release: 2024.10.2

website/docs: 2024.10.2 release notes (#12025)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2024.12.2
+current_version = 2024.10.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize =
+serialize = 
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 
 [bumpversion:part:rc_t]
-values =
+values = 
 	rc
 	final
 optional_value = final
@@ -30,5 +30,3 @@ optional_value = final
 [bumpversion:file:internal/constants/constants.go]
 
 [bumpversion:file:web/src/common/constants.ts]
-
-[bumpversion:file:lifecycle/aws/template.yaml]

.github/actions/comment-pr-instructions/action.yml

@@ -35,6 +35,14 @@ runs:
             AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
             ```
 
+            For arm64, use these values:
+
+            ```shell
+            AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
+            AUTHENTIK_TAG=${{ inputs.tag }}-arm64
+            AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            ```
+
             Afterwards, run the upgrade commands from the latest release notes.
           </details>
           <details>
@@ -52,6 +60,18 @@ runs:
                     tag: ${{ inputs.tag }}
             ```
 
+            For arm64, use these values:
+
+            ```yaml
+            authentik:
+                outposts:
+                    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
+            global:
+                image:
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}-arm64
+            ```
+
             Afterwards, run the upgrade commands from the latest release notes.
           </details>
         edit-mode: replace

.github/actions/docker-push-variables/action.yml

@@ -11,9 +11,9 @@ inputs:
     description: "Docker image arch"
 
 outputs:
-  shouldPush:
-    description: "Whether to push the image or not"
-    value: ${{ steps.ev.outputs.shouldPush }}
+  shouldBuild:
+    description: "Whether to build image or not"
+    value: ${{ steps.ev.outputs.shouldBuild }}
 
   sha:
     description: "sha"
@@ -29,15 +29,9 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
-  imageTagsJSON:
-    description: "Docker image tags, as a JSON array"
-    value: ${{ steps.ev.outputs.imageTagsJSON }}
   attestImageNames:
     description: "Docker image names used for attestation"
     value: ${{ steps.ev.outputs.attestImageNames }}
-  cacheTo:
-    description: "cache-to value for the docker build step"
-    value: ${{ steps.ev.outputs.cacheTo }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}

.github/actions/docker-push-variables/push_vars.py

@@ -2,20 +2,12 @@
 
 import configparser
 import os
-from json import dumps
 from time import time
 
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
 
-# Decide if we should push the image or not
-should_push = True
-if len(os.environ.get("DOCKER_USERNAME", "")) < 1:
-    # Don't push if we don't have DOCKER_USERNAME, i.e. no secrets are available
-    should_push = False
-if os.environ.get("GITHUB_REPOSITORY").lower() == "goauthentik/authentik-internal":
-    # Don't push on the internal repo
-    should_push = False
+should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
 
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@@ -49,7 +41,7 @@ if is_release:
             ]
 else:
     suffix = ""
-    if image_arch:
+    if image_arch and image_arch != "amd64":
         suffix = f"-{image_arch}"
     for name in image_names:
         image_tags += [
@@ -71,23 +63,12 @@ def get_attest_image_names(image_with_tags: list[str]):
     return ",".join(set(image_tags))
 
 
-# Generate `cache-to` param
-cache_to = ""
-if should_push:
-    _cache_tag = "buildcache"
-    if image_arch:
-        _cache_tag += f"-{image_arch}"
-    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"
-
-
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
-    print(f"shouldPush={str(should_push).lower()}", file=_output)
+    print(f"shouldBuild={should_build}", file=_output)
     print(f"sha={sha}", file=_output)
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)
     print(f"imageTags={','.join(image_tags)}", file=_output)
-    print(f"imageTagsJSON={dumps(image_tags)}", file=_output)
     print(f"attestImageNames={get_attest_image_names(image_tags)}", file=_output)
     print(f"imageMainTag={image_main_tag}", file=_output)
     print(f"imageMainName={image_tags[0]}", file=_output)
-    print(f"cacheTo={cache_to}", file=_output)

.github/actions/docker-push-variables/test.sh

@@ -1,18 +1,7 @@
 #!/bin/bash -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-# Non-pushing PR
 GITHUB_OUTPUT=/dev/stdout \
     GITHUB_REF=ref \
     GITHUB_SHA=sha \
     IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    python $SCRIPT_DIR/push_vars.py
-
-# Pushing PR/main
-GITHUB_OUTPUT=/dev/stdout \
-    GITHUB_REF=ref \
-    GITHUB_SHA=sha \
-    IMAGE_NAME=ghcr.io/goauthentik/server,beryju/authentik \
-    GITHUB_REPOSITORY=goauthentik/authentik \
-    DOCKER_USERNAME=foo \
     python $SCRIPT_DIR/push_vars.py

.github/actions/setup/action.yml

@@ -35,7 +35,7 @@ runs:
       run: |
         export PSQL_TAG=${{ inputs.postgresql_version }}
         docker compose -f .github/actions/setup/docker-compose.yml up -d
-        poetry install --sync
+        poetry install
         cd web && npm ci
     - name: Generate config
       shell: poetry run python {0}

.github/dependabot.yml

@@ -82,16 +82,6 @@ updates:
       docusaurus:
         patterns:
           - "@docusaurus/*"
-  - package-ecosystem: npm
-    directory: "/lifecycle/aws"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "lifecycle/aws:"
-    labels:
-      - dependencies
   - package-ecosystem: pip
     directory: "/"
     schedule:

.github/workflows/_reusable-docker-build-single.yaml

@@ -1,94 +0,0 @@
-# Re-usable workflow for a single-architecture build
-name: Single-arch Container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      image_arch:
-        required: true
-        type: string
-      runs-on:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: false
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs:
-      image-digest:
-        value: ${{ jobs.build.outputs.image-digest }}
-
-jobs:
-  build:
-    name: Build ${{ inputs.image_arch }}
-    runs-on: ${{ inputs.runs-on }}
-    outputs:
-      image-digest: ${{ steps.push.outputs.digest }}
-    permissions:
-      # Needed to upload container images to ghcr.io
-      packages: write
-      # Needed for attestation
-      id-token: write
-      attestations: write
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.3.0
-      - uses: docker/setup-buildx-action@v3
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-          image-arch: ${{ inputs.image_arch }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: make empty clients
-        if: ${{ inputs.release }}
-        run: |
-          mkdir -p ./gen-ts-api
-          mkdir -p ./gen-go-api
-      - name: generate ts client
-        if: ${{ !inputs.release }}
-        run: make gen-client-ts
-      - name: Build Docker Image
-        uses: docker/build-push-action@v6
-        id: push
-        with:
-          context: .
-          push: true
-          secrets: |
-            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
-            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
-          build-args: |
-            VERSION=${{ github.ref }}
-          tags: ${{ steps.ev.outputs.imageTags }}
-          platforms: linux/${{ inputs.image_arch }}
-          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
-          cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true

.github/workflows/_reusable-docker-build.yaml

@@ -1,102 +0,0 @@
-# Re-usable workflow for a multi-architecture build
-name: Multi-arch container build
-
-on:
-  workflow_call:
-    inputs:
-      image_name:
-        required: true
-        type: string
-      registry_dockerhub:
-        default: false
-        type: boolean
-      registry_ghcr:
-        default: true
-        type: boolean
-      release:
-        default: false
-        type: boolean
-    outputs: {}
-
-jobs:
-  build-server-amd64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: amd64
-      runs-on: ubuntu-latest
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  build-server-arm64:
-    uses: ./.github/workflows/_reusable-docker-build-single.yaml
-    secrets: inherit
-    with:
-      image_name: ${{ inputs.image_name }}
-      image_arch: arm64
-      runs-on: ubuntu-22.04-arm
-      registry_dockerhub: ${{ inputs.registry_dockerhub }}
-      registry_ghcr: ${{ inputs.registry_ghcr }}
-      release: ${{ inputs.release }}
-  get-tags:
-    runs-on: ubuntu-latest
-    needs:
-      - build-server-amd64
-      - build-server-arm64
-    outputs:
-      tags: ${{ steps.ev.outputs.imageTagsJSON }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-  merge-server:
-    runs-on: ubuntu-latest
-    needs:
-      - get-tags
-      - build-server-amd64
-      - build-server-arm64
-    strategy:
-      fail-fast: false
-      matrix:
-        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
-    steps:
-      - uses: actions/checkout@v4
-      - name: prepare variables
-        uses: ./.github/actions/docker-push-variables
-        id: ev
-        env:
-          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-        with:
-          image-name: ${{ inputs.image_name }}
-      - name: Login to Docker Hub
-        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@v2
-        id: build
-        with:
-          tags: ${{ matrix.tag }}
-          sources: |
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
-            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@v2
-        id: attest
-        with:
-          subject-name: ${{ steps.ev.outputs.attestImageNames }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true

.github/workflows/api-py-publish.yml

@@ -7,7 +7,6 @@ on:
   workflow_dispatch:
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     permissions:
       id-token: write

.github/workflows/api-ts-publish.yml

@@ -7,7 +7,6 @@ on:
   workflow_dispatch:
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token

.github/workflows/ci-aws-cfn.yml

@@ -1,46 +0,0 @@
-name: authentik-ci-aws-cfn
-
-on:
-  push:
-    branches:
-      - main
-      - next
-      - version-*
-  pull_request:
-    branches:
-      - main
-      - version-*
-
-env:
-  POSTGRES_DB: authentik
-  POSTGRES_USER: authentik
-  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
-
-jobs:
-  check-changes-applied:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: lifecycle/aws/package.json
-          cache: "npm"
-          cache-dependency-path: lifecycle/aws/package-lock.json
-      - working-directory: lifecycle/aws/
-        run: |
-          npm ci
-      - name: Check changes have been applied
-        run: |
-          poetry run make aws-cfn
-          git diff --exit-code
-  ci-aws-cfn-mark:
-    if: always()
-    needs:
-      - check-changes-applied
-    runs-on: ubuntu-latest
-    steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}

.github/workflows/ci-main.yml

@@ -116,7 +116,7 @@ jobs:
           poetry run make test
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: unit
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -134,13 +134,13 @@ jobs:
       - name: Setup authentik env
         uses: ./.github/actions/setup
       - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.12.0
+        uses: helm/kind-action@v1.10.0
       - name: run integration
         run: |
           poetry run coverage run manage.py test tests/integration
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: integration
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -198,7 +198,7 @@ jobs:
           poetry run coverage run manage.py test ${{ matrix.job.glob }}
           poetry run coverage xml
       - if: ${{ always() }}
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           flags: e2e
           token: ${{ secrets.CODECOV_TOKEN }}
@@ -209,7 +209,6 @@ jobs:
           file: unittest.xml
           token: ${{ secrets.CODECOV_TOKEN }}
   ci-core-mark:
-    if: always()
     needs:
       - lint
       - test-migrations
@@ -219,22 +218,70 @@ jobs:
       - test-e2e
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
   build:
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - amd64
+          - arm64
+    needs: ci-core-mark
+    runs-on: ubuntu-latest
     permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
       packages: write
       # Needed for attestation
       id-token: write
       attestations: write
-    needs: ci-core-mark
-    uses: ./.github/workflows/_reusable-docker-build.yaml
-    secrets: inherit
-    with:
-      image_name: ghcr.io/goauthentik/dev-server
-      release: false
+    timeout-minutes: 120
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.2.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/dev-server
+          image-arch: ${{ matrix.arch }}
+      - name: Login to Container Registry
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: generate ts client
+        run: make gen-client-ts
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+          build-args: |
+            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
+          platforms: linux/${{ matrix.arch }}
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   pr-comment:
     needs:
       - build
@@ -256,7 +303,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: ./.github/actions/comment-pr-instructions
         with:
           tag: ${{ steps.ev.outputs.imageMainTag }}

.github/workflows/ci-outpost.yml

@@ -49,15 +49,12 @@ jobs:
         run: |
           go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./...
   ci-outpost-mark:
-    if: always()
     needs:
       - lint-golint
       - test-unittest
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
   build-container:
     timeout-minutes: 120
     needs:
@@ -72,7 +69,7 @@ jobs:
           - rac
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
       packages: write
       # Needed for attestation
       id-token: write
@@ -82,7 +79,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -93,7 +90,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -107,16 +104,16 @@ jobs:
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
-          push: ${{ steps.ev.outputs.shouldPush == 'true' }}
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           platforms: linux/amd64,linux/arm64
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@v2
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+      - uses: actions/attest-build-provenance@v1
         id: attest
-        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
           subject-digest: ${{ steps.push.outputs.digest }}

.github/workflows/ci-web.yml

@@ -61,15 +61,12 @@ jobs:
         working-directory: web/
         run: npm run build
   ci-web-mark:
-    if: always()
     needs:
       - build
       - lint
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark
   test:
     needs:
       - ci-web-mark

.github/workflows/ci-website.yml

@@ -62,13 +62,10 @@ jobs:
         working-directory: website/
         run: npm run ${{ matrix.job }}
   ci-website-mark:
-    if: always()
     needs:
       - lint
       - test
       - build
     runs-on: ubuntu-latest
     steps:
-      - uses: re-actors/alls-green@release/v1
-        with:
-          jobs: ${{ toJSON(needs) }}
+      - run: echo mark

.github/workflows/gen-update-webauthn-mds.yml

@@ -11,7 +11,6 @@ env:
 
 jobs:
   build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token

.github/workflows/ghcr-retention.yml

@@ -7,7 +7,6 @@ on:
 
 jobs:
   clean-ghcr:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     name: Delete old unused container images
     runs-on: ubuntu-latest
     steps:

.github/workflows/publish-source-docs.yml

@@ -12,7 +12,6 @@ env:
 
 jobs:
   publish-source-docs:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     timeout-minutes: 120
     steps:

.github/workflows/release-next-branch.yml

@@ -11,7 +11,6 @@ permissions:
 
 jobs:
   update-next:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     environment: internal-production
     steps:

.github/workflows/release-publish.yml

@@ -7,15 +7,64 @@ on:
 
 jobs:
   build-server:
-    uses: ./.github/workflows/_reusable-docker-build.yaml
-    secrets: inherit
-    with:
-      image_name: ghcr.io/goauthentik/server,beryju/authentik
-      release: true
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload contianer images to ghcr.io
+      packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3.2.0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: prepare variables
+        uses: ./.github/actions/docker-push-variables
+        id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        with:
+          image-name: ghcr.io/goauthentik/server,beryju/authentik
+      - name: Docker Login Registry
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: make empty clients
+        run: |
+          mkdir -p ./gen-ts-api
+          mkdir -p ./gen-go-api
+      - name: Build Docker Image
+        uses: docker/build-push-action@v6
+        id: push
+        with:
+          context: .
+          push: true
+          secrets: |
+            GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
+            GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
+          build-args: |
+            VERSION=${{ github.ref }}
+          tags: ${{ steps.ev.outputs.imageTags }}
+          platforms: linux/amd64,linux/arm64
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.attestImageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload container images to ghcr.io
+      # Needed to upload contianer images to ghcr.io
       packages: write
       # Needed for attestation
       id-token: write
@@ -34,7 +83,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.3.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -70,7 +119,7 @@ jobs:
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest-build-provenance@v1
         id: attest
         with:
           subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -120,27 +169,6 @@ jobs:
           file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
           tag: ${{ github.ref }}
-  upload-aws-cfn-template:
-    permissions:
-      # Needed for AWS login
-      id-token: write
-      contents: read
-    needs:
-      - build-server
-      - build-outpost
-    env:
-      AWS_REGION: eu-central-1
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
-          aws-region: ${{ env.AWS_REGION }}
-      - name: Upload template
-        run: |
-          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml
-          aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml
   test-release:
     needs:
       - build-server

.github/workflows/repo-mirror.yml

@@ -1,21 +0,0 @@
-name: "authentik-repo-mirror"
-
-on: [push, delete]
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: pixta-dev/repository-mirroring-action@v1
-        with:
-          target_repo_url:
-            git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key:
-            ${{ secrets.GH_MIRROR_KEY }}
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}

.github/workflows/repo-stale.yml

@@ -11,7 +11,6 @@ permissions:
 
 jobs:
   stale:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
     runs-on: ubuntu-latest
     steps:
       - id: generate_token

.vscode/settings.json

@@ -33,8 +33,7 @@
         "!If sequence",
         "!Index scalar",
         "!KeyOf scalar",
-        "!Value scalar",
-        "!AtIndex scalar"
+        "!Value scalar"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",

CODEOWNERS

@@ -15,23 +15,14 @@ go.mod                          @goauthentik/backend
 go.sum                          @goauthentik/backend
 # Infrastructure
 .github/                        @goauthentik/infrastructure
-lifecycle/aws/                  @goauthentik/infrastructure
 Dockerfile                      @goauthentik/infrastructure
 *Dockerfile                     @goauthentik/infrastructure
 .dockerignore                   @goauthentik/infrastructure
 docker-compose.yml              @goauthentik/infrastructure
-Makefile                        @goauthentik/infrastructure
-.editorconfig                   @goauthentik/infrastructure
-CODEOWNERS                      @goauthentik/infrastructure
 # Web
 web/                            @goauthentik/frontend
 tests/wdio/                     @goauthentik/frontend
-# Locale
-locale/                         @goauthentik/backend @goauthentik/frontend
-web/xliff/                      @goauthentik/backend @goauthentik/frontend
 # Docs & Website
 website/                        @goauthentik/docs
-CODE_OF_CONDUCT.md              @goauthentik/docs
 # Security
-SECURITY.md                     @goauthentik/security @goauthentik/docs
-website/docs/security/          @goauthentik/security @goauthentik/docs
+website/docs/security/          @goauthentik/security

CONTRIBUTING.md

@@ -1 +1 @@
-website/docs/developer-docs/index.md
+website/developer-docs/index.md

Dockerfile

@@ -80,7 +80,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
     go build -o /go/authentik ./cmd/server
 
 # Stage 4: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.0 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.0.1 AS geoip
 
 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
@@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
     /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 
 # Stage 5: Python dependencies
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips AS python-deps
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS python-deps
 
 ARG TARGETARCH
 ARG TARGETVARIANT
@@ -116,29 +116,15 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     --mount=type=bind,target=./poetry.lock,src=./poetry.lock \
     --mount=type=cache,target=/root/.cache/pip \
     --mount=type=cache,target=/root/.cache/pypoetry \
-    pip install --no-cache cffi && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        build-essential libffi-dev \
-        # Required for cryptography
-        curl pkg-config \
-        # Required for lxml
-        libxslt-dev zlib1g-dev \
-        # Required for xmlsec
-        libltdl-dev \
-        # Required for kadmin
-        sccache clang && \
-    curl https://sh.rustup.rs -sSf | sh -s -- -y && \
-    . "$HOME/.cargo/env" && \
     python -m venv /ak-root/venv/ && \
     bash -c "source ${VENV_PATH}/bin/activate && \
     pip3 install --upgrade pip && \
     pip3 install poetry && \
-    poetry config --local installer.no-binary cryptography,xmlsec,lxml,python-kadmin-rs && \
-    poetry install --only=main --no-ansi --no-interaction --no-root"
+    poetry install --only=main --no-ansi --no-interaction --no-root && \
+    pip install --force-reinstall /wheels/*"
 
 # Stage 6: Run
-FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips AS final-image
+FROM ghcr.io/goauthentik/fips-python:3.12.7-slim-bookworm-fips-full AS final-image
 
 ARG VERSION
 ARG GIT_BUILD_HASH
@@ -150,34 +136,37 @@ LABEL org.opencontainers.image.source=https://github.com/goauthentik/authentik
 LABEL org.opencontainers.image.version=${VERSION}
 LABEL org.opencontainers.image.revision=${GIT_BUILD_HASH}
 
+WORKDIR /
+
 # We cannot cache this layer otherwise we'll end up with a bigger image
 RUN apt-get update && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
+    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
     apt-get clean && \
     rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
-    adduser --system --no-create-home --uid 1000 --group --home /ak-root authentik && \
+    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
     mkdir -p /certs /media /blueprints && \
-    mkdir -p /ak-root/authentik/.ssh && \
-    chown authentik:authentik /certs /media /ak-root/authentik/.ssh /ak-root
+    mkdir -p /authentik/.ssh && \
+    mkdir -p /ak-root && \
+    chown authentik:authentik /certs /media /authentik/.ssh /ak-root
 
-COPY ./authentik/ /ak-root/authentik
-COPY ./pyproject.toml /ak-root
-COPY ./poetry.lock /ak-root
-COPY ./schemas /ak-root/schemas
-COPY ./locale /ak-root/locale
-COPY ./tests /ak-root/tests
-COPY ./manage.py /ak-root
+COPY ./authentik/ /authentik
+COPY ./pyproject.toml /
+COPY ./poetry.lock /
+COPY ./schemas /schemas
+COPY ./locale /locale
+COPY ./tests /tests
+COPY ./manage.py /
 COPY ./blueprints /blueprints
-COPY ./lifecycle/ /ak-root/lifecycle
+COPY ./lifecycle/ /lifecycle
 COPY ./authentik/sources/kerberos/krb5.conf /etc/krb5.conf
 COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
-COPY --from=web-builder /work/web/dist/ /ak-root/web/dist/
-COPY --from=web-builder /work/web/authentik/ /ak-root/web/authentik/
-COPY --from=website-builder /work/website/build/ /ak-root/website/help/
+COPY --from=web-builder /work/web/dist/ /web/dist/
+COPY --from=web-builder /work/web/authentik/ /web/authentik/
+COPY --from=website-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000
@@ -185,13 +174,12 @@ USER 1000
 ENV TMPDIR=/dev/shm/ \
     PYTHONDONTWRITEBYTECODE=1 \
     PYTHONUNBUFFERED=1 \
-    PATH="/ak-root/venv/bin:/ak-root/lifecycle:$PATH" \
+    PATH="/ak-root/venv/bin:/lifecycle:$PATH" \
     VENV_PATH="/ak-root/venv" \
-    POETRY_VIRTUALENVS_CREATE=false \
-    GOFIPS=1
+    POETRY_VIRTUALENVS_CREATE=false
+
+ENV GOFIPS=1
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=60s --retries=3 CMD [ "ak", "healthcheck" ]
 
-WORKDIR /ak-root
-
 ENTRYPOINT [ "dumb-init", "--", "ak" ]

Makefile

@@ -78,9 +78,6 @@ migrate: ## Run the Authentik Django server's migrations
 
 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service
 
-aws-cfn:
-	cd lifecycle/aws && npm run aws-cfn
-
 core-i18n-extract:
 	ak makemessages \
 		--add-location file \

SECURITY.md

@@ -2,7 +2,7 @@ authentik takes security very seriously. We follow the rules of [responsible di
 
 ## Independent audits and pentests
 
-We are committed to engaging in regular pentesting and security audits of authentik. Defining and adhering to a cadence of external testing ensures a stronger probability that our code base, our features, and our architecture is as secure and non-exploitable as possible. For more details about specfic audits and pentests, refer to "Audits and Certificates" in our [Security documentation](https://docs.goauthentik.io/docs/security).
+In May/June of 2023 [Cure53](https://cure53.de) conducted an audit and pentest. The [results](https://cure53.de/pentest-report_authentik.pdf) are published on the [Cure53 website](https://cure53.de/#publications-2023). For more details about authentik's response to the findings of the audit refer to [2023-06 Cure53 Code audit](https://goauthentik.io/docs/security/2023-06-cure53).
 
 ## What authentik classifies as a CVE
 
@@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni
 
 | Version   | Supported |
 | --------- | --------- |
+| 2024.8.x  | ✅        |
 | 2024.10.x | ✅        |
-| 2024.12.x | ✅        |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.12.2"
+__version__ = "2024.10.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 
@@ -16,5 +16,5 @@ def get_full_version() -> str:
     """Get full version, with build hash appended"""
     version = __version__
     if (build_hash := get_build_hash()) != "":
-        return f"{version}+{build_hash}"
+        version += "." + build_hash
     return version

authentik/admin/api/system.py

@@ -7,9 +7,7 @@ from sys import version as python_version
 from typing import TypedDict
 
 from cryptography.hazmat.backends.openssl.backend import backend
-from django.conf import settings
 from django.utils.timezone import now
-from django.views.debug import SafeExceptionReporterFilter
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import SerializerMethodField
 from rest_framework.request import Request
@@ -54,16 +52,10 @@ class SystemInfoSerializer(PassiveSerializer):
     def get_http_headers(self, request: Request) -> dict[str, str]:
         """Get HTTP Request headers"""
         headers = {}
-        raw_session = request._request.COOKIES.get(settings.SESSION_COOKIE_NAME)
         for key, value in request.META.items():
             if not isinstance(value, str):
                 continue
-            actual_value = value
-            if raw_session in actual_value:
-                actual_value = actual_value.replace(
-                    raw_session, SafeExceptionReporterFilter.cleansed_substitute
-                )
-            headers[key] = actual_value
+            headers[key] = value
         return headers
 
     def get_http_host(self, request: Request) -> str:

authentik/admin/api/workers.py

@@ -1,16 +1,12 @@
 """authentik administration overview"""
 
-from socket import gethostname
-
 from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
-from packaging.version import parse
-from rest_framework.fields import BooleanField, CharField
+from rest_framework.fields import IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
 
-from authentik import get_full_version
 from authentik.rbac.permissions import HasPermission
 from authentik.root.celery import CELERY_APP
 
@@ -20,38 +16,11 @@ class WorkerView(APIView):
 
     permission_classes = [HasPermission("authentik_rbac.view_system_info")]
 
-    @extend_schema(
-        responses=inline_serializer(
-            "Worker",
-            fields={
-                "worker_id": CharField(),
-                "version": CharField(),
-                "version_matching": BooleanField(),
-            },
-            many=True,
-        )
-    )
+    @extend_schema(responses=inline_serializer("Workers", fields={"count": IntegerField()}))
     def get(self, request: Request) -> Response:
         """Get currently connected worker count."""
-        raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
-        our_version = parse(get_full_version())
-        response = []
-        for worker in raw:
-            key = list(worker.keys())[0]
-            version = worker[key].get("version")
-            version_matching = False
-            if version:
-                version_matching = parse(version) == our_version
-            response.append(
-                {"worker_id": key, "version": version, "version_matching": version_matching}
-            )
+        count = len(CELERY_APP.control.ping(timeout=0.5))
         # In debug we run with `task_always_eager`, so tasks are ran on the main process
         if settings.DEBUG:  # pragma: no cover
-            response.append(
-                {
-                    "worker_id": f"authentik-debug@{gethostname()}",
-                    "version": get_full_version(),
-                    "version_matching": True,
-                }
-            )
-        return Response(response)
+            count += 1
+        return Response({"count": count})

authentik/admin/apps.py

@@ -1,10 +1,11 @@
 """authentik admin app config"""
 
-from prometheus_client import Info
+from prometheus_client import Gauge, Info
 
 from authentik.blueprints.apps import ManagedAppConfig
 
 PROM_INFO = Info("authentik_version", "Currently running authentik version")
+GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 
 
 class AuthentikAdminConfig(ManagedAppConfig):

authentik/admin/signals.py

@@ -1,35 +1,14 @@
 """admin signals"""
 
 from django.dispatch import receiver
-from packaging.version import parse
-from prometheus_client import Gauge
 
-from authentik import get_full_version
+from authentik.admin.apps import GAUGE_WORKERS
 from authentik.root.celery import CELERY_APP
 from authentik.root.monitoring import monitoring_set
 
-GAUGE_WORKERS = Gauge(
-    "authentik_admin_workers",
-    "Currently connected workers, their versions and if they are the same version as authentik",
-    ["version", "version_matched"],
-)
-
-
-_version = parse(get_full_version())
-
 
 @receiver(monitoring_set)
 def monitoring_set_workers(sender, **kwargs):
     """Set worker gauge"""
-    raw: list[dict[str, dict]] = CELERY_APP.control.ping(timeout=0.5)
-    worker_version_count = {}
-    for worker in raw:
-        key = list(worker.keys())[0]
-        version = worker[key].get("version")
-        version_matching = False
-        if version:
-            version_matching = parse(version) == _version
-        worker_version_count.setdefault(version, {"count": 0, "matching": version_matching})
-        worker_version_count[version]["count"] += 1
-    for version, stats in worker_version_count.items():
-        GAUGE_WORKERS.labels(version, stats["matching"]).set(stats["count"])
+    count = len(CELERY_APP.control.ping(timeout=0.5))
+    GAUGE_WORKERS.set(count)

authentik/admin/tests/test_api.py

@@ -34,7 +34,7 @@ class TestAdminAPI(TestCase):
         response = self.client.get(reverse("authentik_api:admin_workers"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content)
-        self.assertEqual(len(body), 0)
+        self.assertEqual(body["count"], 0)
 
     def test_metrics(self):
         """Test metrics API"""

authentik/api/authorization.py

@@ -0,0 +1,67 @@
+"""API Authorization"""
+
+from django.conf import settings
+from django.db.models import Model
+from django.db.models.query import QuerySet
+from django_filters.rest_framework import DjangoFilterBackend
+from rest_framework.authentication import get_authorization_header
+from rest_framework.filters import BaseFilterBackend
+from rest_framework.permissions import BasePermission
+from rest_framework.request import Request
+
+from authentik.api.authentication import validate_auth
+from authentik.rbac.filters import ObjectFilter
+
+
+class OwnerFilter(BaseFilterBackend):
+    """Filter objects by their owner"""
+
+    owner_key = "user"
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        if request.user.is_superuser:
+            return queryset
+        return queryset.filter(**{self.owner_key: request.user})
+
+
+class SecretKeyFilter(DjangoFilterBackend):
+    """Allow access to all objects when authenticated with secret key as token.
+
+    Replaces both DjangoFilterBackend and ObjectFilter"""
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        auth_header = get_authorization_header(request)
+        token = validate_auth(auth_header)
+        if token and token == settings.SECRET_KEY:
+            return queryset
+        queryset = ObjectFilter().filter_queryset(request, queryset, view)
+        return super().filter_queryset(request, queryset, view)
+
+
+class OwnerPermissions(BasePermission):
+    """Authorize requests by an object's owner matching the requesting user"""
+
+    owner_key = "user"
+
+    def has_permission(self, request: Request, view) -> bool:
+        """If the user is authenticated, we allow all requests here. For listing, the
+        object-level permissions are done by the filter backend"""
+        return request.user.is_authenticated
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
+        """Check if the object's owner matches the currently logged in user"""
+        if not hasattr(obj, self.owner_key):
+            return False
+        owner = getattr(obj, self.owner_key)
+        if owner != request.user:
+            return False
+        return True
+
+
+class OwnerSuperuserPermissions(OwnerPermissions):
+    """Similar to OwnerPermissions, except always allow access for superusers"""
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
+        if request.user.is_superuser:
+            return True
+        return super().has_object_permission(request, view, obj)

authentik/blueprints/management/commands/blueprint_shell.py

@@ -1,68 +0,0 @@
-"""Test and debug Blueprints"""
-
-import atexit
-import readline
-from pathlib import Path
-from pprint import pformat
-from sys import exit as sysexit
-from textwrap import indent
-
-from django.core.management.base import BaseCommand, no_translations
-from structlog.stdlib import get_logger
-from yaml import load
-
-from authentik.blueprints.v1.common import BlueprintLoader, EntryInvalidError
-from authentik.core.management.commands.shell import get_banner_text
-from authentik.lib.utils.errors import exception_to_string
-
-LOGGER = get_logger()
-
-
-class Command(BaseCommand):
-    """Test and debug Blueprints"""
-
-    lines = []
-
-    def __init__(self, *args, **kwargs) -> None:
-        super().__init__(*args, **kwargs)
-        histfolder = Path("~").expanduser() / Path(".local/share/authentik")
-        histfolder.mkdir(parents=True, exist_ok=True)
-        histfile = histfolder / Path("blueprint_shell_history")
-        readline.parse_and_bind("tab: complete")
-        readline.parse_and_bind("set editing-mode vi")
-
-        try:
-            readline.read_history_file(str(histfile))
-        except FileNotFoundError:
-            pass
-
-        atexit.register(readline.write_history_file, str(histfile))
-
-    @no_translations
-    def handle(self, *args, **options):
-        """Interactively debug blueprint files"""
-        self.stdout.write(get_banner_text("Blueprint shell"))
-        self.stdout.write("Type '.eval' to evaluate previously entered statement(s).")
-
-        def do_eval():
-            yaml_input = "\n".join([line for line in self.lines if line])
-            data = load(yaml_input, BlueprintLoader)
-            self.stdout.write(pformat(data))
-            self.lines = []
-
-        while True:
-            try:
-                line = input("> ")
-                if line == ".eval":
-                    do_eval()
-                else:
-                    self.lines.append(line)
-            except EntryInvalidError as exc:
-                self.stdout.write("Failed to evaluate expression:")
-                self.stdout.write(indent(exception_to_string(exc), prefix="  "))
-            except EOFError:
-                break
-            except KeyboardInterrupt:
-                self.stdout.write()
-                sysexit(0)
-        self.stdout.write()

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -126,7 +126,7 @@ class Command(BaseCommand):
         def_name_perm = f"model_{model_path}_permissions"
         def_path_perm = f"#/$defs/{def_name_perm}"
         self.schema["$defs"][def_name_perm] = self.model_permissions(model)
-        template = {
+        return {
             "type": "object",
             "required": ["model", "identifiers"],
             "properties": {
@@ -143,11 +143,6 @@ class Command(BaseCommand):
                 "identifiers": {"$ref": def_path},
             },
         }
-        # Meta models don't require identifiers, as there's no matching database model to find
-        if issubclass(model, BaseMetaModel):
-            del template["properties"]["identifiers"]
-            template["required"].remove("identifiers")
-        return template
 
     def field_to_jsonschema(self, field: Field) -> dict:
         """Convert a single field to json schema"""

authentik/blueprints/tests/fixtures/tags.yaml

@@ -146,10 +146,6 @@ entries:
                   ]
               ]
               nested_context: !Context context2
-              at_index_sequence: !AtIndex [!Context sequence, 0]
-              at_index_sequence_default: !AtIndex [!Context sequence, 100, "non existent"]
-              at_index_mapping: !AtIndex [!Context mapping, "key2"]
-              at_index_mapping_default: !AtIndex [!Context mapping, "invalid", "non existent"]
       identifiers:
           name: test
       conditions:

authentik/blueprints/tests/test_v1.py

@@ -215,10 +215,6 @@ class TestBlueprintsV1(TransactionTestCase):
                     },
                     "nested_context": "context-nested-value",
                     "env_null": None,
-                    "at_index_sequence": "foo",
-                    "at_index_sequence_default": "non existent",
-                    "at_index_mapping": 2,
-                    "at_index_mapping_default": "non existent",
                 }
             ).exists()
         )

authentik/blueprints/v1/common.py

@@ -24,10 +24,6 @@ from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.models import PolicyBindingModel
 
 
-class UNSET:
-    """Used to test whether a key has not been set."""
-
-
 def get_attrs(obj: SerializerModel) -> dict[str, Any]:
     """Get object's attributes via their serializer, and convert it to a normal dict"""
     serializer: Serializer = obj.serializer(obj)
@@ -202,9 +198,6 @@ class Blueprint:
 class YAMLTag:
     """Base class for all YAML Tags"""
 
-    def __repr__(self) -> str:
-        return str(self.resolve(BlueprintEntry(""), Blueprint()))
-
     def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
         """Implement yaml tag logic"""
         raise NotImplementedError
@@ -563,53 +556,6 @@ class Value(EnumeratedItem):
             raise EntryInvalidError.from_entry(f"Empty/invalid context: {context}", entry) from exc
 
 
-class AtIndex(YAMLTag):
-    """Get value at index of a sequence or mapping"""
-
-    obj: YAMLTag | dict | list | tuple
-    attribute: int | str | YAMLTag
-    default: Any | UNSET
-
-    def __init__(self, loader: "BlueprintLoader", node: SequenceNode) -> None:
-        super().__init__()
-        self.obj = loader.construct_object(node.value[0])
-        self.attribute = loader.construct_object(node.value[1])
-        if len(node.value) == 2:  # noqa: PLR2004
-            self.default = UNSET
-        else:
-            self.default = loader.construct_object(node.value[2])
-
-    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        if isinstance(self.obj, YAMLTag):
-            obj = self.obj.resolve(entry, blueprint)
-        else:
-            obj = self.obj
-        if isinstance(self.attribute, YAMLTag):
-            attribute = self.attribute.resolve(entry, blueprint)
-        else:
-            attribute = self.attribute
-
-        if isinstance(obj, list | tuple):
-            try:
-                return obj[attribute]
-            except TypeError as exc:
-                raise EntryInvalidError.from_entry(
-                    f"Invalid index for list: {attribute}", entry
-                ) from exc
-            except IndexError as exc:
-                if self.default is UNSET:
-                    raise EntryInvalidError.from_entry(
-                        f"Index out of range: {attribute}", entry
-                    ) from exc
-                return self.default
-        if attribute in obj:
-            return obj[attribute]
-        else:
-            if self.default is UNSET:
-                raise EntryInvalidError.from_entry(f"Key does not exist: {attribute}", entry)
-            return self.default
-
-
 class BlueprintDumper(SafeDumper):
     """Dump dataclasses to yaml"""
 
@@ -660,7 +606,6 @@ class BlueprintLoader(SafeLoader):
         self.add_constructor("!Enumerate", Enumerate)
         self.add_constructor("!Value", Value)
         self.add_constructor("!Index", Index)
-        self.add_constructor("!AtIndex", AtIndex)
 
 
 class EntryInvalidError(SentryIgnoredException):

authentik/blueprints/v1/importer.py

@@ -65,12 +65,7 @@ from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
-from authentik.providers.oauth2.models import (
-    AccessToken,
-    AuthorizationCode,
-    DeviceToken,
-    RefreshToken,
-)
+from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
 from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
@@ -130,7 +125,6 @@ def excluded_models() -> list[type[Model]]:
         MicrosoftEntraProviderGroup,
         EndpointDevice,
         EndpointDeviceConnection,
-        DeviceToken,
     )
 
 
@@ -299,11 +293,7 @@ class Importer:
 
         serializer_kwargs = {}
         model_instance = existing_models.first()
-        if (
-            not isinstance(model(), BaseMetaModel)
-            and model_instance
-            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
-        ):
+        if not isinstance(model(), BaseMetaModel) and model_instance:
             self.logger.debug(
                 "Initialise serializer with instance",
                 model=model,
@@ -313,12 +303,11 @@ class Importer:
             serializer_kwargs["instance"] = model_instance
             serializer_kwargs["partial"] = True
         elif model_instance and entry.state == BlueprintEntryDesiredState.MUST_CREATED:
-            msg = (
-                f"State is set to {BlueprintEntryDesiredState.MUST_CREATED.value} "
-                "and object exists already",
-            )
             raise EntryInvalidError.from_entry(
-                ValidationError({k: msg for k in entry.identifiers.keys()}, "unique"),
+                (
+                    f"State is set to {BlueprintEntryDesiredState.MUST_CREATED} "
+                    "and object exists already",
+                ),
                 entry,
             )
         else:

authentik/blueprints/v1/tasks.py

@@ -159,7 +159,7 @@ def blueprints_discovery(self: SystemTask, path: str | None = None):
         check_blueprint_v1_file(blueprint)
         count += 1
     self.set_status(
-        TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=count))
+        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": count})
     )
 
 

authentik/brands/api.py

@@ -14,10 +14,10 @@ from rest_framework.response import Response
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.api.authorization import SecretKeyFilter
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
-from authentik.rbac.filters import SecretKeyFilter
 from authentik.tenants.utils import get_current_tenant
 
 
@@ -84,8 +84,8 @@ class CurrentBrandSerializer(PassiveSerializer):
 
     matched_domain = CharField(source="domain")
     branding_title = CharField()
-    branding_logo = CharField(source="branding_logo_url")
-    branding_favicon = CharField(source="branding_favicon_url")
+    branding_logo = CharField()
+    branding_favicon = CharField()
     ui_footer_links = ListField(
         child=FooterLinkSerializer(),
         read_only=True,

authentik/brands/middleware.py

@@ -4,7 +4,7 @@ from collections.abc import Callable
 
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
-from django.utils.translation import override
+from django.utils.translation import activate
 
 from authentik.brands.utils import get_brand_for_request
 
@@ -18,14 +18,10 @@ class BrandMiddleware:
         self.get_response = get_response
 
     def __call__(self, request: HttpRequest) -> HttpResponse:
-        locale_to_set = None
         if not hasattr(request, "brand"):
             brand = get_brand_for_request(request)
             request.brand = brand
             locale = brand.default_locale
             if locale != "":
-                locale_to_set = locale
-        if locale_to_set:
-            with override(locale_to_set):
-                return self.get_response(request)
+                activate(locale)
         return self.get_response(request)

authentik/brands/models.py

@@ -10,7 +10,6 @@ from structlog.stdlib import get_logger
 
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
-from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 
 LOGGER = get_logger()
@@ -72,18 +71,6 @@ class Brand(SerializerModel):
     )
     attributes = models.JSONField(default=dict, blank=True)
 
-    def branding_logo_url(self) -> str:
-        """Get branding_logo with the correct prefix"""
-        if self.branding_logo.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.branding_logo
-        return self.branding_logo
-
-    def branding_favicon_url(self) -> str:
-        """Get branding_favicon with the correct prefix"""
-        if self.branding_favicon.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.branding_favicon
-        return self.branding_favicon
-
     @property
     def serializer(self) -> Serializer:
         from authentik.brands.api import BrandSerializer

authentik/core/api/application_entitlements.py

@@ -1,58 +0,0 @@
-"""Application Roles API Viewset"""
-
-from django.http import HttpRequest
-from django.utils.translation import gettext_lazy as _
-from rest_framework.exceptions import ValidationError
-from rest_framework.viewsets import ModelViewSet
-
-from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
-from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import ModelSerializer
-from authentik.core.models import (
-    Application,
-    ApplicationEntitlement,
-)
-
-
-class ApplicationEntitlementSerializer(ModelSerializer):
-    """ApplicationEntitlement Serializer"""
-
-    def validate_app(self, app: Application) -> Application:
-        """Ensure user has permission to view"""
-        request: HttpRequest = self.context.get("request")
-        if not request and SERIALIZER_CONTEXT_BLUEPRINT in self.context:
-            return app
-        user = request.user
-        if user.has_perm("view_application", app) or user.has_perm(
-            "authentik_core.view_application"
-        ):
-            return app
-        raise ValidationError(_("User does not have access to application."), code="invalid")
-
-    class Meta:
-        model = ApplicationEntitlement
-        fields = [
-            "pbm_uuid",
-            "name",
-            "app",
-            "attributes",
-        ]
-
-
-class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
-    """ApplicationEntitlement Viewset"""
-
-    queryset = ApplicationEntitlement.objects.all()
-    serializer_class = ApplicationEntitlementSerializer
-    search_fields = [
-        "pbm_uuid",
-        "name",
-        "app",
-        "attributes",
-    ]
-    filterset_fields = [
-        "pbm_uuid",
-        "name",
-        "app",
-    ]
-    ordering = ["name"]

authentik/core/api/authenticated_sessions.py

@@ -2,12 +2,16 @@
 
 from typing import TypedDict
 
+from django_filters.rest_framework import DjangoFilterBackend
+from guardian.utils import get_anonymous_user
 from rest_framework import mixins
 from rest_framework.fields import SerializerMethodField
+from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 
+from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.core.models import AuthenticatedSession
@@ -106,4 +110,11 @@ class AuthenticatedSessionViewSet(
     search_fields = ["user__username", "last_ip", "last_user_agent"]
     filterset_fields = ["user__username", "last_ip", "last_user_agent"]
     ordering = ["user__username"]
-    owner_field = "user"
+    permission_classes = [OwnerSuperuserPermissions]
+    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
+
+    def get_queryset(self):
+        user = self.request.user if self.request else get_anonymous_user()
+        if user.is_superuser:
+            return super().get_queryset()
+        return super().get_queryset().filter(user=user.pk)

authentik/core/api/sources.py

@@ -2,16 +2,19 @@
 
 from collections.abc import Iterable
 
+from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ReadOnlyField, SerializerMethodField
+from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 
+from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
@@ -156,9 +159,9 @@ class SourceViewSet(
 
 
 class UserSourceConnectionSerializer(SourceSerializer):
-    """User source connection"""
+    """OAuth Source Serializer"""
 
-    source_obj = SourceSerializer(read_only=True, source="source")
+    source = SourceSerializer(read_only=True)
 
     class Meta:
         model = UserSourceConnection
@@ -166,10 +169,10 @@ class UserSourceConnectionSerializer(SourceSerializer):
             "pk",
             "user",
             "source",
-            "source_obj",
             "created",
         ]
         extra_kwargs = {
+            "user": {"read_only": True},
             "created": {"read_only": True},
         }
 
@@ -186,16 +189,17 @@ class UserSourceConnectionViewSet(
 
     queryset = UserSourceConnection.objects.all()
     serializer_class = UserSourceConnectionSerializer
+    permission_classes = [OwnerSuperuserPermissions]
     filterset_fields = ["user", "source__slug"]
     search_fields = ["source__slug"]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
     ordering = ["source__slug", "pk"]
-    owner_field = "user"
 
 
 class GroupSourceConnectionSerializer(SourceSerializer):
-    """Group Source Connection"""
+    """Group Source Connection Serializer"""
 
-    source_obj = SourceSerializer(read_only=True)
+    source = SourceSerializer(read_only=True)
 
     class Meta:
         model = GroupSourceConnection
@@ -203,11 +207,12 @@ class GroupSourceConnectionSerializer(SourceSerializer):
             "pk",
             "group",
             "source",
-            "source_obj",
             "identifier",
             "created",
         ]
         extra_kwargs = {
+            "group": {"read_only": True},
+            "identifier": {"read_only": True},
             "created": {"read_only": True},
         }
 
@@ -224,7 +229,8 @@ class GroupSourceConnectionViewSet(
 
     queryset = GroupSourceConnection.objects.all()
     serializer_class = GroupSourceConnectionSerializer
+    permission_classes = [OwnerSuperuserPermissions]
     filterset_fields = ["group", "source__slug"]
     search_fields = ["source__slug"]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
     ordering = ["source__slug", "pk"]
-    owner_field = "user"

authentik/core/api/tokens.py

@@ -3,15 +3,18 @@
 from typing import Any
 
 from django.utils.timezone import now
+from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
 from guardian.shortcuts import assign_perm, get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
+from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
@@ -135,8 +138,8 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
         "managed",
     ]
     ordering = ["identifier", "expires"]
-    owner_field = "user"
-    rbac_allow_create_without_perm = True
+    permission_classes = [OwnerSuperuserPermissions]
+    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
 
     def get_queryset(self):
         user = self.request.user if self.request else get_anonymous_user()

authentik/core/api/transactional_applications.py

@@ -1,12 +1,10 @@
 """transactional application and provider creation"""
 
 from django.apps import apps
-from django.db.models import Model
-from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.exceptions import ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.views import APIView
@@ -22,9 +20,8 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.importer import Importer
 from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.utils import PassiveSerializer
-from authentik.core.models import Application, Provider
+from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
-from authentik.policies.api.bindings import PolicyBindingSerializer
 
 
 def get_provider_serializer_mapping():
@@ -48,20 +45,6 @@ class TransactionProviderField(DictField):
     """Dictionary field which can hold provider creation data"""
 
 
-class TransactionPolicyBindingSerializer(PolicyBindingSerializer):
-    """PolicyBindingSerializer which does not require target as target is set implicitly"""
-
-    def validate(self, attrs):
-        # As the PolicyBindingSerializer checks that the correct things can be bound to a target
-        # but we don't have a target here as that's set by the blueprint, pass in an empty app
-        # which will have the correct allowed combination of group/user/policy.
-        attrs["target"] = Application()
-        return super().validate(attrs)
-
-    class Meta(PolicyBindingSerializer.Meta):
-        fields = [x for x in PolicyBindingSerializer.Meta.fields if x != "target"]
-
-
 class TransactionApplicationSerializer(PassiveSerializer):
     """Serializer for creating a provider and an application in one transaction"""
 
@@ -69,8 +52,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
     provider_model = ChoiceField(choices=list(get_provider_serializer_mapping().keys()))
     provider = TransactionProviderField()
 
-    policy_bindings = TransactionPolicyBindingSerializer(many=True, required=False)
-
     _provider_model: type[Provider] = None
 
     def validate_provider_model(self, fq_model_name: str) -> str:
@@ -115,19 +96,6 @@ class TransactionApplicationSerializer(PassiveSerializer):
                 id="app",
             )
         )
-        for binding in attrs.get("policy_bindings", []):
-            binding["target"] = KeyOf(None, ScalarNode(tag="", value="app"))
-            for key, value in binding.items():
-                if not isinstance(value, Model):
-                    continue
-                binding[key] = value.pk
-            blueprint.entries.append(
-                BlueprintEntry(
-                    model="authentik_policies.policybinding",
-                    state=BlueprintEntryDesiredState.MUST_CREATED,
-                    identifiers=binding,
-                )
-            )
         importer = Importer(blueprint, {})
         try:
             valid, _ = importer.validate(raise_validation_errors=True)
@@ -152,7 +120,8 @@ class TransactionApplicationResponseSerializer(PassiveSerializer):
 class TransactionalApplicationView(APIView):
     """Create provider and application and attach them in a single transaction"""
 
-    permission_classes = [IsAuthenticated]
+    # TODO: Migrate to a more specific permission
+    permission_classes = [IsAdminUser]
 
     @extend_schema(
         request=TransactionApplicationSerializer(),
@@ -164,23 +133,8 @@ class TransactionalApplicationView(APIView):
         """Convert data into a blueprint, validate it and apply it"""
         data = TransactionApplicationSerializer(data=request.data)
         data.is_valid(raise_exception=True)
-        blueprint: Blueprint = data.validated_data
-        for entry in blueprint.entries:
-            full_model = entry.get_model(blueprint)
-            app, __, model = full_model.partition(".")
-            if not request.user.has_perm(f"{app}.add_{model}"):
-                raise PermissionDenied(
-                    {
-                        entry.id: _(
-                            "User lacks permission to create {model}".format_map(
-                                {
-                                    "model": full_model,
-                                }
-                            )
-                        )
-                    }
-                )
-        importer = Importer(blueprint, {})
+
+        importer = Importer(data.validated_data, {})
         applied = importer.apply()
         response = {"applied": False, "logs": []}
         response["applied"] = applied

authentik/core/api/users.py

@@ -427,7 +427,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
     queryset = User.objects.none()
     ordering = ["username"]
     serializer_class = UserSerializer
-    search_fields = ["username", "name", "is_active", "email", "uuid", "attributes"]
+    search_fields = ["username", "name", "is_active", "email", "uuid"]
     filterset_class = UsersFilter
 
     def get_queryset(self):
@@ -585,7 +585,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         """Set password for user"""
         user: User = self.get_object()
         try:
-            user.set_password(request.data.get("password"), request=request)
+            user.set_password(request.data.get("password"))
             user.save()
         except (ValidationError, IntegrityError) as exc:
             LOGGER.debug("Failed to set password", exc=exc)
@@ -666,12 +666,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
 
     @permission_required("authentik_core.impersonate")
     @extend_schema(
-        request=inline_serializer(
-            "ImpersonationSerializer",
-            {
-                "reason": CharField(required=True),
-            },
-        ),
+        request=OpenApiTypes.NONE,
         responses={
             "204": OpenApiResponse(description="Successfully started impersonation"),
             "401": OpenApiResponse(description="Access denied"),
@@ -684,7 +679,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
             LOGGER.debug("User attempted to impersonate", user=request.user)
             return Response(status=401)
         user_to_be = self.get_object()
-        reason = request.data.get("reason", "")
         # Check both object-level perms and global perms
         if not request.user.has_perm(
             "authentik_core.impersonate", user_to_be
@@ -694,16 +688,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         if user_to_be.pk == self.request.user.pk:
             LOGGER.debug("User attempted to impersonate themselves", user=request.user)
             return Response(status=401)
-        if not reason and request.tenant.impersonation_require_reason:
-            LOGGER.debug(
-                "User attempted to impersonate without providing a reason", user=request.user
-            )
-            return Response(status=401)
 
         request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
         request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
 
-        Event.new(EventAction.IMPERSONATION_STARTED, reason=reason).from_http(request, user_to_be)
+        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
 
         return Response(status=201)
 

authentik/core/auth.py

@@ -44,12 +44,13 @@ class TokenBackend(InbuiltBackend):
         self, request: HttpRequest, username: str | None, password: str | None, **kwargs: Any
     ) -> User | None:
         try:
+
             user = User._default_manager.get_by_natural_key(username)
 
         except User.DoesNotExist:
             # Run the default password hasher once to reduce the timing
             # difference between an existing and a nonexistent user (#20760).
-            User().set_password(password, request=request)
+            User().set_password(password)
             return None
 
         tokens = Token.filter_not_expired(

authentik/core/expression/evaluator.py

@@ -58,7 +58,6 @@ class PropertyMappingEvaluator(BaseEvaluator):
             self._context["user"] = user
         if request:
             req.http_request = request
-            self._context["http_request"] = request
         req.context.update(**kwargs)
         self._context["request"] = req
         self._context.update(**kwargs)

authentik/core/management/commands/shell.py

@@ -17,9 +17,7 @@ from authentik.events.middleware import should_log_model
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import model_to_dict
 
-
-def get_banner_text(shell_type="shell") -> str:
-    return f"""### authentik {shell_type} ({get_full_version()})
+BANNER_TEXT = f"""### authentik shell ({get_full_version()})
 ### Node {platform.node()} | Arch {platform.machine()} | Python {platform.python_version()} """
 
 
@@ -116,4 +114,4 @@ class Command(BaseCommand):
             readline.parse_and_bind("tab: complete")
 
         # Run interactive shell
-        code.interact(banner=get_banner_text(), local=namespace)
+        code.interact(banner=BANNER_TEXT, local=namespace)

authentik/core/middleware.py

@@ -5,7 +5,7 @@ from contextvars import ContextVar
 from uuid import uuid4
 
 from django.http import HttpRequest, HttpResponse
-from django.utils.translation import override
+from django.utils.translation import activate
 from sentry_sdk.api import set_tag
 from structlog.contextvars import STRUCTLOG_KEY_PREFIX
 
@@ -31,20 +31,16 @@ class ImpersonateMiddleware:
     def __call__(self, request: HttpRequest) -> HttpResponse:
         # No permission checks are done here, they need to be checked before
         # SESSION_KEY_IMPERSONATE_USER is set.
-        locale_to_set = None
         if request.user.is_authenticated:
             locale = request.user.locale(request)
             if locale != "":
-                locale_to_set = locale
+                activate(locale)
 
         if SESSION_KEY_IMPERSONATE_USER in request.session:
             request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
             # Ensure that the user is active, otherwise nothing will work
             request.user.is_active = True
 
-        if locale_to_set:
-            with override(locale_to_set):
-                return self.get_response(request)
         return self.get_response(request)
 
 

authentik/core/migrations/0041_applicationentitlement.py

@@ -1,45 +0,0 @@
-# Generated by Django 5.0.9 on 2024-11-20 15:16
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0040_provider_invalidation_flow"),
-        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name="ApplicationEntitlement",
-            fields=[
-                (
-                    "policybindingmodel_ptr",
-                    models.OneToOneField(
-                        auto_created=True,
-                        on_delete=django.db.models.deletion.CASCADE,
-                        parent_link=True,
-                        primary_key=True,
-                        serialize=False,
-                        to="authentik_policies.policybindingmodel",
-                    ),
-                ),
-                ("attributes", models.JSONField(blank=True, default=dict)),
-                ("name", models.TextField()),
-                (
-                    "app",
-                    models.ForeignKey(
-                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.application"
-                    ),
-                ),
-            ],
-            options={
-                "verbose_name": "Application Entitlement",
-                "verbose_name_plural": "Application Entitlements",
-                "unique_together": {("app", "name")},
-            },
-            bases=("authentik_policies.policybindingmodel", models.Model),
-        ),
-    ]

authentik/core/migrations/0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more.py

@@ -1,45 +0,0 @@
-# Generated by Django 5.0.10 on 2025-01-13 18:05
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0041_applicationentitlement"),
-    ]
-
-    operations = [
-        migrations.AddIndex(
-            model_name="authenticatedsession",
-            index=models.Index(fields=["expires"], name="authentik_c_expires_08251d_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="authenticatedsession",
-            index=models.Index(fields=["expiring"], name="authentik_c_expirin_9cd839_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="authenticatedsession",
-            index=models.Index(
-                fields=["expiring", "expires"], name="authentik_c_expirin_195a84_idx"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="authenticatedsession",
-            index=models.Index(fields=["session_key"], name="authentik_c_session_d0f005_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="token",
-            index=models.Index(fields=["expires"], name="authentik_c_expires_a62b4b_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="token",
-            index=models.Index(fields=["expiring"], name="authentik_c_expirin_a1b838_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="token",
-            index=models.Index(
-                fields=["expiring", "expires"], name="authentik_c_expirin_ba04d9_idx"
-            ),
-        ),
-    ]

authentik/core/models.py

@@ -314,32 +314,6 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         always_merger.merge(final_attributes, self.attributes)
         return final_attributes
 
-    def app_entitlements(self, app: "Application | None") -> QuerySet["ApplicationEntitlement"]:
-        """Get all entitlements this user has for `app`."""
-        if not app:
-            return []
-        all_groups = self.all_groups()
-        qs = app.applicationentitlement_set.filter(
-            Q(
-                Q(bindings__user=self) | Q(bindings__group__in=all_groups),
-                bindings__negate=False,
-            )
-            | Q(
-                Q(~Q(bindings__user=self), bindings__user__isnull=False)
-                | Q(~Q(bindings__group__in=all_groups), bindings__group__isnull=False),
-                bindings__negate=True,
-            ),
-            bindings__enabled=True,
-        ).order_by("name")
-        return qs
-
-    def app_entitlements_attributes(self, app: "Application | None") -> dict:
-        """Get a dictionary containing all merged attributes from app entitlements for `app`."""
-        final_attributes = {}
-        for attrs in self.app_entitlements(app).values_list("attributes", flat=True):
-            always_merger.merge(final_attributes, attrs)
-        return final_attributes
-
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.users import UserSerializer
@@ -356,13 +330,13 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         """superuser == staff user"""
         return self.is_superuser  # type: ignore
 
-    def set_password(self, raw_password, signal=True, sender=None, request=None):
+    def set_password(self, raw_password, signal=True, sender=None):
         if self.pk and signal:
             from authentik.core.signals import password_changed
 
             if not sender:
                 sender = self
-            password_changed.send(sender=sender, user=self, password=raw_password, request=request)
+            password_changed.send(sender=sender, user=self, password=raw_password)
         self.password_change_date = now()
         return super().set_password(raw_password)
 
@@ -607,31 +581,6 @@ class Application(SerializerModel, PolicyBindingModel):
         verbose_name_plural = _("Applications")
 
 
-class ApplicationEntitlement(AttributesMixin, SerializerModel, PolicyBindingModel):
-    """Application-scoped entitlement to control authorization in an application"""
-
-    name = models.TextField()
-
-    app = models.ForeignKey(Application, on_delete=models.CASCADE)
-
-    class Meta:
-        verbose_name = _("Application Entitlement")
-        verbose_name_plural = _("Application Entitlements")
-        unique_together = (("app", "name"),)
-
-    def __str__(self):
-        return f"Application Entitlement {self.name} for app {self.app_id}"
-
-    @property
-    def serializer(self) -> type[Serializer]:
-        from authentik.core.api.application_entitlements import ApplicationEntitlementSerializer
-
-        return ApplicationEntitlementSerializer
-
-    def supported_policy_binding_targets(self):
-        return ["group", "user"]
-
-
 class SourceUserMatchingModes(models.TextChoices):
     """Different modes a source can handle new/returning users"""
 
@@ -846,11 +795,6 @@ class ExpiringModel(models.Model):
 
     class Meta:
         abstract = True
-        indexes = [
-            models.Index(fields=["expires"]),
-            models.Index(fields=["expiring"]),
-            models.Index(fields=["expiring", "expires"]),
-        ]
 
     def expire_action(self, *args, **kwargs):
         """Handler which is called when this object is expired. By
@@ -906,7 +850,7 @@ class Token(SerializerModel, ManagedModel, ExpiringModel):
     class Meta:
         verbose_name = _("Token")
         verbose_name_plural = _("Tokens")
-        indexes = ExpiringModel.Meta.indexes + [
+        indexes = [
             models.Index(fields=["identifier"]),
             models.Index(fields=["key"]),
         ]
@@ -1006,9 +950,6 @@ class AuthenticatedSession(ExpiringModel):
     class Meta:
         verbose_name = _("Authenticated Session")
         verbose_name_plural = _("Authenticated Sessions")
-        indexes = ExpiringModel.Meta.indexes + [
-            models.Index(fields=["session_key"]),
-        ]
 
     def __str__(self) -> str:
         return f"Authenticated Session {self.session_key[:10]}"

authentik/core/sources/flow_manager.py

@@ -129,11 +129,6 @@ class SourceFlowManager:
             )
             new_connection.user = self.request.user
             new_connection = self.update_user_connection(new_connection, **kwargs)
-            if existing := self.user_connection_type.objects.filter(
-                source=self.source, identifier=self.identifier
-            ).first():
-                existing = self.update_user_connection(existing)
-                return Action.AUTH, existing
             return Action.LINK, new_connection
 
         action, connection = self.matcher.get_user_action(self.identifier, self.user_properties)
@@ -238,7 +233,13 @@ class SourceFlowManager:
                 self.request.GET,
                 flow_slug=flow_slug,
             )
-        flow_context.setdefault(PLAN_CONTEXT_REDIRECT, final_redirect)
+        # Ensure redirect is carried through when user was trying to
+        # authorize application
+        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
+            NEXT_ARG_NAME, "authentik_core:if-user"
+        )
+        if PLAN_CONTEXT_REDIRECT not in flow_context:
+            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
 
         if not flow:
             return bad_request_message(
@@ -259,7 +260,12 @@ class SourceFlowManager:
         if stages:
             for stage in stages:
                 plan.append_stage(stage)
-        return plan.to_redirect(self.request, flow)
+        self.request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            self.request.GET,
+            flow_slug=flow.slug,
+        )
 
     def handle_auth(
         self,

authentik/core/templates/base/header_js.html

@@ -9,9 +9,6 @@
         versionFamily: "{{ version_family }}",
         versionSubdomain: "{{ version_subdomain }}",
         build: "{{ build }}",
-        api: {
-            base: "{{ base_url }}",
-        },
     };
     window.addEventListener("DOMContentLoaded", function () {
         {% for message in messages %}

authentik/core/templates/base/skeleton.html

@@ -9,8 +9,8 @@
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
         <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="icon" href="{{ brand.branding_favicon }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">

authentik/core/templates/login/base_full.html

@@ -4,7 +4,7 @@
 {% load i18n %}
 
 {% block head_before %}
-<link rel="prefetch" href="{% static 'dist/assets/images/flow_background.jpg' %}" />
+<link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
@@ -13,7 +13,7 @@
 {% block head %}
 <style>
 :root {
-    --ak-flow-background: url("{% static 'dist/assets/images/flow_background.jpg' %}");
+    --ak-flow-background: url("/static/dist/assets/images/flow_background.jpg");
     --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
     --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
@@ -50,7 +50,7 @@
     <div class="ak-login-container">
         <main class="pf-c-login__main">
             <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+                <img src="{{ brand.branding_logo }}" alt="authentik Logo" />
             </div>
             <header class="pf-c-login__main-header">
                 <h1 class="pf-c-title pf-m-3xl">

authentik/core/tests/test_application_entitlements.py

@@ -1,153 +0,0 @@
-"""Test Application Entitlements API"""
-
-from django.urls import reverse
-from guardian.shortcuts import assign_perm
-from rest_framework.test import APITestCase
-
-from authentik.core.models import Application, ApplicationEntitlement, Group
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_user
-from authentik.lib.generators import generate_id
-from authentik.policies.dummy.models import DummyPolicy
-from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider
-
-
-class TestApplicationEntitlements(APITestCase):
-    """Test application entitlements"""
-
-    def setUp(self) -> None:
-        self.user = create_test_user()
-        self.other_user = create_test_user()
-        self.provider = OAuth2Provider.objects.create(
-            name="test",
-            authorization_flow=create_test_flow(),
-        )
-        self.app: Application = Application.objects.create(
-            name=generate_id(),
-            slug=generate_id(),
-            provider=self.provider,
-        )
-
-    def test_user(self):
-        """Test user-direct assignment"""
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        PolicyBinding.objects.create(target=ent, user=self.user, order=0)
-        ents = self.user.app_entitlements(self.app)
-        self.assertEqual(len(ents), 1)
-        self.assertEqual(ents[0].name, ent.name)
-
-    def test_group(self):
-        """Test direct group"""
-        group = Group.objects.create(name=generate_id())
-        self.user.ak_groups.add(group)
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        PolicyBinding.objects.create(target=ent, group=group, order=0)
-        ents = self.user.app_entitlements(self.app)
-        self.assertEqual(len(ents), 1)
-        self.assertEqual(ents[0].name, ent.name)
-
-    def test_group_indirect(self):
-        """Test indirect group"""
-        parent = Group.objects.create(name=generate_id())
-        group = Group.objects.create(name=generate_id(), parent=parent)
-        self.user.ak_groups.add(group)
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        PolicyBinding.objects.create(target=ent, group=parent, order=0)
-        ents = self.user.app_entitlements(self.app)
-        self.assertEqual(len(ents), 1)
-        self.assertEqual(ents[0].name, ent.name)
-
-    def test_negate_user(self):
-        """Test with negate flag"""
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        PolicyBinding.objects.create(target=ent, user=self.other_user, order=0, negate=True)
-        ents = self.user.app_entitlements(self.app)
-        self.assertEqual(len(ents), 1)
-        self.assertEqual(ents[0].name, ent.name)
-
-    def test_negate_group(self):
-        """Test with negate flag"""
-        other_group = Group.objects.create(name=generate_id())
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        PolicyBinding.objects.create(target=ent, group=other_group, order=0, negate=True)
-        ents = self.user.app_entitlements(self.app)
-        self.assertEqual(len(ents), 1)
-        self.assertEqual(ents[0].name, ent.name)
-
-    def test_api_perms_global(self):
-        """Test API creation with global permissions"""
-        assign_perm("authentik_core.add_applicationentitlement", self.user)
-        assign_perm("authentik_core.view_application", self.user)
-        self.client.force_login(self.user)
-        res = self.client.post(
-            reverse("authentik_api:applicationentitlement-list"),
-            data={
-                "name": generate_id(),
-                "app": self.app.pk,
-            },
-        )
-        self.assertEqual(res.status_code, 201)
-
-    def test_api_perms_scoped(self):
-        """Test API creation with scoped permissions"""
-        assign_perm("authentik_core.add_applicationentitlement", self.user)
-        assign_perm("authentik_core.view_application", self.user, self.app)
-        self.client.force_login(self.user)
-        res = self.client.post(
-            reverse("authentik_api:applicationentitlement-list"),
-            data={
-                "name": generate_id(),
-                "app": self.app.pk,
-            },
-        )
-        self.assertEqual(res.status_code, 201)
-
-    def test_api_perms_missing(self):
-        """Test API creation with no permissions"""
-        assign_perm("authentik_core.add_applicationentitlement", self.user)
-        self.client.force_login(self.user)
-        res = self.client.post(
-            reverse("authentik_api:applicationentitlement-list"),
-            data={
-                "name": generate_id(),
-                "app": self.app.pk,
-            },
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertJSONEqual(res.content, {"app": ["User does not have access to application."]})
-
-    def test_api_bindings_policy(self):
-        """Test that API doesn't allow policies to be bound to this"""
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        policy = DummyPolicy.objects.create(name=generate_id())
-        admin = create_test_admin_user()
-        self.client.force_login(admin)
-        response = self.client.post(
-            reverse("authentik_api:policybinding-list"),
-            data={
-                "target": ent.pbm_uuid,
-                "policy": policy.pk,
-                "order": 0,
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"non_field_errors": ["One of 'group', 'user' must be set."]},
-        )
-
-    def test_api_bindings_group(self):
-        """Test that API doesn't allow policies to be bound to this"""
-        ent = ApplicationEntitlement.objects.create(app=self.app, name=generate_id())
-        group = Group.objects.create(name=generate_id())
-        admin = create_test_admin_user()
-        self.client.force_login(admin)
-        response = self.client.post(
-            reverse("authentik_api:policybinding-list"),
-            data={
-                "target": ent.pbm_uuid,
-                "group": group.pk,
-                "order": 0,
-            },
-        )
-        self.assertEqual(response.status_code, 201)
-        self.assertTrue(PolicyBinding.objects.filter(target=ent.pbm_uuid).exists())

authentik/core/tests/test_applications_api.py

@@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 from authentik.providers.proxy.models import ProxyProvider
 from authentik.providers.saml.models import SAMLProvider
 
@@ -24,7 +24,7 @@ class TestApplicationsAPI(APITestCase):
         self.user = create_test_admin_user()
         self.provider = OAuth2Provider.objects.create(
             name="test",
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://some-other-domain")],
+            redirect_uris="http://some-other-domain",
             authorization_flow=create_test_flow(),
         )
         self.allowed: Application = Application.objects.create(

authentik/core/tests/test_impersonation.py

@@ -29,8 +29,7 @@ class TestImpersonation(APITestCase):
             reverse(
                 "authentik_api:user-impersonate",
                 kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
         )
 
         response = self.client.get(reverse("authentik_api:user-me"))
@@ -56,8 +55,7 @@ class TestImpersonation(APITestCase):
             reverse(
                 "authentik_api:user-impersonate",
                 kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
         )
         self.assertEqual(response.status_code, 201)
 
@@ -77,8 +75,7 @@ class TestImpersonation(APITestCase):
             reverse(
                 "authentik_api:user-impersonate",
                 kwargs={"pk": self.other_user.pk},
-            ),
-            data={"reason": "some reason"},
+            )
         )
         self.assertEqual(response.status_code, 201)
 
@@ -92,8 +89,7 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.other_user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": "some reason"},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
         )
         self.assertEqual(response.status_code, 403)
 
@@ -109,8 +105,7 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk}),
-            data={"reason": "some reason"},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.other_user.pk})
         )
         self.assertEqual(response.status_code, 401)
 
@@ -123,22 +118,7 @@ class TestImpersonation(APITestCase):
         self.client.force_login(self.user)
 
         response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": "some reason"},
-        )
-        self.assertEqual(response.status_code, 401)
-
-        response = self.client.get(reverse("authentik_api:user-me"))
-        response_body = loads(response.content.decode())
-        self.assertEqual(response_body["user"]["username"], self.user.username)
-
-    def test_impersonate_reason_required(self):
-        """test impersonation that user must provide reason"""
-        self.client.force_login(self.user)
-
-        response = self.client.post(
-            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk}),
-            data={"reason": ""},
+            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
         )
         self.assertEqual(response.status_code, 401)
 

authentik/core/tests/test_source_flow_manager.py

@@ -81,22 +81,6 @@ class TestSourceFlowManager(TestCase):
             reverse("authentik_core:if-user") + "#/settings;page-sources",
         )
 
-    def test_authenticated_auth(self):
-        """Test authenticated user linking"""
-        user = User.objects.create(username="foo", email="foo@bar.baz")
-        UserOAuthSourceConnection.objects.create(
-            user=user, source=self.source, identifier=self.identifier
-        )
-        request = get_request("/", user=user)
-        flow_manager = OAuthSourceFlowManager(
-            self.source, request, self.identifier, {"info": {}}, {}
-        )
-        action, connection = flow_manager.get_action()
-        self.assertEqual(action, Action.AUTH)
-        self.assertIsNotNone(connection.pk)
-        response = flow_manager.get_flow()
-        self.assertEqual(response.status_code, 302)
-
     def test_unauthenticated_link(self):
         """Test un-authenticated user linking"""
         flow_manager = OAuthSourceFlowManager(

authentik/core/tests/test_transactional_applications_api.py

@@ -1,13 +1,11 @@
 """Test Transactional API"""
 
 from django.urls import reverse
-from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 
-from authentik.core.models import Application, Group
-from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
-from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.models import OAuth2Provider
 
 
@@ -15,9 +13,7 @@ class TestTransactionalApplicationsAPI(APITestCase):
     """Test Transactional API"""
 
     def setUp(self) -> None:
-        self.user = create_test_user()
-        assign_perm("authentik_core.add_application", self.user)
-        assign_perm("authentik_providers_oauth2.add_oauth2provider", self.user)
+        self.user = create_test_admin_user()
 
     def test_create_transactional(self):
         """Test transactional Application + provider creation"""
@@ -35,7 +31,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
                     "name": uid,
                     "authorization_flow": str(create_test_flow().pk),
                     "invalidation_flow": str(create_test_flow().pk),
-                    "redirect_uris": [],
                 },
             },
         )
@@ -46,66 +41,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
         self.assertIsNotNone(app)
         self.assertEqual(app.provider.pk, provider.pk)
 
-    def test_create_transactional_permission_denied(self):
-        """Test transactional Application + provider creation (missing permissions)"""
-        self.client.force_login(self.user)
-        uid = generate_id()
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_saml.samlprovider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
-                    "invalidation_flow": str(create_test_flow().pk),
-                    "acs_url": "https://goauthentik.io",
-                },
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"provider": "User lacks permission to create authentik_providers_saml.samlprovider"},
-        )
-
-    def test_create_transactional_bindings(self):
-        """Test transactional Application + provider creation"""
-        assign_perm("authentik_policies.add_policybinding", self.user)
-        self.client.force_login(self.user)
-        uid = generate_id()
-        group = Group.objects.create(name=generate_id())
-        authorization_flow = create_test_flow()
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_oauth2.oauth2provider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(authorization_flow.pk),
-                    "invalidation_flow": str(authorization_flow.pk),
-                    "redirect_uris": [],
-                },
-                "policy_bindings": [{"group": group.pk, "order": 0}],
-            },
-        )
-        self.assertJSONEqual(response.content.decode(), {"applied": True, "logs": []})
-        provider = OAuth2Provider.objects.filter(name=uid).first()
-        self.assertIsNotNone(provider)
-        app = Application.objects.filter(slug=uid).first()
-        self.assertIsNotNone(app)
-        self.assertEqual(app.provider.pk, provider.pk)
-        binding = PolicyBinding.objects.filter(target=app).first()
-        self.assertIsNotNone(binding)
-        self.assertEqual(binding.target, app)
-        self.assertEqual(binding.group, group)
-
     def test_create_transactional_invalid(self):
         """Test transactional Application + provider creation"""
         self.client.force_login(self.user)
@@ -122,7 +57,6 @@ class TestTransactionalApplicationsAPI(APITestCase):
                     "name": uid,
                     "authorization_flow": "",
                     "invalidation_flow": "",
-                    "redirect_uris": [],
                 },
             },
         )
@@ -135,32 +69,3 @@ class TestTransactionalApplicationsAPI(APITestCase):
                 }
             },
         )
-
-    def test_create_transactional_duplicate_name_provider(self):
-        """Test transactional Application + provider creation"""
-        self.client.force_login(self.user)
-        uid = generate_id()
-        OAuth2Provider.objects.create(
-            name=uid,
-            authorization_flow=create_test_flow(),
-            invalidation_flow=create_test_flow(),
-        )
-        response = self.client.put(
-            reverse("authentik_api:core-transactional-application"),
-            data={
-                "app": {
-                    "name": uid,
-                    "slug": uid,
-                },
-                "provider_model": "authentik_providers_oauth2.oauth2provider",
-                "provider": {
-                    "name": uid,
-                    "authorization_flow": str(create_test_flow().pk),
-                    "invalidation_flow": str(create_test_flow().pk),
-                },
-            },
-        )
-        self.assertJSONEqual(
-            response.content.decode(),
-            {"provider": {"name": ["State is set to must_created and object exists already"]}},
-        )

authentik/core/urls.py

@@ -6,7 +6,6 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 
-from authentik.core.api.application_entitlements import ApplicationEntitlementViewSet
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
 from authentik.core.api.devices import AdminDeviceViewSet, DeviceViewSet
@@ -70,7 +69,6 @@ urlpatterns = [
 api_urlpatterns = [
     ("core/authenticated_sessions", AuthenticatedSessionViewSet),
     ("core/applications", ApplicationViewSet),
-    ("core/application_entitlements", ApplicationEntitlementViewSet),
     path(
         "core/transactional/applications/",
         TransactionalApplicationView.as_view(),

authentik/core/views/apps.py

@@ -17,8 +17,10 @@ from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import (
     SESSION_KEY_APPLICATION_PRE,
+    SESSION_KEY_PLAN,
     ToDefaultFlow,
 )
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.stages.consent.stage import (
     PLAN_CONTEXT_CONSENT_HEADER,
     PLAN_CONTEXT_CONSENT_PERMISSIONS,
@@ -56,7 +58,8 @@ class RedirectToAppLaunch(View):
         except FlowNonApplicableException:
             raise Http404 from None
         plan.insert_stage(in_memory_stage(RedirectToAppStage))
-        return plan.to_redirect(request, flow)
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)
 
 
 class RedirectToAppStage(ChallengeStageView):

authentik/core/views/interface.py

@@ -16,7 +16,6 @@ from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
 from authentik.brands.models import Brand
 from authentik.core.models import UserTypes
-from authentik.lib.config import CONFIG
 from authentik.policies.denied import AccessDeniedResponse
 
 
@@ -52,7 +51,6 @@ class InterfaceView(TemplateView):
         kwargs["version_subdomain"] = f"version-{LOCAL_VERSION.major}-{LOCAL_VERSION.minor}"
         kwargs["build"] = get_build_hash()
         kwargs["url_kwargs"] = self.kwargs
-        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
         return super().get_context_data(**kwargs)
 
 

authentik/crypto/api.py

@@ -28,6 +28,7 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
+from authentik.api.authorization import SecretKeyFilter
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.crypto.apps import MANAGED_KEY
@@ -35,7 +36,7 @@ from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
 from authentik.crypto.models import CertificateKeyPair
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
-from authentik.rbac.filters import ObjectFilter, SecretKeyFilter
+from authentik.rbac.filters import ObjectFilter
 
 LOGGER = get_logger()
 

authentik/crypto/tasks.py

@@ -85,5 +85,5 @@ def certificate_discovery(self: SystemTask):
         if dirty:
             cert.save()
     self.set_status(
-        TaskStatus.SUCCESSFUL, _("Successfully imported {count} files.".format(count=discovered))
+        TaskStatus.SUCCESSFUL, _("Successfully imported %(count)d files." % {"count": discovered})
     )

authentik/crypto/tests.py

@@ -18,7 +18,7 @@ from authentik.crypto.models import CertificateKeyPair
 from authentik.crypto.tasks import MANAGED_DISCOVERED, certificate_discovery
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id, generate_key
-from authentik.providers.oauth2.models import OAuth2Provider, RedirectURI, RedirectURIMatchingMode
+from authentik.providers.oauth2.models import OAuth2Provider
 
 
 class TestCrypto(APITestCase):
@@ -274,7 +274,7 @@ class TestCrypto(APITestCase):
             client_id="test",
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
             signing_key=keypair,
         )
         response = self.client.get(
@@ -306,7 +306,7 @@ class TestCrypto(APITestCase):
             client_id="test",
             client_secret=generate_key(),
             authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
+            redirect_uris="http://localhost",
             signing_key=keypair,
         )
         response = self.client.get(

authentik/enterprise/middleware.py

@@ -6,7 +6,6 @@ from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.urls import resolve
 from structlog.stdlib import BoundLogger, get_logger
 
-from authentik.core.api.users import UserViewSet
 from authentik.enterprise.api import LicenseViewSet
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsageStatus
@@ -60,9 +59,6 @@ class EnterpriseMiddleware:
         # Flow executor is mounted as an API path but explicitly allowed
         if request.resolver_match._func_path == class_to_path(FlowExecutorView):
             return True
-        # Always allow making changes to users, even in case the license has ben exceeded
-        if request.resolver_match._func_path == class_to_path(UserViewSet):
-            return True
         # Only apply these restrictions to the API
         if "authentik_api" not in request.resolver_match.app_names:
             return True

authentik/enterprise/migrations/0004_licenseusage_authentik_e_expires_3f2956_idx_and_more.py

@@ -1,27 +0,0 @@
-# Generated by Django 5.0.10 on 2025-01-13 18:05
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_enterprise", "0003_remove_licenseusage_within_limits_and_more"),
-    ]
-
-    operations = [
-        migrations.AddIndex(
-            model_name="licenseusage",
-            index=models.Index(fields=["expires"], name="authentik_e_expires_3f2956_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="licenseusage",
-            index=models.Index(fields=["expiring"], name="authentik_e_expirin_11d3d7_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="licenseusage",
-            index=models.Index(
-                fields=["expiring", "expires"], name="authentik_e_expirin_4d558f_idx"
-            ),
-        ),
-    ]

authentik/enterprise/models.py

@@ -93,4 +93,3 @@ class LicenseUsage(ExpiringModel):
     class Meta:
         verbose_name = _("License Usage")
         verbose_name_plural = _("License Usage Records")
-        indexes = ExpiringModel.Meta.indexes

authentik/enterprise/providers/rac/api/connection_tokens.py

@@ -1,8 +1,11 @@
 """RAC Provider API Views"""
 
+from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
+from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import GenericViewSet
 
+from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
@@ -31,6 +34,12 @@ class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
         ]
 
 
+class ConnectionTokenOwnerFilter(OwnerFilter):
+    """Owner filter for connection tokens (checks session's user)"""
+
+    owner_key = "session__user"
+
+
 class ConnectionTokenViewSet(
     mixins.RetrieveModelMixin,
     mixins.UpdateModelMixin,
@@ -46,4 +55,10 @@ class ConnectionTokenViewSet(
     filterset_fields = ["endpoint", "session__user", "provider"]
     search_fields = ["endpoint__name", "provider__name"]
     ordering = ["endpoint__name", "provider__name"]
-    owner_field = "session__user"
+    permission_classes = [OwnerSuperuserPermissions]
+    filter_backends = [
+        ConnectionTokenOwnerFilter,
+        DjangoFilterBackend,
+        OrderingFilter,
+        SearchFilter,
+    ]

authentik/enterprise/providers/rac/migrations/0006_connectiontoken_authentik_p_expires_91f148_idx_and_more.py

@@ -1,28 +0,0 @@
-# Generated by Django 5.0.10 on 2025-01-13 18:05
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0042_authenticatedsession_authentik_c_expires_08251d_idx_and_more"),
-        ("authentik_providers_rac", "0005_alter_racpropertymapping_options"),
-    ]
-
-    operations = [
-        migrations.AddIndex(
-            model_name="connectiontoken",
-            index=models.Index(fields=["expires"], name="authentik_p_expires_91f148_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="connectiontoken",
-            index=models.Index(fields=["expiring"], name="authentik_p_expirin_59a5a7_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="connectiontoken",
-            index=models.Index(
-                fields=["expiring", "expires"], name="authentik_p_expirin_aed3ca_idx"
-            ),
-        ),
-    ]

authentik/enterprise/providers/rac/models.py

@@ -159,9 +159,9 @@ class ConnectionToken(ExpiringModel):
             default_settings["port"] = str(port)
         else:
             default_settings["hostname"] = self.endpoint.host
-        if self.endpoint.protocol == Protocols.RDP:
-            default_settings["resize-method"] = "display-update"
-        default_settings["client-name"] = f"authentik - {self.session.user}"
+        default_settings["client-name"] = "authentik"
+        # default_settings["enable-drive"] = "true"
+        # default_settings["drive-name"] = "authentik"
         settings = {}
         always_merger.merge(settings, default_settings)
         always_merger.merge(settings, self.endpoint.provider.settings)
@@ -211,4 +211,3 @@ class ConnectionToken(ExpiringModel):
     class Meta:
         verbose_name = _("RAC Connection token")
         verbose_name_plural = _("RAC Connection tokens")
-        indexes = ExpiringModel.Meta.indexes

authentik/enterprise/providers/rac/templates/if/rac.html

@@ -6,8 +6,8 @@
 <script src="{% versioned_script 'dist/enterprise/rac/index-%v.js' %}" type="module"></script>
 <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
 <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
-<link rel="icon" href="{{ tenant.branding_favicon_url }}">
-<link rel="shortcut icon" href="{{ tenant.branding_favicon_url }}">
+<link rel="icon" href="{{ tenant.branding_favicon }}">
+<link rel="shortcut icon" href="{{ tenant.branding_favicon }}">
 {% include "base/header_js.html" %}
 {% endblock %}
 

authentik/enterprise/providers/rac/tests/test_models.py

@@ -50,10 +50,9 @@ class TestModels(TransactionTestCase):
             {
                 "hostname": self.endpoint.host.split(":")[0],
                 "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                 "drive-path": path,
                 "create-drive-path": "true",
-                "resize-method": "display-update",
             },
         )
         # Set settings in provider
@@ -64,11 +63,10 @@ class TestModels(TransactionTestCase):
             {
                 "hostname": self.endpoint.host.split(":")[0],
                 "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                 "drive-path": path,
                 "create-drive-path": "true",
                 "level": "provider",
-                "resize-method": "display-update",
             },
         )
         # Set settings in endpoint
@@ -81,11 +79,10 @@ class TestModels(TransactionTestCase):
             {
                 "hostname": self.endpoint.host.split(":")[0],
                 "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                 "drive-path": path,
                 "create-drive-path": "true",
                 "level": "endpoint",
-                "resize-method": "display-update",
             },
         )
         # Set settings in token
@@ -98,11 +95,10 @@ class TestModels(TransactionTestCase):
             {
                 "hostname": self.endpoint.host.split(":")[0],
                 "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                 "drive-path": path,
                 "create-drive-path": "true",
                 "level": "token",
-                "resize-method": "display-update",
             },
         )
         # Set settings in property mapping (provider)
@@ -118,11 +114,10 @@ class TestModels(TransactionTestCase):
             {
                 "hostname": self.endpoint.host.split(":")[0],
                 "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                 "drive-path": path,
                 "create-drive-path": "true",
                 "level": "property_mapping_provider",
-                "resize-method": "display-update",
             },
         )
         # Set settings in property mapping (endpoint)
@@ -140,12 +135,11 @@ class TestModels(TransactionTestCase):
             {
                 "hostname": self.endpoint.host.split(":")[0],
                 "port": "1324",
-                "client-name": f"authentik - {self.user}",
+                "client-name": "authentik",
                 "drive-path": path,
                 "create-drive-path": "true",
                 "level": "property_mapping_endpoint",
                 "foo": "true",
                 "bar": "6",
-                "resize-method": "display-update",
             },
         )

authentik/enterprise/providers/rac/views.py

@@ -18,7 +18,9 @@ from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import RedirectStage
+from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.utils.time import timedelta_from_string
+from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.engine import PolicyEngine
 
 
@@ -54,7 +56,12 @@ class RACStartView(EnterprisePolicyAccessView):
                 provider=self.provider,
             )
         )
-        return plan.to_redirect(request, self.provider.authorization_flow)
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_core:if-flow",
+            request.GET,
+            flow_slug=self.provider.authorization_flow.slug,
+        )
 
 
 class RACInterface(InterfaceView):

authentik/enterprise/stages/authenticator_endpoint_gdtc/api.py

@@ -1,11 +1,14 @@
 """AuthenticatorEndpointGDTCStage API Views"""
 
+from django_filters.rest_framework.backends import DjangoFilterBackend
 from rest_framework import mixins
+from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.permissions import IsAdminUser
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 from structlog.stdlib import get_logger
 
+from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@@ -64,7 +67,8 @@ class EndpointDeviceViewSet(
     search_fields = ["name"]
     filterset_fields = ["name"]
     ordering = ["name"]
-    owner_field = "user"
+    permission_classes = [OwnerPermissions]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
 
 
 class EndpointAdminDeviceViewSet(ModelViewSet):

authentik/enterprise/stages/authenticator_endpoint_gdtc/views/dtc.py

@@ -4,9 +4,7 @@ from typing import Any
 from django.http import HttpRequest, HttpResponse, HttpResponseRedirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
-from django.utils.decorators import method_decorator
 from django.views import View
-from django.views.decorators.clickjacking import xframe_options_sameorigin
 from googleapiclient.discovery import build
 
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import (
@@ -28,7 +26,6 @@ HEADER_ACCESS_CHALLENGE_RESPONSE = "X-Verified-Access-Challenge-Response"
 DEVICE_TRUST_VERIFIED_ACCESS = "VerifiedAccess"
 
 
-@method_decorator(xframe_options_sameorigin, name="dispatch")
 class GoogleChromeDeviceTrustConnector(View):
     """Google Chrome Device-trust connector based endpoint authenticator"""
 

authentik/enterprise/tests/test_read_only.py

@@ -215,49 +215,3 @@ class TestReadOnly(FlowTestCase):
             {"detail": "Request denied due to expired/invalid license.", "code": "denied_license"},
         )
         self.assertEqual(response.status_code, 400)
-
-    @patch(
-        "authentik.enterprise.license.LicenseKey.validate",
-        MagicMock(
-            return_value=LicenseKey(
-                aud="",
-                exp=expiry_valid,
-                name=generate_id(),
-                internal_users=100,
-                external_users=100,
-            )
-        ),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_internal_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.get_external_user_count",
-        MagicMock(return_value=1000),
-    )
-    @patch(
-        "authentik.enterprise.license.LicenseKey.record_usage",
-        MagicMock(),
-    )
-    def test_manage_users(self):
-        """Test that managing users is still possible"""
-        License.objects.create(key=generate_id())
-        usage = LicenseUsage.objects.create(
-            internal_user_count=100,
-            external_user_count=100,
-            status=LicenseUsageStatus.VALID,
-        )
-        usage.record_date = now() - timedelta(weeks=THRESHOLD_READ_ONLY_WEEKS + 1)
-        usage.save(update_fields=["record_date"])
-
-        admin = create_test_admin_user()
-        self.client.force_login(admin)
-
-        # Reading is always allowed
-        response = self.client.get(reverse("authentik_api:user-list"))
-        self.assertEqual(response.status_code, 200)
-
-        # Writing should also be allowed
-        response = self.client.patch(reverse("authentik_api:user-detail", kwargs={"pk": admin.pk}))
-        self.assertEqual(response.status_code, 200)

authentik/events/api/notifications.py

@@ -1,15 +1,17 @@
 """Notification API Views"""
 
+from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
 
+from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer
 from authentik.events.api.events import EventSerializer
@@ -55,7 +57,8 @@ class NotificationViewSet(
         "seen",
         "user",
     ]
-    owner_field = "user"
+    permission_classes = [OwnerPermissions]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
 
     @extend_schema(
         request=OpenApiTypes.NONE,
@@ -63,7 +66,7 @@ class NotificationViewSet(
             204: OpenApiResponse(description="Marked tasks as read successfully."),
         },
     )
-    @action(detail=False, methods=["post"], permission_classes=[IsAuthenticated])
+    @action(detail=False, methods=["post"])
     def mark_all_seen(self, request: Request) -> Response:
         """Mark all the user's notifications as seen"""
         Notification.objects.filter(user=request.user, seen=False).update(seen=True)

authentik/events/migrations/0008_event_authentik_e_expires_8c73a8_idx_and_more.py

@@ -1,41 +0,0 @@
-# Generated by Django 5.0.10 on 2025-01-13 18:05
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_events", "0007_event_authentik_e_action_9a9dd9_idx_and_more"),
-    ]
-
-    operations = [
-        migrations.AddIndex(
-            model_name="event",
-            index=models.Index(fields=["expires"], name="authentik_e_expires_8c73a8_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="event",
-            index=models.Index(fields=["expiring"], name="authentik_e_expirin_b5cb5e_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="event",
-            index=models.Index(
-                fields=["expiring", "expires"], name="authentik_e_expirin_e37180_idx"
-            ),
-        ),
-        migrations.AddIndex(
-            model_name="systemtask",
-            index=models.Index(fields=["expires"], name="authentik_e_expires_4d3985_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="systemtask",
-            index=models.Index(fields=["expiring"], name="authentik_e_expirin_81d649_idx"),
-        ),
-        migrations.AddIndex(
-            model_name="systemtask",
-            index=models.Index(
-                fields=["expiring", "expires"], name="authentik_e_expirin_eb3598_idx"
-            ),
-        ),
-    ]

authentik/events/models.py

@@ -60,7 +60,7 @@ def default_event_duration():
     """Default duration an Event is saved.
     This is used as a fallback when no brand is available"""
     try:
-        tenant = get_current_tenant(only=["event_retention"])
+        tenant = get_current_tenant()
         return now() + timedelta_from_string(tenant.event_retention)
     except Tenant.DoesNotExist:
         return now() + timedelta(days=365)
@@ -306,7 +306,7 @@ class Event(SerializerModel, ExpiringModel):
     class Meta:
         verbose_name = _("Event")
         verbose_name_plural = _("Events")
-        indexes = ExpiringModel.Meta.indexes + [
+        indexes = [
             models.Index(fields=["action"]),
             models.Index(fields=["user"]),
             models.Index(fields=["app"]),
@@ -694,4 +694,3 @@ class SystemTask(SerializerModel, ExpiringModel):
         permissions = [("run_task", _("Run task"))]
         verbose_name = _("System Task")
         verbose_name_plural = _("System Tasks")
-        indexes = ExpiringModel.Meta.indexes

authentik/events/signals.py

@@ -106,9 +106,9 @@ def on_invitation_used(sender, request: HttpRequest, invitation: Invitation, **_
 
 
 @receiver(password_changed)
-def on_password_changed(sender, user: User, password: str, request: HttpRequest | None, **_):
+def on_password_changed(sender, user: User, password: str, **_):
     """Log password change"""
-    Event.new(EventAction.PASSWORD_SET).from_http(request, user=user)
+    Event.new(EventAction.PASSWORD_SET).from_http(None, user=user)
 
 
 @receiver(post_save, sender=Event)

authentik/events/tasks.py

@@ -138,6 +138,7 @@ def notification_cleanup(self: SystemTask):
     """Cleanup seen notifications and notifications whose event expired."""
     notifications = Notification.objects.filter(Q(event=None) | Q(seen=True))
     amount = notifications.count()
-    notifications.delete()
+    for notification in notifications:
+        notification.delete()
     LOGGER.debug("Expired notifications", amount=amount)
     self.set_status(TaskStatus.SUCCESSFUL, f"Expired {amount} Notifications")

authentik/flows/api/stages.py

@@ -1,7 +1,5 @@
 """Flow Stage API Views"""
 
-from uuid import uuid4
-
 from django.urls.base import reverse
 from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
@@ -29,11 +27,6 @@ class StageSerializer(ModelSerializer, MetaNameSerializer):
     component = SerializerMethodField()
     flow_set = FlowSetSerializer(many=True, required=False)
 
-    def to_representation(self, instance: Stage):
-        if isinstance(instance, Stage) and instance.is_in_memory:
-            instance.stage_uuid = uuid4()
-        return super().to_representation(instance)
-
     def get_component(self, obj: Stage) -> str:
         """Get object type so that we know how to edit the object"""
         if obj.__class__ == Stage:

authentik/flows/migrations/0012_auto_20200908_1542_squashed_0017_auto_20210329_1334.py

@@ -88,8 +88,7 @@ class Migration(migrations.Migration):
             model_name="flowstagebinding",
             name="re_evaluate_policies",
             field=models.BooleanField(
-                default=False,
-                help_text="Evaluate policies when the Stage is presented to the user.",
+                default=False, help_text="Evaluate policies when the Stage is present to the user."
             ),
         ),
         migrations.AddField(

authentik/flows/migrations/0025_alter_flowstagebinding_evaluate_on_plan_and_more.py

@@ -20,7 +20,7 @@ class Migration(migrations.Migration):
             model_name="flowstagebinding",
             name="re_evaluate_policies",
             field=models.BooleanField(
-                default=True, help_text="Evaluate policies when the Stage is presented to the user."
+                default=True, help_text="Evaluate policies when the Stage is present to the user."
             ),
         ),
     ]

authentik/flows/migrations/0027_auto_20231028_1424.py

@@ -40,7 +40,6 @@ class Migration(migrations.Migration):
                     ("require_authenticated", "Require Authenticated"),
                     ("require_unauthenticated", "Require Unauthenticated"),
                     ("require_superuser", "Require Superuser"),
-                    ("require_redirect", "Require Redirect"),
                     ("require_outpost", "Require Outpost"),
                 ],
                 default="none",

authentik/flows/models.py

@@ -14,7 +14,6 @@ from structlog.stdlib import get_logger
 from authentik.core.models import Token
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.challenge import FlowLayout
-from authentik.lib.config import CONFIG
 from authentik.lib.models import InheritanceForeignKey, SerializerModel
 from authentik.lib.utils.reflection import class_to_path
 from authentik.policies.models import PolicyBindingModel
@@ -33,7 +32,6 @@ class FlowAuthenticationRequirement(models.TextChoices):
     REQUIRE_AUTHENTICATED = "require_authenticated"
     REQUIRE_UNAUTHENTICATED = "require_unauthenticated"
     REQUIRE_SUPERUSER = "require_superuser"
-    REQUIRE_REDIRECT = "require_redirect"
     REQUIRE_OUTPOST = "require_outpost"
 
 
@@ -102,12 +100,8 @@ class Stage(SerializerModel):
         user settings are available, or a challenge."""
         return None
 
-    @property
-    def is_in_memory(self):
-        return hasattr(self, "__in_memory_type")
-
     def __str__(self):
-        if self.is_in_memory:
+        if hasattr(self, "__in_memory_type"):
             return f"In-memory Stage {getattr(self, '__in_memory_type')}"
         return f"Stage {self.name}"
 
@@ -183,13 +177,9 @@ class Flow(SerializerModel, PolicyBindingModel):
         """Get the URL to the background image. If the name is /static or starts with http
         it is returned as-is"""
         if not self.background:
-            return (
-                CONFIG.get("web.path", "/")[:-1] + "/static/dist/assets/images/flow_background.jpg"
-            )
-        if self.background.name.startswith("http"):
+            return "/static/dist/assets/images/flow_background.jpg"
+        if self.background.name.startswith("http") or self.background.name.startswith("/static"):
             return self.background.name
-        if self.background.name.startswith("/static"):
-            return CONFIG.get("web.path", "/")[:-1] + self.background.name
         return self.background.url
 
     stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)
@@ -231,7 +221,7 @@ class FlowStageBinding(SerializerModel, PolicyBindingModel):
     )
     re_evaluate_policies = models.BooleanField(
         default=True,
-        help_text=_("Evaluate policies when the Stage is presented to the user."),
+        help_text=_("Evaluate policies when the Stage is present to the user."),
     )
 
     invalid_response_action = models.TextField(

authentik/flows/planner.py

@@ -1,10 +1,10 @@
 """Flows Planner"""
 
 from dataclasses import dataclass, field
-from typing import TYPE_CHECKING, Any
+from typing import Any
 
 from django.core.cache import cache
-from django.http import HttpRequest, HttpResponse
+from django.http import HttpRequest
 from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
@@ -23,15 +23,10 @@ from authentik.flows.models import (
     in_memory_stage,
 )
 from authentik.lib.config import CONFIG
-from authentik.lib.utils.urls import redirect_with_qs
 from authentik.outposts.models import Outpost
 from authentik.policies.engine import PolicyEngine
 from authentik.root.middleware import ClientIPMiddleware
 
-if TYPE_CHECKING:
-    from authentik.flows.stage import StageView
-
-
 LOGGER = get_logger()
 PLAN_CONTEXT_PENDING_USER = "pending_user"
 PLAN_CONTEXT_SSO = "is_sso"
@@ -42,8 +37,6 @@ PLAN_CONTEXT_OUTPOST = "outpost"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
-PLAN_CONTEXT_IS_REDIRECTED = "is_redirected"
-PLAN_CONTEXT_REDIRECT_STAGE_TARGET = "redirect_stage_target"
 CACHE_TIMEOUT = CONFIG.get_int("cache.timeout_flows")
 CACHE_PREFIX = "goauthentik.io/flows/planner/"
 
@@ -117,62 +110,6 @@ class FlowPlan:
         """Check if there are any stages left in this plan"""
         return len(self.markers) + len(self.bindings) > 0
 
-    def requires_flow_executor(
-        self,
-        allowed_silent_types: list["StageView"] | None = None,
-    ):
-        # Check if we actually need to show the Flow executor, or if we can jump straight to the end
-        found_unskippable = True
-        if allowed_silent_types:
-            LOGGER.debug("Checking if we can skip the flow executor...")
-            # Policies applied to the flow have already been evaluated, so we're checking for stages
-            # allow-listed or bindings that require a policy re-eval
-            found_unskippable = False
-            for binding, marker in zip(self.bindings, self.markers, strict=True):
-                if binding.stage.view not in allowed_silent_types:
-                    found_unskippable = True
-                if marker and isinstance(marker, ReevaluateMarker):
-                    found_unskippable = True
-        LOGGER.debug("Required flow executor status", status=found_unskippable)
-        return found_unskippable
-
-    def to_redirect(
-        self,
-        request: HttpRequest,
-        flow: Flow,
-        allowed_silent_types: list["StageView"] | None = None,
-    ) -> HttpResponse:
-        """Redirect to the flow executor for this flow plan"""
-        from authentik.flows.views.executor import (
-            SESSION_KEY_PLAN,
-            FlowExecutorView,
-        )
-
-        request.session[SESSION_KEY_PLAN] = self
-        requires_flow_executor = self.requires_flow_executor(allowed_silent_types)
-
-        if not requires_flow_executor:
-            # No unskippable stages found, so we can directly return the response of the last stage
-            final_stage: type[StageView] = self.bindings[-1].stage.view
-            temp_exec = FlowExecutorView(flow=flow, request=request, plan=self)
-            temp_exec.current_stage = self.bindings[-1].stage
-            stage = final_stage(request=request, executor=temp_exec)
-            return stage.dispatch(request)
-
-        get_qs = request.GET.copy()
-        if request.user.is_authenticated and (
-            # Object-scoped permission or global permission
-            request.user.has_perm("authentik_flows.inspect_flow", flow)
-            or request.user.has_perm("authentik_flows.inspect_flow")
-        ):
-            get_qs["inspector"] = "available"
-
-        return redirect_with_qs(
-            "authentik_core:if-flow",
-            get_qs,
-            flow_slug=flow.slug,
-        )
-
 
 class FlowPlanner:
     """Execute all policies to plan out a flat list of all Stages
@@ -191,7 +128,7 @@ class FlowPlanner:
         self.flow = flow
         self._logger = get_logger().bind(flow_slug=flow.slug)
 
-    def _check_authentication(self, request: HttpRequest, context: dict[str, Any]):
+    def _check_authentication(self, request: HttpRequest):
         """Check the flow's authentication level is matched by `request`"""
         if (
             self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_AUTHENTICATED
@@ -208,11 +145,6 @@ class FlowPlanner:
             and not request.user.is_superuser
         ):
             raise FlowNonApplicableException()
-        if (
-            self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_REDIRECT
-            and context.get(PLAN_CONTEXT_IS_REDIRECTED) is None
-        ):
-            raise FlowNonApplicableException()
         outpost_user = ClientIPMiddleware.get_outpost_user(request)
         if self.flow.authentication == FlowAuthenticationRequirement.REQUIRE_OUTPOST:
             if not outpost_user:
@@ -244,13 +176,18 @@ class FlowPlanner:
             )
             context = default_context or {}
             # Bit of a workaround here, if there is a pending user set in the default context
-            # we use that user for our cache key to make sure they don't get the generic response
+            # we use that user for our cache key
+            # to make sure they don't get the generic response
             if context and PLAN_CONTEXT_PENDING_USER in context:
                 user = context[PLAN_CONTEXT_PENDING_USER]
             else:
                 user = request.user
-
-            context.update(self._check_authentication(request, context))
+                # We only need to check the flow authentication if it's planned without a user
+                # in the context, as a user in the context can only be set via the explicit code API
+                # or if a flow is restarted due to `invalid_response_action` being set to
+                # `restart_with_context`, which can only happen if the user was already authorized
+                # to use the flow
+                context.update(self._check_authentication(request))
             # First off, check the flow's direct policy bindings
             # to make sure the user even has access to the flow
             engine = PolicyEngine(self.flow, user, request)

authentik/flows/stage.py

@@ -2,7 +2,6 @@
 
 from typing import TYPE_CHECKING
 
-from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
@@ -93,11 +92,7 @@ class ChallengeStageView(StageView):
 
     def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
         """Return a challenge for the frontend to solve"""
-        try:
-            challenge = self._get_challenge(*args, **kwargs)
-        except StageInvalidException as exc:
-            self.logger.debug("Got StageInvalidException", exc=exc)
-            return self.executor.stage_invalid()
+        challenge = self._get_challenge(*args, **kwargs)
         if not challenge.is_valid():
             self.logger.warning(
                 "f(ch): Invalid challenge",
@@ -173,7 +168,11 @@ class ChallengeStageView(StageView):
                 stage_type=self.__class__.__name__, method="get_challenge"
             ).time(),
         ):
-            challenge = self.get_challenge(*args, **kwargs)
+            try:
+                challenge = self.get_challenge(*args, **kwargs)
+            except StageInvalidException as exc:
+                self.logger.debug("Got StageInvalidException", exc=exc)
+                return self.executor.stage_invalid()
         with start_span(
             op="authentik.flow.stage._get_challenge",
             name=self.__class__.__name__,
@@ -225,14 +224,6 @@ class ChallengeStageView(StageView):
                 full_errors[field].append(field_error)
         challenge_response.initial_data["response_errors"] = full_errors
         if not challenge_response.is_valid():
-            if settings.TEST:
-                raise StageInvalidException(
-                    (
-                        f"Invalid challenge response: \n\t{challenge_response.errors}"
-                        f"\n\nValidated data:\n\t {challenge_response.data}"
-                        f"\n\nInitial data:\n\t {challenge_response.initial_data}"
-                    ),
-                )
             self.logger.error(
                 "f(ch): invalid challenge response",
                 errors=challenge_response.errors,

authentik/flows/templates/if/flow-sfe.html

@@ -9,8 +9,8 @@
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
         <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
-        <link rel="icon" href="{{ brand.branding_favicon_url }}">
-        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
+        <link rel="icon" href="{{ brand.branding_favicon }}">
+        <link rel="shortcut icon" href="{{ brand.branding_favicon }}">
         {% block head_before %}
         {% endblock %}
         <link rel="stylesheet" type="text/css" href="{% static 'dist/sfe/bootstrap.min.css' %}">

authentik/flows/tests/test_executor.py

@@ -7,8 +7,8 @@ from django.http import HttpRequest, HttpResponse
 from django.test.client import RequestFactory
 from django.urls import reverse
 
-from authentik.core.models import Group, User
-from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.core.models import User
+from authentik.core.tests.utils import create_test_flow
 from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import (
     FlowDeniedAction,
@@ -255,11 +255,7 @@ class TestFlowExecutor(FlowTestCase):
         )
 
         binding = FlowStageBinding.objects.create(
-            target=flow,
-            stage=DummyStage.objects.create(name=generate_id()),
-            order=0,
-            evaluate_on_plan=True,
-            re_evaluate_policies=False,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
         )
         binding2 = FlowStageBinding.objects.create(
             target=flow,
@@ -282,8 +278,8 @@ class TestFlowExecutor(FlowTestCase):
             self.assertEqual(plan.bindings[0], binding)
             self.assertEqual(plan.bindings[1], binding2)
 
-            self.assertEqual(plan.markers[0].__class__, StageMarker)
-            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
+            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
 
             # Second request, this passes the first dummy stage
             response = self.client.post(exec_url)
@@ -305,11 +301,7 @@ class TestFlowExecutor(FlowTestCase):
         )
 
         binding = FlowStageBinding.objects.create(
-            target=flow,
-            stage=DummyStage.objects.create(name=generate_id()),
-            order=0,
-            evaluate_on_plan=True,
-            re_evaluate_policies=False,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
         )
         binding2 = FlowStageBinding.objects.create(
             target=flow,
@@ -318,11 +310,7 @@ class TestFlowExecutor(FlowTestCase):
             re_evaluate_policies=True,
         )
         binding3 = FlowStageBinding.objects.create(
-            target=flow,
-            stage=DummyStage.objects.create(name=generate_id()),
-            order=2,
-            evaluate_on_plan=True,
-            re_evaluate_policies=False,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
         )
 
         PolicyBinding.objects.create(policy=false_policy, target=binding2, order=0)
@@ -340,9 +328,9 @@ class TestFlowExecutor(FlowTestCase):
             self.assertEqual(plan.bindings[1], binding2)
             self.assertEqual(plan.bindings[2], binding3)
 
-            self.assertEqual(plan.markers[0].__class__, StageMarker)
-            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
-            self.assertEqual(plan.markers[2].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
+            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
+            self.assertIsInstance(plan.markers[2], StageMarker)
 
             # Second request, this passes the first dummy stage
             response = self.client.post(exec_url)
@@ -353,8 +341,8 @@ class TestFlowExecutor(FlowTestCase):
             self.assertEqual(plan.bindings[0], binding2)
             self.assertEqual(plan.bindings[1], binding3)
 
-            self.assertEqual(plan.markers[0].__class__, ReevaluateMarker)
-            self.assertEqual(plan.markers[1].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
+            self.assertIsInstance(plan.markers[1], StageMarker)
 
         # third request, this should trigger the re-evaluate
         # We do this request without the patch, so the policy results in false
@@ -372,11 +360,7 @@ class TestFlowExecutor(FlowTestCase):
         )
 
         binding = FlowStageBinding.objects.create(
-            target=flow,
-            stage=DummyStage.objects.create(name=generate_id()),
-            order=0,
-            evaluate_on_plan=True,
-            re_evaluate_policies=False,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
         )
         binding2 = FlowStageBinding.objects.create(
             target=flow,
@@ -385,11 +369,7 @@ class TestFlowExecutor(FlowTestCase):
             re_evaluate_policies=True,
         )
         binding3 = FlowStageBinding.objects.create(
-            target=flow,
-            stage=DummyStage.objects.create(name=generate_id()),
-            order=2,
-            evaluate_on_plan=True,
-            re_evaluate_policies=False,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
         )
 
         PolicyBinding.objects.create(policy=true_policy, target=binding2, order=0)
@@ -407,9 +387,9 @@ class TestFlowExecutor(FlowTestCase):
             self.assertEqual(plan.bindings[1], binding2)
             self.assertEqual(plan.bindings[2], binding3)
 
-            self.assertEqual(plan.markers[0].__class__, StageMarker)
-            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
-            self.assertEqual(plan.markers[2].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
+            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
+            self.assertIsInstance(plan.markers[2], StageMarker)
 
             # Second request, this passes the first dummy stage
             response = self.client.post(exec_url)
@@ -420,8 +400,8 @@ class TestFlowExecutor(FlowTestCase):
             self.assertEqual(plan.bindings[0], binding2)
             self.assertEqual(plan.bindings[1], binding3)
 
-            self.assertEqual(plan.markers[0].__class__, ReevaluateMarker)
-            self.assertEqual(plan.markers[1].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
+            self.assertIsInstance(plan.markers[1], StageMarker)
 
             # Third request, this passes the first dummy stage
             response = self.client.post(exec_url)
@@ -431,7 +411,7 @@ class TestFlowExecutor(FlowTestCase):
 
             self.assertEqual(plan.bindings[0], binding3)
 
-            self.assertEqual(plan.markers[0].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
 
         # third request, this should trigger the re-evaluate
         # We do this request without the patch, so the policy results in false
@@ -449,11 +429,7 @@ class TestFlowExecutor(FlowTestCase):
         )
 
         binding = FlowStageBinding.objects.create(
-            target=flow,
-            stage=DummyStage.objects.create(name=generate_id()),
-            order=0,
-            evaluate_on_plan=True,
-            re_evaluate_policies=False,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
         )
         binding2 = FlowStageBinding.objects.create(
             target=flow,
@@ -468,11 +444,7 @@ class TestFlowExecutor(FlowTestCase):
             re_evaluate_policies=True,
         )
         binding4 = FlowStageBinding.objects.create(
-            target=flow,
-            stage=DummyStage.objects.create(name=generate_id()),
-            order=2,
-            evaluate_on_plan=True,
-            re_evaluate_policies=False,
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
         )
 
         PolicyBinding.objects.create(policy=false_policy, target=binding2, order=0)
@@ -493,10 +465,10 @@ class TestFlowExecutor(FlowTestCase):
             self.assertEqual(plan.bindings[2], binding3)
             self.assertEqual(plan.bindings[3], binding4)
 
-            self.assertEqual(plan.markers[0].__class__, StageMarker)
-            self.assertEqual(plan.markers[1].__class__, ReevaluateMarker)
-            self.assertEqual(plan.markers[2].__class__, ReevaluateMarker)
-            self.assertEqual(plan.markers[3].__class__, StageMarker)
+            self.assertIsInstance(plan.markers[0], StageMarker)
+            self.assertIsInstance(plan.markers[1], ReevaluateMarker)
+            self.assertIsInstance(plan.markers[2], ReevaluateMarker)
+            self.assertIsInstance(plan.markers[3], StageMarker)
 
         # Second request, this passes the first dummy stage
         response = self.client.post(exec_url)
@@ -547,9 +519,9 @@ class TestFlowExecutor(FlowTestCase):
         )
         # Stage 0 is a deny stage that is added dynamically
         # when the reputation policy says so
-        deny_stage = DenyStage.objects.create(name=generate_id())
+        deny_stage = DenyStage.objects.create(name="deny")
         reputation_policy = ReputationPolicy.objects.create(
-            name=generate_id(), threshold=-1, check_ip=False
+            name="reputation", threshold=-1, check_ip=False
         )
         deny_binding = FlowStageBinding.objects.create(
             target=flow,
@@ -562,7 +534,7 @@ class TestFlowExecutor(FlowTestCase):
 
         # Stage 1 is an identification stage
         ident_stage = IdentificationStage.objects.create(
-            name=generate_id(),
+            name="ident",
             user_fields=[UserFields.E_MAIL],
             pretend_user_exists=False,
         )
@@ -587,64 +559,3 @@ class TestFlowExecutor(FlowTestCase):
         )
         response = self.client.post(exec_url, {"uid_field": "invalid-string"}, follow=True)
         self.assertStageResponse(response, flow, component="ak-stage-access-denied")
-
-    def test_re_evaluate_group_binding(self):
-        """Test re-evaluate stage binding that has a policy binding to a group"""
-        flow = create_test_flow()
-
-        user_group_membership = create_test_user()
-        user_direct_binding = create_test_user()
-        user_other = create_test_user()
-
-        group_a = Group.objects.create(name=generate_id())
-        user_group_membership.ak_groups.add(group_a)
-
-        # Stage 0 is an identification stage
-        ident_stage = IdentificationStage.objects.create(
-            name=generate_id(),
-            user_fields=[UserFields.USERNAME],
-            pretend_user_exists=False,
-        )
-        FlowStageBinding.objects.create(
-            target=flow,
-            stage=ident_stage,
-            order=0,
-        )
-
-        # Stage 1 is a dummy stage that is only shown for users in group_a
-        dummy_stage = DummyStage.objects.create(name=generate_id())
-        dummy_binding = FlowStageBinding.objects.create(target=flow, stage=dummy_stage, order=1)
-        PolicyBinding.objects.create(group=group_a, target=dummy_binding, order=0)
-        PolicyBinding.objects.create(user=user_direct_binding, target=dummy_binding, order=0)
-
-        # Stage 2 is a deny stage that (in this case) only user_b will see
-        deny_stage = DenyStage.objects.create(name=generate_id())
-        FlowStageBinding.objects.create(target=flow, stage=deny_stage, order=2)
-
-        exec_url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
-
-        with self.subTest(f"Test user access through group: {user_group_membership}"):
-            self.client.logout()
-            # First request, run the planner
-            response = self.client.get(exec_url)
-            self.assertStageResponse(response, flow, component="ak-stage-identification")
-            response = self.client.post(
-                exec_url, {"uid_field": user_group_membership.username}, follow=True
-            )
-            self.assertStageResponse(response, flow, component="ak-stage-dummy")
-        with self.subTest(f"Test user access through user: {user_direct_binding}"):
-            self.client.logout()
-            # First request, run the planner
-            response = self.client.get(exec_url)
-            self.assertStageResponse(response, flow, component="ak-stage-identification")
-            response = self.client.post(
-                exec_url, {"uid_field": user_direct_binding.username}, follow=True
-            )
-            self.assertStageResponse(response, flow, component="ak-stage-dummy")
-        with self.subTest(f"Test user has no access: {user_other}"):
-            self.client.logout()
-            # First request, run the planner
-            response = self.client.get(exec_url)
-            self.assertStageResponse(response, flow, component="ak-stage-identification")
-            response = self.client.post(exec_url, {"uid_field": user_other.username}, follow=True)
-            self.assertStageResponse(response, flow, component="ak-stage-access-denied")