pydantic import Field
 from pydanticscim.group import Group as BaseGroup
 from pydanticscim.responses import PatchOperation as BasePatchOperation
@ -67,21 +65,6 @@ class ServiceProviderConfiguration(BaseServiceProviderConfiguration):
        )
 class PatchOp(str, Enum):
    replace = "replace"
    remove = "remove"
    add = "add"
    @classmethod
    def _missing_(cls, value):
        value = value.lower()
        for member in cls:
            if member.lower() == value:
                return member
        return None
 class PatchRequest(BasePatchRequest):
    """PatchRequest which correctly sets schemas"""
@ -91,7 +74,6 @@ class PatchRequest(BasePatchRequest):
 class PatchOperation(BasePatchOperation):
    """PatchOperation with optional path"""
    op: PatchOp
    path: str | None
--- a/authentik/rbac/tests/test_api_assigned_by_roles.py
+++ b/authentik/rbac/tests/test_api_assigned_by_roles.py
@ -44,7 +44,6 @@ class TestRBACRoleAPI(APITestCase):
        self.assertJSONEqual(
            res.content.decode(),
            {
                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
--- a/authentik/rbac/tests/test_api_assigned_by_users.py
+++ b/authentik/rbac/tests/test_api_assigned_by_users.py
@ -46,7 +46,6 @@ class TestRBACUserAPI(APITestCase):
        self.assertJSONEqual(
            res.content.decode(),
            {
                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
--- a/authentik/rbac/tests/test_api_filters.py
+++ b/authentik/rbac/tests/test_api_filters.py
@ -38,7 +38,6 @@ class TestAPIPerms(APITestCase):
        self.assertJSONEqual(
            res.content.decode(),
            {
                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
@ -74,7 +73,6 @@ class TestAPIPerms(APITestCase):
        self.assertJSONEqual(
            res.content.decode(),
            {
                "autocomplete": {},
                "pagination": {
                    "next": 0,
                    "previous": 0,
--- a/authentik/rbac/tests/test_decorators.py
+++ b/authentik/rbac/tests/test_decorators.py
@ -1,29 +1,12 @@
 """test decorators api"""
 from django.urls import reverse
 from guardian.shortcuts import assign_perm
 from rest_framework.decorators import action
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.test import APITestCase
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_user
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import get_request
 from authentik.rbac.decorators import permission_required
 class MVS(ModelViewSet):
    queryset = Application.objects.all()
    lookup_field = "slug"
    @permission_required("authentik_core.view_application", ["authentik_events.view_event"])
    @action(detail=True, pagination_class=None, filter_backends=[])
    def test(self, request: Request, slug: str):
        self.get_object()
        return Response(status=200)
 class TestAPIDecorators(APITestCase):
@ -35,33 +18,41 @@ class TestAPIDecorators(APITestCase):
    def test_obj_perm_denied(self):
        """Test object perm denied"""
-        request = get_request("", user=self.user)
+        self.client.force_login(self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+        response = self.client.get(
            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
        )
        self.assertEqual(response.status_code, 403)
    def test_obj_perm_global(self):
        """Test object perm successful (global)"""
        assign_perm("authentik_core.view_application", self.user)
        assign_perm("authentik_events.view_event", self.user)
        self.client.force_login(self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
-        request = get_request("", user=self.user)
+        response = self.client.get(
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
-        self.assertEqual(response.status_code, 200, response.data)
+        )
        self.assertEqual(response.status_code, 200)
    def test_obj_perm_scoped(self):
        """Test object perm successful (scoped)"""
        assign_perm("authentik_events.view_event", self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
        assign_perm("authentik_core.view_application", self.user, app)
-        request = get_request("", user=self.user)
+        self.client.force_login(self.user)
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+        response = self.client.get(
            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
        )
        self.assertEqual(response.status_code, 200)
    def test_other_perm_denied(self):
        """Test other perm denied"""
        self.client.force_login(self.user)
        app = Application.objects.create(name=generate_id(), slug=generate_id())
        assign_perm("authentik_core.view_application", self.user, app)
-        request = get_request("", user=self.user)
+        response = self.client.get(
-        response = MVS.as_view({"get": "test"})(request, slug=app.slug)
+            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
        )
        self.assertEqual(response.status_code, 403)
--- a/authentik/root/asgi.py
+++ b/authentik/root/asgi.py
@ -9,14 +9,13 @@ https://docs.djangoproject.com/en/3.0/howto/deployment/asgi/
 import django
 from channels.routing import ProtocolTypeRouter, URLRouter
 from defusedxml import defuse_stdlib
 from django.core.asgi import get_asgi_application
 from sentry_sdk.integrations.asgi import SentryAsgiMiddleware
 from authentik.root.setup import setup
 # DJANGO_SETTINGS_MODULE is set in gunicorn.conf.py
-setup()
+defuse_stdlib()
 django.setup()
--- a/authentik/root/celery.py
+++ b/authentik/root/celery.py
@ -27,7 +27,7 @@ from structlog.stdlib import get_logger
 from tenant_schemas_celery.app import CeleryApp as TenantAwareCeleryApp
 from authentik import get_full_version
-from authentik.lib.sentry import should_ignore_exception
+from authentik.lib.sentry import before_send
 from authentik.lib.utils.errors import exception_to_string
 # set the default Django settings module for the 'celery' program.
@ -81,7 +81,7 @@ def task_error_hook(task_id: str, exception: Exception, traceback, *args, **kwar
    LOGGER.warning("Task failure", task_id=task_id.replace("-", ""), exc=exception)
    CTX_TASK_ID.set(...)
-    if not should_ignore_exception(exception):
+    if before_send({}, {"exc_info": (None, exception, None)}) is not None:
        Event.new(
            EventAction.SYSTEM_EXCEPTION, message=exception_to_string(exception), task_id=task_id
        ).save()
--- a/authentik/root/db/base.py
+++ b/authentik/root/db/base.py
@ -1,49 +1,13 @@
 """authentik database backend"""
 from django.core.checks import Warning
 from django.db.backends.base.validation import BaseDatabaseValidation
 from django_tenants.postgresql_backend.base import DatabaseWrapper as BaseDatabaseWrapper
 from authentik.lib.config import CONFIG
 class DatabaseValidation(BaseDatabaseValidation):
    def check(self, **kwargs):
        return self._check_encoding()
    def _check_encoding(self):
        """Throw a warning when the server_encoding is not UTF-8 or
        server_encoding and client_encoding are mismatched"""
        messages = []
        with self.connection.cursor() as cursor:
            cursor.execute("SHOW server_encoding;")
            server_encoding = cursor.fetchone()[0]
            cursor.execute("SHOW client_encoding;")
            client_encoding = cursor.fetchone()[0]
            if server_encoding != client_encoding:
                messages.append(
                    Warning(
                        "PostgreSQL Server and Client encoding are mismatched: Server: "
                        f"{server_encoding}, Client: {client_encoding}",
                        id="ak.db.W001",
                    )
                )
            if server_encoding != "UTF8":
                messages.append(
                    Warning(
                        f"PostgreSQL Server encoding is not UTF8: {server_encoding}",
                        id="ak.db.W002",
                    )
                )
        return messages
 class DatabaseWrapper(BaseDatabaseWrapper):
    """database backend which supports rotating credentials"""
    validation_class = DatabaseValidation
    def get_connection_params(self):
        """Refresh DB credentials before getting connection params"""
        conn_params = super().get_connection_params()
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -446,8 +446,6 @@ _DISALLOWED_ITEMS = [
    "MIDDLEWARE",
    "AUTHENTICATION_BACKENDS",
    "CELERY",
    "SPECTACULAR_SETTINGS",
    "REST_FRAMEWORK",
 ]
 SILENCED_SYSTEM_CHECKS = [
@ -470,8 +468,6 @@ def _update_settings(app_path: str):
        TENANT_APPS.extend(getattr(settings_module, "TENANT_APPS", []))
        MIDDLEWARE.extend(getattr(settings_module, "MIDDLEWARE", []))
        AUTHENTICATION_BACKENDS.extend(getattr(settings_module, "AUTHENTICATION_BACKENDS", []))
        SPECTACULAR_SETTINGS.update(getattr(settings_module, "SPECTACULAR_SETTINGS", {}))
        REST_FRAMEWORK.update(getattr(settings_module, "REST_FRAMEWORK", {}))
        CELERY["beat_schedule"].update(getattr(settings_module, "CELERY_BEAT_SCHEDULE", {}))
        for _attr in dir(settings_module):
            if not _attr.startswith("__") and _attr not in _DISALLOWED_ITEMS:
--- a/authentik/root/setup.py
+++ b/authentik/root/setup.py
@ -1,26 +0,0 @@
 import os
 import warnings
 from cryptography.hazmat.backends.openssl.backend import backend
 from defusedxml import defuse_stdlib
 from authentik.lib.config import CONFIG
 def setup():
    warnings.filterwarnings("ignore", "SelectableGroups dict interface")
    warnings.filterwarnings(
        "ignore",
        "defusedxml.lxml is no longer supported and will be removed in a future release.",
    )
    warnings.filterwarnings(
        "ignore",
        "defusedxml.cElementTree is deprecated, import from defusedxml.ElementTree instead.",
    )
    defuse_stdlib()
    if CONFIG.get_bool("compliance.fips.enabled", False):
        backend._enable_fips()
    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "authentik.root.settings")
--- a/authentik/root/test_runner.py
+++ b/authentik/root/test_runner.py
@ -3,46 +3,25 @@
 import os
 from argparse import ArgumentParser
 from unittest import TestCase
 from unittest.mock import patch
 import pytest
 from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
 from django.test.runner import DiscoverRunner
 from structlog.stdlib import get_logger
 from authentik.events.context_processors.asn import ASN_CONTEXT_PROCESSOR
 from authentik.events.context_processors.geoip import GEOIP_CONTEXT_PROCESSOR
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import sentry_init
 from authentik.root.signals import post_startup, pre_startup, startup
 from tests.e2e.utils import get_docker_tag
 # globally set maxDiff to none to show full assert error
 TestCase.maxDiff = None
 def get_docker_tag() -> str:
    """Get docker-tag based off of CI variables"""
    env_pr_branch = "GITHUB_HEAD_REF"
    default_branch = "GITHUB_REF"
    branch_name = os.environ.get(default_branch, "main")
    if os.environ.get(env_pr_branch, "") != "":
        branch_name = os.environ[env_pr_branch]
    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
    return f"gh-{branch_name}"
 def patched__get_ct_cached(app_label, codename):
    """Caches `ContentType` instances like its `QuerySet` does."""
    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
 class PytestTestRunner(DiscoverRunner):  # pragma: no cover
    """Runs pytest to discover and run tests."""
    def __init__(self, **kwargs):
        super().__init__(**kwargs)
        self.logger = get_logger().bind(runner="pytest")
        self.args = []
        if self.failfast:
@ -55,36 +34,22 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
        if kwargs.get("no_capture", False):
            self.args.append("--capture=no")
        self._setup_test_environment()
    def _setup_test_environment(self):
        """Configure test environment settings"""
        settings.TEST = True
        settings.CELERY["task_always_eager"] = True
-
+        CONFIG.set("events.context_processors.geoip", "tests/GeoLite2-City-Test.mmdb")
-        # Test-specific configuration
+        CONFIG.set("events.context_processors.asn", "tests/GeoLite2-ASN-Test.mmdb")
-        test_config = {
+        CONFIG.set("blueprints_dir", "./blueprints")
-            "events.context_processors.geoip": "tests/GeoLite2-City-Test.mmdb",
+        CONFIG.set(
-            "events.context_processors.asn": "tests/GeoLite2-ASN-Test.mmdb",
+            "outposts.container_image_base",
-            "blueprints_dir": "./blueprints",
+            f"ghcr.io/goauthentik/dev-%(type)s:{get_docker_tag()}",
-            "outposts.container_image_base": f"ghcr.io/goauthentik/dev-%(type)s:{get_docker_tag()}",
+        )
-            "tenants.enabled": False,
+        CONFIG.set("tenants.enabled", False)
-            "outposts.disable_embedded_outpost": False,
+        CONFIG.set("outposts.disable_embedded_outpost", False)
-            "error_reporting.sample_rate": 0,
+        CONFIG.set("error_reporting.sample_rate", 0)
-            "error_reporting.environment": "testing",
+        CONFIG.set("error_reporting.environment", "testing")
-            "error_reporting.send_pii": True,
+        CONFIG.set("error_reporting.send_pii", True)
        }
        for key, value in test_config.items():
            CONFIG.set(key, value)
        ASN_CONTEXT_PROCESSOR.load()
        GEOIP_CONTEXT_PROCESSOR.load()
        sentry_init()
        self.logger.debug("Test environment configured")
        # Send startup signals
        pre_startup.send(sender=self, mode="test")
        startup.send(sender=self, mode="test")
        post_startup.send(sender=self, mode="test")
@ -107,21 +72,7 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
            help="Disable any capturing of stdout/stderr during tests.",
        )
-    def _validate_test_label(self, label: str) -> bool:
+    def run_tests(self, test_labels, extra_tests=None, **kwargs):
        """Validate test label format"""
        if not label:
            return False
        # Check for invalid characters, but allow forward slashes and colons
        # for paths and pytest markers
        invalid_chars = set('\\*?"<>|')
        if any(c in label for c in invalid_chars):
            self.logger.error("Invalid characters in test label", label=label)
            return False
        return True
    def run_tests(self, test_labels: list[str], extra_tests=None, **kwargs):
        """Run pytest and return the exitcode.
        It translates some of Django's test command option to pytest's.
@ -131,17 +82,10 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
        The extra_tests argument has been deprecated since Django 5.x
        It is kept for compatibility with PyCharm's Django test runner.
        """
        if not test_labels:
            self.logger.error("No test files specified")
            return 1
        for label in test_labels:
            if not self._validate_test_label(label):
                return 1
            valid_label_found = False
            label_as_path = os.path.abspath(label)
            # File path has been specified
            if os.path.exists(label_as_path):
                self.args.append(label_as_path)
@ -149,31 +93,24 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
            elif "::" in label:
                self.args.append(label)
                valid_label_found = True
            # Convert dotted module path to file_path::class::method
            else:
                # Check if the label is a dotted module path
                path_pieces = label.split(".")
                # Check whether only class or class and method are specified
                for i in range(-1, -3, -1):
                    try:
                    path = os.path.join(*path_pieces[:i]) + ".py"
-                        if os.path.exists(path):
+                    label_as_path = os.path.abspath(path)
-                            if i < -1:
+                    if os.path.exists(label_as_path):
-                                path_method = path + "::" + "::".join(path_pieces[i:])
+                        path_method = label_as_path + "::" + "::".join(path_pieces[i:])
                        self.args.append(path_method)
                            else:
                                self.args.append(path)
                        valid_label_found = True
                        break
                    except (TypeError, IndexError):
                        continue
            if not valid_label_found:
-                self.logger.error("Test file not found", label=label)
+                raise RuntimeError(
-                return 1
+                    f"One of the test labels: {label!r}, "
                    f"is not supported. Use a dotted module name or "
                    f"path instead."
                )
        self.logger.info("Running tests", test_files=self.args)
        with patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached):
            try:
        return pytest.main(self.args)
            except Exception as e:
                self.logger.error("Error running tests", error=str(e), test_files=self.args)
                return 1
--- a/authentik/sources/ldap/tasks.py
+++ b/authentik/sources/ldap/tasks.py
@ -71,31 +71,37 @@ def ldap_sync_single(source_pk: str):
            return
        # Delete all sync tasks from the cache
        DBSystemTask.objects.filter(name="ldap_sync", uid__startswith=source.slug).delete()
-
+        task = chain(
-        # The order of these operations needs to be preserved as each depends on the previous one(s)
+            # User and group sync can happen at once, they have no dependencies on each other
-        # 1. User and group sync can happen simultaneously
+            group(
-        # 2. Membership sync needs to run afterwards
+                ldap_sync_paginator(source, UserLDAPSynchronizer)
-        # 3. Finally, user and group deletions can happen simultaneously
+                + ldap_sync_paginator(source, GroupLDAPSynchronizer),
-        user_group_sync = ldap_sync_paginator(source, UserLDAPSynchronizer) + ldap_sync_paginator(
+            ),
-            source, GroupLDAPSynchronizer
+            # Membership sync needs to run afterwards
            group(
                ldap_sync_paginator(source, MembershipLDAPSynchronizer),
            ),
            # Finally, deletions. What we'd really like to do here is something like
            # ```
            # user_identifiers = <ldap query>
            # User.objects.exclude(
            #     usersourceconnection__identifier__in=user_uniqueness_identifiers,
            # ).delete()
            # ```
            # This runs into performance issues in large installations. So instead we spread the
            # work out into three steps:
            # 1. Get every object from the LDAP source.
            # 2. Mark every object as "safe" in the database. This is quick, but any error could
            #    mean deleting users which should not be deleted, so we do it immediately, in
            #    large chunks, and only queue the deletion step afterwards.
            # 3. Delete every unmarked item. This is slow, so we spread it over many tasks in
            #    small chunks.
            group(
                ldap_sync_paginator(source, UserLDAPForwardDeletion)
                + ldap_sync_paginator(source, GroupLDAPForwardDeletion),
            ),
        )
-        membership_sync = ldap_sync_paginator(source, MembershipLDAPSynchronizer)
+        task()
        user_group_deletion = ldap_sync_paginator(
            source, UserLDAPForwardDeletion
        ) + ldap_sync_paginator(source, GroupLDAPForwardDeletion)
        # Celery is buggy with empty groups, so we are careful only to add non-empty groups.
        # See https://github.com/celery/celery/issues/9772
        task_groups = []
        if user_group_sync:
            task_groups.append(group(user_group_sync))
        if membership_sync:
            task_groups.append(group(membership_sync))
        if user_group_deletion:
            task_groups.append(group(user_group_deletion))
        all_tasks = chain(task_groups)
        all_tasks()
 def ldap_sync_paginator(source: LDAPSource, sync: type[BaseLDAPSynchronizer]) -> list:
--- a/authentik/sources/scim/tests/test_groups.py
+++ b/authentik/sources/scim/tests/test_groups.py
@ -1,277 +0,0 @@
 """Test SCIM Group"""
 from json import dumps
 from uuid import uuid4
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import Group
 from authentik.core.tests.utils import create_test_user
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.providers.scim.clients.schema import Group as SCIMGroupSchema
 from authentik.sources.scim.models import (
    SCIMSource,
    SCIMSourceGroup,
 )
 from authentik.sources.scim.views.v2.base import SCIM_CONTENT_TYPE
 class TestSCIMGroups(APITestCase):
    """Test SCIM Group view"""
    def setUp(self) -> None:
        self.source = SCIMSource.objects.create(name=generate_id(), slug=generate_id())
    def test_group_list(self):
        """Test full group list"""
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-groups",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, 200)
    def test_group_list_single(self):
        """Test full group list (single group)"""
        group = Group.objects.create(name=generate_id())
        user = create_test_user()
        group.users.add(user)
        SCIMSourceGroup.objects.create(
            source=self.source,
            group=group,
            id=str(uuid4()),
        )
        response = self.client.get(
            reverse(
                "authentik_sources_scim:v2-groups",
                kwargs={
                    "source_slug": self.source.slug,
                    "group_id": str(group.pk),
                },
            ),
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, second=200)
        SCIMGroupSchema.model_validate_json(response.content, strict=True)
    def test_group_create(self):
        """Test group create"""
        ext_id = generate_id()
        response = self.client.post(
            reverse(
                "authentik_sources_scim:v2-groups",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            data=dumps({"displayName": generate_id(), "externalId": ext_id}),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, 201)
        self.assertTrue(SCIMSourceGroup.objects.filter(source=self.source, id=ext_id).exists())
        self.assertTrue(
            Event.objects.filter(
                action=EventAction.MODEL_CREATED, user__username=self.source.token.user.username
            ).exists()
        )
    def test_group_create_members(self):
        """Test group create"""
        user = create_test_user()
        ext_id = generate_id()
        response = self.client.post(
            reverse(
                "authentik_sources_scim:v2-groups",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            data=dumps(
                {
                    "displayName": generate_id(),
                    "externalId": ext_id,
                    "members": [{"value": str(user.uuid)}],
                }
            ),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, 201)
        self.assertTrue(SCIMSourceGroup.objects.filter(source=self.source, id=ext_id).exists())
        self.assertTrue(
            Event.objects.filter(
                action=EventAction.MODEL_CREATED, user__username=self.source.token.user.username
            ).exists()
        )
    def test_group_create_members_empty(self):
        """Test group create"""
        ext_id = generate_id()
        response = self.client.post(
            reverse(
                "authentik_sources_scim:v2-groups",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            data=dumps({"displayName": generate_id(), "externalId": ext_id, "members": []}),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, 201)
        self.assertTrue(SCIMSourceGroup.objects.filter(source=self.source, id=ext_id).exists())
        self.assertTrue(
            Event.objects.filter(
                action=EventAction.MODEL_CREATED, user__username=self.source.token.user.username
            ).exists()
        )
    def test_group_create_duplicate(self):
        """Test group create (duplicate)"""
        group = Group.objects.create(name=generate_id())
        existing = SCIMSourceGroup.objects.create(source=self.source, group=group, id=uuid4())
        ext_id = generate_id()
        response = self.client.post(
            reverse(
                "authentik_sources_scim:v2-groups",
                kwargs={
                    "source_slug": self.source.slug,
                },
            ),
            data=dumps(
                {"displayName": generate_id(), "externalId": ext_id, "id": str(existing.group.pk)}
            ),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, 409)
        self.assertJSONEqual(
            response.content,
            {
                "detail": "Group with ID exists already.",
                "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                "scimType": "uniqueness",
                "status": 409,
            },
        )
    def test_group_update(self):
        """Test group update"""
        group = Group.objects.create(name=generate_id())
        existing = SCIMSourceGroup.objects.create(source=self.source, group=group, id=uuid4())
        ext_id = generate_id()
        response = self.client.put(
            reverse(
                "authentik_sources_scim:v2-groups",
                kwargs={"source_slug": self.source.slug, "group_id": group.pk},
            ),
            data=dumps(
                {"displayName": generate_id(), "externalId": ext_id, "id": str(existing.pk)}
            ),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, second=200)
    def test_group_update_non_existent(self):
        """Test group update"""
        ext_id = generate_id()
        response = self.client.put(
            reverse(
                "authentik_sources_scim:v2-groups",
                kwargs={
                    "source_slug": self.source.slug,
                    "group_id": str(uuid4()),
                },
            ),
            data=dumps({"displayName": generate_id(), "externalId": ext_id, "id": ""}),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, second=404)
        self.assertJSONEqual(
            response.content,
            {
                "detail": "Group not found.",
                "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                "status": 404,
            },
        )
    def test_group_patch_add(self):
        """Test group patch"""
        user = create_test_user()
        group = Group.objects.create(name=generate_id())
        SCIMSourceGroup.objects.create(source=self.source, group=group, id=uuid4())
        response = self.client.patch(
            reverse(
                "authentik_sources_scim:v2-groups",
                kwargs={"source_slug": self.source.slug, "group_id": group.pk},
            ),
            data=dumps(
                {
                    "Operations": [
                        {
                            "op": "Add",
                            "path": "members",
                            "value": {"value": str(user.uuid)},
                        }
                    ]
                }
            ),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, second=200)
        self.assertTrue(group.users.filter(pk=user.pk).exists())
    def test_group_patch_remove(self):
        """Test group patch"""
        user = create_test_user()
        group = Group.objects.create(name=generate_id())
        group.users.add(user)
        SCIMSourceGroup.objects.create(source=self.source, group=group, id=uuid4())
        response = self.client.patch(
            reverse(
                "authentik_sources_scim:v2-groups",
                kwargs={"source_slug": self.source.slug, "group_id": group.pk},
            ),
            data=dumps(
                {
                    "Operations": [
                        {
                            "op": "remove",
                            "path": "members",
                            "value": {"value": str(user.uuid)},
                        }
                    ]
                }
            ),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, second=200)
        self.assertFalse(group.users.filter(pk=user.pk).exists())
    def test_group_delete(self):
        """Test group delete"""
        group = Group.objects.create(name=generate_id())
        SCIMSourceGroup.objects.create(source=self.source, group=group, id=uuid4())
        response = self.client.delete(
            reverse(
                "authentik_sources_scim:v2-groups",
                kwargs={"source_slug": self.source.slug, "group_id": group.pk},
            ),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, second=204)
--- a/authentik/sources/scim/tests/test_users.py
+++ b/authentik/sources/scim/tests/test_users.py
@ -177,51 +177,3 @@ class TestSCIMUsers(APITestCase):
            SCIMSourceUser.objects.get(source=self.source, id=ext_id).user.attributes["phone"],
            "0123456789",
        )
    def test_user_update(self):
        """Test user update"""
        user = create_test_user()
        existing = SCIMSourceUser.objects.create(source=self.source, user=user, id=uuid4())
        ext_id = generate_id()
        response = self.client.put(
            reverse(
                "authentik_sources_scim:v2-users",
                kwargs={
                    "source_slug": self.source.slug,
                    "user_id": str(user.uuid),
                },
            ),
            data=dumps(
                {
                    "id": str(existing.pk),
                    "userName": generate_id(),
                    "externalId": ext_id,
                    "emails": [
                        {
                            "primary": True,
                            "value": user.email,
                        }
                    ],
                }
            ),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, 200)
    def test_user_delete(self):
        """Test user delete"""
        user = create_test_user()
        SCIMSourceUser.objects.create(source=self.source, user=user, id=uuid4())
        response = self.client.delete(
            reverse(
                "authentik_sources_scim:v2-users",
                kwargs={
                    "source_slug": self.source.slug,
                    "user_id": str(user.uuid),
                },
            ),
            content_type=SCIM_CONTENT_TYPE,
            HTTP_AUTHORIZATION=f"Bearer {self.source.token.key}",
        )
        self.assertEqual(response.status_code, 204)
--- a/authentik/sources/scim/views/v2/auth.py
+++ b/authentik/sources/scim/views/v2/auth.py
@ -8,7 +8,6 @@ from rest_framework.authentication import BaseAuthentication, get_authorization_
 from rest_framework.request import Request
 from rest_framework.views import APIView
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import Token, TokenIntents, User
 from authentik.sources.scim.models import SCIMSource
@ -27,7 +26,6 @@ class SCIMTokenAuth(BaseAuthentication):
        _username, _, password = b64decode(key.encode()).decode().partition(":")
        token = self.check_token(password, source_slug)
        if token:
            CTX_AUTH_VIA.set("scim_basic")
            return (token.user, token)
        return None
@ -54,5 +52,4 @@ class SCIMTokenAuth(BaseAuthentication):
        token = self.check_token(key, source_slug)
        if not token:
            return None
        CTX_AUTH_VIA.set("scim_token")
        return (token.user, token)
--- a/authentik/sources/scim/views/v2/base.py
+++ b/authentik/sources/scim/views/v2/base.py
@ -1,11 +1,13 @@
 """SCIM Utils"""
 from typing import Any
 from urllib.parse import urlparse
 from django.conf import settings
 from django.core.paginator import Page, Paginator
 from django.db.models import Q, QuerySet
 from django.http import HttpRequest
 from django.urls import resolve
 from rest_framework.parsers import JSONParser
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.renderers import JSONRenderer
@ -44,7 +46,7 @@ class SCIMView(APIView):
    logger: BoundLogger
    permission_classes = [IsAuthenticated]
-    parser_classes = [SCIMParser, JSONParser]
+    parser_classes = [SCIMParser]
    renderer_classes = [SCIMRenderer]
    def setup(self, request: HttpRequest, *args: Any, **kwargs: Any) -> None:
@ -54,6 +56,28 @@ class SCIMView(APIView):
    def get_authenticators(self):
        return [SCIMTokenAuth(self)]
    def patch_resolve_value(self, raw_value: dict) -> User | Group | None:
        """Attempt to resolve a raw `value` attribute of a patch operation into
        a database model"""
        model = User
        query = {}
        if "$ref" in raw_value:
            url = urlparse(raw_value["$ref"])
            if match := resolve(url.path):
                if match.url_name == "v2-users":
                    model = User
                    query = {"pk": int(match.kwargs["user_id"])}
        elif "type" in raw_value:
            match raw_value["type"]:
                case "User":
                    model = User
                    query = {"pk": int(raw_value["value"])}
                case "Group":
                    model = Group
        else:
            return None
        return model.objects.filter(**query).first()
    def filter_parse(self, request: Request):
        """Parse the path of a Patch Operation"""
        path = request.query_params.get("filter")
--- a/authentik/sources/scim/views/v2/exceptions.py
+++ b/authentik/sources/scim/views/v2/exceptions.py
@ -1,58 +0,0 @@
 from enum import Enum
 from pydanticscim.responses import SCIMError as BaseSCIMError
 from rest_framework.exceptions import ValidationError
 class SCIMErrorTypes(Enum):
    invalid_filter = "invalidFilter"
    too_many = "tooMany"
    uniqueness = "uniqueness"
    mutability = "mutability"
    invalid_syntax = "invalidSyntax"
    invalid_path = "invalidPath"
    no_target = "noTarget"
    invalid_value = "invalidValue"
    invalid_vers = "invalidVers"
    sensitive = "sensitive"
 class SCIMError(BaseSCIMError):
    scimType: SCIMErrorTypes | None = None
    detail: str | None = None
 class SCIMValidationError(ValidationError):
    status_code = 400
    default_detail = SCIMError(scimType=SCIMErrorTypes.invalid_syntax, status=400)
    def __init__(self, detail: SCIMError | None):
        if detail is None:
            detail = self.default_detail
        detail.status = self.status_code
        self.detail = detail.model_dump(mode="json", exclude_none=True)
 class SCIMConflictError(SCIMValidationError):
    status_code = 409
    def __init__(self, detail: str):
        super().__init__(
            SCIMError(
                detail=detail,
                scimType=SCIMErrorTypes.uniqueness,
                status=self.status_code,
            )
        )
 class SCIMNotFoundError(SCIMValidationError):
    status_code = 404
    def __init__(self, detail: str):
        super().__init__(
            SCIMError(
                detail=detail,
                status=self.status_code,
            )
        )
--- a/authentik/sources/scim/views/v2/groups.py
+++ b/authentik/sources/scim/views/v2/groups.py
@ -4,25 +4,19 @@ from uuid import uuid4
 from django.db.models import Q
 from django.db.transaction import atomic
-from django.http import QueryDict
+from django.http import Http404, QueryDict
 from django.urls import reverse
 from pydantic import ValidationError as PydanticValidationError
 from pydanticscim.group import GroupMember
 from rest_framework.exceptions import ValidationError
 from rest_framework.request import Request
 from rest_framework.response import Response
 from scim2_filter_parser.attr_paths import AttrPath
 from authentik.core.models import Group, User
-from authentik.providers.scim.clients.schema import SCIM_GROUP_SCHEMA, PatchOp, PatchOperation
+from authentik.providers.scim.clients.schema import SCIM_USER_SCHEMA
 from authentik.providers.scim.clients.schema import Group as SCIMGroupModel
 from authentik.sources.scim.models import SCIMSourceGroup
 from authentik.sources.scim.views.v2.base import SCIMObjectView
 from authentik.sources.scim.views.v2.exceptions import (
    SCIMConflictError,
    SCIMNotFoundError,
    SCIMValidationError,
 )
 class GroupsView(SCIMObjectView):
@ -33,7 +27,7 @@ class GroupsView(SCIMObjectView):
    def group_to_scim(self, scim_group: SCIMSourceGroup) -> dict:
        """Convert Group to SCIM data"""
        payload = SCIMGroupModel(
-            schemas=[SCIM_GROUP_SCHEMA],
+            schemas=[SCIM_USER_SCHEMA],
            id=str(scim_group.group.pk),
            externalId=scim_group.id,
            displayName=scim_group.group.name,
@ -64,7 +58,7 @@ class GroupsView(SCIMObjectView):
        if group_id:
            connection = base_query.filter(source=self.source, group__group_uuid=group_id).first()
            if not connection:
-                raise SCIMNotFoundError("Group not found.")
+                raise Http404
            return Response(self.group_to_scim(connection))
        connections = (
            base_query.filter(source=self.source).order_by("pk").filter(self.filter_parse(request))
@ -125,7 +119,7 @@ class GroupsView(SCIMObjectView):
        ).first()
        if connection:
            self.logger.debug("Found existing group")
-            raise SCIMConflictError("Group with ID exists already.")
+            return Response(status=409)
        connection = self.update_group(None, request.data)
        return Response(self.group_to_scim(connection), status=201)
@ -135,44 +129,10 @@ class GroupsView(SCIMObjectView):
            source=self.source, group__group_uuid=group_id
        ).first()
        if not connection:
-            raise SCIMNotFoundError("Group not found.")
+            raise Http404
        connection = self.update_group(connection, request.data)
        return Response(self.group_to_scim(connection), status=200)
    @atomic
    def patch(self, request: Request, group_id: str, **kwargs) -> Response:
        """Patch group handler"""
        connection = SCIMSourceGroup.objects.filter(
            source=self.source, group__group_uuid=group_id
        ).first()
        if not connection:
            raise SCIMNotFoundError("Group not found.")
        for _op in request.data.get("Operations", []):
            operation = PatchOperation.model_validate(_op)
            if operation.op.lower() not in ["add", "remove", "replace"]:
                raise SCIMValidationError()
            attr_path = AttrPath(f'{operation.path} eq ""', {})
            if attr_path.first_path == ("members", None, None):
                # FIXME: this can probably be de-duplicated
                if operation.op == PatchOp.add:
                    if not isinstance(operation.value, list):
                        operation.value = [operation.value]
                    query = Q()
                    for member in operation.value:
                        query |= Q(uuid=member["value"])
                    if query:
                        connection.group.users.add(*User.objects.filter(query))
                elif operation.op == PatchOp.remove:
                    if not isinstance(operation.value, list):
                        operation.value = [operation.value]
                    query = Q()
                    for member in operation.value:
                        query |= Q(uuid=member["value"])
                    if query:
                        connection.group.users.remove(*User.objects.filter(query))
        return Response(self.group_to_scim(connection), status=200)
    @atomic
    def delete(self, request: Request, group_id: str, **kwargs) -> Response:
        """Delete group handler"""
@ -180,7 +140,7 @@ class GroupsView(SCIMObjectView):
            source=self.source, group__group_uuid=group_id
        ).first()
        if not connection:
-            raise SCIMNotFoundError("Group not found.")
+            raise Http404
        connection.group.delete()
        connection.delete()
        return Response(status=204)
--- a/authentik/sources/scim/views/v2/resource_types.py
+++ b/authentik/sources/scim/views/v2/resource_types.py
@ -1,11 +1,11 @@
 """SCIM Meta views"""
 from django.http import Http404
 from django.urls import reverse
 from rest_framework.request import Request
 from rest_framework.response import Response
 from authentik.sources.scim.views.v2.base import SCIMView
 from authentik.sources.scim.views.v2.exceptions import SCIMNotFoundError
 class ResourceTypesView(SCIMView):
@ -138,7 +138,7 @@ class ResourceTypesView(SCIMView):
            resource = [x for x in resource_types if x.get("id") == resource_type]
            if resource:
                return Response(resource[0])
-            raise SCIMNotFoundError("Resource not found.")
+            raise Http404
        return Response(
            {
                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
--- a/authentik/sources/scim/views/v2/schemas.py
+++ b/authentik/sources/scim/views/v2/schemas.py
@ -3,12 +3,12 @@
 from json import loads
 from django.conf import settings
 from django.http import Http404
 from django.urls import reverse
 from rest_framework.request import Request
 from rest_framework.response import Response
 from authentik.sources.scim.views.v2.base import SCIMView
 from authentik.sources.scim.views.v2.exceptions import SCIMNotFoundError
 with open(
    settings.BASE_DIR / "authentik" / "sources" / "scim" / "schemas" / "schema.json",
@ -44,7 +44,7 @@ class SchemaView(SCIMView):
            schema = [x for x in schemas if x.get("id") == schema_uri]
            if schema:
                return Response(schema[0])
-            raise SCIMNotFoundError("Schema not found.")
+            raise Http404
        return Response(
            {
                "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
--- a/authentik/sources/scim/views/v2/service_provider_config.py
+++ b/authentik/sources/scim/views/v2/service_provider_config.py
@ -33,8 +33,6 @@ class ServiceProviderConfigView(SCIMView):
            {
                "schemas": ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
                "authenticationSchemes": auth_schemas,
                # We only support patch for groups currently, so don't broadly advertise it.
                # Implementations that require Group patch will use it regardless of this flag.
                "patch": {"supported": False},
                "bulk": {"supported": False, "maxOperations": 0, "maxPayloadSize": 0},
                "filter": {
--- a/authentik/sources/scim/views/v2/users.py
+++ b/authentik/sources/scim/views/v2/users.py
@ -4,7 +4,7 @@ from uuid import uuid4
 from django.db.models import Q
 from django.db.transaction import atomic
-from django.http import QueryDict
+from django.http import Http404, QueryDict
 from django.urls import reverse
 from pydanticscim.user import Email, EmailKind, Name
 from rest_framework.exceptions import ValidationError
@ -16,7 +16,6 @@ from authentik.providers.scim.clients.schema import SCIM_USER_SCHEMA
 from authentik.providers.scim.clients.schema import User as SCIMUserModel
 from authentik.sources.scim.models import SCIMSourceUser
 from authentik.sources.scim.views.v2.base import SCIMObjectView
 from authentik.sources.scim.views.v2.exceptions import SCIMConflictError, SCIMNotFoundError
 class UsersView(SCIMObjectView):
@ -70,7 +69,7 @@ class UsersView(SCIMObjectView):
                .first()
            )
            if not connection:
-                raise SCIMNotFoundError("User not found.")
+                raise Http404
            return Response(self.user_to_scim(connection))
        connections = (
            SCIMSourceUser.objects.filter(source=self.source).select_related("user").order_by("pk")
@ -123,7 +122,7 @@ class UsersView(SCIMObjectView):
        ).first()
        if connection:
            self.logger.debug("Found existing user")
-            raise SCIMConflictError("Group with ID exists already.")
+            return Response(status=409)
        connection = self.update_user(None, request.data)
        return Response(self.user_to_scim(connection), status=201)
@ -131,7 +130,7 @@ class UsersView(SCIMObjectView):
        """Update user handler"""
        connection = SCIMSourceUser.objects.filter(source=self.source, user__uuid=user_id).first()
        if not connection:
-            raise SCIMNotFoundError("User not found.")
+            raise Http404
        self.update_user(connection, request.data)
        return Response(self.user_to_scim(connection), status=200)
@ -140,7 +139,7 @@ class UsersView(SCIMObjectView):
        """Delete user handler"""
        connection = SCIMSourceUser.objects.filter(source=self.source, user__uuid=user_id).first()
        if not connection:
-            raise SCIMNotFoundError("User not found.")
+            raise Http404
        connection.user.delete()
        connection.delete()
        return Response(status=204)
--- a/authentik/stages/authenticator_validate/challenge.py
+++ b/authentik/stages/authenticator_validate/challenge.py
@ -1,7 +1,6 @@
 """Validation stage challenge checking"""
 from json import loads
 from typing import TYPE_CHECKING
 from urllib.parse import urlencode
 from django.http import HttpRequest
@ -37,12 +36,10 @@ from authentik.stages.authenticator_email.models import EmailDevice
 from authentik.stages.authenticator_sms.models import SMSDevice
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.authenticator_webauthn.models import UserVerification, WebAuthnDevice
-from authentik.stages.authenticator_webauthn.stage import PLAN_CONTEXT_WEBAUTHN_CHALLENGE
+from authentik.stages.authenticator_webauthn.stage import SESSION_KEY_WEBAUTHN_CHALLENGE
 from authentik.stages.authenticator_webauthn.utils import get_origin, get_rp_id
 LOGGER = get_logger()
 if TYPE_CHECKING:
    from authentik.stages.authenticator_validate.stage import AuthenticatorValidateStageView
 class DeviceChallenge(PassiveSerializer):
@ -55,11 +52,11 @@ class DeviceChallenge(PassiveSerializer):
 def get_challenge_for_device(
-    stage_view: "AuthenticatorValidateStageView", stage: AuthenticatorValidateStage, device: Device
+    request: HttpRequest, stage: AuthenticatorValidateStage, device: Device
 ) -> dict:
    """Generate challenge for a single device"""
    if isinstance(device, WebAuthnDevice):
-        return get_webauthn_challenge(stage_view, stage, device)
+        return get_webauthn_challenge(request, stage, device)
    if isinstance(device, EmailDevice):
        return {"email": mask_email(device.email)}
    # Code-based challenges have no hints
@ -67,30 +64,26 @@ def get_challenge_for_device(
 def get_webauthn_challenge_without_user(
-    stage_view: "AuthenticatorValidateStageView", stage: AuthenticatorValidateStage
+    request: HttpRequest, stage: AuthenticatorValidateStage
 ) -> dict:
    """Same as `get_webauthn_challenge`, but allows any client device. We can then later check
    who the device belongs to."""
-    stage_view.executor.plan.context.pop(PLAN_CONTEXT_WEBAUTHN_CHALLENGE, None)
+    request.session.pop(SESSION_KEY_WEBAUTHN_CHALLENGE, None)
    authentication_options = generate_authentication_options(
-        rp_id=get_rp_id(stage_view.request),
+        rp_id=get_rp_id(request),
        allow_credentials=[],
        user_verification=UserVerificationRequirement(stage.webauthn_user_verification),
    )
-    stage_view.executor.plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = (
+    request.session[SESSION_KEY_WEBAUTHN_CHALLENGE] = authentication_options.challenge
        authentication_options.challenge
    )
    return loads(options_to_json(authentication_options))
 def get_webauthn_challenge(
-    stage_view: "AuthenticatorValidateStageView",
+    request: HttpRequest, stage: AuthenticatorValidateStage, device: WebAuthnDevice | None = None
    stage: AuthenticatorValidateStage,
    device: WebAuthnDevice | None = None,
 ) -> dict:
    """Send the client a challenge that we'll check later"""
-    stage_view.executor.plan.context.pop(PLAN_CONTEXT_WEBAUTHN_CHALLENGE, None)
+    request.session.pop(SESSION_KEY_WEBAUTHN_CHALLENGE, None)
    allowed_credentials = []
@ -101,14 +94,12 @@ def get_webauthn_challenge(
            allowed_credentials.append(user_device.descriptor)
    authentication_options = generate_authentication_options(
-        rp_id=get_rp_id(stage_view.request),
+        rp_id=get_rp_id(request),
        allow_credentials=allowed_credentials,
        user_verification=UserVerificationRequirement(stage.webauthn_user_verification),
    )
-    stage_view.executor.plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = (
+    request.session[SESSION_KEY_WEBAUTHN_CHALLENGE] = authentication_options.challenge
        authentication_options.challenge
    )
    return loads(options_to_json(authentication_options))
@ -155,7 +146,7 @@ def validate_challenge_code(code: str, stage_view: StageView, user: User) -> Dev
 def validate_challenge_webauthn(data: dict, stage_view: StageView, user: User) -> Device:
    """Validate WebAuthn Challenge"""
    request = stage_view.request
-    challenge = stage_view.executor.plan.context.get(PLAN_CONTEXT_WEBAUTHN_CHALLENGE)
+    challenge = request.session.get(SESSION_KEY_WEBAUTHN_CHALLENGE)
    stage: AuthenticatorValidateStage = stage_view.executor.current_stage
    try:
        credential = parse_authentication_credential_json(data)
--- a/authentik/stages/authenticator_validate/stage.py
+++ b/authentik/stages/authenticator_validate/stage.py
@ -224,7 +224,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
                data={
                    "device_class": device_class,
                    "device_uid": device.pk,
-                    "challenge": get_challenge_for_device(self, stage, device),
+                    "challenge": get_challenge_for_device(self.request, stage, device),
                    "last_used": device.last_used,
                }
            )
@ -243,7 +243,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
                "device_class": DeviceClasses.WEBAUTHN,
                "device_uid": -1,
                "challenge": get_webauthn_challenge_without_user(
-                    self,
+                    self.request,
                    self.executor.current_stage,
                ),
                "last_used": None,
--- a/authentik/stages/authenticator_validate/tests/test_webauthn.py
+++ b/authentik/stages/authenticator_validate/tests/test_webauthn.py
@ -31,7 +31,7 @@ from authentik.stages.authenticator_webauthn.models import (
    WebAuthnDevice,
    WebAuthnDeviceType,
 )
-from authentik.stages.authenticator_webauthn.stage import PLAN_CONTEXT_WEBAUTHN_CHALLENGE
+from authentik.stages.authenticator_webauthn.stage import SESSION_KEY_WEBAUTHN_CHALLENGE
 from authentik.stages.authenticator_webauthn.tasks import webauthn_mds_import
 from authentik.stages.identification.models import IdentificationStage, UserFields
 from authentik.stages.user_login.models import UserLoginStage
@ -103,11 +103,7 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
            device_classes=[DeviceClasses.WEBAUTHN],
            webauthn_user_verification=UserVerification.PREFERRED,
        )
-        plan = FlowPlan("")
+        challenge = get_challenge_for_device(request, stage, webauthn_device)
        stage_view = AuthenticatorValidateStageView(
            FlowExecutorView(flow=None, current_stage=stage, plan=plan), request=request
        )
        challenge = get_challenge_for_device(stage_view, stage, webauthn_device)
        del challenge["challenge"]
        self.assertEqual(
            challenge,
@ -126,9 +122,7 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
        with self.assertRaises(ValidationError):
            validate_challenge_webauthn(
-                {},
+                {}, StageView(FlowExecutorView(current_stage=stage), request=request), self.user
                StageView(FlowExecutorView(current_stage=stage, plan=plan), request=request),
                self.user,
            )
    def test_device_challenge_webauthn_restricted(self):
@ -199,35 +193,22 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
            sign_count=0,
            rp_id=generate_id(),
        )
-        plan = FlowPlan("")
+        challenge = get_challenge_for_device(request, stage, webauthn_device)
-        plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
+        webauthn_challenge = request.session[SESSION_KEY_WEBAUTHN_CHALLENGE]
            "g98I51mQvZXo5lxLfhrD2zfolhZbLRyCgqkkYap1jwSaJ13BguoJWCF9_Lg3AgO4Wh-Bqa556JE20oKsYbl6RA"
        )
        stage_view = AuthenticatorValidateStageView(
            FlowExecutorView(flow=None, current_stage=stage, plan=plan), request=request
        )
        challenge = get_challenge_for_device(stage_view, stage, webauthn_device)
        self.assertEqual(
-            challenge["allowCredentials"],
+            challenge,
-            [
+            {
                "allowCredentials": [
                    {
                        "id": "QKZ97ASJAOIDyipAs6mKUxDUZgDrWrbAsUb5leL7-oU",
                        "type": "public-key",
                    }
                ],
-        )
+                "challenge": bytes_to_base64url(webauthn_challenge),
-        self.assertIsNotNone(challenge["challenge"])
+                "rpId": "testserver",
-        self.assertEqual(
+                "timeout": 60000,
-            challenge["rpId"],
+                "userVerification": "preferred",
-            "testserver",
+            },
        )
        self.assertEqual(
            challenge["timeout"],
            60000,
        )
        self.assertEqual(
            challenge["userVerification"],
            "preferred",
        )
    def test_get_challenge_userless(self):
@ -247,16 +228,18 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
            sign_count=0,
            rp_id=generate_id(),
        )
-        plan = FlowPlan("")
+        challenge = get_webauthn_challenge_without_user(request, stage)
-        stage_view = AuthenticatorValidateStageView(
+        webauthn_challenge = request.session[SESSION_KEY_WEBAUTHN_CHALLENGE]
-            FlowExecutorView(flow=None, current_stage=stage, plan=plan), request=request
+        self.assertEqual(
            challenge,
            {
                "allowCredentials": [],
                "challenge": bytes_to_base64url(webauthn_challenge),
                "rpId": "testserver",
                "timeout": 60000,
                "userVerification": "preferred",
            },
        )
        challenge = get_webauthn_challenge_without_user(stage_view, stage)
        self.assertEqual(challenge["allowCredentials"], [])
        self.assertIsNotNone(challenge["challenge"])
        self.assertEqual(challenge["rpId"], "testserver")
        self.assertEqual(challenge["timeout"], 60000)
        self.assertEqual(challenge["userVerification"], "preferred")
    def test_validate_challenge_unrestricted(self):
        """Test webauthn authentication (unrestricted webauthn device)"""
@ -292,10 +275,10 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
                "last_used": None,
            }
        ]
-        plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
+        session[SESSION_KEY_PLAN] = plan
        session[SESSION_KEY_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
            "aCC6ak_DP45xMH1qyxzUM5iC2xc4QthQb09v7m4qDBmY8FvWvhxFzSuFlDYQmclrh5fWS5q0TPxgJGF4vimcFQ"
        )
        session[SESSION_KEY_PLAN] = plan
        session.save()
        response = self.client.post(
@ -369,10 +352,10 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
                "last_used": None,
            }
        ]
-        plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
+        session[SESSION_KEY_PLAN] = plan
        session[SESSION_KEY_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
            "aCC6ak_DP45xMH1qyxzUM5iC2xc4QthQb09v7m4qDBmY8FvWvhxFzSuFlDYQmclrh5fWS5q0TPxgJGF4vimcFQ"
        )
        session[SESSION_KEY_PLAN] = plan
        session.save()
        response = self.client.post(
@ -450,10 +433,10 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
                "last_used": None,
            }
        ]
-        plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
+        session[SESSION_KEY_PLAN] = plan
        session[SESSION_KEY_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
            "g98I51mQvZXo5lxLfhrD2zfolhZbLRyCgqkkYap1jwSaJ13BguoJWCF9_Lg3AgO4Wh-Bqa556JE20oKsYbl6RA"
        )
        session[SESSION_KEY_PLAN] = plan
        session.save()
        response = self.client.post(
@ -513,14 +496,17 @@ class AuthenticatorValidateStageWebAuthnTests(FlowTestCase):
            not_configured_action=NotConfiguredAction.CONFIGURE,
            device_classes=[DeviceClasses.WEBAUTHN],
        )
-        plan = FlowPlan(flow.pk.hex)
+        stage_view = AuthenticatorValidateStageView(
-        plan.context[PLAN_CONTEXT_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
+            FlowExecutorView(flow=flow, current_stage=stage), request=request
            "g98I51mQvZXo5lxLfhrD2zfolhZbLRyCgqkkYap1jwSaJ13BguoJWCF9_Lg3AgO4Wh-Bqa556JE20oKsYbl6RA"
        )
        request = get_request("/")
        request.session[SESSION_KEY_WEBAUTHN_CHALLENGE] = base64url_to_bytes(
            "g98I51mQvZXo5lxLfhrD2zfolhZbLRyCgqkkYap1jwSaJ13BguoJWCF9_Lg3AgO4Wh-Bqa556JE20oKsYbl6RA"
        )
        request.session.save()
        stage_view = AuthenticatorValidateStageView(
-            FlowExecutorView(flow=flow, current_stage=stage, plan=plan), request=request
+            FlowExecutorView(flow=flow, current_stage=stage), request=request
        )
        request.META["SERVER_NAME"] = "localhost"
        request.META["SERVER_PORT"] = "9000"
--- a/authentik/stages/authenticator_webauthn/api/stages.py
+++ b/authentik/stages/authenticator_webauthn/api/stages.py
@ -25,7 +25,6 @@ class AuthenticatorWebAuthnStageSerializer(StageSerializer):
            "resident_key_requirement",
            "device_type_restrictions",
            "device_type_restrictions_obj",
            "max_attempts",
        ]
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jens Langhammer	6e1cf8a23c	slight refactors Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2025-06-09 00:48:28 +02:00
Jens Langhammer	fde6120e67	fix Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2025-06-08 15:52:24 +02:00
Jens Langhammer	dabd812071	fix more Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2025-06-08 03:03:48 +02:00
Jens Langhammer	db92da4cb8	fix em actually Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2025-06-08 02:51:27 +02:00
Jens Langhammer	81c23fff98	found the first bug Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2025-06-08 02:25:47 +02:00
Jens Langhammer	54b5774a15	better Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2025-06-08 02:16:03 +02:00
Jens Langhammer	ba4650a088	less hardcoded names Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2025-06-08 02:07:29 +02:00
Jens Langhammer	b7d2c5188b	improve Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2025-06-08 02:07:23 +02:00
Jens Langhammer	dd8e71df7d	initial optimisation Signed-off-by: Jens Langhammer <jens@goauthentik.io>	2025-06-08 01:24:12 +02:00