release: 2024.6.5

security: fix CVE-2024-47070 (#11536)

* security: fix CVE-2024-47070



* Update website/docs/security/CVE-2024-47070.md




---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Jens L. <jens@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.0
+current_version = 2024.6.5
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/dependabot.yml

@@ -21,7 +21,10 @@ updates:
     labels:
       - dependencies
   - package-ecosystem: npm
-    directory: "/web"
+    directories:
+      - "/web"
+      - "/tests/wdio"
+      - "/web/sfe"
     schedule:
       interval: daily
       time: "04:00"
@@ -30,7 +33,6 @@ updates:
     open-pull-requests-limit: 10
     commit-message:
       prefix: "web:"
-    # TODO: deduplicate these groups
     groups:
       sentry:
         patterns:
@@ -56,38 +58,6 @@ updates:
         patterns:
           - "@rollup/*"
           - "rollup-*"
-  - package-ecosystem: npm
-    directory: "/tests/wdio"
-    schedule:
-      interval: daily
-      time: "04:00"
-    labels:
-      - dependencies
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "web:"
-    # TODO: deduplicate these groups
-    groups:
-      sentry:
-        patterns:
-          - "@sentry/*"
-          - "@spotlightjs/*"
-      babel:
-        patterns:
-          - "@babel/*"
-          - "babel-*"
-      eslint:
-        patterns:
-          - "@typescript-eslint/*"
-          - "eslint"
-          - "eslint-*"
-      storybook:
-        patterns:
-          - "@storybook/*"
-          - "*storybook*"
-      esbuild:
-        patterns:
-          - "@esbuild/*"
       wdio:
         patterns:
           - "@wdio/*"

.github/workflows/api-ts-publish.yml

@@ -31,7 +31,12 @@ jobs:
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Upgrade /web
-        working-directory: web/
+        working-directory: web
+        run: |
+          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
+          npm i @goauthentik/api@$VERSION
+      - name: Upgrade /web/sfe
+        working-directory: web/sfe
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION

.github/workflows/ci-web.yml

@@ -20,6 +20,16 @@ jobs:
         project:
           - web
           - tests/wdio
+        include:
+          - command: tsc
+            project: web
+            extra_setup: |
+              cd sfe/ && npm ci
+        exclude:
+          - command: lint:lockfile
+            project: tests/wdio
+          - command: tsc
+            project: tests/wdio
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4

Dockerfile

@@ -30,7 +30,12 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
+    --mount=type=bind,target=/work/web/sfe/package.json,src=./web/sfe/package.json \
+    --mount=type=bind,target=/work/web/sfe/package-lock.json,src=./web/sfe/package-lock.json \
+    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
+    npm ci --include=dev && \
+    cd sfe && \
     npm ci --include=dev
 
 COPY ./package.json /work
@@ -38,7 +43,9 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 
-RUN npm run build
+RUN npm run build && \
+    cd sfe && \
+    npm run build
 
 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.6.0"
+__version__ = "2024.6.5"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/brands/api.py

@@ -24,7 +24,7 @@ from authentik.tenants.utils import get_current_tenant
 class FooterLinkSerializer(PassiveSerializer):
     """Links returned in Config API"""
 
-    href = CharField(read_only=True)
+    href = CharField(read_only=True, allow_null=True)
     name = CharField(read_only=True)
 
 

authentik/core/api/used_by.py

@@ -14,6 +14,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 
 from authentik.core.api.utils import PassiveSerializer
+from authentik.rbac.filters import ObjectFilter
 
 
 class DeleteAction(Enum):
@@ -53,7 +54,7 @@ class UsedByMixin:
     @extend_schema(
         responses={200: UsedBySerializer(many=True)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
     def used_by(self, request: Request, *args, **kwargs) -> Response:
         """Get a list of all objects that use this object"""
         model: Model = self.get_object()

authentik/core/migrations/0029_provider_backchannel_applications_and_more.py

@@ -7,12 +7,13 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
 def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
     from authentik.providers.ldap.models import LDAPProvider
     from authentik.providers.scim.models import SCIMProvider
 
     for model in [LDAPProvider, SCIMProvider]:
         try:
-            for obj in model.objects.only("is_backchannel"):
+            for obj in model.objects.using(db_alias).only("is_backchannel"):
                 obj.is_backchannel = True
                 obj.save()
         except (DatabaseError, InternalError, ProgrammingError):

authentik/core/sources/flow_manager.py

@@ -212,7 +212,7 @@ class SourceFlowManager:
 
     def _prepare_flow(
         self,
-        flow: Flow,
+        flow: Flow | None,
         connection: UserSourceConnection,
         stages: list[StageView] | None = None,
         **kwargs,
@@ -309,7 +309,9 @@ class SourceFlowManager:
         # When request isn't authenticated we jump straight to auth
         if not self.request.user.is_authenticated:
             return self.handle_auth(connection)
-        # Connection has already been saved
+        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
+            return self._prepare_flow(None, connection)
+        connection.save()
         Event.new(
             EventAction.SOURCE_LINKED,
             message="Linked Source",

authentik/core/templates/base/header_js.html

@@ -10,7 +10,7 @@
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",
     };
-    window.addEventListener("DOMContentLoaded", () => {
+    window.addEventListener("DOMContentLoaded", function () {
         {% for message in messages %}
         window.dispatchEvent(
             new CustomEvent("ak-message", {

authentik/core/templates/base/skeleton.html

@@ -4,7 +4,7 @@
 
 <!DOCTYPE html>
 
-<html lang="en">
+<html>
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">

authentik/core/templates/login/base_full.html

@@ -71,9 +71,9 @@
                 </li>
                 {% endfor %}
                 <li>
-                    <a href="https://goauthentik.io?utm_source=authentik">
+                    <span>
                         {% trans 'Powered by authentik' %}
-                    </a>
+                    </span>
                 </li>
             </ul>
         </footer>

authentik/core/templatetags/authentik_core.py

@@ -17,11 +17,5 @@ def versioned_script(path: str) -> str:
             f'<script src="{static_loader(path.replace("%v", get_full_version()))}'
             '" type="module"></script>'
         ),
-        # Legacy method of loading scripts used as a fallback, without the version in the filename
-        # TODO: Remove after 2024.6 or later
-        (
-            f'<script src="{static_loader(path.replace("-%v", ""))}?'
-            f'version={get_full_version()}" type="module"></script>'
-        ),
     ]
     return mark_safe("".join(returned_lines))  # nosec

authentik/core/urls.py

@@ -20,8 +20,9 @@ from authentik.core.api.transactional_applications import TransactionalApplicati
 from authentik.core.api.users import UserViewSet
 from authentik.core.views import apps
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import FlowInterfaceView, InterfaceView
+from authentik.core.views.interface import InterfaceView
 from authentik.core.views.session import EndSessionView
+from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
@@ -53,6 +54,8 @@ urlpatterns = [
     ),
     path(
         "if/flow/<slug:flow_slug>/",
+        # FIXME: move this url to the flows app...also will cause all
+        # of the reverse calls to be adjusted
         ensure_csrf_cookie(FlowInterfaceView.as_view()),
         name="if-flow",
     ),

authentik/core/views/interface.py

@@ -3,7 +3,6 @@
 from json import dumps
 from typing import Any
 
-from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 from rest_framework.request import Request
 
@@ -11,7 +10,6 @@ from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
-from authentik.flows.models import Flow
 
 
 class InterfaceView(TemplateView):
@@ -25,14 +23,3 @@ class InterfaceView(TemplateView):
         kwargs["build"] = get_build_hash()
         kwargs["url_kwargs"] = self.kwargs
         return super().get_context_data(**kwargs)
-
-
-class FlowInterfaceView(InterfaceView):
-    """Flow interface"""
-
-    template_name = "if/flow.html"
-
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
-        kwargs["inspector"] = "inspector" in self.request.GET
-        return super().get_context_data(**kwargs)

authentik/crypto/api.py

@@ -35,6 +35,7 @@ from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
+from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
 
@@ -265,7 +266,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
         ],
         responses={200: CertificateDataSerializer(many=False)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
     def view_certificate(self, request: Request, pk: str) -> Response:
         """Return certificate-key pairs certificate and log access"""
         certificate: CertificateKeyPair = self.get_object()
@@ -295,7 +296,7 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
         ],
         responses={200: CertificateDataSerializer(many=False)},
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
     def view_private_key(self, request: Request, pk: str) -> Response:
         """Return certificate-key pairs private key and log access"""
         certificate: CertificateKeyPair = self.get_object()

authentik/crypto/tests.py

@@ -214,6 +214,46 @@ class TestCrypto(APITestCase):
         self.assertEqual(200, response.status_code)
         self.assertIn("Content-Disposition", response)
 
+    def test_certificate_download_denied(self):
+        """Test certificate export (download)"""
+        self.client.logout()
+        keypair = create_test_cert()
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(403, response.status_code)
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={"pk": keypair.pk},
+            ),
+            data={"download": True},
+        )
+        self.assertEqual(403, response.status_code)
+
+    def test_private_key_download_denied(self):
+        """Test private_key export (download)"""
+        self.client.logout()
+        keypair = create_test_cert()
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-private-key",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(403, response.status_code)
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-private-key",
+                kwargs={"pk": keypair.pk},
+            ),
+            data={"download": True},
+        )
+        self.assertEqual(403, response.status_code)
+
     def test_used_by(self):
         """Test used_by endpoint"""
         self.client.force_login(create_test_admin_user())
@@ -246,6 +286,26 @@ class TestCrypto(APITestCase):
             ],
         )
 
+    def test_used_by_denied(self):
+        """Test used_by endpoint"""
+        self.client.logout()
+        keypair = create_test_cert()
+        OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            client_secret=generate_key(),
+            authorization_flow=create_test_flow(),
+            redirect_uris="http://localhost",
+            signing_key=keypair,
+        )
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-used-by",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(403, response.status_code)
+
     def test_discovery(self):
         """Test certificate discovery"""
         name = generate_id()

authentik/enterprise/providers/rac/api/connection_tokens.py

@@ -34,6 +34,12 @@ class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
         ]
 
 
+class ConnectionTokenOwnerFilter(OwnerFilter):
+    """Owner filter for connection tokens (checks session's user)"""
+
+    owner_key = "session__user"
+
+
 class ConnectionTokenViewSet(
     mixins.RetrieveModelMixin,
     mixins.UpdateModelMixin,
@@ -50,4 +56,9 @@ class ConnectionTokenViewSet(
     search_fields = ["endpoint__name", "provider__name"]
     ordering = ["endpoint__name", "provider__name"]
     permission_classes = [OwnerSuperuserPermissions]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    filter_backends = [
+        ConnectionTokenOwnerFilter,
+        DjangoFilterBackend,
+        OrderingFilter,
+        SearchFilter,
+    ]

authentik/enterprise/providers/rac/urls.py

@@ -5,7 +5,6 @@ from channels.sessions import CookieMiddleware
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
 
-from authentik.core.channels import TokenOutpostMiddleware
 from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet
 from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet
 from authentik.enterprise.providers.rac.api.property_mappings import RACPropertyMappingViewSet
@@ -13,6 +12,7 @@ from authentik.enterprise.providers.rac.api.providers import RACProviderViewSet
 from authentik.enterprise.providers.rac.consumer_client import RACClientConsumer
 from authentik.enterprise.providers.rac.consumer_outpost import RACOutpostConsumer
 from authentik.enterprise.providers.rac.views import RACInterface, RACStartView
+from authentik.outposts.channels import TokenOutpostMiddleware
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.middleware import ChannelsLoggingMiddleware
 

authentik/events/middleware.py

@@ -35,6 +35,7 @@ IGNORED_MODELS = tuple(
 
 _CTX_OVERWRITE_USER = ContextVar[User | None]("authentik_events_log_overwrite_user", default=None)
 _CTX_IGNORE = ContextVar[bool]("authentik_events_log_ignore", default=False)
+_CTX_REQUEST = ContextVar[HttpRequest | None]("authentik_events_log_request", default=None)
 
 
 def should_log_model(model: Model) -> bool:
@@ -149,11 +150,13 @@ class AuditMiddleware:
         m2m_changed.disconnect(dispatch_uid=request.request_id)
 
     def __call__(self, request: HttpRequest) -> HttpResponse:
+        _CTX_REQUEST.set(request)
         self.connect(request)
 
         response = self.get_response(request)
 
         self.disconnect(request)
+        _CTX_REQUEST.set(None)
         return response
 
     def process_exception(self, request: HttpRequest, exception: Exception):
@@ -167,7 +170,7 @@ class AuditMiddleware:
             thread = EventNewThread(
                 EventAction.SUSPICIOUS_REQUEST,
                 request,
-                message=str(exception),
+                message=exception_to_string(exception),
             )
             thread.run()
         elif before_send({}, {"exc_info": (None, exception, None)}) is not None:
@@ -192,6 +195,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
+        if request.request_id != _CTX_REQUEST.get().request_id:
+            return
         user = self.get_user(request)
 
         action = EventAction.MODEL_CREATED if created else EventAction.MODEL_UPDATED
@@ -205,6 +210,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
+        if request.request_id != _CTX_REQUEST.get().request_id:
+            return
         user = self.get_user(request)
 
         EventNewThread(
@@ -230,6 +237,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
+        if request.request_id != _CTX_REQUEST.get().request_id:
+            return
         user = self.get_user(request)
 
         EventNewThread(

authentik/events/models.py

@@ -238,6 +238,8 @@ class Event(SerializerModel, ExpiringModel):
                 "args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
                 "user_agent": request.META.get("HTTP_USER_AGENT", ""),
             }
+            if hasattr(request, "request_id"):
+                self.context["http_request"]["request_id"] = request.request_id
             # Special case for events created during flow execution
             # since they keep the http query within a wrapped query
             if QS_QUERY in self.context["http_request"]["args"]:

authentik/events/signals.py

@@ -75,7 +75,10 @@ def on_login_failed(
     **kwargs,
 ):
     """Failed Login, authentik custom event"""
-    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(request)
+    user = User.objects.filter(username=credentials.get("username")).first()
+    Event.new(EventAction.LOGIN_FAILED, **credentials, stage=stage, **kwargs).from_http(
+        request, user
+    )
 
 
 @receiver(invitation_used)

authentik/flows/api/flows.py

@@ -37,6 +37,7 @@ from authentik.lib.utils.file import (
 )
 from authentik.lib.views import bad_request_message
 from authentik.rbac.decorators import permission_required
+from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
 
@@ -281,7 +282,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
             400: OpenApiResponse(description="Flow not applicable"),
         },
     )
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
     def execute(self, request: Request, slug: str):
         """Execute flow for current user"""
         # Because we pre-plan the flow here, and not in the planner, we need to manually clear

authentik/flows/migrations/0027_auto_20231028_1424.py

@@ -21,7 +21,9 @@ def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEd
         pass
 
     if users.exists():
-        Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")
+        Flow.objects.using(db_alias).filter(slug="initial-setup").update(
+            authentication="require_superuser"
+        )
 
 
 class Migration(migrations.Migration):

authentik/flows/templates/if/flow-sfe.html

@@ -0,0 +1,54 @@
+{% load static %}
+{% load i18n %}
+{% load authentik_core %}
+
+<!DOCTYPE html>
+
+<html lang="en">
+    <head>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
+        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
+        <link rel="icon" href="{{ brand.branding_favicon }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
+        {% block head_before %}
+        {% endblock %}
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">
+        <meta name="sentry-trace" content="{{ sentry_trace }}" />
+        {% include "base/header_js.html" %}
+        <style>
+          html,
+          body {
+            height: 100%;
+          }
+          body {
+            background-image: url("{{ flow.background_url }}");
+            background-repeat: no-repeat;
+            background-size: cover;
+          }
+          .card {
+            padding: 3rem;
+          }
+
+          .form-signin {
+            max-width: 330px;
+            padding: 1rem;
+          }
+
+          .form-signin .form-floating:focus-within {
+            z-index: 2;
+          }
+          .brand-icon {
+            max-width: 100%;
+          }
+        </style>
+    </head>
+    <body class="d-flex align-items-center py-4 bg-body-tertiary">
+      <div class="card m-auto">
+        <main class="form-signin w-100 m-auto" id="flow-sfe-container">
+        </main>
+        <span class="mt-3 mb-0 text-muted text-center">{% trans 'Powered by authentik' %}</span>
+      </div>
+      <script src="{% static 'dist/sfe/index.js' %}"></script>
+    </body>
+</html>

authentik/flows/views/interface.py

@@ -0,0 +1,41 @@
+"""Interface views"""
+
+from typing import Any
+
+from django.shortcuts import get_object_or_404
+from ua_parser.user_agent_parser import Parse
+
+from authentik.core.views.interface import InterfaceView
+from authentik.flows.models import Flow
+
+
+class FlowInterfaceView(InterfaceView):
+    """Flow interface"""
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        kwargs["inspector"] = "inspector" in self.request.GET
+        return super().get_context_data(**kwargs)
+
+    def compat_needs_sfe(self) -> bool:
+        """Check if we need to use the simplified flow executor for compatibility"""
+        ua = Parse(self.request.META.get("HTTP_USER_AGENT", ""))
+        if ua["user_agent"]["family"] == "IE":
+            return True
+        # Only use SFE for Edge 18 and older, after Edge 18 MS switched to chromium which supports
+        # the default flow executor
+        if (
+            ua["user_agent"]["family"] == "Edge"
+            and int(ua["user_agent"]["major"]) <= 18  # noqa: PLR2004
+        ):  # noqa: PLR2004
+            return True
+        # https://github.com/AzureAD/microsoft-authentication-library-for-objc
+        # Used by Microsoft Teams/Office on macOS, and also uses a very outdated browser engine
+        if "PKeyAuth" in ua["string"]:
+            return True
+        return False
+
+    def get_template_names(self) -> list[str]:
+        if self.compat_needs_sfe() or "sfe" in self.request.GET:
+            return ["if/flow-sfe.html"]
+        return ["if/flow.html"]

authentik/lib/sync/outgoing/signals.py

@@ -2,6 +2,7 @@ from collections.abc import Callable
 
 from django.core.paginator import Paginator
 from django.db.models import Model
+from django.db.models.query import Q
 from django.db.models.signals import m2m_changed, post_save, pre_delete
 
 from authentik.core.models import Group, User
@@ -34,7 +35,9 @@ def register_signals(
 
     def model_post_save(sender: type[Model], instance: User | Group, created: bool, **_):
         """Post save handler"""
-        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
+        if not provider_type.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ).exists():
             return
         task_sync_direct.delay(class_to_path(instance.__class__), instance.pk, Direction.add.value)
 
@@ -43,7 +46,9 @@ def register_signals(
 
     def model_pre_delete(sender: type[Model], instance: User | Group, **_):
         """Pre-delete handler"""
-        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
+        if not provider_type.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ).exists():
             return
         task_sync_direct.delay(
             class_to_path(instance.__class__), instance.pk, Direction.remove.value
@@ -58,7 +63,9 @@ def register_signals(
         """Sync group membership"""
         if action not in ["post_add", "post_remove"]:
             return
-        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
+        if not provider_type.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ).exists():
             return
         # reverse: instance is a Group, pk_set is a list of user pks
         # non-reverse: instance is a User, pk_set is a list of groups

authentik/lib/sync/outgoing/tasks.py

@@ -5,6 +5,7 @@ from celery.exceptions import Retry
 from celery.result import allow_join_result
 from django.core.paginator import Paginator
 from django.db.models import Model, QuerySet
+from django.db.models.query import Q
 from django.utils.text import slugify
 from django.utils.translation import gettext_lazy as _
 from structlog.stdlib import BoundLogger, get_logger
@@ -37,7 +38,9 @@ class SyncTasks:
         self._provider_model = provider_model
 
     def sync_all(self, single_sync: Callable[[int], None]):
-        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
+        for provider in self._provider_model.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ):
             self.trigger_single_task(provider, single_sync)
 
     def trigger_single_task(self, provider: OutgoingSyncProvider, sync_task: Callable[[int], None]):
@@ -62,7 +65,8 @@ class SyncTasks:
             provider_pk=provider_pk,
         )
         provider = self._provider_model.objects.filter(
-            pk=provider_pk, backchannel_application__isnull=False
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False),
+            pk=provider_pk,
         ).first()
         if not provider:
             return
@@ -204,7 +208,9 @@ class SyncTasks:
         if not instance:
             return
         operation = Direction(raw_op)
-        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
+        for provider in self._provider_model.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ):
             client = provider.client_for_model(instance.__class__)
             # Check if the object is allowed within the provider's restrictions
             queryset = provider.get_object_qs(instance.__class__)
@@ -223,6 +229,8 @@ class SyncTasks:
                     client.delete(instance)
             except TransientSyncException as exc:
                 raise Retry() from exc
+            except SkipObjectException:
+                continue
             except StopSync as exc:
                 self.logger.warning(exc, provider_pk=provider.pk)
 
@@ -233,7 +241,9 @@ class SyncTasks:
         group = Group.objects.filter(pk=group_pk).first()
         if not group:
             return
-        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
+        for provider in self._provider_model.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ):
             # Check if the object is allowed within the provider's restrictions
             queryset: QuerySet = provider.get_object_qs(Group)
             # The queryset we get from the provider must include the instance we've got given
@@ -251,5 +261,7 @@ class SyncTasks:
                 client.update_group(group, operation, pk_set)
             except TransientSyncException as exc:
                 raise Retry() from exc
+            except SkipObjectException:
+                continue
             except StopSync as exc:
                 self.logger.warning(exc, provider_pk=provider.pk)

authentik/lib/tests/test_http.py

@@ -30,6 +30,11 @@ class TestHTTP(TestCase):
         request = self.factory.get("/", HTTP_X_FORWARDED_FOR="127.0.0.2")
         self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.2")
 
+    def test_forward_for_invalid(self):
+        """Test invalid forward for"""
+        request = self.factory.get("/", HTTP_X_FORWARDED_FOR="foobar")
+        self.assertEqual(ClientIPMiddleware.get_client_ip(request), ClientIPMiddleware.default_ip)
+
     def test_fake_outpost(self):
         """Test faked IP which is overridden by an outpost"""
         token = Token.objects.create(
@@ -53,6 +58,17 @@ class TestHTTP(TestCase):
             },
         )
         self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
+        # Invalid, not a real IP
+        self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
+        self.user.save()
+        request = self.factory.get(
+            "/",
+            **{
+                ClientIPMiddleware.outpost_remote_ip_header: "foobar",
+                ClientIPMiddleware.outpost_token_header: token.key,
+            },
+        )
+        self.assertEqual(ClientIPMiddleware.get_client_ip(request), "127.0.0.1")
         # Valid
         self.user.type = UserTypes.INTERNAL_SERVICE_ACCOUNT
         self.user.save()

authentik/outposts/api/outposts.py

@@ -20,6 +20,7 @@ from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSeri
 from authentik.core.models import Provider
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.providers.rac.models import RACProvider
+from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
 from authentik.outposts.api.service_connections import ServiceConnectionSerializer
 from authentik.outposts.apps import MANAGED_OUTPOST, MANAGED_OUTPOST_NAME
 from authentik.outposts.models import (
@@ -49,6 +50,10 @@ class OutpostSerializer(ModelSerializer):
     service_connection_obj = ServiceConnectionSerializer(
         source="service_connection", read_only=True
     )
+    refresh_interval_s = SerializerMethodField()
+
+    def get_refresh_interval_s(self, obj: Outpost) -> int:
+        return int(timedelta_from_string(obj.config.refresh_interval).total_seconds())
 
     def validate_name(self, name: str) -> str:
         """Validate name (especially for embedded outpost)"""
@@ -84,7 +89,8 @@ class OutpostSerializer(ModelSerializer):
     def validate_config(self, config) -> dict:
         """Check that the config has all required fields"""
         try:
-            from_dict(OutpostConfig, config)
+            parsed = from_dict(OutpostConfig, config)
+            timedelta_string_validator(parsed.refresh_interval)
         except DaciteError as exc:
             raise ValidationError(f"Failed to validate config: {str(exc)}") from exc
         return config
@@ -99,6 +105,7 @@ class OutpostSerializer(ModelSerializer):
             "providers_obj",
             "service_connection",
             "service_connection_obj",
+            "refresh_interval_s",
             "token_identifier",
             "config",
             "managed",

authentik/outposts/api/service_connections.py

@@ -26,6 +26,7 @@ from authentik.outposts.models import (
     KubernetesServiceConnection,
     OutpostServiceConnection,
 )
+from authentik.rbac.filters import ObjectFilter
 
 
 class ServiceConnectionSerializer(ModelSerializer, MetaNameSerializer):
@@ -75,7 +76,7 @@ class ServiceConnectionViewSet(
     filterset_fields = ["name"]
 
     @extend_schema(responses={200: ServiceConnectionStateSerializer(many=False)})
-    @action(detail=True, pagination_class=None, filter_backends=[])
+    @action(detail=True, pagination_class=None, filter_backends=[ObjectFilter])
     def state(self, request: Request, pk: str) -> Response:
         """Get the service connection's state"""
         connection = self.get_object()

authentik/outposts/migrations/0001_squashed_0017_outpost_managed.py

@@ -13,16 +13,17 @@ import authentik.outposts.models
 
 
 def fix_missing_token_identifier(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
     User = apps.get_model("authentik_core", "User")
     Token = apps.get_model("authentik_core", "Token")
     from authentik.outposts.models import Outpost
 
-    for outpost in Outpost.objects.using(schema_editor.connection.alias).all().only("pk"):
+    for outpost in Outpost.objects.using(db_alias).all().only("pk"):
         user_identifier = outpost.user_identifier
-        users = User.objects.filter(username=user_identifier)
+        users = User.objects.using(db_alias).filter(username=user_identifier)
         if not users.exists():
             continue
-        tokens = Token.objects.filter(user=users.first())
+        tokens = Token.objects.using(db_alias).filter(user=users.first())
         for token in tokens:
             if token.identifier != outpost.token_identifier:
                 token.identifier = outpost.token_identifier
@@ -37,8 +38,8 @@ def migrate_to_service_connection(apps: Apps, schema_editor: BaseDatabaseSchemaE
         "authentik_outposts", "KubernetesServiceConnection"
     )
 
-    docker = DockerServiceConnection.objects.filter(local=True).first()
-    k8s = KubernetesServiceConnection.objects.filter(local=True).first()
+    docker = DockerServiceConnection.objects.using(db_alias).filter(local=True).first()
+    k8s = KubernetesServiceConnection.objects.using(db_alias).filter(local=True).first()
 
     try:
         for outpost in Outpost.objects.using(db_alias).all().exclude(deployment_type="custom"):
@@ -54,21 +55,21 @@ def migrate_to_service_connection(apps: Apps, schema_editor: BaseDatabaseSchemaE
 
 
 def remove_pb_prefix_users(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    alias = schema_editor.connection.alias
+    db_alias = schema_editor.connection.alias
     User = apps.get_model("authentik_core", "User")
     Outpost = apps.get_model("authentik_outposts", "Outpost")
 
-    for outpost in Outpost.objects.using(alias).all():
-        matching = User.objects.using(alias).filter(username=f"pb-outpost-{outpost.uuid.hex}")
+    for outpost in Outpost.objects.using(db_alias).all():
+        matching = User.objects.using(db_alias).filter(username=f"pb-outpost-{outpost.uuid.hex}")
         if matching.exists():
             matching.delete()
 
 
 def update_config_prefix(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    alias = schema_editor.connection.alias
+    db_alias = schema_editor.connection.alias
     Outpost = apps.get_model("authentik_outposts", "Outpost")
 
-    for outpost in Outpost.objects.using(alias).all():
+    for outpost in Outpost.objects.using(db_alias).all():
         config = outpost._config
         for key in list(config):
             if "passbook" in key:

authentik/outposts/models.py

@@ -61,6 +61,7 @@ class OutpostConfig:
 
     log_level: str = CONFIG.get("log_level")
     object_naming_template: str = field(default="ak-outpost-%(name)s")
+    refresh_interval: str = "minutes=5"
 
     container_image: str | None = field(default=None)
 

authentik/outposts/tests/test_ws.py

@@ -2,7 +2,6 @@
 
 from dataclasses import asdict
 
-from channels.exceptions import DenyConnection
 from channels.routing import URLRouter
 from channels.testing import WebsocketCommunicator
 from django.test import TransactionTestCase
@@ -37,9 +36,8 @@ class TestOutpostWS(TransactionTestCase):
         communicator = WebsocketCommunicator(
             URLRouter(websocket.websocket_urlpatterns), f"/ws/outpost/{self.outpost.pk}/"
         )
-        with self.assertRaises(DenyConnection):
-            connected, _ = await communicator.connect()
-            self.assertFalse(connected)
+        connected, _ = await communicator.connect()
+        self.assertFalse(connected)
 
     async def test_auth_valid(self):
         """Test auth with token"""

authentik/outposts/urls.py

@@ -2,13 +2,13 @@
 
 from django.urls import path
 
-from authentik.core.channels import TokenOutpostMiddleware
 from authentik.outposts.api.outposts import OutpostViewSet
 from authentik.outposts.api.service_connections import (
     DockerServiceConnectionViewSet,
     KubernetesServiceConnectionViewSet,
     ServiceConnectionViewSet,
 )
+from authentik.outposts.channels import TokenOutpostMiddleware
 from authentik.outposts.consumer import OutpostConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
 

authentik/policies/reputation/api.py

@@ -1,6 +1,8 @@
 """Reputation policy API Views"""
 
 from django.utils.translation import gettext_lazy as _
+from django_filters.filters import BaseInFilter, CharFilter
+from django_filters.filterset import FilterSet
 from rest_framework import mixins
 from rest_framework.exceptions import ValidationError
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
@@ -11,6 +13,10 @@ from authentik.policies.api.policies import PolicySerializer
 from authentik.policies.reputation.models import Reputation, ReputationPolicy
 
 
+class CharInFilter(BaseInFilter, CharFilter):
+    pass
+
+
 class ReputationPolicySerializer(PolicySerializer):
     """Reputation Policy Serializer"""
 
@@ -38,6 +44,16 @@ class ReputationPolicyViewSet(UsedByMixin, ModelViewSet):
     ordering = ["name"]
 
 
+class ReputationFilter(FilterSet):
+    """Filter for reputation"""
+
+    identifier_in = CharInFilter(field_name="identifier", lookup_expr="in")
+
+    class Meta:
+        model = Reputation
+        fields = ["identifier", "ip", "score"]
+
+
 class ReputationSerializer(ModelSerializer):
     """Reputation Serializer"""
 
@@ -66,5 +82,5 @@ class ReputationViewSet(
     queryset = Reputation.objects.all()
     serializer_class = ReputationSerializer
     search_fields = ["identifier", "ip", "score"]
-    filterset_fields = ["identifier", "ip", "score"]
+    filterset_class = ReputationFilter
     ordering = ["ip"]

authentik/providers/oauth2/tests/test_introspect.py

@@ -29,7 +29,6 @@ class TesOAuth2Introspection(OAuthTestCase):
         self.app = Application.objects.create(
             name=generate_id(), slug=generate_id(), provider=self.provider
         )
-        self.app.save()
         self.user = create_test_admin_user()
         self.auth = b64encode(
             f"{self.provider.client_id}:{self.provider.client_secret}".encode()
@@ -114,6 +113,41 @@ class TesOAuth2Introspection(OAuthTestCase):
             },
         )
 
+    def test_introspect_invalid_provider(self):
+        """Test introspection (mismatched provider and token)"""
+        provider: OAuth2Provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+            redirect_uris="",
+            signing_key=create_test_cert(),
+        )
+        auth = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
+
+        token: AccessToken = AccessToken.objects.create(
+            provider=self.provider,
+            user=self.user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+        res = self.client.post(
+            reverse("authentik_providers_oauth2:token-introspection"),
+            HTTP_AUTHORIZATION=f"Basic {auth}",
+            data={"token": token.token},
+        )
+        self.assertEqual(res.status_code, 200)
+        self.assertJSONEqual(
+            res.content.decode(),
+            {
+                "active": False,
+            },
+        )
+
     def test_introspect_invalid_auth(self):
         """Test introspect (invalid auth)"""
         res = self.client.post(

authentik/providers/oauth2/views/introspection.py

@@ -46,10 +46,10 @@ class TokenIntrospectionParams:
         if not provider:
             raise TokenIntrospectionError
 
-        access_token = AccessToken.objects.filter(token=raw_token).first()
+        access_token = AccessToken.objects.filter(token=raw_token, provider=provider).first()
         if access_token:
             return TokenIntrospectionParams(access_token, provider)
-        refresh_token = RefreshToken.objects.filter(token=raw_token).first()
+        refresh_token = RefreshToken.objects.filter(token=raw_token, provider=provider).first()
         if refresh_token:
             return TokenIntrospectionParams(refresh_token, provider)
         LOGGER.debug("Token does not exist", token=raw_token)

authentik/providers/saml/api/providers.py

@@ -268,7 +268,7 @@ class SAMLProviderViewSet(UsedByMixin, ModelViewSet):
         except ValueError as exc:  # pragma: no cover
             LOGGER.warning(str(exc))
             raise ValidationError(
-                _("Failed to import Metadata: {messages}".format_map({"message": str(exc)})),
+                _("Failed to import Metadata: {messages}".format_map({"messages": str(exc)})),
             ) from None
         return Response(status=204)
 

authentik/providers/scim/clients/base.py

@@ -89,6 +89,6 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
             return ServiceProviderConfiguration.model_validate(
                 self._request("GET", "/ServiceProviderConfig")
             )
-        except (ValidationError, SCIMRequestException) as exc:
+        except (ValidationError, SCIMRequestException, NotFoundSyncException) as exc:
             self.logger.warning("failed to get ServiceProviderConfig", exc=exc)
             return default_config

authentik/root/middleware.py

@@ -2,6 +2,7 @@
 
 from collections.abc import Callable
 from hashlib import sha512
+from ipaddress import ip_address
 from time import perf_counter, time
 from typing import Any
 
@@ -174,6 +175,7 @@ class ClientIPMiddleware:
 
     def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
         self.get_response = get_response
+        self.logger = get_logger().bind()
 
     def _get_client_ip_from_meta(self, meta: dict[str, Any]) -> str:
         """Attempt to get the client's IP by checking common HTTP Headers.
@@ -185,11 +187,16 @@ class ClientIPMiddleware:
             "HTTP_X_FORWARDED_FOR",
             "REMOTE_ADDR",
         )
-        for _header in headers:
-            if _header in meta:
-                ips: list[str] = meta.get(_header).split(",")
-                return ips[0].strip()
-        return self.default_ip
+        try:
+            for _header in headers:
+                if _header in meta:
+                    ips: list[str] = meta.get(_header).split(",")
+                    # Ensure the IP parses as a valid IP
+                    return str(ip_address(ips[0].strip()))
+            return self.default_ip
+        except ValueError as exc:
+            self.logger.debug("Invalid remote IP", exc=exc)
+            return self.default_ip
 
     # FIXME: this should probably not be in `root` but rather in a middleware in `outposts`
     # but for now it's fine
@@ -228,7 +235,11 @@ class ClientIPMiddleware:
         Hub.current.scope.set_user(user)
         # Set the outpost service account on the request
         setattr(request, self.request_attr_outpost_user, user)
-        return delegated_ip
+        try:
+            return str(ip_address(delegated_ip))
+        except ValueError as exc:
+            self.logger.debug("Invalid remote IP from Outpost", exc=exc)
+            return None
 
     def _get_client_ip(self, request: HttpRequest | None) -> str:
         """Attempt to get the client's IP by checking common HTTP Headers.
@@ -274,9 +285,13 @@ class ChannelsLoggingMiddleware:
         self.log(scope)
         try:
             return await self.inner(scope, receive, send)
+        except DenyConnection:
+            return await send({"type": "websocket.close"})
         except Exception as exc:
+            if settings.DEBUG:
+                raise exc
             LOGGER.warning("Exception in ASGI application", exc=exc)
-            raise DenyConnection() from None
+            return await send({"type": "websocket.close"})
 
     def log(self, scope: dict, **kwargs):
         """Log request"""

authentik/sources/ldap/migrations/0001_squashed_0012_auto_20210812_1703.py

@@ -31,9 +31,9 @@ def set_default_group_mappings(apps: Apps, schema_editor):
     db_alias = schema_editor.connection.alias
 
     for source in LDAPSource.objects.using(db_alias).all():
-        if source.property_mappings_group.exists():
+        if source.property_mappings_group.using(db_alias).exists():
             continue
-        source.property_mappings_group.set(
+        source.property_mappings_group.using(db_alias).set(
             LDAPPropertyMapping.objects.using(db_alias).filter(
                 managed="goauthentik.io/sources/ldap/default-name"
             )

authentik/sources/ldap/signals.py

@@ -39,7 +39,7 @@ def sync_ldap_source_on_save(sender, instance: LDAPSource, **_):
 @receiver(password_validate)
 def ldap_password_validate(sender, password: str, plan_context: dict[str, Any], **__):
     """if there's an LDAP Source with enabled password sync, check the password"""
-    sources = LDAPSource.objects.filter(sync_users_password=True)
+    sources = LDAPSource.objects.filter(sync_users_password=True, enabled=True)
     if not sources.exists():
         return
     source = sources.first()
@@ -56,7 +56,7 @@ def ldap_password_validate(sender, password: str, plan_context: dict[str, Any],
 @receiver(password_changed)
 def ldap_sync_password(sender, user: User, password: str, **_):
     """Connect to ldap and update password."""
-    sources = LDAPSource.objects.filter(sync_users_password=True)
+    sources = LDAPSource.objects.filter(sync_users_password=True, enabled=True)
     if not sources.exists():
         return
     source = sources.first()

authentik/sources/oauth/types/facebook.py

@@ -2,9 +2,6 @@
 
 from typing import Any
 
-from facebook import GraphAPI
-
-from authentik.sources.oauth.clients.oauth2 import OAuth2Client
 from authentik.sources.oauth.types.registry import SourceType, registry
 from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
@@ -19,19 +16,9 @@ class FacebookOAuthRedirect(OAuthRedirect):
         }
 
 
-class FacebookOAuth2Client(OAuth2Client):
-    """Facebook OAuth2 Client"""
-
-    def get_profile_info(self, token: dict[str, str]) -> dict[str, Any] | None:
-        api = GraphAPI(access_token=token["access_token"])
-        return api.get_object("me", fields="id,name,email")
-
-
 class FacebookOAuth2Callback(OAuthCallback):
     """Facebook OAuth2 Callback"""
 
-    client_class = FacebookOAuth2Client
-
     def get_user_enroll_context(
         self,
         info: dict[str, Any],

authentik/sources/saml/migrations/0001_squashed_0009_auto_20210301_0949.py

@@ -10,6 +10,8 @@ from authentik.sources.saml.processors import constants
 
 
 def update_algorithms(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
+
     SAMLSource = apps.get_model("authentik_sources_saml", "SAMLSource")
     signature_translation_map = {
         "rsa-sha1": constants.RSA_SHA1,
@@ -22,7 +24,7 @@ def update_algorithms(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
         "sha256": constants.SHA256,
     }
 
-    for source in SAMLSource.objects.all():
+    for source in SAMLSource.objects.using(db_alias).all():
         source.signature_algorithm = signature_translation_map.get(
             source.signature_algorithm, constants.RSA_SHA256
         )

authentik/sources/saml/processors/response.py

@@ -10,6 +10,7 @@ from django.core.cache import cache
 from django.core.exceptions import SuspiciousOperation
 from django.http import HttpRequest
 from django.utils.timezone import now
+from lxml import etree  # nosec
 from structlog.stdlib import get_logger
 
 from authentik.core.models import (
@@ -240,7 +241,7 @@ class ResponseProcessor:
             name_id.text,
             delete_none_values(self.get_attributes()),
         )
-        flow_manager.policy_context["saml_response"] = self._root
+        flow_manager.policy_context["saml_response"] = etree.tostring(self._root)
         return flow_manager
 
 

authentik/sources/scim/models.py

@@ -1,7 +1,5 @@
 """SCIM Source"""
 
-from uuid import uuid4
-
 from django.db import models
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
@@ -19,8 +17,6 @@ class SCIMSource(Source):
 
     @property
     def service_account_identifier(self) -> str:
-        if not self.pk:
-            self.pk = uuid4()
         return f"ak-source-scim-{self.pk}"
 
     @property

authentik/sources/scim/signals.py

@@ -1,41 +1,44 @@
 from django.db.models import Model
-from django.db.models.signals import pre_delete, pre_save
+from django.db.models.signals import post_delete, post_save
 from django.dispatch import receiver
 
 from authentik.core.models import USER_PATH_SYSTEM_PREFIX, Token, TokenIntents, User, UserTypes
+from authentik.events.middleware import audit_ignore
 from authentik.sources.scim.models import SCIMSource
 
 USER_PATH_SOURCE_SCIM = USER_PATH_SYSTEM_PREFIX + "/sources/scim"
 
 
-@receiver(pre_save, sender=SCIMSource)
-def scim_source_pre_save(sender: type[Model], instance: SCIMSource, **_):
+@receiver(post_save, sender=SCIMSource)
+def scim_source_post_save(sender: type[Model], instance: SCIMSource, created: bool, **_):
     """Create service account before source is saved"""
-    # .service_account_identifier will auto-assign a primary key uuid to the source
-    # if none is set yet, just so we can get the identifier before we save
     identifier = instance.service_account_identifier
-    user = User.objects.create(
+    user, _ = User.objects.update_or_create(
         username=identifier,
-        name=f"SCIM Source {instance.name} Service-Account",
-        type=UserTypes.INTERNAL_SERVICE_ACCOUNT,
-        path=USER_PATH_SOURCE_SCIM,
+        defaults={
+            "name": f"SCIM Source {instance.name} Service-Account",
+            "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
+            "path": USER_PATH_SOURCE_SCIM,
+        },
     )
-    token = Token.objects.create(
-        user=user,
+    token, token_created = Token.objects.update_or_create(
         identifier=identifier,
-        intent=TokenIntents.INTENT_API,
-        expiring=False,
-        managed=f"goauthentik.io/sources/scim/{instance.pk}",
+        defaults={
+            "user": user,
+            "intent": TokenIntents.INTENT_API,
+            "expiring": False,
+            "managed": f"goauthentik.io/sources/scim/{instance.pk}",
+        },
     )
-    instance.token = token
+    if created or token_created:
+        with audit_ignore():
+            instance.token = token
+            instance.save()
 
 
-@receiver(pre_delete, sender=SCIMSource)
-def scim_source_pre_delete(sender: type[Model], instance: SCIMSource, **_):
-    """Delete SCIM Source service account before deleting source"""
-    Token.objects.filter(
-        identifier=instance.service_account_identifier, intent=TokenIntents.INTENT_API
-    ).delete()
+@receiver(post_delete, sender=SCIMSource)
+def scim_source_post_delete(sender: type[Model], instance: SCIMSource, **_):
+    """Delete SCIM Source service account after deleting source"""
     User.objects.filter(
         username=instance.service_account_identifier, type=UserTypes.INTERNAL_SERVICE_ACCOUNT
     ).delete()

authentik/stages/authenticator_validate/migrations/0010_remove_authenticatorvalidatestage_configuration_stage_and_more.py

@@ -13,7 +13,7 @@ def migrate_configuration_stage(apps: Apps, schema_editor: BaseDatabaseSchemaEdi
 
     for stage in AuthenticatorValidateStage.objects.using(db_alias).all():
         if stage.configuration_stage:
-            stage.configuration_stages.set([stage.configuration_stage])
+            stage.configuration_stages.using(db_alias).set([stage.configuration_stage])
             stage.save()
 
 

authentik/stages/authenticator_validate/stage.py

@@ -325,7 +325,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
             serializer = SelectableStageSerializer(
                 data={
                     "pk": stage.pk,
-                    "name": stage.friendly_name or stage.name,
+                    "name": getattr(stage, "friendly_name", stage.name),
                     "verbose_name": str(stage._meta.verbose_name)
                     .replace("Setup Stage", "")
                     .strip(),

authentik/stages/authenticator_validate/tests/test_duo.py

@@ -8,6 +8,7 @@ from django.urls import reverse
 from rest_framework.exceptions import ValidationError
 
 from authentik.brands.utils import get_brand_for_request
+from authentik.core.middleware import RESPONSE_HEADER_ID
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.flows.models import FlowDesignation, FlowStageBinding
@@ -186,6 +187,7 @@ class AuthenticatorValidateStageDuoTests(FlowTestCase):
                     "method": "GET",
                     "path": f"/api/v3/flows/executor/{flow.slug}/",
                     "user_agent": "",
+                    "request_id": response[RESPONSE_HEADER_ID],
                 },
             },
         )

authentik/stages/email/templates/email/base.html

@@ -120,7 +120,7 @@
             </tr>
             <tr>
               <td align="center">
-                Powered by <a href="https://goauthentik.io?utm_source=authentik&utm_medium=email">authentik</a>.
+                Powered by <a rel="noopener noreferrer" target="_blank" href="https://goauthentik.io?utm_source=authentik&utm_medium=email">authentik</a>.
               </td>
             </tr>
           </table>

authentik/stages/identification/migrations/0002_auto_20200530_2204_squashed_0013_identificationstage_passwordless_flow.py

@@ -13,9 +13,9 @@ def assign_sources(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     IdentificationStage = apps.get_model("authentik_stages_identification", "identificationstage")
     Source = apps.get_model("authentik_core", "source")
 
-    sources = Source.objects.all()
-    for stage in IdentificationStage.objects.all().using(db_alias):
-        stage.sources.set(sources)
+    sources = Source.objects.using(db_alias).all()
+    for stage in IdentificationStage.objects.using(db_alias).all():
+        stage.sources.using(db_alias).set(sources)
         stage.save()
 
 
@@ -144,7 +144,7 @@ class Migration(migrations.Migration):
                 default=None,
                 help_text=(
                     "When set, shows a password field, instead of showing the password field as"
-                    " seaprate step."
+                    " separate step."
                 ),
                 null=True,
                 on_delete=django.db.models.deletion.SET_NULL,

authentik/stages/prompt/api.py

@@ -108,7 +108,7 @@ class PromptViewSet(UsedByMixin, ModelViewSet):
             return Response(
                 {
                     "non_field_errors": [
-                        exception_to_string(exc),
+                        exception_to_string(exc.exc),
                     ]
                 },
                 status=400,

authentik/stages/prompt/migrations/0009_prompt_name.py

@@ -12,7 +12,7 @@ def set_generated_name(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
 
     for prompt in Prompt.objects.using(db_alias).all():
         name = prompt.field_key
-        stage = prompt.promptstage_set.order_by("name").first()
+        stage = prompt.promptstage_set.using(db_alias).order_by("name").first()
         if stage:
             name += "_" + stage.name
         else:

authentik/stages/prompt/models.py

@@ -170,7 +170,7 @@ class Prompt(SerializerModel):
             try:
                 raw_choices = evaluator.evaluate(self.placeholder)
             except Exception as exc:  # pylint:disable=broad-except
-                wrapped = PropertyMappingExpressionException(str(exc))
+                wrapped = PropertyMappingExpressionException(exc, None)
                 LOGGER.warning(
                     "failed to evaluate prompt choices",
                     exc=wrapped,
@@ -208,7 +208,7 @@ class Prompt(SerializerModel):
             try:
                 return evaluator.evaluate(self.placeholder)
             except Exception as exc:  # pylint:disable=broad-except
-                wrapped = PropertyMappingExpressionException(str(exc), None)
+                wrapped = PropertyMappingExpressionException(exc, None)
                 LOGGER.warning(
                     "failed to evaluate prompt placeholder",
                     exc=wrapped,
@@ -237,7 +237,7 @@ class Prompt(SerializerModel):
             try:
                 value = evaluator.evaluate(self.initial_value)
             except Exception as exc:  # pylint:disable=broad-except
-                wrapped = PropertyMappingExpressionException(str(exc))
+                wrapped = PropertyMappingExpressionException(exc, None)
                 LOGGER.warning(
                     "failed to evaluate prompt initial value",
                     exc=wrapped,

authentik/stages/user_login/middleware.py

@@ -1,10 +1,9 @@
 """Sessions bound to ASN/Network and GeoIP/Continent/etc"""
 
-from django.conf import settings
 from django.contrib.auth.middleware import AuthenticationMiddleware
 from django.contrib.auth.signals import user_logged_out
+from django.contrib.auth.views import redirect_to_login
 from django.http.request import HttpRequest
-from django.shortcuts import redirect
 from structlog.stdlib import get_logger
 
 from authentik.core.models import AuthenticatedSession
@@ -87,7 +86,7 @@ class BoundSessionMiddleware(SessionMiddleware):
             AuthenticationMiddleware(lambda request: request).process_request(request)
             logout_extra(request, exc)
             request.session.clear()
-            return redirect(settings.LOGIN_URL)
+            return redirect_to_login(request.get_full_path())
         return None
 
     def recheck_session(self, request: HttpRequest):

authentik/stages/user_write/stage.py

@@ -6,6 +6,7 @@ from django.contrib.auth import update_session_auth_hash
 from django.db import transaction
 from django.db.utils import IntegrityError, InternalError
 from django.http import HttpRequest, HttpResponse
+from django.utils.functional import SimpleLazyObject
 from django.utils.translation import gettext as _
 from rest_framework.exceptions import ValidationError
 
@@ -118,6 +119,14 @@ class UserWriteStageView(StageView):
                 UserWriteStageView.write_attribute(user, key, value)
             # User has this key already
             elif hasattr(user, key):
+                if isinstance(user, SimpleLazyObject):
+                    user._setup()
+                    user = user._wrapped
+                attr = getattr(type(user), key)
+                if isinstance(attr, property):
+                    if not attr.fset:
+                        self.logger.info("discarding key", key=key)
+                        continue
                 setattr(user, key, value)
             # If none of the cases above matched, we have an attribute that the user doesn't have,
             # has no setter for, is not a nested attributes value and as such is invalid

blueprints/default/flow-default-authentication-flow.yaml

@@ -82,3 +82,5 @@ entries:
     order: 10
     target: !KeyOf default-authentication-flow-password-binding
     policy: !KeyOf default-authentication-flow-password-optional
+  attrs:
+    failure_result: true

blueprints/schema.json

@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://goauthentik.io/blueprints/schema.json",
     "type": "object",
-    "title": "authentik 2024.6.0 Blueprint schema",
+    "title": "authentik 2024.6.5 Blueprint schema",
     "required": [
         "version",
         "entries"

docker-compose.yml

@@ -31,7 +31,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.5}
     restart: unless-stopped
     command: server
     environment:
@@ -52,7 +52,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.0}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.6.5}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024042.11
+	goauthentik.io/api/v3 v3.2024060.5
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.21.0
 	golang.org/x/sync v0.7.0

go.sum

@@ -294,8 +294,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2024042.11 h1:cGgUz1E8rlMphGvv04VI7i+MgT8eidZbxTpza5zd96I=
-goauthentik.io/api/v3 v3.2024042.11/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024060.5 h1:AjvPUZoObk7a86ZZaz2tmruteY+1vAEfVzIOzQpWSXM=
+goauthentik.io/api/v3 v3.2024060.5/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.6.0"
+const VERSION = "2024.6.5"

internal/outpost/ak/api_ws.go

@@ -183,7 +183,19 @@ func (ac *APIController) startWSHealth() {
 
 func (ac *APIController) startIntervalUpdater() {
 	logger := ac.logger.WithField("loop", "interval-updater")
-	ticker := time.NewTicker(5 * time.Minute)
+	getInterval := func() time.Duration {
+		// Ensure timer interval is not negative or 0
+		// for 0 we assume migration or unconfigured, so default to 5 minutes
+		if ac.Outpost.RefreshIntervalS <= 0 {
+			return 5 * time.Minute
+		}
+		// Clamp interval to be at least 30 seconds
+		if ac.Outpost.RefreshIntervalS < 30 {
+			return 30 * time.Second
+		}
+		return time.Duration(ac.Outpost.RefreshIntervalS) * time.Second
+	}
+	ticker := time.NewTicker(getInterval())
 	for ; true; <-ticker.C {
 		logger.Debug("Running interval update")
 		err := ac.OnRefresh()
@@ -198,6 +210,7 @@ func (ac *APIController) startIntervalUpdater() {
 				"build":        constants.BUILD("tagged"),
 			}).SetToCurrentTime()
 		}
+		ticker.Reset(getInterval())
 	}
 }
 

internal/outpost/proxyv2/templates/error.html

@@ -48,9 +48,9 @@
                 <footer class="pf-c-login__footer">
                     <ul class="pf-c-list pf-m-inline">
                         <li>
-                            <a href="https://goauthentik.io?utm_source=authentik_outpost&utm_campaign=proxy_error">
+                            <span>
                                 Powered by authentik
-                            </a>
+                            </span>
                         </li>
                     </ul>
                 </footer>

lifecycle/system_migrations/tenant_files.py

@@ -1,6 +1,7 @@
 # flake8: noqa
 from pathlib import Path
 
+from authentik.lib.config import CONFIG
 from lifecycle.migrate import BaseMigration
 
 MEDIA_ROOT = Path(__file__).parent.parent.parent / "media"
@@ -9,7 +10,9 @@ TENANT_MEDIA_ROOT = MEDIA_ROOT / "public"
 
 class Migration(BaseMigration):
     def needs_migration(self) -> bool:
-        return not TENANT_MEDIA_ROOT.exists()
+        return (
+            not TENANT_MEDIA_ROOT.exists() and CONFIG.get("storage.media.backend", "file") != "s3"
+        )
 
     def run(self):
         TENANT_MEDIA_ROOT.mkdir(parents=True)

package.json

@@ -1,5 +1,5 @@
 {
     "name": "@goauthentik/authentik",
-    "version": "2024.6.0",
+    "version": "2024.6.5",
     "private": true
 }

poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.2 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
 
 [[package]]
 name = "aiohttp"
@@ -1513,20 +1513,6 @@ files = [
 dnspython = ">=2.0.0"
 idna = ">=2.0.0"
 
-[[package]]
-name = "facebook-sdk"
-version = "3.1.0"
-description = "This client library is designed to support the Facebook Graph API and the official Facebook JavaScript SDK, which is the canonical way to implement Facebook authentication."
-optional = false
-python-versions = "*"
-files = [
-    {file = "facebook-sdk-3.1.0.tar.gz", hash = "sha256:cabcd2e69ea3d9f042919c99b353df7aa1e2be86d040121f6e9f5e63c1cf0f8d"},
-    {file = "facebook_sdk-3.1.0-py2.py3-none-any.whl", hash = "sha256:2e987b3e0f466a6f4ee77b935eb023dba1384134f004a2af21f1cfff7fe0806e"},
-]
-
-[package.dependencies]
-requests = "*"
-
 [[package]]
 name = "fido2"
 version = "1.1.3"
@@ -2954,9 +2940,14 @@ version = "0.0.14"
 description = "Python module for oci specifications"
 optional = false
 python-versions = "*"
-files = [
-    {file = "opencontainers-0.0.14.tar.gz", hash = "sha256:fde3b8099b56b5c956415df8933e2227e1914e805a277b844f2f9e52341738f2"},
-]
+files = []
+develop = false
+
+[package.source]
+type = "git"
+url = "https://github.com/vsoch/oci-python"
+reference = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf"
+resolved_reference = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf"
 
 [[package]]
 name = "opentelemetry-api"
@@ -5350,4 +5341,4 @@ files = [
 [metadata]
 lock-version = "2.0"
 python-versions = "~3.12"
-content-hash = "f960013b56683ab42d82f8b49b2822dffc76046e3d22695ebb737b405a98dbaf"
+content-hash = "055376879ff784080ab95c02eaa012fb1dad1213b1faa0dd1d61b0b812859b6d"

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.6.0"
+version = "2024.6.5"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 
@@ -110,7 +110,6 @@ docker = "*"
 drf-spectacular = "*"
 dumb-init = "*"
 duo-client = "*"
-facebook-sdk = "*"
 fido2 = "*"
 flower = "*"
 geoip2 = "*"
@@ -121,7 +120,7 @@ kubernetes = "*"
 ldap3 = "*"
 lxml = "*"
 msgraph-sdk = "*"
-opencontainers = { extras = ["reggie"], version = "*" }
+opencontainers = { git = "https://github.com/vsoch/oci-python", rev = "20d69d9cc50a0fef31605b46f06da0c94f1ec3cf", extras = ["reggie"] }
 packaging = "*"
 paramiko = "*"
 psycopg = { extras = ["c"], version = "*" }

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2024.6.0
+  version: 2024.6.5
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -13080,6 +13080,15 @@ paths:
         name: identifier
         schema:
           type: string
+      - in: query
+        name: identifier_in
+        schema:
+          type: array
+          items:
+            type: string
+        description: Multiple values may be separated by commas.
+        explode: false
+        style: form
       - in: query
         name: ip
         schema:
@@ -36625,6 +36634,7 @@ components:
         href:
           type: string
           readOnly: true
+          nullable: true
         name:
           type: string
           readOnly: true
@@ -39488,6 +39498,9 @@ components:
           allOf:
           - $ref: '#/components/schemas/ServiceConnection'
           readOnly: true
+        refresh_interval_s:
+          type: integer
+          readOnly: true
         token_identifier:
           type: string
           description: Get Token identifier
@@ -39509,6 +39522,7 @@ components:
       - pk
       - providers
       - providers_obj
+      - refresh_interval_s
       - service_connection_obj
       - token_identifier
       - type

tests/e2e/test-saml-idp/saml20-sp-remote.php

@@ -0,0 +1,23 @@
+<?php
+/**
+ * SAML 2.0 remote SP metadata for SimpleSAMLphp.
+ *
+ * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
+ */
+
+$metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array(
+    'AssertionConsumerService' => getenv('SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE'),
+    'SingleLogoutService' => getenv('SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE'),
+);
+
+if (null != getenv('SIMPLESAMLPHP_SP_NAME_ID_FORMAT')) {
+    $metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array_merge($metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')], array('NameIDFormat' => getenv('SIMPLESAMLPHP_SP_NAME_ID_FORMAT')));
+}
+
+if (null != getenv('SIMPLESAMLPHP_SP_NAME_ID_ATTRIBUTE')) {
+    $metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array_merge($metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')], array('simplesaml.nameidattribute' => getenv('SIMPLESAMLPHP_SP_NAME_ID_ATTRIBUTE')));
+}
+
+if (null != getenv('SIMPLESAMLPHP_SP_SIGN_ASSERTION')) {
+    $metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')] = array_merge($metadata[getenv('SIMPLESAMLPHP_SP_ENTITY_ID')], array('saml20.sign.assertion' => ('true' == getenv('SIMPLESAMLPHP_SP_SIGN_ASSERTION'))));
+}

tests/e2e/test_provider_ldap.py

@@ -5,7 +5,6 @@ from time import sleep
 
 from docker.client import DockerClient, from_env
 from docker.models.containers import Container
-from guardian.shortcuts import get_anonymous_user
 from ldap3 import ALL, ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE, Connection, Server
 from ldap3.core.exceptions import LDAPInvalidCredentialsResult
 
@@ -180,15 +179,13 @@ class TestProviderLDAP(SeleniumTestCase):
         )
         with self.assertRaises(LDAPInvalidCredentialsResult):
             _connection.bind()
-        anon = get_anonymous_user()
         self.assertTrue(
             Event.objects.filter(
                 action=EventAction.LOGIN_FAILED,
                 user={
-                    "pk": anon.pk,
-                    "email": anon.email,
-                    "username": anon.username,
-                    "is_anonymous": True,
+                    "pk": self.user.pk,
+                    "email": self.user.email,
+                    "username": self.user.username,
                 },
             ).exists(),
         )

tests/e2e/test_source_oauth_oauth2.py

@@ -1,5 +1,6 @@
 """test OAuth Source"""
 
+from json import loads
 from pathlib import Path
 from time import sleep
 from typing import Any
@@ -194,3 +195,41 @@ class TestSourceOAuth2(SeleniumTestCase):
         self.driver.get(self.if_user_url("/settings"))
 
         self.assert_user(User(username="foo", name="admin", email="admin@example.com"))
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @apply_blueprint(
+        "default/flow-default-source-authentication.yaml",
+        "default/flow-default-source-enrollment.yaml",
+        "default/flow-default-source-pre-authentication.yaml",
+    )
+    def test_oauth_link(self):
+        """test OAuth Source link OIDC"""
+        self.create_objects()
+        self.driver.get(self.live_server_url)
+        self.login()
+
+        self.driver.get(
+            self.url("authentik_sources_oauth:oauth-client-login", source_slug=self.slug)
+        )
+
+        # Now we should be at the IDP, wait for the login field
+        self.wait.until(ec.presence_of_element_located((By.ID, "login")))
+        self.driver.find_element(By.ID, "login").send_keys("admin@example.com")
+        self.driver.find_element(By.ID, "password").send_keys("password")
+        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
+
+        # Wait until we're logged in
+        self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "button[type=submit]")))
+        self.driver.find_element(By.CSS_SELECTOR, "button[type=submit]").click()
+
+        self.driver.get(self.url("authentik_api:usersourceconnection-list") + "?format=json")
+        body_json = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
+        results = body_json["results"]
+        self.assertEqual(len(results), 1)
+        connection = results[0]
+        self.assertEqual(connection["source"]["slug"], self.slug)
+        self.assertEqual(connection["user"], self.user.pk)

tests/e2e/test_source_saml.py

@@ -1,5 +1,6 @@
 """test SAML Source"""
 
+from pathlib import Path
 from time import sleep
 from typing import Any
 
@@ -88,8 +89,20 @@ class TestSourceSAML(SeleniumTestCase):
                 interval=5 * 1_000 * 1_000_000,
                 start_period=1 * 1_000 * 1_000_000,
             ),
+            "volumes": {
+                str(
+                    (Path(__file__).parent / Path("test-saml-idp/saml20-sp-remote.php")).absolute()
+                ): {
+                    "bind": "/var/www/simplesamlphp/metadata/saml20-sp-remote.php",
+                    "mode": "ro",
+                }
+            },
             "environment": {
                 "SIMPLESAMLPHP_SP_ENTITY_ID": "entity-id",
+                "SIMPLESAMLPHP_SP_NAME_ID_FORMAT": (
+                    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+                ),
+                "SIMPLESAMLPHP_SP_NAME_ID_ATTRIBUTE": "email",
                 "SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE": (
                     self.url("authentik_sources_saml:acs", source_slug=self.slug)
                 ),
@@ -318,3 +331,109 @@ class TestSourceSAML(SeleniumTestCase):
             .exclude(pk=self.user.pk)
             .first()
         )
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @apply_blueprint(
+        "default/flow-default-source-authentication.yaml",
+        "default/flow-default-source-enrollment.yaml",
+        "default/flow-default-source-pre-authentication.yaml",
+    )
+    def test_idp_post_auto_enroll_auth(self):
+        """test SAML Source With post binding (auto redirect)"""
+        # Bootstrap all needed objects
+        authentication_flow = Flow.objects.get(slug="default-source-authentication")
+        enrollment_flow = Flow.objects.get(slug="default-source-enrollment")
+        pre_authentication_flow = Flow.objects.get(slug="default-source-pre-authentication")
+        keypair = CertificateKeyPair.objects.create(
+            name=generate_id(),
+            certificate_data=IDP_CERT,
+            key_data=IDP_KEY,
+        )
+
+        source = SAMLSource.objects.create(
+            name=generate_id(),
+            slug=self.slug,
+            authentication_flow=authentication_flow,
+            enrollment_flow=enrollment_flow,
+            pre_authentication_flow=pre_authentication_flow,
+            issuer="entity-id",
+            sso_url=f"http://{self.host}:8080/simplesaml/saml2/idp/SSOService.php",
+            binding_type=SAMLBindingTypes.POST_AUTO,
+            signing_kp=keypair,
+        )
+        ident_stage = IdentificationStage.objects.first()
+        ident_stage.sources.set([source])
+        ident_stage.save()
+
+        self.driver.get(self.live_server_url)
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+
+        wait.until(
+            ec.presence_of_element_located(
+                (By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button")
+            )
+        )
+        identification_stage.find_element(
+            By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button"
+        ).click()
+
+        # Now we should be at the IDP, wait for the username field
+        self.wait.until(ec.presence_of_element_located((By.ID, "username")))
+        self.driver.find_element(By.ID, "username").send_keys("user1")
+        self.driver.find_element(By.ID, "password").send_keys("user1pass")
+        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
+
+        # Wait until we're logged in
+        self.wait_for_url(self.if_user_url("/library"))
+        self.driver.get(self.if_user_url("/settings"))
+
+        self.assert_user(
+            User.objects.exclude(username="akadmin")
+            .exclude(username__startswith="ak-outpost")
+            .exclude_anonymous()
+            .exclude(pk=self.user.pk)
+            .first()
+        )
+
+        # Clear all cookies and log in again
+        self.driver.delete_all_cookies()
+        self.driver.get(self.live_server_url)
+
+        flow_executor = self.get_shadow_root("ak-flow-executor")
+        identification_stage = self.get_shadow_root("ak-stage-identification", flow_executor)
+        wait = WebDriverWait(identification_stage, self.wait_timeout)
+
+        wait.until(
+            ec.presence_of_element_located(
+                (By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button")
+            )
+        )
+        identification_stage.find_element(
+            By.CSS_SELECTOR, ".pf-c-login__main-footer-links-item > button"
+        ).click()
+
+        # Now we should be at the IDP, wait for the username field
+        self.wait.until(ec.presence_of_element_located((By.ID, "username")))
+        self.driver.find_element(By.ID, "username").send_keys("user1")
+        self.driver.find_element(By.ID, "password").send_keys("user1pass")
+        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)
+
+        # Wait until we're logged in
+        self.wait_for_url(self.if_user_url("/library"))
+        self.driver.get(self.if_user_url("/settings"))
+
+        # sleep(999999)
+        self.assert_user(
+            User.objects.exclude(username="akadmin")
+            .exclude(username__startswith="ak-outpost")
+            .exclude_anonymous()
+            .exclude(pk=self.user.pk)
+            .first()
+        )

web/package.json

@@ -38,7 +38,7 @@
         "@codemirror/theme-one-dark": "^6.1.2",
         "@formatjs/intl-listformat": "^7.5.7",
         "@fortawesome/fontawesome-free": "^6.5.2",
-        "@goauthentik/api": "^2024.4.2-1718378698",
+        "@goauthentik/api": "^2024.6.0-1719577139",
         "@lit/context": "^1.1.2",
         "@lit/localize": "^0.12.1",
         "@lit/reactive-element": "^2.0.4",

web/sfe/index.ts

@@ -0,0 +1,529 @@
+import { fromByteArray } from "base64-js";
+import "formdata-polyfill";
+import $ from "jquery";
+import "weakmap-polyfill";
+
+import {
+    type AuthenticatorValidationChallenge,
+    type AutosubmitChallenge,
+    type ChallengeTypes,
+    ChallengeTypesFromJSON,
+    type ContextualFlowInfo,
+    type DeviceChallenge,
+    type ErrorDetail,
+    type IdentificationChallenge,
+    type PasswordChallenge,
+    type RedirectChallenge,
+} from "@goauthentik/api";
+
+interface GlobalAuthentik {
+    brand: {
+        branding_logo: string;
+    };
+}
+
+function ak(): GlobalAuthentik {
+    return (
+        window as unknown as {
+            authentik: GlobalAuthentik;
+        }
+    ).authentik;
+}
+
+class SimpleFlowExecutor {
+    challenge?: ChallengeTypes;
+    flowSlug: string;
+    container: HTMLDivElement;
+
+    constructor(container: HTMLDivElement) {
+        this.flowSlug = window.location.pathname.split("/")[3];
+        this.container = container;
+    }
+
+    get apiURL() {
+        return `/api/v3/flows/executor/${this.flowSlug}/?query=${encodeURIComponent(window.location.search.substring(1))}`;
+    }
+
+    start() {
+        $.ajax({
+            type: "GET",
+            url: this.apiURL,
+            success: (data) => {
+                this.challenge = ChallengeTypesFromJSON(data);
+                this.renderChallenge();
+            },
+        });
+    }
+
+    submit(data: { [key: string]: unknown } | FormData) {
+        $("button[type=submit]").addClass("disabled")
+            .html(`<span class="spinner-border spinner-border-sm" aria-hidden="true"></span>
+                <span role="status">Loading...</span>`);
+        let finalData: { [key: string]: unknown } = {};
+        if (data instanceof FormData) {
+            finalData = {};
+            data.forEach((value, key) => {
+                finalData[key] = value;
+            });
+        } else {
+            finalData = data;
+        }
+        $.ajax({
+            type: "POST",
+            url: this.apiURL,
+            data: JSON.stringify(finalData),
+            success: (data) => {
+                this.challenge = ChallengeTypesFromJSON(data);
+                this.renderChallenge();
+            },
+            contentType: "application/json",
+            dataType: "json",
+        });
+    }
+
+    renderChallenge() {
+        switch (this.challenge?.component) {
+            case "ak-stage-identification":
+                new IdentificationStage(this, this.challenge).render();
+                return;
+            case "ak-stage-password":
+                new PasswordStage(this, this.challenge).render();
+                return;
+            case "xak-flow-redirect":
+                new RedirectStage(this, this.challenge).render();
+                return;
+            case "ak-stage-autosubmit":
+                new AutosubmitStage(this, this.challenge).render();
+                return;
+            case "ak-stage-authenticator-validate":
+                new AuthenticatorValidateStage(this, this.challenge).render();
+                return;
+            default:
+                this.container.innerText = "Unsupported stage: " + this.challenge?.component;
+                return;
+        }
+    }
+}
+
+export interface FlowInfoChallenge {
+    flowInfo?: ContextualFlowInfo;
+    responseErrors?: {
+        [key: string]: Array<ErrorDetail>;
+    };
+}
+
+class Stage<T extends FlowInfoChallenge> {
+    constructor(
+        public executor: SimpleFlowExecutor,
+        public challenge: T,
+    ) {}
+
+    error(fieldName: string) {
+        if (!this.challenge.responseErrors) {
+            return [];
+        }
+        return this.challenge.responseErrors[fieldName] || [];
+    }
+
+    renderInputError(fieldName: string) {
+        return `${this.error(fieldName)
+            .map((error) => {
+                return `<div class="invalid-feedback">
+                    ${error.string}
+                </div>`;
+            })
+            .join("")}`;
+    }
+
+    renderNonFieldErrors() {
+        return `${this.error("non_field_errors")
+            .map((error) => {
+                return `<div class="alert alert-danger" role="alert">
+                    ${error.string}
+                </div>`;
+            })
+            .join("")}`;
+    }
+
+    html(html: string) {
+        this.executor.container.innerHTML = html;
+    }
+
+    render() {
+        throw new Error("Abstract method");
+    }
+}
+
+class IdentificationStage extends Stage<IdentificationChallenge> {
+    render() {
+        this.html(`
+            <form id="ident-form">
+                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
+                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
+                ${
+                    this.challenge.applicationPre
+                        ? `<p>
+                              Login to continue to ${this.challenge.applicationPre}.
+                          </p>`
+                        : ""
+                }
+                <div class="form-label-group my-3 has-validation">
+                    <input type="text" autofocus class="form-control" name="uid_field" placeholder="Email / Username">
+                </div>
+                ${
+                    this.challenge.passwordFields
+                        ? `<div class="form-label-group my-3 has-validation">
+                                <input type="password" class="form-control ${this.error("password").length > 0 ? "is-invalid" : ""}" name="password" placeholder="Password">
+                                ${this.renderInputError("password")}
+                        </div>`
+                        : ""
+                }
+                ${this.renderNonFieldErrors()}
+                <button class="btn btn-primary w-100 py-2" type="submit">${this.challenge.primaryAction}</button>
+            </form>`);
+        $("#ident-form input[name=uid_field]").trigger("focus");
+        $("#ident-form").on("submit", (ev) => {
+            ev.preventDefault();
+            const data = new FormData(ev.target as HTMLFormElement);
+            this.executor.submit(data);
+        });
+    }
+}
+
+class PasswordStage extends Stage<PasswordChallenge> {
+    render() {
+        this.html(`
+            <form id="password-form">
+                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
+                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
+                <div class="form-label-group my-3 has-validation">
+                    <input type="password" autofocus class="form-control ${this.error("password").length > 0 ? "is-invalid" : ""}" name="password" placeholder="Password">
+                    ${this.renderInputError("password")}
+                </div>
+                <button class="btn btn-primary w-100 py-2" type="submit">Continue</button>
+            </form>`);
+        $("#password-form input").trigger("focus");
+        $("#password-form").on("submit", (ev) => {
+            ev.preventDefault();
+            const data = new FormData(ev.target as HTMLFormElement);
+            this.executor.submit(data);
+        });
+    }
+}
+
+class RedirectStage extends Stage<RedirectChallenge> {
+    render() {
+        window.location.assign(this.challenge.to);
+    }
+}
+
+class AutosubmitStage extends Stage<AutosubmitChallenge> {
+    render() {
+        this.html(`
+            <form id="autosubmit-form" action="${this.challenge.url}" method="POST">
+                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
+                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
+                ${Object.entries(this.challenge.attrs).map(([key, value]) => {
+                    return `<input
+                            type="hidden"
+                            name="${key}"
+                            value="${value}"
+                        />`;
+                })}
+                <div class="d-flex justify-content-center">
+                    <div class="spinner-border" role="status">
+                        <span class="sr-only">Loading...</span>
+                    </div>
+                </div>
+            </form>`);
+        $("#autosubmit-form").submit();
+    }
+}
+
+export interface Assertion {
+    id: string;
+    rawId: string;
+    type: string;
+    registrationClientExtensions: string;
+    response: {
+        clientDataJSON: string;
+        attestationObject: string;
+    };
+}
+
+export interface AuthAssertion {
+    id: string;
+    rawId: string;
+    type: string;
+    assertionClientExtensions: string;
+    response: {
+        clientDataJSON: string;
+        authenticatorData: string;
+        signature: string;
+        userHandle: string | null;
+    };
+}
+
+class AuthenticatorValidateStage extends Stage<AuthenticatorValidationChallenge> {
+    deviceChallenge?: DeviceChallenge;
+
+    b64enc(buf: Uint8Array): string {
+        return fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    }
+
+    b64RawEnc(buf: Uint8Array): string {
+        return fromByteArray(buf).replace(/\+/g, "-").replace(/\//g, "_");
+    }
+
+    u8arr(input: string): Uint8Array {
+        return Uint8Array.from(atob(input.replace(/_/g, "/").replace(/-/g, "+")), (c) =>
+            c.charCodeAt(0),
+        );
+    }
+
+    checkWebAuthnSupport(): boolean {
+        if ("credentials" in navigator) {
+            return true;
+        }
+        if (window.location.protocol === "http:" && window.location.hostname !== "localhost") {
+            console.warn("WebAuthn requires this page to be accessed via HTTPS.");
+            return false;
+        }
+        console.warn("WebAuthn not supported by browser.");
+        return false;
+    }
+
+    /**
+     * Transforms items in the credentialCreateOptions generated on the server
+     * into byte arrays expected by the navigator.credentials.create() call
+     */
+    transformCredentialCreateOptions(
+        credentialCreateOptions: PublicKeyCredentialCreationOptions,
+        userId: string,
+    ): PublicKeyCredentialCreationOptions {
+        const user = credentialCreateOptions.user;
+        // Because json can't contain raw bytes, the server base64-encodes the User ID
+        // So to get the base64 encoded byte array, we first need to convert it to a regular
+        // string, then a byte array, re-encode it and wrap that in an array.
+        const stringId = decodeURIComponent(window.atob(userId));
+        user.id = this.u8arr(this.b64enc(this.u8arr(stringId)));
+        const challenge = this.u8arr(credentialCreateOptions.challenge.toString());
+
+        const transformedCredentialCreateOptions = Object.assign({}, credentialCreateOptions, {
+            challenge,
+            user,
+        });
+
+        return transformedCredentialCreateOptions;
+    }
+
+    /**
+     * Transforms the binary data in the credential into base64 strings
+     * for posting to the server.
+     * @param {PublicKeyCredential} newAssertion
+     */
+    transformNewAssertionForServer(newAssertion: PublicKeyCredential): Assertion {
+        const attObj = new Uint8Array(
+            (newAssertion.response as AuthenticatorAttestationResponse).attestationObject,
+        );
+        const clientDataJSON = new Uint8Array(newAssertion.response.clientDataJSON);
+        const rawId = new Uint8Array(newAssertion.rawId);
+
+        const registrationClientExtensions = newAssertion.getClientExtensionResults();
+        return {
+            id: newAssertion.id,
+            rawId: this.b64enc(rawId),
+            type: newAssertion.type,
+            registrationClientExtensions: JSON.stringify(registrationClientExtensions),
+            response: {
+                clientDataJSON: this.b64enc(clientDataJSON),
+                attestationObject: this.b64enc(attObj),
+            },
+        };
+    }
+
+    transformCredentialRequestOptions(
+        credentialRequestOptions: PublicKeyCredentialRequestOptions,
+    ): PublicKeyCredentialRequestOptions {
+        const challenge = this.u8arr(credentialRequestOptions.challenge.toString());
+
+        const allowCredentials = (credentialRequestOptions.allowCredentials || []).map(
+            (credentialDescriptor) => {
+                const id = this.u8arr(credentialDescriptor.id.toString());
+                return Object.assign({}, credentialDescriptor, { id });
+            },
+        );
+
+        const transformedCredentialRequestOptions = Object.assign({}, credentialRequestOptions, {
+            challenge,
+            allowCredentials,
+        });
+
+        return transformedCredentialRequestOptions;
+    }
+
+    /**
+     * Encodes the binary data in the assertion into strings for posting to the server.
+     * @param {PublicKeyCredential} newAssertion
+     */
+    transformAssertionForServer(newAssertion: PublicKeyCredential): AuthAssertion {
+        const response = newAssertion.response as AuthenticatorAssertionResponse;
+        const authData = new Uint8Array(response.authenticatorData);
+        const clientDataJSON = new Uint8Array(response.clientDataJSON);
+        const rawId = new Uint8Array(newAssertion.rawId);
+        const sig = new Uint8Array(response.signature);
+        const assertionClientExtensions = newAssertion.getClientExtensionResults();
+
+        return {
+            id: newAssertion.id,
+            rawId: this.b64enc(rawId),
+            type: newAssertion.type,
+            assertionClientExtensions: JSON.stringify(assertionClientExtensions),
+
+            response: {
+                clientDataJSON: this.b64RawEnc(clientDataJSON),
+                signature: this.b64RawEnc(sig),
+                authenticatorData: this.b64RawEnc(authData),
+                userHandle: null,
+            },
+        };
+    }
+
+    render() {
+        if (!this.deviceChallenge) {
+            return this.renderChallengePicker();
+        }
+        switch (this.deviceChallenge.deviceClass) {
+            case "static":
+            case "totp":
+                this.renderCodeInput();
+                break;
+            case "webauthn":
+                this.renderWebauthn();
+                break;
+            default:
+                break;
+        }
+    }
+
+    renderChallengePicker() {
+        const challenges = this.challenge.deviceChallenges.filter((challenge) => {
+            if (challenge.deviceClass === "webauthn") {
+                if (!this.checkWebAuthnSupport()) {
+                    return undefined;
+                }
+            }
+            return challenge;
+        });
+        this.html(`<form id="picker-form">
+                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
+                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
+                ${
+                    challenges.length > 0
+                        ? "<p>Select an authentication method.</p>"
+                        : `
+                    <p>No compatible authentication method available</p>
+                    `
+                }
+                ${challenges
+                    .map((challenge) => {
+                        let label = undefined;
+                        switch (challenge.deviceClass) {
+                            case "static":
+                                label = "Recovery keys";
+                                break;
+                            case "totp":
+                                label = "Traditional authenticator";
+                                break;
+                            case "webauthn":
+                                label = "Security key";
+                                break;
+                        }
+                        if (!label) {
+                            return "";
+                        }
+                        return `<div class="form-label-group my-3 has-validation">
+                            <button id="${challenge.deviceClass}-${challenge.deviceUid}" class="btn btn-secondary w-100 py-2" type="button">
+                                ${label}
+                            </button>
+                        </div>`;
+                    })
+                    .join("")}
+            </form>`);
+        this.challenge.deviceChallenges.forEach((challenge) => {
+            $(`#picker-form button#${challenge.deviceClass}-${challenge.deviceUid}`).on(
+                "click",
+                () => {
+                    this.deviceChallenge = challenge;
+                    this.render();
+                },
+            );
+        });
+    }
+
+    renderCodeInput() {
+        this.html(`
+            <form id="totp-form">
+                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
+                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
+                <div class="form-label-group my-3 has-validation">
+                    <input type="text" autofocus class="form-control ${this.error("code").length > 0 ? "is-invalid" : ""}" name="code" placeholder="Please enter your code" autocomplete="one-time-code">
+                    ${this.renderInputError("code")}
+                </div>
+                <button class="btn btn-primary w-100 py-2" type="submit">Continue</button>
+            </form>`);
+        $("#totp-form input").trigger("focus");
+        $("#totp-form").on("submit", (ev) => {
+            ev.preventDefault();
+            const data = new FormData(ev.target as HTMLFormElement);
+            this.executor.submit(data);
+        });
+    }
+
+    renderWebauthn() {
+        this.html(`
+            <form id="totp-form">
+                <img class="mb-4 brand-icon" src="${ak().brand.branding_logo}" alt="">
+                <h1 class="h3 mb-3 fw-normal text-center">${this.challenge?.flowInfo?.title}</h1>
+                <div class="d-flex justify-content-center">
+                    <div class="spinner-border" role="status">
+                        <span class="sr-only">Loading...</span>
+                    </div>
+                </div>
+            </form>
+            `);
+        navigator.credentials
+            .get({
+                publicKey: this.transformCredentialRequestOptions(
+                    this.deviceChallenge?.challenge as PublicKeyCredentialRequestOptions,
+                ),
+            })
+            .then((assertion) => {
+                if (!assertion) {
+                    throw new Error("No assertion");
+                }
+                try {
+                    // we now have an authentication assertion! encode the byte arrays contained
+                    // in the assertion data as strings for posting to the server
+                    const transformedAssertionForServer = this.transformAssertionForServer(
+                        assertion as PublicKeyCredential,
+                    );
+
+                    // post the assertion to the server for verification.
+                    this.executor.submit({
+                        webauthn: transformedAssertionForServer,
+                    });
+                } catch (err) {
+                    throw new Error(`Error when validating assertion on server: ${err}`);
+                }
+            })
+            .catch((error) => {
+                console.warn(error);
+                this.deviceChallenge = undefined;
+                this.render();
+            });
+    }
+}
+
+const sfe = new SimpleFlowExecutor($("#flow-sfe-container")[0] as HTMLDivElement);
+sfe.start();

web/sfe/package.json

@@ -0,0 +1,28 @@
+{
+    "name": "@goauthentik/web-sfe",
+    "version": "0.0.0",
+    "private": true,
+    "license": "MIT",
+    "dependencies": {
+        "@goauthentik/api": "^2024.6.0-1719577139",
+        "base64-js": "^1.5.1",
+        "bootstrap": "^4.6.1",
+        "formdata-polyfill": "^4.0.10",
+        "jquery": "^3.7.1",
+        "weakmap-polyfill": "^2.0.4"
+    },
+    "scripts": {
+        "build": "rollup -c rollup.config.js --bundleConfigAsCjs",
+        "watch": "rollup -w -c rollup.config.js --bundleConfigAsCjs"
+    },
+    "devDependencies": {
+        "@rollup/plugin-commonjs": "^26.0.1",
+        "@rollup/plugin-node-resolve": "^15.2.3",
+        "@rollup/plugin-swc": "^0.3.1",
+        "@swc/cli": "^0.3.14",
+        "@swc/core": "^1.6.6",
+        "@types/jquery": "^3.5.30",
+        "rollup": "^4.18.0",
+        "rollup-plugin-copy": "^3.5.0"
+    }
+}

web/sfe/rollup.config.js

@@ -0,0 +1,40 @@
+import commonjs from "@rollup/plugin-commonjs";
+import resolve from "@rollup/plugin-node-resolve";
+import swc from "@rollup/plugin-swc";
+import copy from "rollup-plugin-copy";
+
+export default {
+    input: "index.ts",
+    output: {
+        dir: "../dist/sfe",
+        format: "cjs",
+    },
+    context: "window",
+    plugins: [
+        copy({
+            targets: [
+                { src: "node_modules/bootstrap/dist/css/bootstrap.min.css", dest: "../dist/sfe" },
+            ],
+        }),
+        resolve({ browser: true }),
+        commonjs(),
+        swc({
+            swc: {
+                jsc: {
+                    loose: false,
+                    externalHelpers: false,
+                    // Requires v1.2.50 or upper and requires target to be es2016 or upper.
+                    keepClassNames: false,
+                },
+                minify: false,
+                env: {
+                    targets: {
+                        edge: "17",
+                        ie: "11",
+                    },
+                    mode: "entry",
+                },
+            },
+        }),
+    ],
+};

web/sfe/tsconfig.json

@@ -0,0 +1,7 @@
+{
+    "compilerOptions": {
+        "types": ["jquery"],
+        "esModuleInterop": true,
+        "lib": ["DOM", "ES2015", "ES2017"]
+    },
+}

web/src/admin/admin-overview/AdminOverviewPage.ts

@@ -208,7 +208,14 @@ export class AdminOverviewPage extends AdminOverviewBase {
 
             return html`<li>
                 ${ex(
-                    () => html`<a href="${url}" class="pf-u-mb-xl" target="_blank">${content}</a>`,
+                    () =>
+                        html`<a
+                            href="${url}"
+                            class="pf-u-mb-xl"
+                            rel="noopener noreferrer"
+                            target="_blank"
+                            >${content}</a
+                        >`,
                     () => html`<a href="${url}" class="pf-u-mb-xl" )>${content}</a>`,
                 )}
             </li>`;

web/src/admin/admin-overview/cards/VersionStatusCard.ts

@@ -56,6 +56,6 @@ export class VersionStatusCard extends AdminStatusCard<Version> {
             text = this.value.buildHash?.substring(0, 7);
             link = `https://github.com/goauthentik/authentik/commit/${this.value.buildHash}`;
         }
-        return html`<a href=${link} target="_blank">${text}</a>`;
+        return html`<a rel="noopener noreferrer" href=${link} target="_blank">${text}</a>`;
     }
 }

web/src/admin/admin-overview/charts/OutpostStatusChart.ts

@@ -56,6 +56,7 @@ export class OutpostStatusChart extends AKChart<SummarizedSyncStatus[]> {
             }),
         );
         this.centerText = outposts.pagination.count.toString();
+        outpostStats.sort((a, b) => a.label.localeCompare(b.label));
         return outpostStats;
     }
 

web/src/admin/applications/components/ak-provider-search-input.ts

@@ -15,7 +15,6 @@ const doGroupBy = (items: Provider[]) => groupBy(items, (item) => item.verboseNa
 async function fetch(query?: string) {
     const args: ProvidersAllListRequest = {
         ordering: "name",
-        backchannel: false,
     };
     if (query !== undefined) {
         args.search = query;

web/src/admin/blueprints/BlueprintForm.ts

@@ -157,6 +157,7 @@ export class BlueprintForm extends ModelForm<BlueprintInstance, string> {
                                   ${msg("See more about OCI support here:")}&nbsp;
                                   <a
                                       target="_blank"
+                                      rel="noopener noreferrer"
                                       href="${docLink(
                                           "/developer-docs/blueprints/?utm_source=authentik#storage---oci",
                                       )}"

web/src/admin/outposts/OutpostDeploymentModal.ts

@@ -23,6 +23,7 @@ export class OutpostDeploymentModal extends ModalButton {
                     <a
                         target="_blank"
                         href="${docLink("/docs/outposts?utm_source=authentik#deploy")}"
+                        rel="noopener noreferrer"
                         >${msg("View deployment documentation")}</a
                     >
                 </p>

web/src/admin/outposts/OutpostForm.ts

@@ -210,9 +210,11 @@ export class OutpostForm extends ModelForm<Outpost, string> {
                     )}
                 </p>
                 <p class="pf-c-form__helper-text">
-                    See
-                    <a target="_blank" href="${docLink("/docs/outposts?utm_source=authentik")}"
-                        >documentation</a
+                    <a
+                        target="_blank"
+                        rel="noopener noreferrer"
+                        href="${docLink("/docs/outposts?utm_source=authentik")}"
+                        >${msg("See documentation")}</a
                     >.
                 </p>
             </ak-form-element-horizontal>
@@ -245,6 +247,7 @@ export class OutpostForm extends ModelForm<Outpost, string> {
                             ${msg("See more here:")}&nbsp;
                             <a
                                 target="_blank"
+                                rel="noopener noreferrer"
                                 href="${docLink(
                                     "/docs/outposts?utm_source=authentik#configuration",
                                 )}"

web/src/admin/policies/expression/ExpressionPolicyForm.ts

@@ -85,6 +85,7 @@ export class ExpressionPolicyForm extends BasePolicyForm<ExpressionPolicy> {
                         <p class="pf-c-form__helper-text">
                             ${msg("Expression using Python.")}
                             <a
+                                rel="noopener noreferrer"
                                 target="_blank"
                                 href="${docLink("/docs/policies/expression?utm_source=authentik")}"
                             >

web/src/admin/property-mappings/PropertyMappingGoogleWorkspaceForm.ts

@@ -62,6 +62,7 @@ export class PropertyMappingGoogleWorkspaceForm extends BasePropertyMappingForm<
                     ${msg("Expression using Python.")}
                     <a
                         target="_blank"
+                        rel="noopener noreferrer"
                         href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                     >
                         ${msg("See documentation for a list of all variables.")}

web/src/admin/property-mappings/PropertyMappingLDAPForm.ts

@@ -71,6 +71,7 @@ export class PropertyMappingLDAPForm extends BasePropertyMappingForm<LDAPPropert
                     ${msg("Expression using Python.")}
                     <a
                         target="_blank"
+                        rel="noopener noreferrer"
                         href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                     >
                         ${msg("See documentation for a list of all variables.")}

web/src/admin/property-mappings/PropertyMappingMicrosoftEntraForm.ts

@@ -62,6 +62,7 @@ export class PropertyMappingMicrosoftEntraForm extends BasePropertyMappingForm<M
                     ${msg("Expression using Python.")}
                     <a
                         target="_blank"
+                        rel="noopener noreferrer"
                         href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                     >
                         ${msg("See documentation for a list of all variables.")}

web/src/admin/property-mappings/PropertyMappingNotification.ts

@@ -62,6 +62,7 @@ export class PropertyMappingNotification extends ModelForm<NotificationWebhookMa
                     ${msg("Expression using Python.")}
                     <a
                         target="_blank"
+                        rel="noopener noreferrer"
                         href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                     >
                         ${msg("See documentation for a list of all variables.")}

web/src/admin/property-mappings/PropertyMappingRACForm.ts

@@ -160,6 +160,7 @@ export class PropertyMappingLDAPForm extends ModelForm<RACPropertyMapping, strin
                             ${msg("Expression using Python.")}
                             <a
                                 target="_blank"
+                                rel="noopener noreferrer"
                                 href="${docLink(
                                     "/docs/property-mappings/expression?utm_source=authentik",
                                 )}"

web/src/admin/property-mappings/PropertyMappingSAMLForm.ts

@@ -83,6 +83,7 @@ export class PropertyMappingSAMLForm extends BasePropertyMappingForm<SAMLPropert
                     ${msg("Expression using Python.")}
                     <a
                         target="_blank"
+                        rel="noopener noreferrer"
                         href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                     >
                         ${msg("See documentation for a list of all variables.")}

web/src/admin/property-mappings/PropertyMappingSCIMForm.ts

@@ -56,6 +56,7 @@ export class PropertyMappingSCIMForm extends BasePropertyMappingForm<SCIMMapping
                     ${msg("Expression using Python.")}
                     <a
                         target="_blank"
+                        rel="noopener noreferrer"
                         href="${docLink("/docs/property-mappings/expression?utm_source=authentik")}"
                     >
                         ${msg("See documentation for a list of all variables.")}