add timeout

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
small fixes
2025-02-17 02:43:09 +01:00 · 2025-02-17 02:36:56 +01:00 · 2025-02-17 02:36:56 +01:00 · 2025-02-17 02:36:56 +01:00 · 2025-02-16 18:06:59 +01:00 · 2025-02-16 17:35:38 +01:00
431 changed files with 29282 additions and 12715 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.12.2
+current_version = 2024.12.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
@ -31,4 +31,4 @@ optional_value = final

 [bumpversion:file:web/src/common/constants.ts]

-[bumpversion:file:website/docs/install-config/install/aws/template.yaml]
+[bumpversion:file:lifecycle/aws/template.yaml]
--- a/.github/actions/comment-pr-instructions/action.yml
+++ b/.github/actions/comment-pr-instructions/action.yml
@ -35,14 +35,6 @@ runs:
            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
            ```

-            For arm64, use these values:
-
-            ```shell
-            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
-            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
-            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            ```
-
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
          <details>
@ -60,18 +52,6 @@ runs:
                    tag: ${{ inputs.tag }}
            ```

-            For arm64, use these values:
-
-            ```yaml
-            authentik:
-                outposts:
-                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            global:
-                image:
-                    repository: ghcr.io/goauthentik/dev-server
-                    tag: ${{ inputs.tag }}-arm64
-            ```
-
            Afterwards, run the upgrade commands from the latest release notes.
          </details>
        edit-mode: replace
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -9,6 +9,9 @@ inputs:
  image-arch:
    required: false
    description: "Docker image arch"
+  release:
+    required: true
+    description: "True if this is a release build, false if this is a dev/PR build"

 outputs:
  shouldPush:
@ -29,15 +32,24 @@ outputs:
  imageTags:
    description: "Docker image tags"
    value: ${{ steps.ev.outputs.imageTags }}
+  imageTagsJSON:
+    description: "Docker image tags, as a JSON array"
+    value: ${{ steps.ev.outputs.imageTagsJSON }}
  attestImageNames:
    description: "Docker image names used for attestation"
    value: ${{ steps.ev.outputs.attestImageNames }}
+  cacheTo:
+    description: "cache-to value for the docker build step"
+    value: ${{ steps.ev.outputs.cacheTo }}
  imageMainTag:
    description: "Docker image main tag"
    value: ${{ steps.ev.outputs.imageMainTag }}
  imageMainName:
    description: "Docker image main name"
    value: ${{ steps.ev.outputs.imageMainName }}
+  imageBuildArgs:
+    description: "Docker image build args"
+    value: ${{ steps.ev.outputs.imageBuildArgs }}

 runs:
  using: "composite"
@ -48,6 +60,8 @@ runs:
      env:
        IMAGE_NAME: ${{ inputs.image-name }}
        IMAGE_ARCH: ${{ inputs.image-arch }}
+        RELEASE: ${{ inputs.release }}
        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        REF: ${{ github.ref }}
      run: |
        python3 ${{ github.action_path }}/push_vars.py
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@ -2,6 +2,7 @@

 import configparser
 import os
+from json import dumps
 from time import time

 parser = configparser.ConfigParser()
@ -48,7 +49,7 @@ if is_release:
            ]
 else:
    suffix = ""
-    if image_arch and image_arch != "amd64":
+    if image_arch:
        suffix = f"-{image_arch}"
    for name in image_names:
        image_tags += [
@ -70,12 +71,31 @@ def get_attest_image_names(image_with_tags: list[str]):
    return ",".join(set(image_tags))


+# Generate `cache-to` param
+cache_to = ""
+if should_push:
+    _cache_tag = "buildcache"
+    if image_arch:
+        _cache_tag += f"-{image_arch}"
+    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
+
+
+image_build_args = []
+if os.getenv("RELEASE", "false").lower() == "true":
+    image_build_args = [f"VERSION={os.getenv('REF')}"]
+else:
+    image_build_args = [f"GIT_BUILD_HASH={sha}"]
+image_build_args = "\n".join(image_build_args)
+
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
    print(f"shouldPush={str(should_push).lower()}", file=_output)
    print(f"sha={sha}", file=_output)
    print(f"version={version}", file=_output)
    print(f"prerelease={prerelease}", file=_output)
    print(f"imageTags={','.join(image_tags)}", file=_output)
+    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
    print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
+    print(f"cacheTo={cache_to}", file=_output)
+    print(f"imageBuildArgs={image_build_args}", file=_output)
--- a/.github/actions/docker-push-variables/test.sh
+++ b/.github/actions/docker-push-variables/test.sh
@ -1,7 +1,18 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+# Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
    GITHUB_REF=ref \
    GITHUB_SHA=sha \
    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
+    GITHUB_REPOSITORY=goauthentik/authentik \
+    python $SCRIPT_DIR/push_vars.py
+
+# Pushing PR/main
+GITHUB_OUTPUT=/dev/stdout \
+    GITHUB_REF=ref \
+    GITHUB_SHA=sha \
+    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
+    GITHUB_REPOSITORY=goauthentik/authentik \
+    DOCKER_USERNAME=foo \
    python $SCRIPT_DIR/push_vars.py
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -82,6 +82,16 @@ updates:
      docusaurus:
        patterns:
          - "@docusaurus/*"
+  - package-ecosystem: npm
+    directory: "/lifecycle/aws"
+    schedule:
+      interval: daily
+      time: "04:00"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "lifecycle/aws:"
+    labels:
+      - dependencies
  - package-ecosystem: pip
    directory: "/"
    schedule:
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -0,0 +1,96 @@
+# Re-usable workflow for a single-architecture build
+name: Single-arch Container build
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+      image_arch:
+        required: true
+        type: string
+      runs-on:
+        required: true
+        type: string
+      registry_dockerhub:
+        default: false
+        type: boolean
+      registry_ghcr:
+        default: false
+        type: boolean
+      release:
+        default: false
+        type: boolean
+    outputs:
+      image-digest:
+        value: ${{ jobs.build.outputs.image-digest }}
+
+jobs:
+  build:
+    name: Build ${{ inputs.image_arch }}
+    runs-on: ${{ inputs.runs-on }}
+    outputs:
+      image-digest: ${{ steps.push.outputs.digest }}
+    permissions:
+      # Needed to upload container images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3.4.0
+      - uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+          image-arch: ${{ inputs.image_arch }}
+          release: ${{ inputs.release }}
+      - name: Login to Docker Hub
+        if: ${{ inputs.registry_dockerhub }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ inputs.registry_ghcr }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        if: ${{ inputs.release }}
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
+      - name: generate ts client
+        if: ${{ !inputs.release }}
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            ${{ steps.ev.outputs.imageBuildArgs }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          platforms: linux/${{ inputs.image_arch }}
+          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
+          cache-to: ${{ steps.ev.outputs.cacheTo }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
--- a/.github/workflows/_reusable-docker-build.yaml
+++ b/.github/workflows/_reusable-docker-build.yaml
@ -0,0 +1,104 @@
+# Re-usable workflow for a multi-architecture build
+name: Multi-arch container build
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+      registry_dockerhub:
+        default: false
+        type: boolean
+      registry_ghcr:
+        default: true
+        type: boolean
+      release:
+        default: false
+        type: boolean
+    outputs: {}
+
+jobs:
+  build-server-amd64:
+    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    secrets: inherit
+    with:
+      image_name: ${{ inputs.image_name }}
+      image_arch: amd64
+      runs-on: ubuntu-latest
+      registry_dockerhub: ${{ inputs.registry_dockerhub }}
+      registry_ghcr: ${{ inputs.registry_ghcr }}
+      release: ${{ inputs.release }}
+  build-server-arm64:
+    uses: ./.github/workflows/_reusable-docker-build-single.yaml
+    secrets: inherit
+    with:
+      image_name: ${{ inputs.image_name }}
+      image_arch: arm64
+      runs-on: ubuntu-22.04-arm
+      registry_dockerhub: ${{ inputs.registry_dockerhub }}
+      registry_ghcr: ${{ inputs.registry_ghcr }}
+      release: ${{ inputs.release }}
+  get-tags:
+    runs-on: ubuntu-latest
+    needs:
+      - build-server-amd64
+      - build-server-arm64
+    outputs:
+      tags: ${{ steps.ev.outputs.imageTagsJSON }}
+      shouldPush: ${{ steps.ev.outputs.shouldPush }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+  merge-server:
+    runs-on: ubuntu-latest
+    if: ${{ needs.get-tags.outputs.shouldPush == 'true' }}
+    needs:
+      - get-tags
+      - build-server-amd64
+      - build-server-arm64
+    strategy:
+      fail-fast: false
+      matrix:
+        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ${{ inputs.image_name }}
+      - name: Login to Docker Hub
+        if: ${{ inputs.registry_dockerhub }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: ${{ inputs.registry_ghcr }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: int128/docker-manifest-create-action@v2
+        id: build
+        with:
+          tags: ${{ matrix.tag }}
+          sources: |
+            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
+            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
+      - uses: actions/attest-build-provenance@v2
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@ -25,10 +25,10 @@ jobs:
        uses: ./.github/actions/setup
      - uses: actions/setup-node@v4
        with:
-          node-version-file: website/package.json
+          node-version-file: lifecycle/aws/package.json
          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
+          cache-dependency-path: lifecycle/aws/package-lock.json
+      - working-directory: lifecycle/aws/
        run: |
          npm ci
      - name: Check changes have been applied
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@ -0,0 +1,28 @@
+---
+name: authentik-ci-main-daily
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Every night at 3am
+    - cron: "0 3 * * *"
+
+jobs:
+  test-container:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+          - docs
+          - version-2024-12
+          - version-2024-10
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          current="$(pwd)"
+          dir="/tmp/authentik/${{ matrix.version }}"
+          mkdir -p $dir
+          cd $dir
+          wget https://${{ matrix.version }}.goauthentik.io/docker-compose.yml
+          ${current}/scripts/test_docker.sh
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -43,15 +43,26 @@ jobs:
        uses: ./.github/actions/setup
      - name: run migrations
        run: poetry run python -m lifecycle.migrate
-  test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }}
+  test-make-seed:
    runs-on: ubuntu-latest
+    steps:
+      - id: seed
+        run: |
+          echo "seed=$(printf "%d\n" "0x$(openssl rand -hex 4)")" >> "$GITHUB_OUTPUT"
+    outputs:
+      seed: ${{ steps.seed.outputs.seed }}
+  test-migrations-from-stable:
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    needs: test-make-seed
    strategy:
      fail-fast: false
      matrix:
        psql:
          - 15-alpine
          - 16-alpine
+        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
        with:
@ -93,18 +104,23 @@ jobs:
        env:
          # Test in the main database that we just migrated from the previous stable version
          AUTHENTIK_POSTGRESQL__TEST__NAME: authentik
+          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
+          CI_RUN_ID: ${{ matrix.run_id }}
+          CI_TOTAL_RUNS: "5"
        run: |
-          poetry run make test
+          poetry run make ci-test
  test-unittest:
-    name: test-unittest - PostgreSQL ${{ matrix.psql }}
+    name: test-unittest - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
    runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 20
+    needs: test-make-seed
    strategy:
      fail-fast: false
      matrix:
        psql:
          - 15-alpine
          - 16-alpine
+        run_id: [1, 2, 3, 4, 5]
    steps:
      - uses: actions/checkout@v4
      - name: Setup authentik env
@ -112,9 +128,12 @@ jobs:
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: run unittest
+        env:
+          CI_TEST_SEED: ${{ needs.test-make-seed.outputs.seed }}
+          CI_RUN_ID: ${{ matrix.run_id }}
+          CI_TOTAL_RUNS: "5"
        run: |
-          poetry run make test
-          poetry run coverage xml
+          poetry run make ci-test
      - if: ${{ always() }}
        uses: codecov/codecov-action@v5
        with:
@ -223,68 +242,18 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  build:
-    strategy:
-      fail-fast: false
-      matrix:
-        arch:
-          - amd64
-          - arm64
-    needs: ci-core-mark
-    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
-    timeout-minutes: 120
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/dev-server
-          image-arch: ${{ matrix.arch }}
-      - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: generate ts client
-        run: make gen-client-ts
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
-          build-args: |
-            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
-          platforms: linux/${{ matrix.arch }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+    needs: ci-core-mark
+    uses: ./.github/workflows/_reusable-docker-build.yaml
+    secrets: inherit
+    with:
+      image_name: ghcr.io/goauthentik/dev-server
+      release: false
  pr-comment:
    needs:
      - build
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -72,7 +72,7 @@ jobs:
          - rac
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
@ -82,7 +82,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
+        uses: docker/setup-qemu-action@v3.4.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -7,64 +7,23 @@ on:

 jobs:
  build-server:
-    runs-on: ubuntu-latest
+    uses: ./.github/workflows/_reusable-docker-build.yaml
+    secrets: inherit
    permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ghcr.io/goauthentik/server,beryju/authentik
-      - name: Docker Login Registry
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
-        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          push: true
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          build-args: |
-            VERSION=${{ github.ref }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          platforms: linux/amd64,linux/arm64
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+    with:
+      image_name: ghcr.io/goauthentik/server,beryju/authentik
+      release: true
+      registry_dockerhub: true
+      registry_ghcr: true
  build-outpost:
    runs-on: ubuntu-latest
    permissions:
-      # Needed to upload contianer images to ghcr.io
+      # Needed to upload container images to ghcr.io
      packages: write
      # Needed for attestation
      id-token: write
@ -83,7 +42,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
+        uses: docker/setup-qemu-action@v3.4.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
@ -188,8 +147,8 @@ jobs:
          aws-region: ${{ env.AWS_REGION }}
      - name: Upload template
        run: |
-          aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
+          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
+          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
  test-release:
    needs:
      - build-server
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -14,16 +14,7 @@ jobs:
      - uses: actions/checkout@v4
      - name: Pre-release test
        run: |
-          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
-          echo "AUTHENTIK_SECRET_KEY=$(openssl rand 32 | base64 -w 0)" >> .env
-          docker buildx install
-          mkdir -p ./gen-ts-api
-          docker build -t testing:latest .
-          echo "AUTHENTIK_IMAGE=testing" >> .env
-          echo "AUTHENTIK_TAG=latest" >> .env
-          docker compose up --no-start
-          docker compose start postgresql redis
-          docker compose run -u root server test-all
+          make test-docker
      - id: generate_token
        uses: tibdex/github-app-token@v2
        with:
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@ -1,8 +1,8 @@
-name: 'authentik-repo-stale'
+name: "authentik-repo-stale"

 on:
  schedule:
-    - cron: '30 1 * * *'
+    - cron: "30 1 * * *"
  workflow_dispatch:

 permissions:
@ -25,7 +25,7 @@ jobs:
          days-before-stale: 60
          days-before-close: 7
          exempt-issue-labels: pinned,security,pr_wanted,enhancement,bug/confirmed,enhancement/confirmed,question,status/reviewing
-          stale-issue-label: wontfix
+          stale-issue-label: status/stale
          stale-issue-message: >
            This issue has been automatically marked as stale because it has not had
            recent activity. It will be closed if no further activity occurs. Thank you
--- a/.gitignore
+++ b/.gitignore
@ -209,3 +209,6 @@ source_docs/

 ### Golang ###
 /vendor/
+
+### Docker ###
+docker-compose.override.yml
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -2,6 +2,7 @@
    "recommendations": [
        "bashmish.es6-string-css",
        "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
+        "charliermarsh.ruff",
        "dbaeumer.vscode-eslint",
        "EditorConfig.EditorConfig",
        "esbenp.prettier-vscode",
@ -10,12 +11,12 @@
        "Gruntfuggly.todo-tree",
        "mechatroner.rainbow-csv",
        "ms-python.black-formatter",
-        "charliermarsh.ruff",
+        "ms-python.black-formatter",
+        "ms-python.debugpy",
        "ms-python.python",
        "ms-python.vscode-pylance",
-        "ms-python.black-formatter",
        "redhat.vscode-yaml",
        "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx"
+        "unifiedjs.vscode-mdx",
    ]
 }
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@ -2,26 +2,76 @@
    "version": "0.2.0",
    "configurations": [
        {
-            "name": "Python: PDB attach Server",
-            "type": "python",
+            "name": "Debug: Attach Server Core",
+            "type": "debugpy",
            "request": "attach",
            "connect": {
                "host": "localhost",
-                "port": 6800
+                "port": 9901
            },
-            "justMyCode": true,
+            "pathMappings": [
+                {
+                    "localRoot": "${workspaceFolder}",
+                    "remoteRoot": "."
+                }
+            ],
            "django": true
        },
        {
-            "name": "Python: PDB attach Worker",
-            "type": "python",
+            "name": "Debug: Attach Worker",
+            "type": "debugpy",
            "request": "attach",
            "connect": {
                "host": "localhost",
-                "port": 6900
+                "port": 9901
            },
-            "justMyCode": true,
+            "pathMappings": [
+                {
+                    "localRoot": "${workspaceFolder}",
+                    "remoteRoot": "."
+                }
+            ],
            "django": true
+        },
+        {
+            "name": "Debug: Start Server Router",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/server",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start LDAP Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/ldap",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start Proxy Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/proxy",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start RAC Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/rac",
+            "cwd": "${workspaceFolder}"
+        },
+        {
+            "name": "Debug: Start Radius Outpost",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/radius",
+            "cwd": "${workspaceFolder}"
        }
    ]
 }
--- a/1
+++ b/1
@ -15,6 +15,7 @@ go.mod                          @goauthentik/backend
 go.sum                          @goauthentik/backend
 # Infrastructure
 .github/                        @goauthentik/infrastructure
+lifecycle/aws/                  @goauthentik/infrastructure
 Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure
--- a/34
+++ b/34
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS python-deps

 ARG TARGETARCH
 ARG TARGETVARIANT
@ -116,15 +116,30 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
    --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
    --mount=type=cache,target=/root/.cache/pip \
    --mount=type=cache,target=/root/.cache/pypoetry \
+    pip install --no-cache cffi && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends \
+        build-essential libffi-dev \
+        # Required for cryptography
+        curl pkg-config \
+        # Required for lxml
+        libxslt-dev zlib1g-dev \
+        # Required for xmlsec
+        libltdl-dev \
+        # Required for kadmin
+        sccache clang && \
+    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
+    . "$HOME/.cargo/env" && \
    python -m venv /ak-root/venv/ && \
    bash -c "source ${VENV_PATH}/bin/activate && \
-    pip3 install --upgrade pip && \
-    pip3 install poetry && \
+    pip3 install --upgrade pip poetry && \
+    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
    poetry install --only=main --no-ansi --no-interaction --no-root && \
-    pip install --force-reinstall /wheels/*"
+    pip uninstall cryptography -y && \
+    poetry install --only=main --no-ansi --no-interaction --no-root"

 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.8-slim-bookworm-fips AS final-image

 ARG VERSION
 ARG GIT_BUILD_HASH
@ -140,10 +155,12 @@ WORKDIR /

 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
+    apt-get upgrade -y && \
    # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
+    pip3 install --no-cache-dir --upgrade pip && \
    apt-get clean && \
    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
@ -176,9 +193,8 @@ ENV TMPDIR=/dev/shm/ \
    PYTHONUNBUFFERED=1 \
    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
    VENV_PATH="/ak-root/venv" \
-    POETRY_VIRTUALENVS_CREATE=false
-
-ENV GOFIPS=1
+    POETRY_VIRTUALENVS_CREATE=false \
+    GOFIPS=1

 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]

--- a/40
+++ b/40
@ -5,7 +5,9 @@ PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
-PY_SOURCES = authentik tests scripts lifecycle .github website/docs/install-config/install/aws
+PY_SOURCES = authentik tests scripts lifecycle .github
+GO_SOURCES = cmd internal
+WEB_SOURCES = web/src web/packages
 DOCKER_IMAGE ?= "authentik:test"

 GEN_API_TS = "gen-ts-api"
@ -19,11 +21,12 @@ pg_name := $(shell python -m authentik.lib.config postgresql.name 2>/dev/null)
 CODESPELL_ARGS = -D - -D .github/codespell-dictionary.txt \
 		-I .github/codespell-words.txt \
 		-S 'web/src/locales/**' \
-		-S 'website/docs/developer-docs/api/reference/**' \
-		authentik \
-		internal \
-		cmd \
-		web/src \
+		-S 'website/developer-docs/api/reference/**' \
+		-S '**/node_modules/**' \
+		-S '**/dist/**' \
+		$(PY_SOURCES) \
+		$(GO_SOURCES) \
+		$(WEB_SOURCES) \
 		website/src \
 		website/blog \
 		website/docs \
@ -45,15 +48,6 @@ help:  ## Show this help
 go-test:
 	go test -timeout 0 -v -race -cover ./...

-test-docker:  ## Run all tests in a docker-compose
-	echo "PG_PASS=$(shell openssl rand 32 | base64 -w 0)" >> .env
-	echo "AUTHENTIK_SECRET_KEY=$(shell openssl rand 32 | base64 -w 0)" >> .env
-	docker compose pull -q
-	docker compose up --no-start
-	docker compose start postgresql redis
-	docker compose run -u root server test-all
-	rm -f .env
-
 test: ## Run the server tests and produce a coverage report (locally)
 	coverage run manage.py test --keepdb authentik
 	coverage html
@ -78,6 +72,9 @@ migrate: ## Run the Authentik Django server's migrations

 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service

+aws-cfn:
+	cd lifecycle/aws && npm run aws-cfn
+
 core-i18n-extract:
 	ak makemessages \
 		--add-location file \
@ -149,7 +146,7 @@ gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescri
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		docker.io/openapitools/openapi-generator-cli:v6.5.0 generate \
+		docker.io/openapitools/openapi-generator-cli:v7.11.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/${GEN_API_TS} \
@ -252,9 +249,6 @@ website-build:
 website-watch:  ## Build and watch the documentation website, updating automatically
 	cd website && npm run watch

-aws-cfn:
-	cd website && npm run aws-cfn
-
 #########################
 ## Docker
 #########################
@ -263,6 +257,9 @@ docker:  ## Build a docker image of the current source tree
 	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . --progress plain --tag ${DOCKER_IMAGE}

+test-docker:
+	BUILD=true ./scripts/test_docker.sh
+
 #########################
 ## CI
 #########################
@ -287,3 +284,8 @@ ci-bandit: ci--meta-debug

 ci-pending-migrations: ci--meta-debug
 	ak makemigrations --check
+
+ci-test: ci--meta-debug
+	coverage run manage.py test --keepdb --randomly-seed ${CI_TEST_SEED} authentik
+	coverage report
+	coverage xml
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.12.2"
+__version__ = "2024.12.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -51,6 +51,7 @@ from authentik.enterprise.providers.microsoft_entra.models import (
    MicrosoftEntraProviderUser,
 )
 from authentik.enterprise.providers.rac.models import ConnectionToken
+from authentik.enterprise.providers.ssf.models import StreamEvent
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
    EndpointDevice,
    EndpointDeviceConnection,
@ -131,6 +132,7 @@ def excluded_models() -> list[type[Model]]:
        EndpointDevice,
        EndpointDeviceConnection,
        DeviceToken,
+        StreamEvent,
    )


--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@ -3,6 +3,7 @@
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
+from guardian.shortcuts import get_objects_for_user
 from rest_framework.fields import (
    BooleanField,
    CharField,
@ -16,7 +17,6 @@ from rest_framework.viewsets import ViewSet

 from authentik.core.api.utils import MetaNameSerializer
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
-from authentik.rbac.decorators import permission_required
 from authentik.stages.authenticator import device_classes, devices_for_user
 from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
@ -73,7 +73,9 @@ class AdminDeviceViewSet(ViewSet):
    def get_devices(self, **kwargs):
        """Get all devices in all child classes"""
        for model in device_classes():
-            device_set = model.objects.filter(**kwargs)
+            device_set = get_objects_for_user(
+                self.request.user, f"{model._meta.app_label}.view_{model._meta.model_name}", model
+            ).filter(**kwargs)
            yield from device_set

    @extend_schema(
@ -86,10 +88,6 @@ class AdminDeviceViewSet(ViewSet):
        ],
        responses={200: DeviceSerializer(many=True)},
    )
-    @permission_required(
-        None,
-        [f"{model._meta.app_label}.view_{model._meta.model_name}" for model in device_classes()],
-    )
    def list(self, request: Request) -> Response:
        """Get all devices for current user"""
        kwargs = {}
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -85,7 +85,7 @@ class SourceViewSet(
    serializer_class = SourceSerializer
    lookup_field = "slug"
    search_fields = ["slug", "name"]
-    filterset_fields = ["slug", "name", "managed"]
+    filterset_fields = ["slug", "name", "managed", "pbm_uuid"]

    def get_queryset(self):  # pragma: no cover
        return Source.objects.select_subclasses()
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -236,9 +236,11 @@ class UserSerializer(ModelSerializer):
            "path",
            "type",
            "uuid",
+            "password_change_date",
        ]
        extra_kwargs = {
            "name": {"allow_blank": True},
+            "password_change_date": {"read_only": True},
        }


@ -427,7 +429,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    queryset = User.objects.none()
    ordering = ["username"]
    serializer_class = UserSerializer
-    search_fields = ["username", "name", "is_active", "email", "uuid"]
+    search_fields = ["username", "name", "is_active", "email", "uuid", "attributes"]
    filterset_class = UsersFilter

    def get_queryset(self):
--- a/authentik/core/management/commands/dev_server.py
+++ b/authentik/core/management/commands/dev_server.py
@ -5,6 +5,7 @@ from typing import TextIO
 from daphne.management.commands.runserver import Command as RunServer
 from daphne.server import Server

+from authentik.lib.debug import start_debug_server
 from authentik.root.signals import post_startup, pre_startup, startup


@ -13,6 +14,7 @@ class SignalServer(Server):

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
+        start_debug_server()

        def ready_callable():
            pre_startup.send(sender=self)
--- a/authentik/core/management/commands/worker.py
+++ b/authentik/core/management/commands/worker.py
@ -9,6 +9,7 @@ from django.db import close_old_connections
 from structlog.stdlib import get_logger

 from authentik.lib.config import CONFIG
+from authentik.lib.debug import start_debug_server
 from authentik.root.celery import CELERY_APP

 LOGGER = get_logger()
@ -28,10 +29,7 @@ class Command(BaseCommand):
    def handle(self, **options):
        LOGGER.debug("Celery options", **options)
        close_old_connections()
-        if CONFIG.get_bool("remote_debug"):
-            import debugpy
-
-            debugpy.listen(("0.0.0.0", 6900))  # nosec
+        start_debug_server()
        worker: Worker = CELERY_APP.Worker(
            no_color=False,
            quiet=True,
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -599,6 +599,14 @@ class Application(SerializerModel, PolicyBindingModel):
            return None
        return candidates[-1]

+    def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
+        """Get Backchannel provider for a specific type"""
+        providers = self.backchannel_providers.filter(
+            **{f"{provider_type._meta.model_name}__isnull": False},
+            **kwargs,
+        )
+        return getattr(providers.first(), provider_type._meta.model_name)
+
    def __str__(self):
        return str(self.name)

--- a/authentik/enterprise/providers/ssf/init.py
+++ b/authentik/enterprise/providers/ssf/init.py
--- a/authentik/enterprise/providers/ssf/api/init.py
+++ b/authentik/enterprise/providers/ssf/api/init.py
--- a/authentik/enterprise/providers/ssf/api/providers.py
+++ b/authentik/enterprise/providers/ssf/api/providers.py
@ -0,0 +1,64 @@
+"""SSF Provider API Views"""
+
+from django.urls import reverse
+from rest_framework.fields import SerializerMethodField
+from rest_framework.request import Request
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.providers import ProviderSerializer
+from authentik.core.api.tokens import TokenSerializer
+from authentik.core.api.used_by import UsedByMixin
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.providers.ssf.models import SSFProvider
+
+
+class SSFProviderSerializer(EnterpriseRequiredMixin, ProviderSerializer):
+    """SSFProvider Serializer"""
+
+    ssf_url = SerializerMethodField()
+    token_obj = TokenSerializer(source="token", required=False, read_only=True)
+
+    def get_ssf_url(self, instance: SSFProvider) -> str | None:
+        request: Request = self._context.get("request")
+        if not request:
+            return None
+        if not instance.backchannel_application:
+            return None
+        return request.build_absolute_uri(
+            reverse(
+                "authentik_providers_ssf:configuration",
+                kwargs={
+                    "application_slug": instance.backchannel_application.slug,
+                },
+            )
+        )
+
+    class Meta:
+        model = SSFProvider
+        fields = [
+            "pk",
+            "name",
+            "component",
+            "verbose_name",
+            "verbose_name_plural",
+            "meta_model_name",
+            "signing_key",
+            "token_obj",
+            "oidc_auth_providers",
+            "ssf_url",
+            "event_retention",
+        ]
+        extra_kwargs = {}
+
+
+class SSFProviderViewSet(UsedByMixin, ModelViewSet):
+    """SSFProvider Viewset"""
+
+    queryset = SSFProvider.objects.all()
+    serializer_class = SSFProviderSerializer
+    filterset_fields = {
+        "application": ["isnull"],
+        "name": ["iexact"],
+    }
+    search_fields = ["name"]
+    ordering = ["name"]
--- a/authentik/enterprise/providers/ssf/api/streams.py
+++ b/authentik/enterprise/providers/ssf/api/streams.py
@ -0,0 +1,37 @@
+"""SSF Stream API Views"""
+
+from rest_framework.viewsets import ReadOnlyModelViewSet
+
+from authentik.core.api.utils import ModelSerializer
+from authentik.enterprise.providers.ssf.api.providers import SSFProviderSerializer
+from authentik.enterprise.providers.ssf.models import Stream
+
+
+class SSFStreamSerializer(ModelSerializer):
+    """SSFStream Serializer"""
+
+    provider_obj = SSFProviderSerializer(source="provider", read_only=True)
+
+    class Meta:
+        model = Stream
+        fields = [
+            "pk",
+            "provider",
+            "provider_obj",
+            "delivery_method",
+            "endpoint_url",
+            "events_requested",
+            "format",
+            "aud",
+            "iss",
+        ]
+
+
+class SSFStreamViewSet(ReadOnlyModelViewSet):
+    """SSFStream Viewset"""
+
+    queryset = Stream.objects.all()
+    serializer_class = SSFStreamSerializer
+    filterset_fields = ["provider", "endpoint_url", "delivery_method"]
+    search_fields = ["provider__name", "endpoint_url"]
+    ordering = ["provider", "uuid"]
--- a/authentik/enterprise/providers/ssf/apps.py
+++ b/authentik/enterprise/providers/ssf/apps.py
@ -0,0 +1,13 @@
+"""SSF app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseProviderSSF(EnterpriseConfig):
+    """authentik enterprise ssf app config"""
+
+    name = "authentik.enterprise.providers.ssf"
+    label = "authentik_providers_ssf"
+    verbose_name = "authentik Enterprise.Providers.SSF"
+    default = True
+    mountpoint = ""
--- a/authentik/enterprise/providers/ssf/migrations/0001_initial.py
+++ b/authentik/enterprise/providers/ssf/migrations/0001_initial.py
@ -0,0 +1,201 @@
+# Generated by Django 5.0.11 on 2025-02-05 16:20
+
+import authentik.lib.utils.time
+import django.contrib.postgres.fields
+import django.db.models.deletion
+import uuid
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
+        ("authentik_crypto", "0004_alter_certificatekeypair_name"),
+        ("authentik_providers_oauth2", "0027_accesstoken_authentik_p_expires_9f24a5_idx_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SSFProvider",
+            fields=[
+                (
+                    "provider_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_core.provider",
+                    ),
+                ),
+                (
+                    "event_retention",
+                    models.TextField(
+                        default="days=30",
+                        validators=[authentik.lib.utils.time.timedelta_string_validator],
+                    ),
+                ),
+                (
+                    "oidc_auth_providers",
+                    models.ManyToManyField(
+                        blank=True, default=None, to="authentik_providers_oauth2.oauth2provider"
+                    ),
+                ),
+                (
+                    "signing_key",
+                    models.ForeignKey(
+                        help_text="Key used to sign the SSF Events.",
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_crypto.certificatekeypair",
+                        verbose_name="Signing Key",
+                    ),
+                ),
+                (
+                    "token",
+                    models.ForeignKey(
+                        default=None,
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_core.token",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Shared Signals Framework Provider",
+                "verbose_name_plural": "Shared Signals Framework Providers",
+                "permissions": [("add_stream", "Add stream to SSF provider")],
+            },
+            bases=("authentik_core.provider",),
+        ),
+        migrations.CreateModel(
+            name="Stream",
+            fields=[
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
+                    ),
+                ),
+                (
+                    "delivery_method",
+                    models.TextField(
+                        choices=[
+                            (
+                                "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                                "Risc Push",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/risc/delivery-method/poll",
+                                "Risc Poll",
+                            ),
+                        ]
+                    ),
+                ),
+                ("endpoint_url", models.TextField(null=True)),
+                (
+                    "events_requested",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.TextField(
+                            choices=[
+                                (
+                                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                                    "Caep Session Revoked",
+                                ),
+                                (
+                                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                                    "Caep Credential Change",
+                                ),
+                                (
+                                    "https://schemas.openid.net/secevent/ssf/event-type/verification",
+                                    "Set Verification",
+                                ),
+                            ]
+                        ),
+                        default=list,
+                        size=None,
+                    ),
+                ),
+                ("format", models.TextField()),
+                (
+                    "aud",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.TextField(), default=list, size=None
+                    ),
+                ),
+                ("iss", models.TextField()),
+                (
+                    "provider",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_ssf.ssfprovider",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SSF Stream",
+                "verbose_name_plural": "SSF Streams",
+                "default_permissions": ["change", "delete", "view"],
+            },
+        ),
+        migrations.CreateModel(
+            name="StreamEvent",
+            fields=[
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                ("expires", models.DateTimeField(default=None, null=True)),
+                ("expiring", models.BooleanField(default=True)),
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4, editable=False, primary_key=True, serialize=False
+                    ),
+                ),
+                (
+                    "status",
+                    models.TextField(
+                        choices=[
+                            ("pending_new", "Pending New"),
+                            ("pending_failed", "Pending Failed"),
+                            ("sent", "Sent"),
+                        ]
+                    ),
+                ),
+                (
+                    "type",
+                    models.TextField(
+                        choices=[
+                            (
+                                "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                                "Caep Session Revoked",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                                "Caep Credential Change",
+                            ),
+                            (
+                                "https://schemas.openid.net/secevent/ssf/event-type/verification",
+                                "Set Verification",
+                            ),
+                        ]
+                    ),
+                ),
+                ("payload", models.JSONField(default=dict)),
+                (
+                    "stream",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to="authentik_providers_ssf.stream",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SSF Stream Event",
+                "verbose_name_plural": "SSF Stream Events",
+                "ordering": ("-created",),
+            },
+        ),
+    ]
--- a/authentik/enterprise/providers/ssf/migrations/init.py
+++ b/authentik/enterprise/providers/ssf/migrations/init.py
--- a/authentik/enterprise/providers/ssf/models.py
+++ b/authentik/enterprise/providers/ssf/models.py
@ -0,0 +1,178 @@
+from datetime import datetime
+from functools import cached_property
+from uuid import uuid4
+
+from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
+from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes
+from django.contrib.postgres.fields import ArrayField
+from django.db import models
+from django.templatetags.static import static
+from django.utils.timezone import now
+from django.utils.translation import gettext_lazy as _
+from jwt import encode
+
+from authentik.core.models import BackchannelProvider, ExpiringModel, Token
+from authentik.crypto.models import CertificateKeyPair
+from authentik.lib.models import CreatedUpdatedModel
+from authentik.lib.utils.time import timedelta_from_string, timedelta_string_validator
+from authentik.providers.oauth2.models import JWTAlgorithms, OAuth2Provider
+
+
+class EventTypes(models.TextChoices):
+    """SSF Event types supported by authentik"""
+
+    CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
+    CAEP_CREDENTIAL_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/credential-change"
+    SET_VERIFICATION = "https://schemas.openid.net/secevent/ssf/event-type/verification"
+
+
+class DeliveryMethods(models.TextChoices):
+    """SSF Delivery methods"""
+
+    RISC_PUSH = "https://schemas.openid.net/secevent/risc/delivery-method/push"
+    RISC_POLL = "https://schemas.openid.net/secevent/risc/delivery-method/poll"
+
+
+class SSFEventStatus(models.TextChoices):
+    """SSF Event status"""
+
+    PENDING_NEW = "pending_new"
+    PENDING_FAILED = "pending_failed"
+    SENT = "sent"
+
+
+class SSFProvider(BackchannelProvider):
+    """Shared Signals Framework provider to allow applications to
+    receive user events from authentik."""
+
+    signing_key = models.ForeignKey(
+        CertificateKeyPair,
+        verbose_name=_("Signing Key"),
+        on_delete=models.CASCADE,
+        help_text=_("Key used to sign the SSF Events."),
+    )
+
+    oidc_auth_providers = models.ManyToManyField(OAuth2Provider, blank=True, default=None)
+
+    token = models.ForeignKey(Token, on_delete=models.CASCADE, null=True, default=None)
+
+    event_retention = models.TextField(
+        default="days=30",
+        validators=[timedelta_string_validator],
+    )
+
+    @cached_property
+    def jwt_key(self) -> tuple[PrivateKeyTypes, str]:
+        """Get either the configured certificate or the client secret"""
+        key: CertificateKeyPair = self.signing_key
+        private_key = key.private_key
+        if isinstance(private_key, RSAPrivateKey):
+            return private_key, JWTAlgorithms.RS256
+        if isinstance(private_key, EllipticCurvePrivateKey):
+            return private_key, JWTAlgorithms.ES256
+        raise ValueError(f"Invalid private key type: {type(private_key)}")
+
+    @property
+    def service_account_identifier(self) -> str:
+        return f"ak-providers-ssf-{self.pk}"
+
+    @property
+    def serializer(self):
+        from authentik.enterprise.providers.ssf.api.providers import SSFProviderSerializer
+
+        return SSFProviderSerializer
+
+    @property
+    def icon_url(self) -> str | None:
+        return static("authentik/sources/ssf.svg")
+
+    @property
+    def component(self) -> str:
+        return "ak-provider-ssf-form"
+
+    class Meta:
+        verbose_name = _("Shared Signals Framework Provider")
+        verbose_name_plural = _("Shared Signals Framework Providers")
+        permissions = [
+            # This overrides the default "add_stream" permission of the Stream object,
+            # as the user requesting to add a stream must have the permission on the provider
+            ("add_stream", _("Add stream to SSF provider")),
+        ]
+
+
+class Stream(models.Model):
+    """SSF Stream"""
+
+    uuid = models.UUIDField(default=uuid4, primary_key=True, editable=False)
+    provider = models.ForeignKey(SSFProvider, on_delete=models.CASCADE)
+
+    delivery_method = models.TextField(choices=DeliveryMethods.choices)
+    endpoint_url = models.TextField(null=True)
+
+    events_requested = ArrayField(models.TextField(choices=EventTypes.choices), default=list)
+    format = models.TextField()
+    aud = ArrayField(models.TextField(), default=list)
+
+    iss = models.TextField()
+
+    class Meta:
+        verbose_name = _("SSF Stream")
+        verbose_name_plural = _("SSF Streams")
+        default_permissions = ["change", "delete", "view"]
+
+    def __str__(self) -> str:
+        return "SSF Stream"
+
+    def prepare_event_payload(self, type: EventTypes, event_data: dict, **kwargs) -> dict:
+        jti = uuid4()
+        _now = now()
+        return {
+            "uuid": jti,
+            "stream_id": str(self.pk),
+            "type": type,
+            "expiring": True,
+            "status": SSFEventStatus.PENDING_NEW,
+            "expires": _now + timedelta_from_string(self.provider.event_retention),
+            "payload": {
+                "jti": jti.hex,
+                "aud": self.aud,
+                "iat": int(datetime.now().timestamp()),
+                "iss": self.iss,
+                "events": {type: event_data},
+                **kwargs,
+            },
+        }
+
+    def encode(self, data: dict) -> str:
+        headers = {}
+        if self.provider.signing_key:
+            headers["kid"] = self.provider.signing_key.kid
+        key, alg = self.provider.jwt_key
+        return encode(data, key, algorithm=alg, headers=headers)
+
+
+class StreamEvent(CreatedUpdatedModel, ExpiringModel):
+    """Single stream event to be sent"""
+
+    uuid = models.UUIDField(default=uuid4, primary_key=True, editable=False)
+
+    stream = models.ForeignKey(Stream, on_delete=models.CASCADE)
+    status = models.TextField(choices=SSFEventStatus.choices)
+
+    type = models.TextField(choices=EventTypes.choices)
+    payload = models.JSONField(default=dict)
+
+    def expire_action(self, *args, **kwargs):
+        """Only allow automatic cleanup of successfully sent event"""
+        if self.status != SSFEventStatus.SENT:
+            return
+        return super().expire_action(*args, **kwargs)
+
+    def __str__(self):
+        return f"Stream event {self.type}"
+
+    class Meta:
+        verbose_name = _("SSF Stream Event")
+        verbose_name_plural = _("SSF Stream Events")
+        ordering = ("-created",)
--- a/authentik/enterprise/providers/ssf/signals.py
+++ b/authentik/enterprise/providers/ssf/signals.py
@ -0,0 +1,193 @@
+from hashlib import sha256
+
+from django.contrib.auth.signals import user_logged_out
+from django.db.models import Model
+from django.db.models.signals import post_delete, post_save, pre_delete
+from django.dispatch import receiver
+from django.http.request import HttpRequest
+from guardian.shortcuts import assign_perm
+
+from authentik.core.models import (
+    USER_PATH_SYSTEM_PREFIX,
+    AuthenticatedSession,
+    Token,
+    TokenIntents,
+    User,
+    UserTypes,
+)
+from authentik.core.signals import password_changed
+from authentik.enterprise.providers.ssf.models import (
+    EventTypes,
+    SSFProvider,
+)
+from authentik.enterprise.providers.ssf.tasks import send_ssf_event
+from authentik.events.middleware import audit_ignore
+from authentik.stages.authenticator.models import Device
+from authentik.stages.authenticator_duo.models import DuoDevice
+from authentik.stages.authenticator_static.models import StaticDevice
+from authentik.stages.authenticator_totp.models import TOTPDevice
+from authentik.stages.authenticator_webauthn.models import (
+    UNKNOWN_DEVICE_TYPE_AAGUID,
+    WebAuthnDevice,
+)
+
+USER_PATH_PROVIDERS_SSF = USER_PATH_SYSTEM_PREFIX + "/providers/ssf"
+
+
+@receiver(post_save, sender=SSFProvider)
+def ssf_providers_post_save(sender: type[Model], instance: SSFProvider, created: bool, **_):
+    """Create service account before provider is saved"""
+    identifier = instance.service_account_identifier
+    user, _ = User.objects.update_or_create(
+        username=identifier,
+        defaults={
+            "name": f"SSF Provider {instance.name} Service-Account",
+            "type": UserTypes.INTERNAL_SERVICE_ACCOUNT,
+            "path": USER_PATH_PROVIDERS_SSF,
+        },
+    )
+    assign_perm("add_stream", user, instance)
+    token, token_created = Token.objects.update_or_create(
+        identifier=identifier,
+        defaults={
+            "user": user,
+            "intent": TokenIntents.INTENT_API,
+            "expiring": False,
+            "managed": f"goauthentik.io/providers/ssf/{instance.pk}",
+        },
+    )
+    if created or token_created:
+        with audit_ignore():
+            instance.token = token
+            instance.save()
+
+
+@receiver(user_logged_out)
+def ssf_user_logged_out_session_revoked(sender, request: HttpRequest, user: User, **_):
+    """Session revoked trigger (user logged out)"""
+    if not request.session or not request.session.session_key or not user:
+        return
+    send_ssf_event(
+        EventTypes.CAEP_SESSION_REVOKED,
+        {
+            "initiating_entity": "user",
+        },
+        sub_id={
+            "format": "complex",
+            "session": {
+                "format": "opaque",
+                "id": sha256(request.session.session_key.encode("ascii")).hexdigest(),
+            },
+            "user": {
+                "format": "email",
+                "email": user.email,
+            },
+        },
+        request=request,
+    )
+
+
+@receiver(pre_delete, sender=AuthenticatedSession)
+def ssf_user_session_delete_session_revoked(sender, instance: AuthenticatedSession, **_):
+    """Session revoked trigger (users' session has been deleted)
+
+    As this signal is also triggered with a regular logout, we can't be sure
+    if the session has been deleted by an admin or by the user themselves."""
+    send_ssf_event(
+        EventTypes.CAEP_SESSION_REVOKED,
+        {
+            "initiating_entity": "user",
+        },
+        sub_id={
+            "format": "complex",
+            "session": {
+                "format": "opaque",
+                "id": sha256(instance.session_key.encode("ascii")).hexdigest(),
+            },
+            "user": {
+                "format": "email",
+                "email": instance.user.email,
+            },
+        },
+    )
+
+
+@receiver(password_changed)
+def ssf_password_changed_cred_change(sender, user: User, password: str | None, **_):
+    """Credential change trigger (password changed)"""
+    send_ssf_event(
+        EventTypes.CAEP_CREDENTIAL_CHANGE,
+        {
+            "credential_type": "password",
+            "change_type": "revoke" if password is None else "update",
+        },
+        sub_id={
+            "format": "complex",
+            "user": {
+                "format": "email",
+                "email": user.email,
+            },
+        },
+    )
+
+
+device_type_map = {
+    StaticDevice: "pin",
+    TOTPDevice: "pin",
+    WebAuthnDevice: "fido-u2f",
+    DuoDevice: "app",
+}
+
+
+@receiver(post_save)
+def ssf_device_post_save(sender: type[Model], instance: Device, created: bool, **_):
+    if not isinstance(instance, Device):
+        return
+    if not instance.confirmed:
+        return
+    device_type = device_type_map.get(instance.__class__)
+    data = {
+        "credential_type": device_type,
+        "change_type": "create" if created else "update",
+        "friendly_name": instance.name,
+    }
+    if isinstance(instance, WebAuthnDevice) and instance.aaguid != UNKNOWN_DEVICE_TYPE_AAGUID:
+        data["fido2_aaguid"] = instance.aaguid
+    send_ssf_event(
+        EventTypes.CAEP_CREDENTIAL_CHANGE,
+        data,
+        sub_id={
+            "format": "complex",
+            "user": {
+                "format": "email",
+                "email": instance.user.email,
+            },
+        },
+    )
+
+
+@receiver(post_delete)
+def ssf_device_post_delete(sender: type[Model], instance: Device, **_):
+    if not isinstance(instance, Device):
+        return
+    if not instance.confirmed:
+        return
+    device_type = device_type_map.get(instance.__class__)
+    data = {
+        "credential_type": device_type,
+        "change_type": "delete",
+        "friendly_name": instance.name,
+    }
+    if isinstance(instance, WebAuthnDevice) and instance.aaguid != UNKNOWN_DEVICE_TYPE_AAGUID:
+        data["fido2_aaguid"] = instance.aaguid
+    send_ssf_event(
+        EventTypes.CAEP_CREDENTIAL_CHANGE,
+        data,
+        sub_id={
+            "format": "complex",
+            "user": {
+                "format": "email",
+                "email": instance.user.email,
+            },
+        },
+    )
--- a/authentik/enterprise/providers/ssf/tasks.py
+++ b/authentik/enterprise/providers/ssf/tasks.py
@ -0,0 +1,136 @@
+from celery import group
+from django.http import HttpRequest
+from django.utils.timezone import now
+from django.utils.translation import gettext_lazy as _
+from requests.exceptions import RequestException
+from structlog.stdlib import get_logger
+
+from authentik.core.models import User
+from authentik.enterprise.providers.ssf.models import (
+    DeliveryMethods,
+    EventTypes,
+    SSFEventStatus,
+    Stream,
+    StreamEvent,
+)
+from authentik.events.logs import LogEvent
+from authentik.events.models import TaskStatus
+from authentik.events.system_tasks import SystemTask
+from authentik.lib.utils.http import get_http_session
+from authentik.lib.utils.time import timedelta_from_string
+from authentik.policies.engine import PolicyEngine
+from authentik.root.celery import CELERY_APP
+
+session = get_http_session()
+LOGGER = get_logger()
+
+
+def send_ssf_event(
+    event_type: EventTypes,
+    data: dict,
+    stream_filter: dict | None = None,
+    request: HttpRequest | None = None,
+    **extra_data,
+):
+    """Wrapper to send an SSF event to multiple streams"""
+    payload = []
+    if not stream_filter:
+        stream_filter = {}
+    stream_filter["events_requested__contains"] = [event_type]
+    if request and hasattr(request, "request_id"):
+        extra_data.setdefault("txn", request.request_id)
+    for stream in Stream.objects.filter(**stream_filter):
+        event_data = stream.prepare_event_payload(event_type, data, **extra_data)
+        payload.append((str(stream.uuid), event_data))
+    return _send_ssf_event.delay(payload)
+
+
+def _check_app_access(stream_uuid: str, event_data: dict) -> bool:
+    """Check if event is related to user and if so, check
+    if the user has access to the application"""
+    stream = Stream.objects.filter(pk=stream_uuid).first()
+    if not stream:
+        return False
+    # `event_data` is a dict version of a StreamEvent
+    sub_id = event_data.get("payload", {}).get("sub_id", {})
+    email = sub_id.get("user", {}).get("email", None)
+    if not email:
+        return True
+    user = User.objects.filter(email=email).first()
+    if not user:
+        return True
+    engine = PolicyEngine(stream.provider.backchannel_application, user)
+    engine.use_cache = False
+    engine.build()
+    return engine.passing
+
+
+@CELERY_APP.task()
+def _send_ssf_event(event_data: list[tuple[str, dict]]):
+    tasks = []
+    for stream, data in event_data:
+        if not _check_app_access(stream, data):
+            continue
+        event = StreamEvent.objects.create(**data)
+        tasks.extend(send_single_ssf_event(stream, str(event.uuid)))
+    main_task = group(*tasks)
+    main_task()
+
+
+def send_single_ssf_event(stream_id: str, evt_id: str):
+    stream = Stream.objects.filter(pk=stream_id).first()
+    if not stream:
+        return
+    event = StreamEvent.objects.filter(pk=evt_id).first()
+    if not event:
+        return
+    if event.status == SSFEventStatus.SENT:
+        return
+    if stream.delivery_method == DeliveryMethods.RISC_PUSH:
+        return [ssf_push_event.si(str(event.pk))]
+    return []
+
+
+@CELERY_APP.task(bind=True, base=SystemTask)
+def ssf_push_event(self: SystemTask, event_id: str):
+    self.save_on_success = False
+    event = StreamEvent.objects.filter(pk=event_id).first()
+    if not event:
+        return
+    self.set_uid(event_id)
+    if event.status == SSFEventStatus.SENT:
+        self.set_status(TaskStatus.SUCCESSFUL)
+        return
+    try:
+        response = session.post(
+            event.stream.endpoint_url,
+            data=event.stream.encode(event.payload),
+            headers={"Content-Type": "application/secevent+jwt", "Accept": "application/json"},
+        )
+        response.raise_for_status()
+        event.status = SSFEventStatus.SENT
+        event.save()
+        self.set_status(TaskStatus.SUCCESSFUL)
+        return
+    except RequestException as exc:
+        LOGGER.warning("Failed to send SSF event", exc=exc)
+        self.set_status(TaskStatus.ERROR)
+        attrs = {}
+        if exc.response:
+            attrs["response"] = {
+                "content": exc.response.text,
+                "status": exc.response.status_code,
+            }
+        self.set_error(
+            exc,
+            LogEvent(
+                _("Failed to send request"),
+                log_level="warning",
+                logger=self.__name__,
+                attributes=attrs,
+            ),
+        )
+        # Re-up the expiry of the stream event
+        event.expires = now() + timedelta_from_string(event.stream.provider.event_retention)
+        event.status = SSFEventStatus.PENDING_FAILED
+        event.save()
--- a/authentik/enterprise/providers/ssf/tests/init.py
+++ b/authentik/enterprise/providers/ssf/tests/init.py
--- a/authentik/enterprise/providers/ssf/tests/test_config.py
+++ b/authentik/enterprise/providers/ssf/tests/test_config.py
@ -0,0 +1,46 @@
+import json
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_cert
+from authentik.enterprise.providers.ssf.models import (
+    SSFProvider,
+)
+from authentik.lib.generators import generate_id
+
+
+class TestConfiguration(APITestCase):
+    def setUp(self):
+        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
+        self.provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+            backchannel_application=self.application,
+        )
+
+    def test_config_fetch(self):
+        """test SSF configuration (unauthenticated)"""
+        res = self.client.get(
+            reverse(
+                "authentik_providers_ssf:configuration",
+                kwargs={"application_slug": self.application.slug},
+            ),
+        )
+        self.assertEqual(res.status_code, 200)
+        content = json.loads(res.content)
+        self.assertEqual(content["spec_version"], "1_0-ID2")
+
+    def test_config_fetch_authenticated(self):
+        """test SSF configuration (authenticated)"""
+        res = self.client.get(
+            reverse(
+                "authentik_providers_ssf:configuration",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 200)
+        content = json.loads(res.content)
+        self.assertEqual(content["spec_version"], "1_0-ID2")
--- a/authentik/enterprise/providers/ssf/tests/test_jwks.py
+++ b/authentik/enterprise/providers/ssf/tests/test_jwks.py
@ -0,0 +1,51 @@
+"""JWKS tests"""
+
+import base64
+import json
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.x509 import load_der_x509_certificate
+from django.test import TestCase
+from django.urls.base import reverse
+from jwt import PyJWKSet
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_cert
+from authentik.enterprise.providers.ssf.models import SSFProvider
+from authentik.lib.generators import generate_id
+
+
+class TestJWKS(TestCase):
+    """Test JWKS view"""
+
+    def test_rs256(self):
+        """Test JWKS request with RS256"""
+        provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
+        app.backchannel_providers.add(provider)
+        response = self.client.get(
+            reverse("authentik_providers_ssf:jwks", kwargs={"application_slug": app.slug})
+        )
+        body = json.loads(response.content.decode())
+        self.assertEqual(len(body["keys"]), 1)
+        PyJWKSet.from_dict(body)
+        key = body["keys"][0]
+        load_der_x509_certificate(base64.b64decode(key["x5c"][0]), default_backend()).public_key()
+
+    def test_es256(self):
+        """Test JWKS request with ES256"""
+        provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
+        app.backchannel_providers.add(provider)
+        response = self.client.get(
+            reverse("authentik_providers_ssf:jwks", kwargs={"application_slug": app.slug})
+        )
+        body = json.loads(response.content.decode())
+        self.assertEqual(len(body["keys"]), 1)
+        PyJWKSet.from_dict(body)
--- a/authentik/enterprise/providers/ssf/tests/test_signals.py
+++ b/authentik/enterprise/providers/ssf/tests/test_signals.py
@ -0,0 +1,168 @@
+from uuid import uuid4
+
+from django.urls import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application, Group
+from authentik.core.tests.utils import (
+    create_test_cert,
+    create_test_user,
+)
+from authentik.enterprise.providers.ssf.models import (
+    EventTypes,
+    SSFEventStatus,
+    SSFProvider,
+    Stream,
+    StreamEvent,
+)
+from authentik.lib.generators import generate_id
+from authentik.policies.models import PolicyBinding
+from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
+
+
+class TestSignals(APITestCase):
+    """Test individual SSF Signals"""
+
+    def setUp(self):
+        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
+        self.provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+            backchannel_application=self.application,
+        )
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 201, res.content)
+
+    def test_signal_logout(self):
+        """Test user logout"""
+        user = create_test_user()
+        self.client.force_login(user)
+        self.client.logout()
+
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        event_payload = event.payload["events"][
+            "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
+        ]
+        self.assertEqual(event_payload["initiating_entity"], "user")
+        self.assertEqual(event.payload["sub_id"]["format"], "complex")
+        self.assertEqual(event.payload["sub_id"]["session"]["format"], "opaque")
+        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
+        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
+
+    def test_signal_password_change(self):
+        """Test user password change"""
+        user = create_test_user()
+        self.client.force_login(user)
+        user.set_password(generate_id())
+        user.save()
+
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        event_payload = event.payload["events"][
+            "https://schemas.openid.net/secevent/caep/event-type/credential-change"
+        ]
+        self.assertEqual(event_payload["change_type"], "update")
+        self.assertEqual(event_payload["credential_type"], "password")
+        self.assertEqual(event.payload["sub_id"]["format"], "complex")
+        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
+        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
+
+    def test_signal_authenticator_added(self):
+        """Test authenticator creation signal"""
+        user = create_test_user()
+        self.client.force_login(user)
+        dev = WebAuthnDevice.objects.create(
+            user=user,
+            name=generate_id(),
+            credential_id=generate_id(),
+            public_key=generate_id(),
+            aaguid=str(uuid4()),
+        )
+
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).exclude().first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        event_payload = event.payload["events"][
+            "https://schemas.openid.net/secevent/caep/event-type/credential-change"
+        ]
+        self.assertEqual(event_payload["change_type"], "create")
+        self.assertEqual(event_payload["fido2_aaguid"], dev.aaguid)
+        self.assertEqual(event_payload["friendly_name"], dev.name)
+        self.assertEqual(event_payload["credential_type"], "fido-u2f")
+        self.assertEqual(event.payload["sub_id"]["format"], "complex")
+        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
+        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
+
+    def test_signal_authenticator_deleted(self):
+        """Test authenticator deletion signal"""
+        user = create_test_user()
+        self.client.force_login(user)
+        dev = WebAuthnDevice.objects.create(
+            user=user,
+            name=generate_id(),
+            credential_id=generate_id(),
+            public_key=generate_id(),
+            aaguid=str(uuid4()),
+        )
+        dev.delete()
+
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).exclude().first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        event_payload = event.payload["events"][
+            "https://schemas.openid.net/secevent/caep/event-type/credential-change"
+        ]
+        self.assertEqual(event_payload["change_type"], "delete")
+        self.assertEqual(event_payload["fido2_aaguid"], dev.aaguid)
+        self.assertEqual(event_payload["friendly_name"], dev.name)
+        self.assertEqual(event_payload["credential_type"], "fido-u2f")
+        self.assertEqual(event.payload["sub_id"]["format"], "complex")
+        self.assertEqual(event.payload["sub_id"]["user"]["format"], "email")
+        self.assertEqual(event.payload["sub_id"]["user"]["email"], user.email)
+
+    def test_signal_policy_ignore(self):
+        """Test event not being created for user that doesn't have access to the application"""
+        PolicyBinding.objects.create(
+            target=self.application, group=Group.objects.create(name=generate_id()), order=0
+        )
+        user = create_test_user()
+        self.client.force_login(user)
+        user.set_password(generate_id())
+        user.save()
+
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(
+            stream=stream, type=EventTypes.CAEP_CREDENTIAL_CHANGE
+        ).first()
+        self.assertIsNone(event)
--- a/authentik/enterprise/providers/ssf/tests/test_stream.py
+++ b/authentik/enterprise/providers/ssf/tests/test_stream.py
@ -0,0 +1,154 @@
+import json
+from dataclasses import asdict
+
+from django.urls import reverse
+from django.utils import timezone
+from rest_framework.test import APITestCase
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.enterprise.providers.ssf.models import (
+    SSFEventStatus,
+    SSFProvider,
+    Stream,
+    StreamEvent,
+)
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.id_token import IDToken
+from authentik.providers.oauth2.models import AccessToken, OAuth2Provider
+
+
+class TestStream(APITestCase):
+    def setUp(self):
+        self.application = Application.objects.create(name=generate_id(), slug=generate_id())
+        self.provider = SSFProvider.objects.create(
+            name=generate_id(),
+            signing_key=create_test_cert(),
+            backchannel_application=self.application,
+        )
+
+    def test_stream_add_token(self):
+        """test stream add (token auth)"""
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 201)
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        self.assertEqual(
+            event.payload["events"],
+            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
+        )
+
+    def test_stream_add_poll(self):
+        """test stream add - poll method"""
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/poll",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 400)
+        self.assertJSONEqual(
+            res.content,
+            {"delivery": {"method": ["Polling for SSF events is not currently supported."]}},
+        )
+
+    def test_stream_add_oidc(self):
+        """test stream add (oidc auth)"""
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authorization_flow=create_test_flow(),
+        )
+        self.application.provider = provider
+        self.application.save()
+        user = create_test_admin_user()
+        token = AccessToken.objects.create(
+            provider=provider,
+            user=user,
+            token=generate_id(),
+            auth_time=timezone.now(),
+            _scope="openid user profile",
+            _id_token=json.dumps(
+                asdict(
+                    IDToken("foo", "bar"),
+                )
+            ),
+        )
+
+        res = self.client.post(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            data={
+                "iss": "https://authentik.company/.well-known/ssf-configuration/foo/5",
+                "aud": ["https://app.authentik.company"],
+                "delivery": {
+                    "method": "https://schemas.openid.net/secevent/risc/delivery-method/push",
+                    "endpoint_url": "https://app.authentik.company",
+                },
+                "events_requested": [
+                    "https://schemas.openid.net/secevent/caep/event-type/credential-change",
+                    "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
+                ],
+                "format": "iss_sub",
+            },
+            HTTP_AUTHORIZATION=f"Bearer {token.token}",
+        )
+        self.assertEqual(res.status_code, 201)
+        stream = Stream.objects.filter(provider=self.provider).first()
+        self.assertIsNotNone(stream)
+        event = StreamEvent.objects.filter(stream=stream).first()
+        self.assertIsNotNone(event)
+        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
+        self.assertEqual(
+            event.payload["events"],
+            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
+        )
+
+    def test_stream_delete(self):
+        """delete stream"""
+        stream = Stream.objects.create(provider=self.provider)
+        res = self.client.delete(
+            reverse(
+                "authentik_providers_ssf:stream",
+                kwargs={"application_slug": self.application.slug},
+            ),
+            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
+        )
+        self.assertEqual(res.status_code, 204)
+        self.assertFalse(Stream.objects.filter(pk=stream.pk).exists())
--- a/authentik/enterprise/providers/ssf/urls.py
+++ b/authentik/enterprise/providers/ssf/urls.py
@ -0,0 +1,32 @@
+"""SSF provider URLs"""
+
+from django.urls import path
+
+from authentik.enterprise.providers.ssf.api.providers import SSFProviderViewSet
+from authentik.enterprise.providers.ssf.api.streams import SSFStreamViewSet
+from authentik.enterprise.providers.ssf.views.configuration import ConfigurationView
+from authentik.enterprise.providers.ssf.views.jwks import JWKSview
+from authentik.enterprise.providers.ssf.views.stream import StreamView
+
+urlpatterns = [
+    path(
+        "application/ssf/<slug:application_slug>/ssf-jwks/",
+        JWKSview.as_view(),
+        name="jwks",
+    ),
+    path(
+        ".well-known/ssf-configuration/<slug:application_slug>",
+        ConfigurationView.as_view(),
+        name="configuration",
+    ),
+    path(
+        "application/ssf/<slug:application_slug>/stream/",
+        StreamView.as_view(),
+        name="stream",
+    ),
+]
+
+api_urlpatterns = [
+    ("providers/ssf", SSFProviderViewSet),
+    ("ssf/streams", SSFStreamViewSet),
+]
--- a/authentik/enterprise/providers/ssf/views/init.py
+++ b/authentik/enterprise/providers/ssf/views/init.py
--- a/authentik/enterprise/providers/ssf/views/auth.py
+++ b/authentik/enterprise/providers/ssf/views/auth.py
@ -0,0 +1,66 @@
+"""SSF Token auth"""
+
+from typing import TYPE_CHECKING, Any
+
+from django.db.models import Q
+from rest_framework.authentication import BaseAuthentication, get_authorization_header
+from rest_framework.request import Request
+
+from authentik.core.models import Token, TokenIntents, User
+from authentik.enterprise.providers.ssf.models import SSFProvider
+from authentik.providers.oauth2.models import AccessToken
+
+if TYPE_CHECKING:
+    from authentik.enterprise.providers.ssf.views.base import SSFView
+
+
+class SSFTokenAuth(BaseAuthentication):
+    """SSF Token auth"""
+
+    view: "SSFView"
+
+    def __init__(self, view: "SSFView") -> None:
+        super().__init__()
+        self.view = view
+
+    def check_token(self, key: str) -> Token | None:
+        """Check that a token exists, is not expired, and is assigned to the correct provider"""
+        token = Token.filter_not_expired(key=key, intent=TokenIntents.INTENT_API).first()
+        if not token:
+            return None
+        provider: SSFProvider = token.ssfprovider_set.first()
+        if not provider:
+            return None
+        self.view.application = provider.backchannel_application
+        self.view.provider = provider
+        return token
+
+    def check_jwt(self, jwt: str) -> AccessToken | None:
+        """Check JWT-based authentication, this supports tokens issued either by providers
+        configured directly in the provider, and by providers assigned to the application
+        that the SSF provider is a backchannel provider of."""
+        token = AccessToken.filter_not_expired(token=jwt, revoked=False).first()
+        if not token:
+            return None
+        ssf_provider = SSFProvider.objects.filter(
+            Q(oidc_auth_providers__in=[token.provider])
+            | Q(backchannel_application__provider__in=[token.provider]),
+        ).first()
+        if not ssf_provider:
+            return None
+        self.view.application = ssf_provider.backchannel_application
+        self.view.provider = ssf_provider
+        return token
+
+    def authenticate(self, request: Request) -> tuple[User, Any] | None:
+        auth = get_authorization_header(request).decode()
+        auth_type, _, key = auth.partition(" ")
+        if auth_type != "Bearer":
+            return None
+        token = self.check_token(key)
+        if token:
+            return (token.user, token)
+        jwt_token = self.check_jwt(key)
+        if jwt_token:
+            return (jwt_token.user, token)
+        return None
--- a/authentik/enterprise/providers/ssf/views/base.py
+++ b/authentik/enterprise/providers/ssf/views/base.py
@ -0,0 +1,23 @@
+from django.http import HttpRequest
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.views import APIView
+from structlog.stdlib import BoundLogger, get_logger
+
+from authentik.core.models import Application
+from authentik.enterprise.providers.ssf.models import SSFProvider
+from authentik.enterprise.providers.ssf.views.auth import SSFTokenAuth
+
+
+class SSFView(APIView):
+    application: Application
+    provider: SSFProvider
+    logger: BoundLogger
+
+    permission_classes = [IsAuthenticated]
+
+    def setup(self, request: HttpRequest, *args, **kwargs) -> None:
+        self.logger = get_logger().bind()
+        super().setup(request, *args, **kwargs)
+
+    def get_authenticators(self):
+        return [SSFTokenAuth(self)]
--- a/authentik/enterprise/providers/ssf/views/configuration.py
+++ b/authentik/enterprise/providers/ssf/views/configuration.py
@ -0,0 +1,55 @@
+from django.http import Http404, HttpRequest, HttpResponse, JsonResponse
+from django.shortcuts import get_object_or_404
+from django.urls import reverse
+from rest_framework.permissions import AllowAny
+
+from authentik.core.models import Application
+from authentik.enterprise.providers.ssf.models import DeliveryMethods, SSFProvider
+from authentik.enterprise.providers.ssf.views.base import SSFView
+
+
+class ConfigurationView(SSFView):
+    """SSF configuration endpoint"""
+
+    permission_classes = [AllowAny]
+
+    def get_authenticators(self):
+        return []
+
+    def get(self, request: HttpRequest, application_slug: str, *args, **kwargs) -> HttpResponse:
+        application = get_object_or_404(Application, slug=application_slug)
+        provider = application.backchannel_provider_for(SSFProvider)
+        if not provider:
+            raise Http404
+        data = {
+            "spec_version": "1_0-ID2",
+            "issuer": self.request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_ssf:configuration",
+                    kwargs={
+                        "application_slug": application.slug,
+                    },
+                )
+            ),
+            "jwks_uri": self.request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_ssf:jwks",
+                    kwargs={
+                        "application_slug": application.slug,
+                    },
+                )
+            ),
+            "configuration_endpoint": self.request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_ssf:stream",
+                    kwargs={
+                        "application_slug": application.slug,
+                    },
+                )
+            ),
+            "delivery_methods_supported": [
+                DeliveryMethods.RISC_PUSH,
+            ],
+            "authorization_schemes": [{"spec_urn": "urn:ietf:rfc:6749"}],
+        }
+        return JsonResponse(data)
--- a/authentik/enterprise/providers/ssf/views/jwks.py
+++ b/authentik/enterprise/providers/ssf/views/jwks.py
@ -0,0 +1,31 @@
+from django.http import Http404, HttpRequest, HttpResponse, JsonResponse
+from django.shortcuts import get_object_or_404
+from django.views import View
+
+from authentik.core.models import Application
+from authentik.crypto.models import CertificateKeyPair
+from authentik.enterprise.providers.ssf.models import SSFProvider
+from authentik.providers.oauth2.views.jwks import JWKSView as OAuthJWKSView
+
+
+class JWKSview(View):
+    """SSF JWKS endpoint, similar to the OAuth2 provider's endpoint"""
+
+    def get(self, request: HttpRequest, application_slug: str) -> HttpResponse:
+        """Show JWK Key data for Provider"""
+        application = get_object_or_404(Application, slug=application_slug)
+        provider = application.backchannel_provider_for(SSFProvider)
+        if not provider:
+            raise Http404
+        signing_key: CertificateKeyPair = provider.signing_key
+
+        response_data = {}
+
+        jwk = OAuthJWKSView.get_jwk_for_key(signing_key, "sig")
+        if jwk:
+            response_data["keys"] = [jwk]
+
+        response = JsonResponse(response_data)
+        response["Access-Control-Allow-Origin"] = "*"
+
+        return response
--- a/authentik/enterprise/providers/ssf/views/stream.py
+++ b/authentik/enterprise/providers/ssf/views/stream.py
@ -0,0 +1,130 @@
+from django.http import HttpRequest
+from django.urls import reverse
+from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.fields import CharField, ChoiceField, ListField, SerializerMethodField
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import ModelSerializer
+from structlog.stdlib import get_logger
+
+from authentik.core.api.utils import PassiveSerializer
+from authentik.enterprise.providers.ssf.models import (
+    DeliveryMethods,
+    EventTypes,
+    SSFProvider,
+    Stream,
+)
+from authentik.enterprise.providers.ssf.tasks import send_ssf_event
+from authentik.enterprise.providers.ssf.views.base import SSFView
+
+LOGGER = get_logger()
+
+
+class StreamDeliverySerializer(PassiveSerializer):
+    method = ChoiceField(choices=[(x.value, x.value) for x in DeliveryMethods])
+    endpoint_url = CharField(required=False)
+
+    def validate_method(self, method: DeliveryMethods):
+        """Currently only push is supported"""
+        if method == DeliveryMethods.RISC_POLL:
+            raise ValidationError("Polling for SSF events is not currently supported.")
+        return method
+
+    def validate(self, attrs: dict) -> dict:
+        if attrs["method"] == DeliveryMethods.RISC_PUSH:
+            if not attrs.get("endpoint_url"):
+                raise ValidationError("Endpoint URL is required when using push.")
+        return attrs
+
+
+class StreamSerializer(ModelSerializer):
+    delivery = StreamDeliverySerializer()
+    events_requested = ListField(
+        child=ChoiceField(choices=[(x.value, x.value) for x in EventTypes])
+    )
+    format = CharField()
+    aud = ListField(child=CharField())
+
+    def create(self, validated_data):
+        provider: SSFProvider = validated_data["provider"]
+        request: HttpRequest = self.context["request"]
+        iss = request.build_absolute_uri(
+            reverse(
+                "authentik_providers_ssf:configuration",
+                kwargs={
+                    "application_slug": provider.backchannel_application.slug,
+                },
+            )
+        )
+        # Ensure that streams always get SET verification events sent to them
+        validated_data["events_requested"].append(EventTypes.SET_VERIFICATION)
+        return super().create(
+            {
+                "delivery_method": validated_data["delivery"]["method"],
+                "endpoint_url": validated_data["delivery"].get("endpoint_url"),
+                "format": validated_data["format"],
+                "provider": validated_data["provider"],
+                "events_requested": validated_data["events_requested"],
+                "aud": validated_data["aud"],
+                "iss": iss,
+            }
+        )
+
+    class Meta:
+        model = Stream
+        fields = [
+            "delivery",
+            "events_requested",
+            "format",
+            "aud",
+        ]
+
+
+class StreamResponseSerializer(PassiveSerializer):
+    stream_id = CharField(source="pk")
+    iss = CharField()
+    aud = ListField(child=CharField())
+    delivery = SerializerMethodField()
+    format = CharField()
+
+    events_requested = ListField(child=CharField())
+    events_supported = SerializerMethodField()
+    events_delivered = ListField(child=CharField(), source="events_requested")
+
+    def get_delivery(self, instance: Stream) -> StreamDeliverySerializer:
+        return {
+            "method": instance.delivery_method,
+            "endpoint_url": instance.endpoint_url,
+        }
+
+    def get_events_supported(self, instance: Stream) -> list[str]:
+        return [x.value for x in EventTypes]
+
+
+class StreamView(SSFView):
+    def post(self, request: Request, *args, **kwargs) -> Response:
+        stream = StreamSerializer(data=request.data, context={"request": request})
+        stream.is_valid(raise_exception=True)
+        if not request.user.has_perm("authentik_providers_ssf.add_stream", self.provider):
+            raise PermissionDenied(
+                "User does not have permission to create stream for this provider."
+            )
+        instance: Stream = stream.save(provider=self.provider)
+        send_ssf_event(
+            EventTypes.SET_VERIFICATION,
+            {
+                "state": None,
+            },
+            stream_filter={"pk": instance.uuid},
+            sub_id={"format": "opaque", "id": str(instance.uuid)},
+        )
+        response = StreamResponseSerializer(instance=instance, context={"request": request}).data
+        return Response(response, status=201)
+
+    def delete(self, request: Request, *args, **kwargs) -> Response:
+        streams = Stream.objects.filter(provider=self.provider)
+        # Technically this parameter is required by the spec...
+        if "stream_id" in request.query_params:
+            streams = streams.filter(stream_id=request.query_params["stream_id"])
+        streams.delete()
+        return Response(status=204)
--- a/authentik/enterprise/settings.py
+++ b/authentik/enterprise/settings.py
@ -17,6 +17,7 @@ TENANT_APPS = [
    "authentik.enterprise.providers.google_workspace",
    "authentik.enterprise.providers.microsoft_entra",
    "authentik.enterprise.providers.rac",
+    "authentik.enterprise.providers.ssf",
    "authentik.enterprise.stages.authenticator_endpoint_gdtc",
    "authentik.enterprise.stages.source",
 ]
--- a/authentik/events/system_tasks.py
+++ b/authentik/events/system_tasks.py
@ -53,12 +53,13 @@ class SystemTask(TenantTask):
            if not isinstance(msg, LogEvent):
                self._messages[idx] = LogEvent(msg, logger=self.__name__, log_level="info")

-    def set_error(self, exception: Exception):
+    def set_error(self, exception: Exception, *messages: LogEvent):
        """Set result to error and save exception"""
        self._status = TaskStatus.ERROR
-        self._messages = [
-            LogEvent(exception_to_string(exception), logger=self.__name__, log_level="error")
-        ]
+        self._messages = list(messages)
+        self._messages.extend(
+            [LogEvent(exception_to_string(exception), logger=self.__name__, log_level="error")]
+        )

    def before_start(self, task_id, args, kwargs):
        self._start_precise = perf_counter()
--- a/authentik/flows/markers.py
+++ b/authentik/flows/markers.py
@ -3,6 +3,7 @@
 from dataclasses import dataclass
 from typing import TYPE_CHECKING

+from django.contrib.messages import INFO, add_message
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger

@ -61,6 +62,8 @@ class ReevaluateMarker(StageMarker):
        engine.request.context.update(plan.context)
        engine.build()
        result = engine.result
+        for message in result.messages:
+            add_message(http_request, INFO, message)
        if result.passing:
            return binding
        LOGGER.warning(
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -109,6 +109,8 @@ class FlowPlan:

    def pop(self):
        """Pop next pending stage from bottom of list"""
+        if not self.markers and not self.bindings:
+            return
        self.markers.pop(0)
        self.bindings.pop(0)

@ -156,8 +158,13 @@ class FlowPlan:
            final_stage: type[StageView] = self.bindings[-1].stage.view
            temp_exec = FlowExecutorView(flow=flow, request=request, plan=self)
            temp_exec.current_stage = self.bindings[-1].stage
+            temp_exec.current_stage_view = final_stage
+            temp_exec.setup(request, flow.slug)
            stage = final_stage(request=request, executor=temp_exec)
-            return stage.dispatch(request)
+            response = stage.dispatch(request)
+            # Ensure we clean the flow state we have in the session before we redirect away
+            temp_exec.stage_ok()
+            return response

        get_qs = request.GET.copy()
        if request.user.is_authenticated and (
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -103,7 +103,7 @@ class FlowExecutorView(APIView):

    permission_classes = [AllowAny]

-    flow: Flow
+    flow: Flow = None

    plan: FlowPlan | None = None
    current_binding: FlowStageBinding | None = None
@ -114,7 +114,8 @@ class FlowExecutorView(APIView):

    def setup(self, request: HttpRequest, flow_slug: str):
        super().setup(request, flow_slug=flow_slug)
-        self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
+        if not self.flow:
+            self.flow = get_object_or_404(Flow.objects.select_related(), slug=flow_slug)
        self._logger = get_logger().bind(flow_slug=flow_slug)
        set_tag("authentik.flow", self.flow.slug)

--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -283,12 +283,15 @@ class ConfigLoader:
    def get_optional_int(self, path: str, default=None) -> int | None:
        """Wrapper for get that converts value into int or None if set"""
        value = self.get(path, default)
-
+        if value is UNSET:
+            return default
        try:
            return int(value)
        except (ValueError, TypeError) as exc:
            if value is None or (isinstance(value, str) and value.lower() == "null"):
-                return None
+                return default
+            if value is UNSET:
+                return default
            self.log("warning", "Failed to parse config as int", path=path, exc=str(exc))
            return default

@ -421,4 +424,4 @@ if __name__ == "__main__":
    if len(argv) < 2:  # noqa: PLR2004
        print(dumps(CONFIG.raw, indent=4, cls=AttrEncoder))
    else:
-        print(CONFIG.get(argv[1]))
+        print(CONFIG.get(argv[-1]))
--- a/authentik/lib/debug.py
+++ b/authentik/lib/debug.py
@ -0,0 +1,26 @@
+from structlog.stdlib import get_logger
+
+from authentik.lib.config import CONFIG
+
+LOGGER = get_logger()
+
+
+def start_debug_server(**kwargs) -> bool:
+    """Attempt to start a debugpy server in the current process.
+    Returns true if the server was started successfully, otherwise false"""
+    if not CONFIG.get_bool("debug") and not CONFIG.get_bool("debugger"):
+        return
+    try:
+        import debugpy
+    except ImportError:
+        LOGGER.warning(
+            "Failed to import debugpy. debugpy is not included "
+            "in the default release dependencies and must be installed manually"
+        )
+        return False
+
+    listen: str = CONFIG.get("listen.listen_debug_py", "127.0.0.1:9901")
+    host, _, port = listen.rpartition(":")
+    debugpy.listen((host, int(port)), **kwargs)  # nosec
+    LOGGER.debug("Starting debug server", host=host, port=port)
+    return True
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -8,6 +8,7 @@ postgresql:
  password: "env://POSTGRES_PASSWORD"
  test:
    name: test_authentik
+  default_schema: public
  read_replicas: {}
  # For example
  # 0:
@ -21,6 +22,7 @@ listen:
  listen_radius: 0.0.0.0:1812
  listen_metrics: 0.0.0.0:9300
  listen_debug: 0.0.0.0:9900
+  listen_debug_py: 0.0.0.0:9901
  trusted_proxy_cidrs:
    - 127.0.0.0/8
    - 10.0.0.0/8
@ -57,7 +59,7 @@ cache:
 #   transport_options: ""

 debug: false
-remote_debug: false
+debugger: false

 log_level: info

--- a/authentik/lib/sync/outgoing/models.py
+++ b/authentik/lib/sync/outgoing/models.py
@ -22,9 +22,9 @@ class OutgoingSyncProvider(Model):
    class Meta:
        abstract = True

-    def client_for_model[
-        T: User | Group
-    ](self, model: type[T]) -> BaseOutgoingSyncClient[T, Any, Any, Self]:
+    def client_for_model[T: User | Group](
+        self, model: type[T]
+    ) -> BaseOutgoingSyncClient[T, Any, Any, Self]:
        raise NotImplementedError

    def get_object_qs[T: User | Group](self, type: type[T]) -> QuerySet[T]:
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -42,6 +42,8 @@ class DebugSession(Session):

 def get_http_session() -> Session:
    """Get a requests session with common headers"""
-    session = DebugSession() if CONFIG.get_bool("debug") else Session()
+    session = Session()
+    if CONFIG.get_bool("debug") or CONFIG.get("log_level") == "trace":
+        session = DebugSession()
    session.headers["User-Agent"] = authentik_user_agent()
    return session
--- a/authentik/outposts/consumer.py
+++ b/authentik/outposts/consumer.py
@ -128,6 +128,12 @@ class OutpostConsumer(JsonWebsocketConsumer):
            state.args.update(msg.args)
        elif msg.instruction == WebsocketMessageInstruction.ACK:
            return
+        elif msg.instruction == WebsocketMessageInstruction.PROVIDER_SPECIFIC:
+            if "response_channel" not in msg.args:
+                return
+            self.logger.debug("Posted response to channel", msg=msg)
+            async_to_sync(self.channel_layer.send)(msg.args.get("response_channel"), content)
+            return
        GAUGE_OUTPOSTS_LAST_UPDATE.labels(
            tenant=connection.schema_name,
            outpost=self.outpost.name,
--- a/authentik/outposts/http.py
+++ b/authentik/outposts/http.py
@ -0,0 +1,86 @@
+from base64 import b64decode
+from dataclasses import asdict, dataclass
+from random import choice
+from typing import Any
+from uuid import uuid4
+
+from asgiref.sync import async_to_sync
+from channels.layers import get_channel_layer
+from channels_redis.pubsub import RedisPubSubChannelLayer
+from requests.adapters import BaseAdapter
+from requests.models import PreparedRequest, Response
+from requests.utils import CaseInsensitiveDict
+from structlog.stdlib import get_logger
+
+from authentik.outposts.models import Outpost
+
+
+@dataclass
+class OutpostPreparedRequest:
+    uid: str
+    method: str
+    url: str
+    headers: dict[str, str]
+    body: Any
+    ssl_verify: bool
+    timeout: int
+
+    @staticmethod
+    def from_requests(req: PreparedRequest) -> "OutpostPreparedRequest":
+        return OutpostPreparedRequest(
+            uid=str(uuid4()),
+            method=req.method,
+            url=req.url,
+            headers=req.headers._store,
+            body=req.body,
+            ssl_verify=True,
+            timeout=0,
+        )
+
+    @property
+    def response_channel(self) -> str:
+        return f"authentik_outpost_http_response_{self.uid}"
+
+
+class OutpostHTTPAdapter(BaseAdapter):
+    """Requests Adapter that sends HTTP requests via a specified Outpost"""
+
+    def __init__(self, outpost: Outpost, default_timeout=10):
+        super().__init__()
+        self.__outpost = outpost
+        self.__logger = get_logger().bind()
+        self.__layer: RedisPubSubChannelLayer = get_channel_layer()
+        self.default_timeout = default_timeout
+
+    def parse_response(self, raw_response: dict, req: PreparedRequest) -> Response:
+        res = Response()
+        res.request = req
+        res.status_code = raw_response.get("status")
+        res.url = raw_response.get("final_url")
+        res.headers = CaseInsensitiveDict(raw_response.get("headers"))
+        res._content = b64decode(raw_response.get("body"))
+        return res
+
+    def send(self, request, stream=False, timeout=None, verify=True, cert=None, proxies=None):
+        # Convert request so we can send it to the outpost
+        converted = OutpostPreparedRequest.from_requests(request)
+        converted.ssl_verify = verify
+        converted.timeout = timeout if timeout else self.default_timeout
+        # Pick one of the outpost instances
+        state = choice(self.__outpost.state)  # nosec
+        self.__logger.debug("sending HTTP request to outpost", uid=converted.uid)
+        async_to_sync(self.__layer.send)(
+            state.uid,
+            {
+                "type": "event.provider.specific",
+                "sub_type": "http_request",
+                "response_channel": converted.response_channel,
+                "request": asdict(converted),
+            },
+        )
+        self.__logger.debug("receiving HTTP response from outpost", uid=converted.uid)
+        raw_response = async_to_sync(self.__layer.receive)(
+            converted.response_channel,
+        )
+        self.__logger.debug("received HTTP response from outpost", uid=converted.uid)
+        return self.parse_response(raw_response.get("args", {}).get("response", {}), request)
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -98,6 +98,7 @@ class OutpostType(models.TextChoices):
    LDAP = "ldap"
    RADIUS = "radius"
    RAC = "rac"
+    SCIM = "scim"


 def default_outpost_config(host: str | None = None):
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -43,13 +43,15 @@ from authentik.providers.proxy.controllers.docker import ProxyDockerController
 from authentik.providers.proxy.controllers.kubernetes import ProxyKubernetesController
 from authentik.providers.radius.controllers.docker import RadiusDockerController
 from authentik.providers.radius.controllers.kubernetes import RadiusKubernetesController
+from authentik.providers.scim.controllers.docker import SCIMDockerController
+from authentik.providers.scim.controllers.kubernetes import SCIMKubernetesController
 from authentik.root.celery import CELERY_APP

 LOGGER = get_logger()
 CACHE_KEY_OUTPOST_DOWN = "goauthentik.io/outposts/teardown/%s"


-def controller_for_outpost(outpost: Outpost) -> type[BaseController] | None:
+def controller_for_outpost(outpost: Outpost) -> type[BaseController] | None:  # noqa: PLR0911
    """Get a controller for the outpost, when a service connection is defined"""
    if not outpost.service_connection:
        return None
@ -74,6 +76,11 @@ def controller_for_outpost(outpost: Outpost) -> type[BaseController] | None:
            return RACDockerController
        if isinstance(service_connection, KubernetesServiceConnection):
            return RACKubernetesController
+    if outpost.type == OutpostType.SCIM:
+        if isinstance(service_connection, DockerServiceConnection):
+            return SCIMDockerController
+        if isinstance(service_connection, KubernetesServiceConnection):
+            return SCIMKubernetesController
    return None


--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -281,7 +281,6 @@ class OAuth2Provider(WebfingerProvider, Provider):
                },
            )
            return request.build_absolute_uri(url)
-
        except Provider.application.RelatedObjectDoesNotExist:
            return None

--- a/authentik/providers/oauth2/signals.py
+++ b/authentik/providers/oauth2/signals.py
@ -1,9 +1,10 @@
 from django.contrib.auth.signals import user_logged_out
+from django.db.models.signals import post_save
 from django.dispatch import receiver
 from django.http import HttpRequest

 from authentik.core.models import User
-from authentik.providers.oauth2.models import AccessToken
+from authentik.providers.oauth2.models import AccessToken, DeviceToken, RefreshToken


@receiver(user_logged_out)
@ -12,3 +13,13 @@ def user_logged_out_oauth_access_token(sender, request: HttpRequest, user: User,
    if not request.session or not request.session.session_key:
        return
    AccessToken.objects.filter(user=user, session__session_key=request.session.session_key).delete()
+
+
+@receiver(post_save, sender=User)
+def user_deactivated(sender, instance: User, **_):
+    """Remove user tokens when deactivated"""
+    if instance.is_active:
+        return
+    AccessToken.objects.filter(session__user=instance).delete()
+    RefreshToken.objects.filter(session__user=instance).delete()
+    DeviceToken.objects.filter(session__user=instance).delete()
--- a/authentik/providers/oauth2/tests/test_token.py
+++ b/authentik/providers/oauth2/tests/test_token.py
@ -150,6 +150,7 @@ class TestToken(OAuthTestCase):
                "id_token": provider.encode(
                    access.id_token.to_dict(),
                ),
+                "scope": "",
            },
        )
        self.validate_jwt(access, provider)
@ -242,6 +243,7 @@ class TestToken(OAuthTestCase):
                "id_token": provider.encode(
                    access.id_token.to_dict(),
                ),
+                "scope": "offline_access",
            },
        )
        self.validate_jwt(access, provider)
@ -301,6 +303,7 @@ class TestToken(OAuthTestCase):
                "id_token": provider.encode(
                    access.id_token.to_dict(),
                ),
+                "scope": "offline_access",
            },
        )

--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -499,11 +499,11 @@ class OAuthFulfillmentStage(StageView):
            )

            challenge.is_valid()
-
+            self.executor.stage_ok()
            return HttpChallengeResponse(
                challenge=challenge,
            )
-
+        self.executor.stage_ok()
        return HttpResponseRedirectScheme(uri, allowed_schemes=[parsed.scheme])

    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
--- a/authentik/providers/oauth2/views/jwks.py
+++ b/authentik/providers/oauth2/views/jwks.py
@ -64,7 +64,8 @@ def to_base64url_uint(val: int, min_length: int = 0) -> bytes:
 class JWKSView(View):
    """Show RSA Key data for Provider"""

-    def get_jwk_for_key(self, key: CertificateKeyPair, use: str) -> dict | None:
+    @staticmethod
+    def get_jwk_for_key(key: CertificateKeyPair, use: str) -> dict | None:
        """Convert a certificate-key pair into JWK"""
        private_key = key.private_key
        key_data = None
@ -123,12 +124,12 @@ class JWKSView(View):
        response_data = {}

        if signing_key := provider.signing_key:
-            jwk = self.get_jwk_for_key(signing_key, "sig")
+            jwk = JWKSView.get_jwk_for_key(signing_key, "sig")
            if jwk:
                response_data.setdefault("keys", [])
                response_data["keys"].append(jwk)
        if encryption_key := provider.encryption_key:
-            jwk = self.get_jwk_for_key(encryption_key, "enc")
+            jwk = JWKSView.get_jwk_for_key(encryption_key, "enc")
            if jwk:
                response_data.setdefault("keys", [])
                response_data["keys"].append(jwk)
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -627,6 +627,7 @@ class TokenView(View):
        response = {
            "access_token": access_token.token,
            "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
            "expires_in": int(
                timedelta_from_string(self.provider.access_token_validity).total_seconds()
            ),
@ -710,6 +711,7 @@ class TokenView(View):
            "access_token": access_token.token,
            "refresh_token": refresh_token.token,
            "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
            "expires_in": int(
                timedelta_from_string(self.provider.access_token_validity).total_seconds()
            ),
@ -736,6 +738,7 @@ class TokenView(View):
        return {
            "access_token": access_token.token,
            "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
            "expires_in": int(
                timedelta_from_string(self.provider.access_token_validity).total_seconds()
            ),
@ -767,6 +770,7 @@ class TokenView(View):
        response = {
            "access_token": access_token.token,
            "token_type": TOKEN_TYPE,
+            "scope": " ".join(access_token.scope),
            "expires_in": int(
                timedelta_from_string(self.provider.access_token_validity).total_seconds()
            ),
--- a/authentik/providers/scim/clients/base.py
+++ b/authentik/providers/scim/clients/base.py
@ -19,6 +19,7 @@ from authentik.lib.sync.outgoing.exceptions import (
    TransientSyncException,
 )
 from authentik.lib.utils.http import get_http_session
+from authentik.outposts.http import OutpostHTTPAdapter
 from authentik.providers.scim.clients.exceptions import SCIMRequestException
 from authentik.providers.scim.clients.schema import ServiceProviderConfiguration
 from authentik.providers.scim.models import SCIMProvider
@ -41,8 +42,7 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](

    def __init__(self, provider: SCIMProvider):
        super().__init__(provider)
-        self._session = get_http_session()
-        self._session.verify = provider.verify_certificates
+        self._session = self.get_session(provider)
        self.provider = provider
        # Remove trailing slashes as we assume the URL doesn't have any
        base_url = provider.url
@ -52,6 +52,15 @@ class SCIMClient[TModel: "Model", TConnection: "Model", TSchema: "BaseModel"](
        self.token = provider.token
        self._config = self.get_service_provider_config()

+    def get_session(self, provider: SCIMProvider):
+        session = get_http_session()
+        if self.provider.outpost_set.exists():
+            adapter = OutpostHTTPAdapter()
+            session.mount("https://", adapter)
+            session.mount("http://", adapter)
+        session.verify = provider.verify_certificates
+        return session
+
    def _request(self, method: str, path: str, **kwargs) -> dict:
        """Wrapper to send a request to the full URL"""
        try:
--- a/authentik/providers/scim/controllers/init.py
+++ b/authentik/providers/scim/controllers/init.py
--- a/authentik/providers/scim/controllers/docker.py
+++ b/authentik/providers/scim/controllers/docker.py
@ -0,0 +1,12 @@
+"""SCIM Provider Docker Controller"""
+
+from authentik.outposts.controllers.docker import DockerController
+from authentik.outposts.models import DockerServiceConnection, Outpost
+
+
+class SCIMDockerController(DockerController):
+    """SCIM Provider Docker Controller"""
+
+    def __init__(self, outpost: Outpost, connection: DockerServiceConnection):
+        super().__init__(outpost, connection)
+        self.deployment_ports = []
--- a/authentik/providers/scim/controllers/kubernetes.py
+++ b/authentik/providers/scim/controllers/kubernetes.py
@ -0,0 +1,14 @@
+"""SCIM Provider Kubernetes Controller"""
+
+from authentik.outposts.controllers.k8s.service import ServiceReconciler
+from authentik.outposts.controllers.kubernetes import KubernetesController
+from authentik.outposts.models import KubernetesServiceConnection, Outpost
+
+
+class SCIMKubernetesController(KubernetesController):
+    """SCIM Provider Kubernetes Controller"""
+
+    def __init__(self, outpost: Outpost, connection: KubernetesServiceConnection):
+        super().__init__(outpost, connection)
+        self.deployment_ports = []
+        del self.reconcilers[ServiceReconciler.reconciler_name()]
--- a/authentik/rbac/api/rbac.py
+++ b/authentik/rbac/api/rbac.py
@ -2,7 +2,7 @@

 from django.apps import apps
 from django.contrib.auth.models import Permission
-from django.db.models import QuerySet
+from django.db.models import Q, QuerySet
 from django_filters.filters import ModelChoiceFilter
 from django_filters.filterset import FilterSet
 from django_filters.rest_framework import DjangoFilterBackend
@ -18,6 +18,7 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.viewsets import ReadOnlyModelViewSet

+from authentik.blueprints.v1.importer import excluded_models
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import User
 from authentik.lib.validators import RequiredTogetherValidator
@ -105,13 +106,13 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
    ]

    def get_queryset(self) -> QuerySet:
-        return (
-            Permission.objects.all()
-            .select_related("content_type")
-            .filter(
-                content_type__app_label__startswith="authentik",
+        query = Q()
+        for model in excluded_models():
+            query |= Q(
+                content_type__app_label=model._meta.app_label,
+                content_type__model=model._meta.model_name,
            )
-        )
+        return Permission.objects.all().select_related("content_type").exclude(query)


 class PermissionAssignSerializer(PassiveSerializer):
--- a/authentik/root/install_id.py
+++ b/authentik/root/install_id.py
@ -7,7 +7,12 @@ from psycopg import connect

 from authentik.lib.config import CONFIG

-QUERY = """SELECT id FROM public.authentik_install_id ORDER BY id LIMIT 1;"""
+# We need to string format the query as tables and schemas can't be set by parameters
+# not a security issue as the config value is set by the person installing authentik
+# which also has postgres credentials etc
+QUERY = """SELECT id FROM {}.authentik_install_id ORDER BY id LIMIT 1;""".format(  # nosec
+    CONFIG.get("postgresql.default_schema")
+)


@lru_cache
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -129,6 +129,7 @@ TENANT_DOMAIN_MODEL = "authentik_tenants.Domain"

 TENANT_CREATION_FAKES_MIGRATIONS = True
 TENANT_BASE_SCHEMA = "template"
+PUBLIC_SCHEMA_NAME = CONFIG.get("postgresql.default_schema")

 GUARDIAN_MONKEY_PATCH = False

--- a/authentik/root/test_plugin.py
+++ b/authentik/root/test_plugin.py
@ -1,3 +1,4 @@
+import math
 from os import environ
 from ssl import OPENSSL_VERSION

@ -24,3 +25,20 @@ def pytest_report_header(*_, **__):
        f"authentik version: {get_full_version()}",
        f"OpenSSL version: {OPENSSL_VERSION}, FIPS: {backend._fips_enabled}",
    ]
+
+
+def pytest_collection_modifyitems(config: pytest.Config, items: list[pytest.Item]) -> None:
+    current_id = int(environ.get("CI_RUN_ID", 0)) - 1
+    total_ids = int(environ.get("CI_TOTAL_RUNS", 0))
+
+    if total_ids:
+        num_tests = len(items)
+        matrix_size = math.ceil(num_tests / total_ids)
+
+        start = current_id * matrix_size
+        end = (current_id + 1) * matrix_size
+
+        deselected_items = items[:start] + items[end:]
+        config.hook.pytest_deselected(items=deselected_items)
+        items[:] = items[start:end]
+        print(f" Executing {start} - {end} tests")
--- a/authentik/sources/kerberos/api/source.py
+++ b/authentik/sources/kerberos/api/source.py
@ -66,6 +66,7 @@ class KerberosSourceViewSet(UsedByMixin, ModelViewSet):
    serializer_class = KerberosSourceSerializer
    lookup_field = "slug"
    filterset_fields = [
+        "pbm_uuid",
        "name",
        "slug",
        "enabled",
--- a/authentik/sources/kerberos/models.py
+++ b/authentik/sources/kerberos/models.py
@ -12,6 +12,7 @@ from django.db.models.fields import b64decode
 from django.http import HttpRequest
 from django.shortcuts import reverse
 from django.templatetags.static import static
+from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from kadmin import KAdmin, KAdminApiVersion
 from kadmin.exceptions import PyKAdminException
@ -173,12 +174,18 @@ class KerberosSource(Source):
    def get_base_user_properties(self, principal: str, **kwargs):
        localpart, _ = principal.rsplit("@", 1)

-        return {
+        properties = {
            "username": localpart,
            "type": UserTypes.INTERNAL,
            "path": self.get_user_path(),
        }

+        if "principal_obj" in kwargs:
+            princ_expiry = kwargs["principal_obj"].expire_time
+            properties["is_active"] = princ_expiry is None or princ_expiry > now()
+
+        return properties
+
    def get_base_group_properties(self, group_id: str, **kwargs):
        return {
            "name": group_id,
--- a/authentik/sources/ldap/api.py
+++ b/authentik/sources/ldap/api.py
@ -110,6 +110,7 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
    serializer_class = LDAPSourceSerializer
    lookup_field = "slug"
    filterset_fields = [
+        "pbm_uuid",
        "name",
        "slug",
        "enabled",
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@ -152,6 +152,7 @@ class OAuthSourceFilter(FilterSet):
    class Meta:
        model = OAuthSource
        fields = [
+            "pbm_uuid",
            "name",
            "slug",
            "enabled",
--- a/authentik/sources/oauth/clients/oauth2.py
+++ b/authentik/sources/oauth/clients/oauth2.py
@ -81,7 +81,12 @@ class OAuth2Client(BaseOAuthClient):
            if self.source.source_type.urls_customizable and self.source.access_token_url:
                access_token_url = self.source.access_token_url
            response = self.do_request(
-                "post", access_token_url, data=args, headers=self._default_headers, **request_kwargs
+                "post",
+                access_token_url,
+                auth=(self.get_client_id(), self.get_client_secret()),
+                data=args,
+                headers=self._default_headers,
+                **request_kwargs,
            )
            response.raise_for_status()
        except RequestException as exc:
--- a/authentik/sources/plex/api/source.py
+++ b/authentik/sources/plex/api/source.py
@ -52,6 +52,7 @@ class PlexSourceViewSet(UsedByMixin, ModelViewSet):
    serializer_class = PlexSourceSerializer
    lookup_field = "slug"
    filterset_fields = [
+        "pbm_uuid",
        "name",
        "slug",
        "enabled",
--- a/authentik/sources/saml/api/source.py
+++ b/authentik/sources/saml/api/source.py
@ -44,6 +44,7 @@ class SAMLSourceViewSet(UsedByMixin, ModelViewSet):
    serializer_class = SAMLSourceSerializer
    lookup_field = "slug"
    filterset_fields = [
+        "pbm_uuid",
        "name",
        "slug",
        "enabled",
--- a/authentik/sources/scim/api/sources.py
+++ b/authentik/sources/scim/api/sources.py
@ -53,6 +53,6 @@ class SCIMSourceViewSet(UsedByMixin, ModelViewSet):
    queryset = SCIMSource.objects.all()
    serializer_class = SCIMSourceSerializer
    lookup_field = "slug"
-    filterset_fields = ["name", "slug"]
+    filterset_fields = ["pbm_uuid", "name", "slug"]
    search_fields = ["name", "slug", "token__identifier", "token__user__username"]
    ordering = ["name"]
--- a/authentik/sources/scim/views/v2/base.py
+++ b/authentik/sources/scim/views/v2/base.py
@ -114,7 +114,7 @@ class SCIMView(APIView):


 class SCIMObjectView(SCIMView):
-    """Base SCIM View for object management"""
+    """Base SCIM View for object management"""

    mapper: SourceMapper
    manager: PropertyMappingManager
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/stages/prompt/stage.py
+++ b/authentik/stages/prompt/stage.py
@ -5,6 +5,7 @@ from email.policy import Policy
 from types import MethodType
 from typing import Any

+from django.contrib.messages import INFO, add_message
 from django.db.models.query import QuerySet
 from django.http import HttpRequest, HttpResponse
 from django.http.request import QueryDict
@ -147,6 +148,9 @@ class PromptChallengeResponse(ChallengeResponse):
        result = engine.result
        if not result.passing:
            raise ValidationError(list(result.messages))
+        else:
+            for msg in result.messages:
+                add_message(self.request, INFO, msg)
        return attrs


--- a/authentik/stages/redirect/stage.py
+++ b/authentik/stages/redirect/stage.py
@ -20,7 +20,7 @@ from authentik.flows.planner import (
    FlowPlanner,
 )
 from authentik.flows.stage import ChallengeStageView
-from authentik.flows.views.executor import SESSION_KEY_PLAN, InvalidStageError
+from authentik.flows.views.executor import SESSION_KEY_GET, SESSION_KEY_PLAN, InvalidStageError
 from authentik.lib.utils.urls import reverse_with_qs
 from authentik.stages.redirect.models import RedirectMode, RedirectStage

@ -72,7 +72,9 @@ class RedirectStageView(ChallengeStageView):
        self.request.session[SESSION_KEY_PLAN] = plan
        kwargs = self.executor.kwargs
        kwargs.update({"flow_slug": flow.slug})
-        return reverse_with_qs("authentik_core:if-flow", self.request.GET, kwargs=kwargs)
+        return reverse_with_qs(
+            "authentik_core:if-flow", self.request.session[SESSION_KEY_GET], kwargs=kwargs
+        )

    def get_challenge(self, *args, **kwargs) -> Challenge:
        """Get the redirect target. Prioritize `redirect_stage_target` if present."""
--- a/authentik/stages/redirect/tests.py
+++ b/authentik/stages/redirect/tests.py
@ -1,5 +1,7 @@
 """Test Redirect stage"""

+from urllib.parse import urlencode
+
 from django.urls.base import reverse
 from rest_framework.exceptions import ValidationError

@ -58,6 +60,23 @@ class TestRedirectStage(FlowTestCase):
            response, reverse("authentik_core:if-flow", kwargs={"flow_slug": self.target_flow.slug})
        )

+    def test_flow_query(self):
+        self.stage.mode = RedirectMode.FLOW
+        self.stage.save()
+
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+            + "?"
+            + urlencode({"query": urlencode({"test": "foo"})})
+        )
+
+        self.assertStageRedirects(
+            response,
+            reverse("authentik_core:if-flow", kwargs={"flow_slug": self.target_flow.slug})
+            + "?"
+            + urlencode({"test": "foo"}),
+        )
+
    def test_override_static(self):
        policy = ExpressionPolicy.objects.create(
            name=generate_id(),
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2024.12.2 Blueprint schema",
+    "title": "authentik 2024.12.3 Blueprint schema",
    "required": [
        "version",
        "entries"
@ -3601,6 +3601,46 @@
                            }
                        }
                    },
+                    {
+                        "type": "object",
+                        "required": [
+                            "model",
+                            "identifiers"
+                        ],
+                        "properties": {
+                            "model": {
+                                "const": "authentik_providers_ssf.ssfprovider"
+                            },
+                            "id": {
+                                "type": "string"
+                            },
+                            "state": {
+                                "type": "string",
+                                "enum": [
+                                    "absent",
+                                    "present",
+                                    "created",
+                                    "must_created"
+                                ],
+                                "default": "present"
+                            },
+                            "conditions": {
+                                "type": "array",
+                                "items": {
+                                    "type": "boolean"
+                                }
+                            },
+                            "permissions": {
+                                "$ref": "#/$defs/model_authentik_providers_ssf.ssfprovider_permissions"
+                            },
+                            "attrs": {
+                                "$ref": "#/$defs/model_authentik_providers_ssf.ssfprovider"
+                            },
+                            "identifiers": {
+                                "$ref": "#/$defs/model_authentik_providers_ssf.ssfprovider"
+                            }
+                        }
+                    },
                    {
                        "type": "object",
                        "required": [
@ -4341,7 +4381,8 @@
                        "proxy",
                        "ldap",
                        "radius",
-                        "rac"
+                        "rac",
+                        "scim"
                    ],
                    "title": "Type"
                },
@ -4583,6 +4624,7 @@
                        "authentik.enterprise.providers.google_workspace",
                        "authentik.enterprise.providers.microsoft_entra",
                        "authentik.enterprise.providers.rac",
+                        "authentik.enterprise.providers.ssf",
                        "authentik.enterprise.stages.authenticator_endpoint_gdtc",
                        "authentik.enterprise.stages.source",
                        "authentik.events"
@ -4686,6 +4728,7 @@
                        "authentik_providers_rac.racprovider",
                        "authentik_providers_rac.endpoint",
                        "authentik_providers_rac.racpropertymapping",
+                        "authentik_providers_ssf.ssfprovider",
                        "authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage",
                        "authentik_stages_source.sourcestage",
                        "authentik_events.event",
@ -6687,6 +6730,18 @@
                            "authentik_providers_scim.view_scimprovider",
                            "authentik_providers_scim.view_scimprovidergroup",
                            "authentik_providers_scim.view_scimprovideruser",
+                            "authentik_providers_ssf.add_ssfprovider",
+                            "authentik_providers_ssf.add_stream",
+                            "authentik_providers_ssf.add_streamevent",
+                            "authentik_providers_ssf.change_ssfprovider",
+                            "authentik_providers_ssf.change_stream",
+                            "authentik_providers_ssf.change_streamevent",
+                            "authentik_providers_ssf.delete_ssfprovider",
+                            "authentik_providers_ssf.delete_stream",
+                            "authentik_providers_ssf.delete_streamevent",
+                            "authentik_providers_ssf.view_ssfprovider",
+                            "authentik_providers_ssf.view_stream",
+                            "authentik_providers_ssf.view_streamevent",
                            "authentik_rbac.access_admin_interface",
                            "authentik_rbac.add_role",
                            "authentik_rbac.assign_role_permissions",
@ -12936,6 +12991,18 @@
                            "authentik_providers_scim.view_scimprovider",
                            "authentik_providers_scim.view_scimprovidergroup",
                            "authentik_providers_scim.view_scimprovideruser",
+                            "authentik_providers_ssf.add_ssfprovider",
+                            "authentik_providers_ssf.add_stream",
+                            "authentik_providers_ssf.add_streamevent",
+                            "authentik_providers_ssf.change_ssfprovider",
+                            "authentik_providers_ssf.change_stream",
+                            "authentik_providers_ssf.change_streamevent",
+                            "authentik_providers_ssf.delete_ssfprovider",
+                            "authentik_providers_ssf.delete_stream",
+                            "authentik_providers_ssf.delete_streamevent",
+                            "authentik_providers_ssf.view_ssfprovider",
+                            "authentik_providers_ssf.view_stream",
+                            "authentik_providers_ssf.view_streamevent",
                            "authentik_rbac.access_admin_interface",
                            "authentik_rbac.add_role",
                            "authentik_rbac.assign_role_permissions",
@ -13988,6 +14055,62 @@
                }
            }
        },
+        "model_authentik_providers_ssf.ssfprovider": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Name"
+                },
+                "signing_key": {
+                    "type": "string",
+                    "format": "uuid",
+                    "title": "Signing Key",
+                    "description": "Key used to sign the SSF Events."
+                },
+                "oidc_auth_providers": {
+                    "type": "array",
+                    "items": {
+                        "type": "integer"
+                    },
+                    "title": "Oidc auth providers"
+                },
+                "event_retention": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Event retention"
+                }
+            },
+            "required": []
+        },
+        "model_authentik_providers_ssf.ssfprovider_permissions": {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": [
+                    "permission"
+                ],
+                "properties": {
+                    "permission": {
+                        "type": "string",
+                        "enum": [
+                            "add_stream",
+                            "add_ssfprovider",
+                            "change_ssfprovider",
+                            "delete_ssfprovider",
+                            "view_ssfprovider"
+                        ]
+                    },
+                    "user": {
+                        "type": "integer"
+                    },
+                    "role": {
+                        "type": "string"
+                    }
+                }
+            }
+        },
        "model_authentik_stages_authenticator_endpoint_gdtc.authenticatorendpointgdtcstage": {
            "type": "object",
            "properties": {
--- a/cmd/scim/main.go
+++ b/cmd/scim/main.go
@ -0,0 +1,185 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/base64"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"time"
+
+	"github.com/mitchellh/mapstructure"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"goauthentik.io/internal/common"
+	"goauthentik.io/internal/debug"
+	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/healthcheck"
+)
+
+const helpMessage = `authentik SCIM
+
+Required environment variables:
+- AUTHENTIK_HOST: URL to connect to (format "http://authentik.company")
+- AUTHENTIK_TOKEN: Token to authenticate with
+- AUTHENTIK_INSECURE: Skip SSL Certificate verification`
+
+var rootCmd = &cobra.Command{
+	Long: helpMessage,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		log.SetLevel(log.DebugLevel)
+		log.SetFormatter(&log.JSONFormatter{
+			FieldMap: log.FieldMap{
+				log.FieldKeyMsg:  "event",
+				log.FieldKeyTime: "timestamp",
+			},
+			DisableHTMLEscape: true,
+		})
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		debug.EnableDebugServer()
+		akURL, found := os.LookupEnv("AUTHENTIK_HOST")
+		if !found {
+			fmt.Println("env AUTHENTIK_HOST not set!")
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+		akToken, found := os.LookupEnv("AUTHENTIK_TOKEN")
+		if !found {
+			fmt.Println("env AUTHENTIK_TOKEN not set!")
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		akURLActual, err := url.Parse(akURL)
+		if err != nil {
+			fmt.Println(err)
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		ex := common.Init()
+		defer common.Defer()
+		go func() {
+			for {
+				<-ex
+				os.Exit(0)
+			}
+		}()
+
+		ac := ak.NewAPIController(*akURLActual, akToken)
+		if ac == nil {
+			os.Exit(1)
+		}
+		defer ac.Shutdown()
+
+		ac.Server = &SCIMOutpost{
+			ac:  ac,
+			log: log.WithField("logger", "authentik.outpost.scim"),
+		}
+
+		err = ac.Start()
+		if err != nil {
+			log.WithError(err).Panic("Failed to run server")
+		}
+
+		for {
+			<-ex
+		}
+	},
+}
+
+type HTTPRequest struct {
+	Uid       string              `mapstructure:"uid"`
+	Method    string              `mapstructure:"method"`
+	URL       string              `mapstructure:"url"`
+	Headers   map[string][]string `mapstructure:"headers"`
+	Body      interface{}         `mapstructure:"body"`
+	SSLVerify bool                `mapstructure:"ssl_verify"`
+	Timeout   int                 `mapstructure:"timeout"`
+}
+
+type RequestArgs struct {
+	Request         HTTPRequest `mapstructure:"request"`
+	ResponseChannel string      `mapstructure:"response_channel"`
+}
+
+type SCIMOutpost struct {
+	ac  *ak.APIController
+	log *log.Entry
+}
+
+func (s *SCIMOutpost) Type() string                         { return "SCIM" }
+func (s *SCIMOutpost) Stop() error                          { return nil }
+func (s *SCIMOutpost) Refresh() error                       { return nil }
+func (s *SCIMOutpost) TimerFlowCacheExpiry(context.Context) {}
+
+func (s *SCIMOutpost) Start() error {
+	s.ac.AddWSHandler(func(ctx context.Context, args map[string]interface{}) {
+		rd := RequestArgs{}
+		err := mapstructure.Decode(args, &rd)
+		if err != nil {
+			s.log.WithError(err).Warning("failed to parse http request")
+			return
+		}
+		s.log.WithField("rd", rd).WithField("raw", args).Debug("request data")
+		ctx, canc := context.WithTimeout(ctx, time.Duration(rd.Request.Timeout)*time.Second)
+		defer canc()
+
+		req, err := http.NewRequestWithContext(ctx, rd.Request.Method, rd.Request.URL, nil)
+		if err != nil {
+			s.log.WithError(err).Warning("failed to create request")
+			return
+		}
+
+		tr := &http.Transport{
+			TLSClientConfig:       &tls.Config{InsecureSkipVerify: !rd.Request.SSLVerify},
+			TLSHandshakeTimeout:   time.Duration(rd.Request.Timeout) * time.Second,
+			IdleConnTimeout:       time.Duration(rd.Request.Timeout) * time.Second,
+			ResponseHeaderTimeout: time.Duration(rd.Request.Timeout) * time.Second,
+			ExpectContinueTimeout: time.Duration(rd.Request.Timeout) * time.Second,
+		}
+		c := &http.Client{
+			Transport: tr,
+		}
+		s.log.WithField("url", req.URL.Host).Debug("sending HTTP request")
+		res, err := c.Do(req)
+		if err != nil {
+			s.log.WithError(err).Warning("failed to send request")
+			return
+		}
+		body, err := io.ReadAll(res.Body)
+		if err != nil {
+			s.log.WithError(err).Warning("failed to read body")
+			return
+		}
+		s.log.WithField("res", res.StatusCode).Debug("sending HTTP response")
+		err = s.ac.SendWS(ak.WebsocketInstructionProviderSpecific, map[string]interface{}{
+			"sub_type":         "http_response",
+			"response_channel": rd.ResponseChannel,
+			"response": map[string]interface{}{
+				"status":    res.StatusCode,
+				"final_url": res.Request.URL.String(),
+				"headers":   res.Header,
+				"body":      base64.StdEncoding.EncodeToString(body),
+			},
+		})
+		if err != nil {
+			s.log.WithError(err).Warning("failed to send http response")
+			return
+		}
+	})
+	return nil
+}
+
+func main() {
+	rootCmd.AddCommand(healthcheck.Command)
+	err := rootCmd.Execute()
+	if err != nil {
+		os.Exit(1)
+	}
+}
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.3}
    restart: unless-stopped
    command: server
    environment:
@ -54,7 +54,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.3}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -24,15 +24,15 @@ require (
 	github.com/pires/go-proxyproto v0.8.0
 	github.com/prometheus/client_golang v1.20.5
 	github.com/redis/go-redis/v9 v9.7.0
-	github.com/sethvargo/go-envconfig v1.1.0
+	github.com/sethvargo/go-envconfig v1.1.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024122.2
+	goauthentik.io/api/v3 v3.2024123.4
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.25.0
-	golang.org/x/sync v0.10.0
+	golang.org/x/oauth2 v0.26.0
+	golang.org/x/sync v0.11.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
 )
--- a/go.sum
+++ b/go.sum
@ -254,8 +254,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sethvargo/go-envconfig v1.1.0 h1:cWZiJxeTm7AlCvzGXrEXaSTCNgip5oJepekh/BOQuog=
-github.com/sethvargo/go-envconfig v1.1.0/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
+github.com/sethvargo/go-envconfig v1.1.1 h1:JDu8Q9baIzJf47NPkzhIB6aLYL0vQ+pPypoYrejS9QY=
+github.com/sethvargo/go-envconfig v1.1.1/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024122.2 h1:QC+ZQ+AxlPwl9OG1X/Z62EVepmTGyfvJUxhUdFjs+4s=
-goauthentik.io/api/v3 v3.2024122.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024123.4 h1:JYLsUjkJ7kT+jHO72DyFTXFwKEGAcOOlLh36SRG9BDw=
+goauthentik.io/api/v3 v3.2024123.4/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -393,8 +393,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
-golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
+golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -408,8 +408,9 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2024.12.2"
+const VERSION = "2024.12.3"
--- a/internal/debug/debug.go
+++ b/internal/debug/debug.go
@ -15,7 +15,6 @@ import (
 func EnableDebugServer() {
 	l := log.WithField("logger", "authentik.go_debugger")
 	if !config.Get().Debug {
-		l.Info("not enabling debug server, set `AUTHENTIK_DEBUG` to `true` to enable it.")
 		return
 	}
 	h := mux.NewRouter()
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
@ -95,7 +95,7 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 		time.Sleep(time.Second * 3)
 	}
 	if len(outposts.Results) < 1 {
-		panic("No outposts found with given token, ensure the given token corresponds to an authenitk Outpost")
+		panic("No outposts found with given token, ensure the given token corresponds to an authentik Outpost")
 	}
 	outpost := outposts.Results[0]

--- a/Show More
+++ b/Show More