Attempting coercion to ESM with Vite & Wdio

```
$ mkdir ./packages/common
$ git mv ./src/common ./packages/common/src
```

... and then added all of the boilerplate needed to drive with Wireit, build with ESlint, typecheck
with TSC, and then spell check documentation and comments, security checks of package.json and
package-lock.json, format.

... and _then_ fix all of the minor, nitpicky things ESLint 9 found in the package.

... and _then_ wire the whole thing into our build so that we can find it as a package, removing
it as an alias from the base package definition and turning it into a workspace.  Although it is
a workspace package, it's currently configured to build completely independently.

It could be published as an independent NPM package, although I don't recommended that at this time.

I've wanted to break the UI up into smaller, more digestible chunks for awhile, but was always
reluctant to, since I didn't want to mess with other teams' mental models of the code layout.
@Beryju, seeing the success of the Simple Flow Executor as an independent package, thought it might
be worthwhile to see what effort it took to break the graph of our independent apps (User, Flow, and
Admin) and their dependencies (Common <- Elements <- Components, Common <- Locales) into packages.

Turns out, it's not too bad.  It's going to be fiddly for awhile until things settle down, but
overall the experiment has been a success.

The `tsconfig.json` doesn't refer to the base because we want this to build independently; tooling
will be needed to ensure all of our `tsconfig` files in the future will be consistent across all
packages.

- We can use the ESLint boilerplate as-is.
- We have to run TSC as a separate (but fortunately parallel) build step, as client code will need
  the built types. Final builds will be fractionally slower, but Wireit can detect when a monorepo
  package is unchanged and can skip rebuilding `common` if it's not needed, so the development loop
  will be faster.
- The ESBuild boilerplate is different for libraries with UI, libraries without UI (like this one),
  and apps, and we'll have to have three different routines for them. Once we are building
  independent _apps_, getting them into the `dist` folder will be an interesting challenge; we may
  end up with two different builds, one to bundle it in *in the app*, and another to bundle it *for
  Django*. That's mostly an issue of targeting and integration, and shouldn't take too much time.
- Spelling, formatting, and package checking aren't affected.
- `Locales` is our biggest challenge, as usual. I have found only [one article on it
  anywhere](https://medium.com/tech-at-zet/streamlining-localization-in-a-monorepo-using-i18n-js-e7c521ff69d4),
  and it recommends creating a single package in which to keep all of the localizations and the
  localization machinery. That seems like a sound approach, but we haven't (yet) gotten there.

`common` is a bit of a junk drawer: there are global utilities in there, there are app-specific
helpers, there are plug-in specific helpers, and so on. Figuring out exactly what does what and
making more specific packages may be in our future.

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.6.0
+current_version = 2024.6.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/actions/comment-pr-instructions/action.yml

@@ -54,9 +54,10 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            image:
-                repository: ghcr.io/goauthentik/dev-server
-                tag: ${{ inputs.tag }}
+            global:
+                image:
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}
             ```
 
             For arm64, use these values:
@@ -65,9 +66,10 @@ runs:
             authentik:
                 outposts:
                     container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
-            image:
-                repository: ghcr.io/goauthentik/dev-server
-                tag: ${{ inputs.tag }}-arm64
+            global:
+                image:
+                    repository: ghcr.io/goauthentik/dev-server
+                    tag: ${{ inputs.tag }}-arm64
             ```
 
             Afterwards, run the upgrade commands from the latest release notes.

.github/actions/docker-push-variables/action.yml

@@ -29,9 +29,15 @@ outputs:
   imageTags:
     description: "Docker image tags"
     value: ${{ steps.ev.outputs.imageTags }}
+  imageNames:
+    description: "Docker image names"
+    value: ${{ steps.ev.outputs.imageNames }}
   imageMainTag:
     description: "Docker image main tag"
     value: ${{ steps.ev.outputs.imageMainTag }}
+  imageMainName:
+    description: "Docker image main name"
+    value: ${{ steps.ev.outputs.imageMainName }}
 
 runs:
   using: "composite"

.github/actions/docker-push-variables/push_vars.py

@@ -7,7 +7,7 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
 
-should_build = str(os.environ.get("DOCKER_USERNAME", None) is not None).lower()
+should_build = str(len(os.environ.get("DOCKER_USERNAME", "")) > 0).lower()
 
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
@@ -50,8 +50,9 @@ else:
             f"{name}:gh-{safe_branch_name}-{int(time())}-{sha[:7]}{suffix}",  # Use by FluxCD
         ]
 
-image_main_tag = image_tags[0]
+image_main_tag = image_tags[0].split(":")[-1]
 image_tags_rendered = ",".join(image_tags)
+image_names_rendered = ",".join(set(name.split(":")[0] for name in image_tags))
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"shouldBuild={should_build}", file=_output)
@@ -59,4 +60,6 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
     print(f"version={version}", file=_output)
     print(f"prerelease={prerelease}", file=_output)
     print(f"imageTags={image_tags_rendered}", file=_output)
+    print(f"imageNames={image_names_rendered}", file=_output)
     print(f"imageMainTag={image_main_tag}", file=_output)
+    print(f"imageMainName={image_tags[0]}", file=_output)

.github/workflows/api-ts-publish.yml

@@ -35,8 +35,8 @@ jobs:
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION
-      - name: Upgrade /web/sfe
-        working-directory: web/sfe
+      - name: Upgrade /web/packages/sfe
+        working-directory: web/packages/sfe
         run: |
           export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
           npm i @goauthentik/api@$VERSION

.github/workflows/ci-main.yml

@@ -213,13 +213,16 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     timeout-minutes: 120
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -241,6 +244,7 @@ jobs:
         run: make gen-client-ts
       - name: Build Docker Image
         uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           secrets: |
@@ -251,8 +255,15 @@ jobs:
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache
-          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-server:buildcache,mode=max' || '' }}
           platforms: linux/${{ matrix.arch }}
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   pr-comment:
     needs:
       - build
@@ -274,6 +285,7 @@ jobs:
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: ./.github/actions/comment-pr-instructions
         with:
-          tag: gh-${{ steps.ev.outputs.imageMainTag }}
+          tag: ${{ steps.ev.outputs.imageMainTag }}

.github/workflows/ci-outpost.yml

@@ -71,12 +71,15 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -96,6 +99,7 @@ jobs:
       - name: Generate API
         run: make gen-client-go
       - name: Build Docker Image
+        id: push
         uses: docker/build-push-action@v6
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
@@ -106,7 +110,14 @@ jobs:
           platforms: linux/amd64,linux/arm64
           context: .
           cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache,mode=max
+          cache-to: ${{ steps.ev.outputs.shouldBuild == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-binary:
     timeout-minutes: 120
     needs:

.github/workflows/ci-web.yml

@@ -28,15 +28,8 @@ jobs:
         include:
           - command: tsc
             project: web
-            extra_setup: |
-              cd sfe/ && npm ci
           - command: lit-analyse
             project: web
-            extra_setup: |
-              # lit-analyse doesn't understand path rewrites, so make it
-              # belive it's an actual module
-              cd node_modules/@goauthentik
-              ln -s ../../src/ web
         exclude:
           - command: lint:lockfile
             project: tests/wdio

.github/workflows/release-publish.yml

@@ -11,10 +11,13 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -41,6 +44,7 @@ jobs:
           mkdir -p ./gen-go-api
       - name: Build Docker Image
         uses: docker/build-push-action@v6
+        id: push
         with:
           context: .
           push: true
@@ -49,11 +53,20 @@ jobs:
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
           tags: ${{ steps.ev.outputs.imageTags }}
           platforms: linux/amd64,linux/arm64
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost:
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
+      # Needed for attestation
+      id-token: write
+      attestations: write
     strategy:
       fail-fast: false
       matrix:
@@ -68,7 +81,7 @@ jobs:
         with:
           go-version-file: "go.mod"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.1.0
+        uses: docker/setup-qemu-action@v3.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: prepare variables
@@ -95,12 +108,19 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build Docker Image
         uses: docker/build-push-action@v6
+        id: push
         with:
           push: true
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
           context: .
+      - uses: actions/attest-build-provenance@v1
+        id: attest
+        with:
+          subject-name: ${{ steps.ev.outputs.imageNames }}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
   build-outpost-binary:
     timeout-minutes: 120
     runs-on: ubuntu-latest
@@ -178,8 +198,8 @@ jobs:
           image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image
         run: |
-          docker pull ${{ steps.ev.outputs.imageMainTag }}
-          container=$(docker container create ${{ steps.ev.outputs.imageMainTag }})
+          docker pull ${{ steps.ev.outputs.imageMainName }}
+          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
           docker cp ${container}:web/ .
       - name: Create a Sentry.io release
         uses: getsentry/action-release@v1

.vscode/extensions.json

@@ -16,6 +16,6 @@
         "ms-python.black-formatter",
         "redhat.vscode-yaml",
         "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx",
+        "unifiedjs.vscode-mdx"
     ]
 }

.vscode/launch.json

@@ -22,6 +22,6 @@
             },
             "justMyCode": true,
             "django": true
-        },
+        }
     ]
 }

.vscode/settings.json

@@ -18,20 +18,21 @@
         "sso",
         "totp",
         "traefik",
-        "webauthn",
+        "webauthn"
     ],
     "todo-tree.tree.showCountsInTree": true,
     "todo-tree.tree.showBadges": true,
     "yaml.customTags": [
-        "!Find sequence",
-        "!KeyOf scalar",
-        "!Context scalar",
-        "!Context sequence",
-        "!Format sequence",
         "!Condition sequence",
-        "!Env sequence",
+        "!Context scalar",
+        "!Enumerate sequence",
         "!Env scalar",
-        "!If sequence"
+        "!Find sequence",
+        "!Format sequence",
+        "!If sequence",
+        "!Index scalar",
+        "!KeyOf scalar",
+        "!Value scalar"
     ],
     "typescript.preferences.importModuleSpecifier": "non-relative",
     "typescript.preferences.importModuleSpecifierEnding": "index",
@@ -48,9 +49,7 @@
             "ignoreCase": false
         }
     ],
-    "go.testFlags": [
-        "-count=1"
-    ],
+    "go.testFlags": ["-count=1"],
     "github-actions.workflows.pinned.workflows": [
         ".github/workflows/ci-main.yml"
     ]

.vscode/tasks.json

@@ -2,85 +2,67 @@
     "version": "2.0.0",
     "tasks": [
         {
-            "label": "authentik[core]: format & test",
+            "label": "authentik/core: make",
             "command": "poetry",
-            "args": [
-                "run",
-                "make"
-            ],
-            "group": "build",
+            "args": ["run", "make", "lint-fix", "lint"],
+            "presentation": {
+                "panel": "new"
+            },
+            "group": "test"
         },
         {
-            "label": "authentik[core]: run",
+            "label": "authentik/core: run",
             "command": "poetry",
-            "args": [
-                "run",
-                "make",
-                "run",
-            ],
+            "args": ["run", "ak", "server"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
-            "label": "authentik[web]: format",
+            "label": "authentik/web: make",
             "command": "make",
             "args": ["web"],
-            "group": "build",
+            "group": "build"
         },
         {
-            "label": "authentik[web]: watch",
+            "label": "authentik/web: watch",
             "command": "make",
             "args": ["web-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
             "label": "authentik: install",
             "command": "make",
-            "args": ["install"],
-            "group": "build",
+            "args": ["install", "-j4"],
+            "group": "build"
         },
         {
-            "label": "authentik: i18n-extract",
-            "command": "poetry",
-            "args": [
-                "run",
-                "make",
-                "i18n-extract"
-            ],
-            "group": "build",
-        },
-        {
-            "label": "authentik[website]: format",
+            "label": "authentik/website: make",
             "command": "make",
             "args": ["website"],
-            "group": "build",
+            "group": "build"
         },
         {
-            "label": "authentik[website]: watch",
+            "label": "authentik/website: watch",
             "command": "make",
             "args": ["website-watch"],
             "group": "build",
             "presentation": {
                 "panel": "dedicated",
                 "group": "running"
-            },
+            }
         },
         {
-            "label": "authentik[api]: generate",
+            "label": "authentik/api: generate",
             "command": "poetry",
-            "args": [
-                "run",
-                "make",
-                "gen"
-            ],
+            "args": ["run", "make", "gen"],
             "group": "build"
-        },
+        }
     ]
 }

Dockerfile

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
 # Stage 1: Build website
-FROM --platform=${BUILDPLATFORM} docker.io/node:22 as website-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 as website-builder
 
 ENV NODE_ENV=production
 
@@ -20,7 +20,7 @@ COPY ./SECURITY.md /work/
 RUN npm run build-bundled
 
 # Stage 2: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/node:22 as web-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:22 as web-builder
 
 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -30,12 +30,9 @@ WORKDIR /work/web
 
 RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
     --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
-    --mount=type=bind,target=/work/web/sfe/package.json,src=./web/sfe/package.json \
-    --mount=type=bind,target=/work/web/sfe/package-lock.json,src=./web/sfe/package-lock.json \
+    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
     --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
     --mount=type=cache,id=npm-web,sharing=shared,target=/root/.npm \
-    npm ci --include=dev && \
-    cd sfe && \
     npm ci --include=dev
 
 COPY ./package.json /work
@@ -43,9 +40,7 @@ COPY ./web /work/web/
 COPY ./website /work/website/
 COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 
-RUN npm run build && \
-    cd sfe && \
-    npm run build
+RUN npm run build
 
 # Stage 3: Build go proxy
 FROM --platform=${BUILDPLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.22-fips-bookworm AS go-builder

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.6.0"
+__version__ = "2024.6.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/blueprints/management/commands/apply_blueprint.py

@@ -23,9 +23,11 @@ class Command(BaseCommand):
                 for blueprint_path in options.get("blueprints", []):
                     content = BlueprintInstance(path=blueprint_path).retrieve()
                     importer = Importer.from_string(content)
-                    valid, _ = importer.validate()
+                    valid, logs = importer.validate()
                     if not valid:
-                        self.stderr.write("blueprint invalid")
+                        self.stderr.write("Blueprint invalid")
+                        for log in logs:
+                            self.stderr.write(f"\t{log.logger}: {log.event}: {log.attributes}")
                         sys_exit(1)
                     importer.apply()
 

authentik/blueprints/management/commands/make_blueprint_schema.py

@@ -113,16 +113,19 @@ class Command(BaseCommand):
             )
             model_path = f"{model._meta.app_label}.{model._meta.model_name}"
             self.schema["properties"]["entries"]["items"]["oneOf"].append(
-                self.template_entry(model_path, serializer)
+                self.template_entry(model_path, model, serializer)
             )
 
-    def template_entry(self, model_path: str, serializer: Serializer) -> dict:
+    def template_entry(self, model_path: str, model: type[Model], serializer: Serializer) -> dict:
         """Template entry for a single model"""
         model_schema = self.to_jsonschema(serializer)
         model_schema["required"] = []
         def_name = f"model_{model_path}"
         def_path = f"#/$defs/{def_name}"
         self.schema["$defs"][def_name] = model_schema
+        def_name_perm = f"model_{model_path}_permissions"
+        def_path_perm = f"#/$defs/{def_name_perm}"
+        self.schema["$defs"][def_name_perm] = self.model_permissions(model)
         return {
             "type": "object",
             "required": ["model", "identifiers"],
@@ -135,6 +138,7 @@ class Command(BaseCommand):
                     "default": "present",
                 },
                 "conditions": {"type": "array", "items": {"type": "boolean"}},
+                "permissions": {"$ref": def_path_perm},
                 "attrs": {"$ref": def_path},
                 "identifiers": {"$ref": def_path},
             },
@@ -185,3 +189,20 @@ class Command(BaseCommand):
         if required:
             result["required"] = required
         return result
+
+    def model_permissions(self, model: type[Model]) -> dict:
+        perms = [x[0] for x in model._meta.permissions]
+        for action in model._meta.default_permissions:
+            perms.append(f"{action}_{model._meta.model_name}")
+        return {
+            "type": "array",
+            "items": {
+                "type": "object",
+                "required": ["permission"],
+                "properties": {
+                    "permission": {"type": "string", "enum": perms},
+                    "user": {"type": "integer"},
+                    "role": {"type": "string"},
+                },
+            },
+        }

authentik/blueprints/tests/fixtures/rbac_object.yaml

@@ -0,0 +1,24 @@
+version: 1
+entries:
+  - model: authentik_core.user
+    id: user
+    identifiers:
+      username: "%(id)s"
+    attrs:
+      name: "%(id)s"
+  - model: authentik_rbac.role
+    id: role
+    identifiers:
+      name: "%(id)s"
+  - model: authentik_flows.flow
+    identifiers:
+      slug: "%(id)s"
+    attrs:
+      designation: authentication
+      name: foo
+      title: foo
+    permissions:
+      - permission: view_flow
+        user: !KeyOf user
+      - permission: view_flow
+        role: !KeyOf role

authentik/blueprints/tests/fixtures/rbac_role.yaml

@@ -0,0 +1,8 @@
+version: 1
+entries:
+  - model: authentik_rbac.role
+    identifiers:
+      name: "%(id)s"
+    attrs:
+      permissions:
+        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/fixtures/rbac_user.yaml

@@ -0,0 +1,9 @@
+version: 1
+entries:
+  - model: authentik_core.user
+    identifiers:
+      username: "%(id)s"
+    attrs:
+      name: "%(id)s"
+      permissions:
+        - authentik_blueprints.view_blueprintinstance

authentik/blueprints/tests/test_v1_rbac.py

@@ -0,0 +1,57 @@
+"""Test blueprints v1"""
+
+from django.test import TransactionTestCase
+from guardian.shortcuts import get_perms
+
+from authentik.blueprints.v1.importer import Importer
+from authentik.core.models import User
+from authentik.flows.models import Flow
+from authentik.lib.generators import generate_id
+from authentik.lib.tests.utils import load_fixture
+from authentik.rbac.models import Role
+
+
+class TestBlueprintsV1RBAC(TransactionTestCase):
+    """Test Blueprints rbac attribute"""
+
+    def test_user_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_user.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        user = User.objects.filter(username=uid).first()
+        self.assertIsNotNone(user)
+        self.assertTrue(user.has_perms(["authentik_blueprints.view_blueprintinstance"]))
+
+    def test_role_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_role.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        role = Role.objects.filter(name=uid).first()
+        self.assertIsNotNone(role)
+        self.assertEqual(
+            list(role.group.permissions.all().values_list("codename", flat=True)),
+            ["view_blueprintinstance"],
+        )
+
+    def test_object_permission(self):
+        """Test permissions"""
+        uid = generate_id()
+        import_yaml = load_fixture("fixtures/rbac_object.yaml", id=uid)
+
+        importer = Importer.from_string(import_yaml)
+        self.assertTrue(importer.validate()[0])
+        self.assertTrue(importer.apply())
+        flow = Flow.objects.filter(slug=uid).first()
+        user = User.objects.filter(username=uid).first()
+        role = Role.objects.filter(name=uid).first()
+        self.assertIsNotNone(flow)
+        self.assertEqual(get_perms(user, flow), ["view_flow"])
+        self.assertEqual(get_perms(role.group, flow), ["view_flow"])

authentik/blueprints/v1/common.py

@@ -1,7 +1,7 @@
 """transfer common classes"""
 
 from collections import OrderedDict
-from collections.abc import Iterable, Mapping
+from collections.abc import Generator, Iterable, Mapping
 from copy import copy
 from dataclasses import asdict, dataclass, field, is_dataclass
 from enum import Enum
@@ -58,6 +58,15 @@ class BlueprintEntryDesiredState(Enum):
     MUST_CREATED = "must_created"
 
 
+@dataclass
+class BlueprintEntryPermission:
+    """Describe object-level permissions"""
+
+    permission: Union[str, "YAMLTag"]
+    user: Union[int, "YAMLTag", None] = field(default=None)
+    role: Union[str, "YAMLTag", None] = field(default=None)
+
+
 @dataclass
 class BlueprintEntry:
     """Single entry of a blueprint"""
@@ -69,6 +78,7 @@ class BlueprintEntry:
     conditions: list[Any] = field(default_factory=list)
     identifiers: dict[str, Any] = field(default_factory=dict)
     attrs: dict[str, Any] | None = field(default_factory=dict)
+    permissions: list[BlueprintEntryPermission] = field(default_factory=list)
 
     id: str | None = None
 
@@ -150,6 +160,17 @@ class BlueprintEntry:
         """Get the blueprint model, with yaml tags resolved if present"""
         return str(self.tag_resolver(self.model, blueprint))
 
+    def get_permissions(
+        self, blueprint: "Blueprint"
+    ) -> Generator[BlueprintEntryPermission, None, None]:
+        """Get permissions of this entry, with all yaml tags resolved"""
+        for perm in self.permissions:
+            yield BlueprintEntryPermission(
+                permission=self.tag_resolver(perm.permission, blueprint),
+                user=self.tag_resolver(perm.user, blueprint),
+                role=self.tag_resolver(perm.role, blueprint),
+            )
+
     def check_all_conditions_match(self, blueprint: "Blueprint") -> bool:
         """Check all conditions of this entry match (evaluate to True)"""
         return all(self.tag_resolver(self.conditions, blueprint))
@@ -307,7 +328,10 @@ class Find(YAMLTag):
         else:
             model_name = self.model_name
 
-        model_class = apps.get_model(*model_name.split("."))
+        try:
+            model_class = apps.get_model(*model_name.split("."))
+        except LookupError as exc:
+            raise EntryInvalidError.from_entry(exc, entry) from exc
 
         query = Q()
         for cond in self.conditions:

authentik/blueprints/v1/importer.py

@@ -16,6 +16,7 @@ from django.db.models.query_utils import Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from guardian.models import UserObjectPermission
+from guardian.shortcuts import assign_perm
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import BaseSerializer, Serializer
 from structlog.stdlib import BoundLogger, get_logger
@@ -32,9 +33,11 @@ from authentik.blueprints.v1.common import (
 from authentik.blueprints.v1.meta.registry import BaseMetaModel, registry
 from authentik.core.models import (
     AuthenticatedSession,
+    GroupSourceConnection,
     PropertyMapping,
     Provider,
     Source,
+    User,
     UserSourceConnection,
 )
 from authentik.enterprise.license import LicenseKey
@@ -54,11 +57,13 @@ from authentik.events.utils import cleanse_dict
 from authentik.flows.models import FlowToken, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.sentry import SentryIgnoredException
+from authentik.lib.utils.reflection import get_apps
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.policies.reputation.models import Reputation
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMProviderGroup, SCIMProviderUser
+from authentik.rbac.models import Role
 from authentik.sources.scim.models import SCIMSourceGroup, SCIMSourceUser
 from authentik.stages.authenticator_webauthn.models import WebAuthnDeviceType
 from authentik.tenants.models import Tenant
@@ -87,6 +92,7 @@ def excluded_models() -> list[type[Model]]:
         Source,
         PropertyMapping,
         UserSourceConnection,
+        GroupSourceConnection,
         Stage,
         OutpostServiceConnection,
         Policy,
@@ -136,6 +142,16 @@ def transaction_rollback():
         pass
 
 
+def rbac_models() -> dict:
+    models = {}
+    for app in get_apps():
+        for model in app.get_models():
+            if not is_model_allowed(model):
+                continue
+            models[model._meta.model_name] = app.label
+    return models
+
+
 class Importer:
     """Import Blueprint from raw dict or YAML/JSON"""
 
@@ -154,7 +170,10 @@ class Importer:
 
     def default_context(self):
         """Default context"""
-        return {"goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid()}
+        return {
+            "goauthentik.io/enterprise/licensed": LicenseKey.get_total().is_valid(),
+            "goauthentik.io/rbac/models": rbac_models(),
+        }
 
     @staticmethod
     def from_string(yaml_input: str, context: dict | None = None) -> "Importer":
@@ -214,14 +233,17 @@ class Importer:
 
         return main_query | sub_query
 
-    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:
+    def _validate_single(self, entry: BlueprintEntry) -> BaseSerializer | None:  # noqa: PLR0915
         """Validate a single entry"""
         if not entry.check_all_conditions_match(self._import):
             self.logger.debug("One or more conditions of this entry are not fulfilled, skipping")
             return None
 
         model_app_label, model_name = entry.get_model(self._import).split(".")
-        model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
+        try:
+            model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
+        except LookupError as exc:
+            raise EntryInvalidError.from_entry(exc, entry) from exc
         # Don't use isinstance since we don't want to check for inheritance
         if not is_model_allowed(model):
             raise EntryInvalidError.from_entry(f"Model {model} not allowed", entry)
@@ -296,10 +318,7 @@ class Importer:
         try:
             full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
         except ValueError as exc:
-            raise EntryInvalidError.from_entry(
-                exc,
-                entry,
-            ) from exc
+            raise EntryInvalidError.from_entry(exc, entry) from exc
         always_merger.merge(full_data, updated_identifiers)
         serializer_kwargs["data"] = full_data
 
@@ -320,6 +339,15 @@ class Importer:
             ) from exc
         return serializer
 
+    def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
+        """Apply object-level permissions for an entry"""
+        for perm in entry.get_permissions(self._import):
+            if perm.user is not None:
+                assign_perm(perm.permission, User.objects.get(pk=perm.user), instance)
+            if perm.role is not None:
+                role = Role.objects.get(pk=perm.role)
+                role.assign_permission(perm.permission, obj=instance)
+
     def apply(self) -> bool:
         """Apply (create/update) models yaml, in database transaction"""
         try:
@@ -384,6 +412,7 @@ class Importer:
                 if "pk" in entry.identifiers:
                     self.__pk_map[entry.identifiers["pk"]] = instance.pk
                 entry._state = BlueprintEntryState(instance)
+                self._apply_permissions(instance, entry)
             elif state == BlueprintEntryDesiredState.ABSENT:
                 instance: Model | None = serializer.instance
                 if instance.pk:

authentik/brands/api.py

@@ -55,6 +55,7 @@ class BrandSerializer(ModelSerializer):
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
+            "default_application",
             "web_certificate",
             "attributes",
         ]

authentik/brands/apps.py

@@ -9,3 +9,6 @@ class AuthentikBrandsConfig(AppConfig):
     name = "authentik.brands"
     label = "authentik_brands"
     verbose_name = "authentik Brands"
+    mountpoints = {
+        "authentik.brands.urls_root": "",
+    }

authentik/brands/migrations/0007_brand_default_application.py

@@ -0,0 +1,26 @@
+# Generated by Django 5.0.6 on 2024-07-04 20:32
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_brands", "0006_brand_authentik_b_domain_b9b24a_idx_and_more"),
+        ("authentik_core", "0035_alter_group_options_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="brand",
+            name="default_application",
+            field=models.ForeignKey(
+                default=None,
+                help_text="When set, external users will be redirected to this application after authenticating.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.application",
+            ),
+        ),
+    ]

authentik/brands/models.py

@@ -3,6 +3,7 @@
 from uuid import uuid4
 
 from django.db import models
+from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
@@ -51,6 +52,16 @@ class Brand(SerializerModel):
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
     )
 
+    default_application = models.ForeignKey(
+        "authentik_core.Application",
+        null=True,
+        default=None,
+        on_delete=models.SET_DEFAULT,
+        help_text=_(
+            "When set, external users will be redirected to this application after authenticating."
+        ),
+    )
+
     web_certificate = models.ForeignKey(
         CertificateKeyPair,
         null=True,
@@ -88,3 +99,13 @@ class Brand(SerializerModel):
             models.Index(fields=["domain"]),
             models.Index(fields=["default"]),
         ]
+
+
+class WebfingerProvider(models.Model):
+    """Provider which supports webfinger discovery"""
+
+    class Meta:
+        abstract = True
+
+    def webfinger(self, resource: str, request: HttpRequest) -> dict:
+        raise NotImplementedError()

authentik/brands/tests.py

@@ -5,7 +5,11 @@ from rest_framework.test import APITestCase
 
 from authentik.brands.api import Themes
 from authentik.brands.models import Brand
+from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.saml.models import SAMLProvider
 
 
 class TestBrands(APITestCase):
@@ -75,3 +79,45 @@ class TestBrands(APITestCase):
             reverse("authentik_api:brand-list"), data={"domain": "bar", "default": True}
         )
         self.assertEqual(response.status_code, 400)
+
+    def test_webfinger_no_app(self):
+        """Test Webfinger"""
+        create_test_brand()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
+        )
+
+    def test_webfinger_not_supported(self):
+        """Test Webfinger"""
+        brand = create_test_brand()
+        provider = SAMLProvider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        brand.default_application = app
+        brand.save()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(), {}
+        )
+
+    def test_webfinger_oidc(self):
+        """Test Webfinger"""
+        brand = create_test_brand()
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+        )
+        app = Application.objects.create(name=generate_id(), slug=generate_id(), provider=provider)
+        brand.default_application = app
+        brand.save()
+        self.assertJSONEqual(
+            self.client.get(reverse("authentik_brands:webfinger")).content.decode(),
+            {
+                "links": [
+                    {
+                        "href": f"http://testserver/application/o/{app.slug}/",
+                        "rel": "http://openid.net/specs/connect/1.0/issuer",
+                    }
+                ],
+                "subject": None,
+            },
+        )

authentik/brands/urls_root.py

@@ -0,0 +1,9 @@
+"""authentik brand root URLs"""
+
+from django.urls import path
+
+from authentik.brands.views.webfinger import WebFingerView
+
+urlpatterns = [
+    path(".well-known/webfinger", WebFingerView.as_view(), name="webfinger"),
+]

authentik/brands/utils.py

@@ -5,7 +5,7 @@ from typing import Any
 from django.db.models import F, Q
 from django.db.models import Value as V
 from django.http.request import HttpRequest
-from sentry_sdk.hub import Hub
+from sentry_sdk import get_current_span
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
@@ -33,7 +33,7 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
     brand = getattr(request, "brand", DEFAULT_BRAND)
     tenant = getattr(request, "tenant", Tenant())
     trace = ""
-    span = Hub.current.scope.span
+    span = get_current_span()
     if span:
         trace = span.to_traceparent()
     return {

authentik/brands/views/webfinger.py

@@ -0,0 +1,29 @@
+from typing import Any
+
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.views import View
+
+from authentik.brands.models import Brand, WebfingerProvider
+from authentik.core.models import Application
+
+
+class WebFingerView(View):
+    """Webfinger endpoint"""
+
+    def get(self, request: HttpRequest) -> HttpResponse:
+        brand: Brand = request.brand
+        if not brand.default_application:
+            return JsonResponse({})
+        application: Application = brand.default_application
+        provider = application.get_provider()
+        if not provider or not isinstance(provider, WebfingerProvider):
+            return JsonResponse({})
+        webfinger_data = provider.webfinger(request.GET.get("resource"), request)
+        return JsonResponse(webfinger_data)
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        response = super().dispatch(request, *args, **kwargs)
+        # RFC7033 spec
+        response["Access-Control-Allow-Origin"] = "*"
+        response["Content-Type"] = "application/jrd+json"
+        return response

authentik/core/api/applications.py

@@ -103,7 +103,12 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
     """Application Viewset"""
 
-    queryset = Application.objects.all().prefetch_related("provider").prefetch_related("policies")
+    queryset = (
+        Application.objects.all()
+        .with_provider()
+        .prefetch_related("policies")
+        .prefetch_related("backchannel_providers")
+    )
     serializer_class = ApplicationSerializer
     search_fields = [
         "name",
@@ -147,6 +152,15 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 applications.append(application)
         return applications
 
+    def _filter_applications_with_launch_url(
+        self, pagined_apps: Iterator[Application]
+    ) -> list[Application]:
+        applications = []
+        for app in pagined_apps:
+            if app.get_launch_url():
+                applications.append(app)
+        return applications
+
     @extend_schema(
         parameters=[
             OpenApiParameter(
@@ -204,6 +218,11 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                 location=OpenApiParameter.QUERY,
                 type=OpenApiTypes.INT,
             ),
+            OpenApiParameter(
+                name="only_with_launch_url",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+            ),
         ]
     )
     def list(self, request: Request) -> Response:
@@ -216,6 +235,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         if superuser_full_list and request.user.is_superuser:
             return super().list(request)
 
+        only_with_launch_url = str(
+            request.query_params.get("only_with_launch_url", "false")
+        ).lower()
+
         queryset = self._filter_queryset_for_list(self.get_queryset())
         paginator: Pagination = self.paginator
         paginated_apps = paginator.paginate_queryset(queryset, request)
@@ -251,6 +274,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                     allowed_applications,
                     timeout=86400,
                 )
+
+        if only_with_launch_url == "true":
+            allowed_applications = self._filter_applications_with_launch_url(allowed_applications)
+
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 

authentik/core/api/devices.py

@@ -2,7 +2,13 @@
 
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, extend_schema
-from rest_framework.fields import BooleanField, CharField, IntegerField, SerializerMethodField
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    DateTimeField,
+    IntegerField,
+    SerializerMethodField,
+)
 from rest_framework.permissions import IsAdminUser, IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -20,6 +26,9 @@ class DeviceSerializer(MetaNameSerializer):
     name = CharField()
     type = SerializerMethodField()
     confirmed = BooleanField()
+    created = DateTimeField(read_only=True)
+    last_updated = DateTimeField(read_only=True)
+    last_used = DateTimeField(read_only=True, allow_null=True)
 
     def get_type(self, instance: Device) -> str:
         """Get type of device"""

authentik/core/api/property_mappings.py

@@ -2,8 +2,15 @@
 
 from json import dumps
 
+from django_filters.filters import AllValuesMultipleFilter, BooleanFilter
+from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiResponse,
+    extend_schema,
+    extend_schema_field,
+)
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
@@ -67,6 +74,18 @@ class PropertyMappingSerializer(ManagedSerializer, ModelSerializer, MetaNameSeri
         ]
 
 
+class PropertyMappingFilterSet(FilterSet):
+    """Filter for PropertyMapping"""
+
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
+
+    managed__isnull = BooleanFilter(field_name="managed", lookup_expr="isnull")
+
+    class Meta:
+        model = PropertyMapping
+        fields = ["name", "managed"]
+
+
 class PropertyMappingViewSet(
     TypesMixin,
     mixins.RetrieveModelMixin,
@@ -87,11 +106,9 @@ class PropertyMappingViewSet(
 
     queryset = PropertyMapping.objects.select_subclasses()
     serializer_class = PropertyMappingSerializer
-    search_fields = [
-        "name",
-    ]
-    filterset_fields = {"managed": ["isnull"]}
+    filterset_class = PropertyMappingFilterSet
     ordering = ["name"]
+    search_fields = ["name"]
 
     @permission_required("authentik_core.view_propertymapping")
     @extend_schema(

authentik/core/api/sources.py

@@ -19,7 +19,7 @@ from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
-from authentik.core.models import Source, UserSourceConnection
+from authentik.core.models import GroupSourceConnection, Source, UserSourceConnection
 from authentik.core.types import UserSettingSerializer
 from authentik.lib.utils.file import (
     FilePathSerializer,
@@ -60,6 +60,8 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
             "enabled",
             "authentication_flow",
             "enrollment_flow",
+            "user_property_mappings",
+            "group_property_mappings",
             "component",
             "verbose_name",
             "verbose_name_plural",
@@ -188,6 +190,47 @@ class UserSourceConnectionViewSet(
     queryset = UserSourceConnection.objects.all()
     serializer_class = UserSourceConnectionSerializer
     permission_classes = [OwnerSuperuserPermissions]
-    filterset_fields = ["user"]
+    filterset_fields = ["user", "source__slug"]
+    search_fields = ["source__slug"]
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
-    ordering = ["pk"]
+    ordering = ["source__slug", "pk"]
+
+
+class GroupSourceConnectionSerializer(SourceSerializer):
+    """Group Source Connection Serializer"""
+
+    source = SourceSerializer(read_only=True)
+
+    class Meta:
+        model = GroupSourceConnection
+        fields = [
+            "pk",
+            "group",
+            "source",
+            "identifier",
+            "created",
+        ]
+        extra_kwargs = {
+            "group": {"read_only": True},
+            "identifier": {"read_only": True},
+            "created": {"read_only": True},
+        }
+
+
+class GroupSourceConnectionViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.UpdateModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """Group-source connection Viewset"""
+
+    queryset = GroupSourceConnection.objects.all()
+    serializer_class = GroupSourceConnectionSerializer
+    permission_classes = [OwnerSuperuserPermissions]
+    filterset_fields = ["group", "source__slug"]
+    search_fields = ["source__slug"]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    ordering = ["source__slug", "pk"]

authentik/core/api/users.py

@@ -5,6 +5,7 @@ from json import loads
 from typing import Any
 
 from django.contrib.auth import update_session_auth_hash
+from django.contrib.auth.models import Permission
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.db.models.functions import ExtractHour
@@ -33,15 +34,21 @@ from drf_spectacular.utils import (
 )
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, IntegerField, ListField, SerializerMethodField
+from rest_framework.exceptions import ValidationError
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    ChoiceField,
+    DateTimeField,
+    IntegerField,
+    ListField,
+    SerializerMethodField,
+)
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
-    BooleanField,
-    DateTimeField,
     ListSerializer,
     PrimaryKeyRelatedField,
-    ValidationError,
 )
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
@@ -78,6 +85,7 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.lib.avatars import get_avatar
 from authentik.rbac.decorators import permission_required
+from authentik.rbac.models import get_permission_choices
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@@ -141,12 +149,19 @@ class UserSerializer(ModelSerializer):
         super().__init__(*args, **kwargs)
         if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
             self.fields["password"] = CharField(required=False, allow_null=True)
+            self.fields["permissions"] = ListField(
+                required=False, child=ChoiceField(choices=get_permission_choices())
+            )
 
     def create(self, validated_data: dict) -> User:
         """If this serializer is used in the blueprint context, we allow for
         directly setting a password. However should be done via the `set_password`
         method instead of directly setting it like rest_framework."""
         password = validated_data.pop("password", None)
+        permissions = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        )
+        validated_data["user_permissions"] = permissions
         instance: User = super().create(validated_data)
         self._set_password(instance, password)
         return instance
@@ -155,6 +170,10 @@ class UserSerializer(ModelSerializer):
         """Same as `create` above, set the password directly if we're in a blueprint
         context"""
         password = validated_data.pop("password", None)
+        permissions = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        )
+        validated_data["user_permissions"] = permissions
         instance = super().update(instance, validated_data)
         self._set_password(instance, password)
         return instance

authentik/core/management/commands/change_user_type.py

@@ -0,0 +1,28 @@
+"""Change user type"""
+
+from authentik.core.models import User, UserTypes
+from authentik.tenants.management import TenantCommand
+
+
+class Command(TenantCommand):
+    """Change user type"""
+
+    def add_arguments(self, parser):
+        parser.add_argument("--type", type=str, required=True)
+        parser.add_argument("--all", action="store_true")
+        parser.add_argument("usernames", nargs="+", type=str)
+
+    def handle_per_tenant(self, **options):
+        new_type = UserTypes(options["type"])
+        qs = (
+            User.objects.exclude_anonymous()
+            .exclude(type=UserTypes.SERVICE_ACCOUNT)
+            .exclude(type=UserTypes.INTERNAL_SERVICE_ACCOUNT)
+        )
+        if options["usernames"] and options["all"]:
+            self.stderr.write("--all and usernames specified, only one can be specified")
+            return
+        if options["usernames"] and not options["all"]:
+            qs = qs.filter(username__in=options["usernames"])
+        updated = qs.update(type=new_type)
+        self.stdout.write(f"Updated {updated} users.")

authentik/core/migrations/0029_provider_backchannel_applications_and_more.py

@@ -7,12 +7,13 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 
 def backport_is_backchannel(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
     from authentik.providers.ldap.models import LDAPProvider
     from authentik.providers.scim.models import SCIMProvider
 
     for model in [LDAPProvider, SCIMProvider]:
         try:
-            for obj in model.objects.only("is_backchannel"):
+            for obj in model.objects.using(db_alias).only("is_backchannel"):
                 obj.is_backchannel = True
                 obj.save()
         except (DatabaseError, InternalError, ProgrammingError):

authentik/core/migrations/0036_source_group_property_mappings_and_more.py

@@ -0,0 +1,43 @@
+# Generated by Django 5.0.2 on 2024-02-29 11:05
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0035_alter_group_options_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="group_property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_grouppropertymappings_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+        migrations.AddField(
+            model_name="source",
+            name="user_property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_userpropertymappings_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="source",
+            name="property_mappings",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                related_name="source_set",
+                to="authentik_core.propertymapping",
+            ),
+        ),
+    ]

authentik/core/migrations/0037_remove_source_property_mappings.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.0.2 on 2024-02-29 11:21
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_ldap", "0005_remove_ldappropertymapping_object_field_and_more"),
+        ("authentik_core", "0036_source_group_property_mappings_and_more"),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name="source",
+            name="property_mappings",
+        ),
+    ]

authentik/core/migrations/0038_source_authentik_c_enabled_d72365_idx.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.0.7 on 2024-07-22 13:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0037_remove_source_property_mappings"),
+        ("authentik_flows", "0027_auto_20231028_1424"),
+        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="source",
+            index=models.Index(fields=["enabled"], name="authentik_c_enabled_d72365_idx"),
+        ),
+    ]

authentik/core/migrations/0039_source_group_matching_mode_alter_group_name_and_more.py

@@ -0,0 +1,67 @@
+# Generated by Django 5.0.7 on 2024-08-01 18:52
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0038_source_authentik_c_enabled_d72365_idx"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="group_matching_mode",
+            field=models.TextField(
+                choices=[
+                    ("identifier", "Use the source-specific identifier"),
+                    (
+                        "name_link",
+                        "Link to a group with identical name. Can have security implications when a group name is used with another source.",
+                    ),
+                    (
+                        "name_deny",
+                        "Use the group name, but deny enrollment when the name already exists.",
+                    ),
+                ],
+                default="identifier",
+                help_text="How the source determines if an existing group should be used or a new group created.",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="group",
+            name="name",
+            field=models.TextField(verbose_name="name"),
+        ),
+        migrations.CreateModel(
+            name="GroupSourceConnection",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                ("created", models.DateTimeField(auto_now_add=True)),
+                ("last_updated", models.DateTimeField(auto_now=True)),
+                ("identifier", models.TextField()),
+                (
+                    "group",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.group"
+                    ),
+                ),
+                (
+                    "source",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.source"
+                    ),
+                ),
+            ],
+            options={
+                "unique_together": {("group", "source")},
+            },
+        ),
+    ]

authentik/core/models.py

@@ -11,6 +11,7 @@ from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.db import models
 from django.db.models import Q, QuerySet, options
+from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
 from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.timezone import now
@@ -28,6 +29,7 @@ from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
 from authentik.lib.expression.exceptions import ControlFlowException
 from authentik.lib.generators import generate_id
+from authentik.lib.merge import MERGE_LIST_UNIQUE
 from authentik.lib.models import (
     CreatedUpdatedModel,
     DomainlessFormattedURLValidator,
@@ -100,6 +102,38 @@ class UserTypes(models.TextChoices):
     INTERNAL_SERVICE_ACCOUNT = "internal_service_account"
 
 
+class AttributesMixin(models.Model):
+    """Adds an attributes property to a model"""
+
+    attributes = models.JSONField(default=dict, blank=True)
+
+    class Meta:
+        abstract = True
+
+    def update_attributes(self, properties: dict[str, Any]):
+        """Update fields and attributes, but correctly by merging dicts"""
+        for key, value in properties.items():
+            if key == "attributes":
+                continue
+            setattr(self, key, value)
+        final_attributes = {}
+        MERGE_LIST_UNIQUE.merge(final_attributes, self.attributes)
+        MERGE_LIST_UNIQUE.merge(final_attributes, properties.get("attributes", {}))
+        self.attributes = final_attributes
+        self.save()
+
+    @classmethod
+    def update_or_create_attributes(
+        cls, query: dict[str, Any], properties: dict[str, Any]
+    ) -> tuple[models.Model, bool]:
+        """Same as django's update_or_create but correctly updates attributes by merging dicts"""
+        instance = cls.objects.filter(**query).first()
+        if not instance:
+            return cls.objects.create(**properties), True
+        instance.update_attributes(properties)
+        return instance, False
+
+
 class GroupQuerySet(CTEQuerySet):
     def with_children_recursive(self):
         """Recursively get all groups that have the current queryset as parents
@@ -134,12 +168,12 @@ class GroupQuerySet(CTEQuerySet):
         return cte.join(Group, group_uuid=cte.col.group_uuid).with_cte(cte)
 
 
-class Group(SerializerModel):
+class Group(SerializerModel, AttributesMixin):
     """Group model which supports a basic hierarchy and has attributes"""
 
     group_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
 
-    name = models.CharField(_("name"), max_length=80)
+    name = models.TextField(_("name"))
     is_superuser = models.BooleanField(
         default=False, help_text=_("Users added to this group will be superusers.")
     )
@@ -154,10 +188,27 @@ class Group(SerializerModel):
         on_delete=models.SET_NULL,
         related_name="children",
     )
-    attributes = models.JSONField(default=dict, blank=True)
 
     objects = GroupQuerySet.as_manager()
 
+    class Meta:
+        unique_together = (
+            (
+                "name",
+                "parent",
+            ),
+        )
+        indexes = [models.Index(fields=["name"])]
+        verbose_name = _("Group")
+        verbose_name_plural = _("Groups")
+        permissions = [
+            ("add_user_to_group", _("Add user to group")),
+            ("remove_user_from_group", _("Remove user from group")),
+        ]
+
+    def __str__(self):
+        return f"Group {self.name}"
+
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.groups import GroupSerializer
@@ -182,24 +233,6 @@ class Group(SerializerModel):
             qs = Group.objects.filter(group_uuid=self.group_uuid)
         return qs.with_children_recursive()
 
-    def __str__(self):
-        return f"Group {self.name}"
-
-    class Meta:
-        unique_together = (
-            (
-                "name",
-                "parent",
-            ),
-        )
-        indexes = [models.Index(fields=["name"])]
-        verbose_name = _("Group")
-        verbose_name_plural = _("Groups")
-        permissions = [
-            ("add_user_to_group", _("Add user to group")),
-            ("remove_user_from_group", _("Remove user from group")),
-        ]
-
 
 class UserQuerySet(models.QuerySet):
     """User queryset"""
@@ -225,7 +258,7 @@ class UserManager(DjangoUserManager):
         return self.get_queryset().exclude_anonymous()
 
 
-class User(SerializerModel, GuardianUserMixin, AbstractUser):
+class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
     """authentik User model, based on django's contrib auth user model."""
 
     uuid = models.UUIDField(default=uuid4, editable=False, unique=True)
@@ -237,10 +270,30 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
     ak_groups = models.ManyToManyField("Group", related_name="users")
     password_change_date = models.DateTimeField(auto_now_add=True)
 
-    attributes = models.JSONField(default=dict, blank=True)
-
     objects = UserManager()
 
+    class Meta:
+        verbose_name = _("User")
+        verbose_name_plural = _("Users")
+        permissions = [
+            ("reset_user_password", _("Reset Password")),
+            ("impersonate", _("Can impersonate other users")),
+            ("assign_user_permissions", _("Can assign permissions to users")),
+            ("unassign_user_permissions", _("Can unassign permissions from users")),
+            ("preview_user", _("Can preview user data sent to providers")),
+            ("view_user_applications", _("View applications the user has access to")),
+        ]
+        indexes = [
+            models.Index(fields=["last_login"]),
+            models.Index(fields=["password_change_date"]),
+            models.Index(fields=["uuid"]),
+            models.Index(fields=["path"]),
+            models.Index(fields=["type"]),
+        ]
+
+    def __str__(self):
+        return self.username
+
     @staticmethod
     def default_path() -> str:
         """Get the default user path"""
@@ -322,25 +375,6 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
         """Get avatar, depending on authentik.avatar setting"""
         return get_avatar(self)
 
-    class Meta:
-        verbose_name = _("User")
-        verbose_name_plural = _("Users")
-        permissions = [
-            ("reset_user_password", _("Reset Password")),
-            ("impersonate", _("Can impersonate other users")),
-            ("assign_user_permissions", _("Can assign permissions to users")),
-            ("unassign_user_permissions", _("Can unassign permissions from users")),
-            ("preview_user", _("Can preview user data sent to providers")),
-            ("view_user_applications", _("View applications the user has access to")),
-        ]
-        indexes = [
-            models.Index(fields=["last_login"]),
-            models.Index(fields=["password_change_date"]),
-            models.Index(fields=["uuid"]),
-            models.Index(fields=["path"]),
-            models.Index(fields=["type"]),
-        ]
-
 
 class Provider(SerializerModel):
     """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
@@ -428,6 +462,16 @@ class BackchannelProvider(Provider):
         abstract = True
 
 
+class ApplicationQuerySet(QuerySet):
+    def with_provider(self) -> "QuerySet[Application]":
+        qs = self.select_related("provider")
+        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
+            if LOOKUP_SEP in subclass:
+                continue
+            qs = qs.select_related(f"provider__{subclass}")
+        return qs
+
+
 class Application(SerializerModel, PolicyBindingModel):
     """Every Application which uses authentik for authentication/identification/authorization
     needs an Application record. Other authentication types can subclass this Model to
@@ -459,6 +503,8 @@ class Application(SerializerModel, PolicyBindingModel):
     meta_description = models.TextField(default="", blank=True)
     meta_publisher = models.TextField(default="", blank=True)
 
+    objects = ApplicationQuerySet.as_manager()
+
     @property
     def serializer(self) -> Serializer:
         from authentik.core.api.applications import ApplicationSerializer
@@ -495,16 +541,19 @@ class Application(SerializerModel, PolicyBindingModel):
         return url
 
     def get_provider(self) -> Provider | None:
-        """Get casted provider instance"""
+        """Get casted provider instance. Needs Application queryset with_provider"""
         if not self.provider:
             return None
-        # if the Application class has been cache, self.provider is set
-        # but doing a direct query lookup will fail.
-        # In that case, just return None
-        try:
-            return Provider.objects.get_subclass(pk=self.provider.pk)
-        except Provider.DoesNotExist:
-            return None
+
+        for subclass in Provider.objects.get_queryset()._get_subclasses_recurse(Provider):
+            # We don't care about recursion, skip nested models
+            if LOOKUP_SEP in subclass:
+                continue
+            try:
+                return getattr(self.provider, subclass)
+            except AttributeError:
+                pass
+        return None
 
     def __str__(self):
         return str(self.name)
@@ -534,6 +583,19 @@ class SourceUserMatchingModes(models.TextChoices):
     )
 
 
+class SourceGroupMatchingModes(models.TextChoices):
+    """Different modes a source can handle new/returning groups"""
+
+    IDENTIFIER = "identifier", _("Use the source-specific identifier")
+    NAME_LINK = "name_link", _(
+        "Link to a group with identical name. Can have security implications "
+        "when a group name is used with another source."
+    )
+    NAME_DENY = "name_deny", _(
+        "Use the group name, but deny enrollment when the name already exists."
+    )
+
+
 class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     """Base Authentication source, i.e. an OAuth Provider, SAML Remote or LDAP Server"""
 
@@ -543,7 +605,12 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
     user_path_template = models.TextField(default="goauthentik.io/sources/%(slug)s")
 
     enabled = models.BooleanField(default=True)
-    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
+    user_property_mappings = models.ManyToManyField(
+        "PropertyMapping", default=None, blank=True, related_name="source_userpropertymappings_set"
+    )
+    group_property_mappings = models.ManyToManyField(
+        "PropertyMapping", default=None, blank=True, related_name="source_grouppropertymappings_set"
+    )
     icon = models.FileField(
         upload_to="source-icons/",
         default=None,
@@ -578,6 +645,14 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
             "a new user enrolled."
         ),
     )
+    group_matching_mode = models.TextField(
+        choices=SourceGroupMatchingModes.choices,
+        default=SourceGroupMatchingModes.IDENTIFIER,
+        help_text=_(
+            "How the source determines if an existing group should be used or "
+            "a new group created."
+        ),
+    )
 
     objects = InheritanceManager()
 
@@ -607,6 +682,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         """Return component used to edit this object"""
         raise NotImplementedError
 
+    @property
+    def property_mapping_type(self) -> "type[PropertyMapping]":
+        """Return property mapping type used by this object"""
+        raise NotImplementedError
+
     def ui_login_button(self, request: HttpRequest) -> UILoginButton | None:
         """If source uses a http-based flow, return UI Information about the login
         button. If source doesn't use http-based flow, return None."""
@@ -617,6 +697,14 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         user settings are available, or UserSettingSerializer."""
         return None
 
+    def get_base_user_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a user to build final properties upon."""
+        raise NotImplementedError
+
+    def get_base_group_properties(self, **kwargs) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a group to build final properties upon."""
+        raise NotImplementedError
+
     def __str__(self):
         return str(self.name)
 
@@ -632,6 +720,11 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
                     "name",
                 ]
             ),
+            models.Index(
+                fields=[
+                    "enabled",
+                ]
+            ),
         ]
 
 
@@ -655,6 +748,27 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
         unique_together = (("user", "source"),)
 
 
+class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
+    """Connection between Group and Source."""
+
+    group = models.ForeignKey(Group, on_delete=models.CASCADE)
+    source = models.ForeignKey(Source, on_delete=models.CASCADE)
+    identifier = models.TextField()
+
+    objects = InheritanceManager()
+
+    @property
+    def serializer(self) -> type[Serializer]:
+        """Get serializer for this model"""
+        raise NotImplementedError
+
+    def __str__(self) -> str:
+        return f"Group-source connection (group={self.group_id}, source={self.source_id})"
+
+    class Meta:
+        unique_together = (("group", "source"),)
+
+
 class ExpiringModel(models.Model):
     """Base Model which can expire, and is automatically cleaned up."""
 

authentik/core/signals.py

@@ -52,6 +52,8 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
 @receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
     """Delete AuthenticatedSession if it exists"""
+    if not request.session or not request.session.session_key:
+        return
     AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
 
 

authentik/core/sources/flow_manager.py

@@ -4,7 +4,7 @@ from enum import Enum
 from typing import Any
 
 from django.contrib import messages
-from django.db import IntegrityError
+from django.db import IntegrityError, transaction
 from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
@@ -12,8 +12,20 @@ from django.urls import reverse
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
 
-from authentik.core.models import Source, SourceUserMatchingModes, User, UserSourceConnection
-from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostSourceStage
+from authentik.core.models import (
+    Group,
+    GroupSourceConnection,
+    Source,
+    SourceGroupMatchingModes,
+    SourceUserMatchingModes,
+    User,
+    UserSourceConnection,
+)
+from authentik.core.sources.mapper import SourceMapper
+from authentik.core.sources.stage import (
+    PLAN_CONTEXT_SOURCES_CONNECTION,
+    PostSourceStage,
+)
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow, FlowToken, Stage, in_memory_stage
@@ -36,7 +48,10 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 
+LOGGER = get_logger()
+
 SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
+PLAN_CONTEXT_SOURCE_GROUPS = "source_groups"
 
 
 class Action(Enum):
@@ -70,48 +85,69 @@ class SourceFlowManager:
     or deny the request."""
 
     source: Source
+    mapper: SourceMapper
     request: HttpRequest
 
     identifier: str
 
-    connection_type: type[UserSourceConnection] = UserSourceConnection
+    user_connection_type: type[UserSourceConnection] = UserSourceConnection
+    group_connection_type: type[GroupSourceConnection] = GroupSourceConnection
 
-    enroll_info: dict[str, Any]
+    user_info: dict[str, Any]
     policy_context: dict[str, Any]
+    user_properties: dict[str, Any | dict[str, Any]]
+    groups_properties: dict[str, dict[str, Any | dict[str, Any]]]
 
     def __init__(
         self,
         source: Source,
         request: HttpRequest,
         identifier: str,
-        enroll_info: dict[str, Any],
+        user_info: dict[str, Any],
+        policy_context: dict[str, Any],
     ) -> None:
         self.source = source
+        self.mapper = SourceMapper(self.source)
         self.request = request
         self.identifier = identifier
-        self.enroll_info = enroll_info
+        self.user_info = user_info
         self._logger = get_logger().bind(source=source, identifier=identifier)
-        self.policy_context = {}
+        self.policy_context = policy_context
+
+        self.user_properties = self.mapper.build_object_properties(
+            object_type=User, request=request, user=None, **self.user_info
+        )
+        self.groups_properties = {
+            group_id: self.mapper.build_object_properties(
+                object_type=Group,
+                request=request,
+                user=None,
+                group_id=group_id,
+                **self.user_info,
+            )
+            for group_id in self.user_properties.setdefault("groups", [])
+        }
+        del self.user_properties["groups"]
 
     def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
         """decide which action should be taken"""
-        new_connection = self.connection_type(source=self.source, identifier=self.identifier)
+        new_connection = self.user_connection_type(source=self.source, identifier=self.identifier)
         # When request is authenticated, always link
         if self.request.user.is_authenticated:
             new_connection.user = self.request.user
-            new_connection = self.update_connection(new_connection, **kwargs)
+            new_connection = self.update_user_connection(new_connection, **kwargs)
             return Action.LINK, new_connection
 
-        existing_connections = self.connection_type.objects.filter(
+        existing_connections = self.user_connection_type.objects.filter(
             source=self.source, identifier=self.identifier
         )
         if existing_connections.exists():
             connection = existing_connections.first()
-            return Action.AUTH, self.update_connection(connection, **kwargs)
+            return Action.AUTH, self.update_user_connection(connection, **kwargs)
         # No connection exists, but we match on identifier, so enroll
         if self.source.user_matching_mode == SourceUserMatchingModes.IDENTIFIER:
             # We don't save the connection here cause it doesn't have a user assigned yet
-            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
 
         # Check for existing users with matching attributes
         query = Q()
@@ -120,24 +156,24 @@ class SourceFlowManager:
             SourceUserMatchingModes.EMAIL_LINK,
             SourceUserMatchingModes.EMAIL_DENY,
         ]:
-            if not self.enroll_info.get("email", None):
-                self._logger.warning("Refusing to use none email", source=self.source)
+            if not self.user_properties.get("email", None):
+                self._logger.warning("Refusing to use none email")
                 return Action.DENY, None
-            query = Q(email__exact=self.enroll_info.get("email", None))
+            query = Q(email__exact=self.user_properties.get("email", None))
         if self.source.user_matching_mode in [
             SourceUserMatchingModes.USERNAME_LINK,
             SourceUserMatchingModes.USERNAME_DENY,
         ]:
-            if not self.enroll_info.get("username", None):
-                self._logger.warning("Refusing to use none username", source=self.source)
+            if not self.user_properties.get("username", None):
+                self._logger.warning("Refusing to use none username")
                 return Action.DENY, None
-            query = Q(username__exact=self.enroll_info.get("username", None))
+            query = Q(username__exact=self.user_properties.get("username", None))
         self._logger.debug("trying to link with existing user", query=query)
         matching_users = User.objects.filter(query)
         # No matching users, always enroll
         if not matching_users.exists():
             self._logger.debug("no matching users found, enrolling")
-            return Action.ENROLL, self.update_connection(new_connection, **kwargs)
+            return Action.ENROLL, self.update_user_connection(new_connection, **kwargs)
 
         user = matching_users.first()
         if self.source.user_matching_mode in [
@@ -145,7 +181,7 @@ class SourceFlowManager:
             SourceUserMatchingModes.USERNAME_LINK,
         ]:
             new_connection.user = user
-            new_connection = self.update_connection(new_connection, **kwargs)
+            new_connection = self.update_user_connection(new_connection, **kwargs)
             return Action.LINK, new_connection
         if self.source.user_matching_mode in [
             SourceUserMatchingModes.EMAIL_DENY,
@@ -156,10 +192,10 @@ class SourceFlowManager:
         # Should never get here as default enroll case is returned above.
         return Action.DENY, None  # pragma: no cover
 
-    def update_connection(
+    def update_user_connection(
         self, connection: UserSourceConnection, **kwargs
     ) -> UserSourceConnection:  # pragma: no cover
-        """Optionally make changes to the connection after it is looked up/created."""
+        """Optionally make changes to the user connection after it is looked up/created."""
         return connection
 
     def get_flow(self, **kwargs) -> HttpResponse:
@@ -212,28 +248,34 @@ class SourceFlowManager:
 
     def _prepare_flow(
         self,
-        flow: Flow,
+        flow: Flow | None,
         connection: UserSourceConnection,
         stages: list[StageView] | None = None,
-        **kwargs,
+        **flow_context,
     ) -> HttpResponse:
         """Prepare Authentication Plan, redirect user FlowExecutor"""
-        kwargs.update(
+        # Ensure redirect is carried through when user was trying to
+        # authorize application
+        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
+            NEXT_ARG_NAME, "authentik_core:if-user"
+        )
+        flow_context.update(
             {
                 # Since we authenticate the user by their token, they have no backend set
                 PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_SOURCE: self.source,
                 PLAN_CONTEXT_SOURCES_CONNECTION: connection,
+                PLAN_CONTEXT_SOURCE_GROUPS: self.groups_properties,
             }
         )
-        kwargs.update(self.policy_context)
+        flow_context.update(self.policy_context)
         if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
             token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
             self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
             plan = token.plan
             plan.context[PLAN_CONTEXT_IS_RESTORED] = token
-            plan.context.update(kwargs)
+            plan.context.update(flow_context)
             for stage in self.get_stages_to_append(flow):
                 plan.append_stage(stage)
             if stages:
@@ -252,8 +294,8 @@ class SourceFlowManager:
         final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
             NEXT_ARG_NAME, "authentik_core:if-user"
         )
-        if PLAN_CONTEXT_REDIRECT not in kwargs:
-            kwargs[PLAN_CONTEXT_REDIRECT] = final_redirect
+        if PLAN_CONTEXT_REDIRECT not in flow_context:
+            flow_context[PLAN_CONTEXT_REDIRECT] = final_redirect
 
         if not flow:
             return bad_request_message(
@@ -265,9 +307,12 @@ class SourceFlowManager:
         # We append some stages so the initial flow we get might be empty
         planner.allow_empty_flows = True
         planner.use_cache = False
-        plan = planner.plan(self.request, kwargs)
+        plan = planner.plan(self.request, flow_context)
         for stage in self.get_stages_to_append(flow):
             plan.append_stage(stage)
+        plan.append_stage(
+            in_memory_stage(GroupUpdateStage, group_connection_type=self.group_connection_type)
+        )
         if stages:
             for stage in stages:
                 plan.append_stage(stage)
@@ -309,6 +354,8 @@ class SourceFlowManager:
         # When request isn't authenticated we jump straight to auth
         if not self.request.user.is_authenticated:
             return self.handle_auth(connection)
+        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
+            return self._prepare_flow(None, connection)
         connection.save()
         Event.new(
             EventAction.SOURCE_LINKED,
@@ -352,7 +399,123 @@ class SourceFlowManager:
                 )
             ],
             **{
-                PLAN_CONTEXT_PROMPT: delete_none_values(self.enroll_info),
+                PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
                 PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
             },
         )
+
+
+class GroupUpdateStage(StageView):
+    """Dynamically injected stage which updates the user after enrollment/authentication."""
+
+    def get_action(
+        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
+    ) -> tuple[Action, GroupSourceConnection | None]:
+        """decide which action should be taken"""
+        new_connection = self.group_connection_type(source=self.source, identifier=group_id)
+
+        existing_connections = self.group_connection_type.objects.filter(
+            source=self.source, identifier=group_id
+        )
+        if existing_connections.exists():
+            return Action.LINK, existing_connections.first()
+        # No connection exists, but we match on identifier, so enroll
+        if self.source.group_matching_mode == SourceGroupMatchingModes.IDENTIFIER:
+            # We don't save the connection here cause it doesn't have a user assigned yet
+            return Action.ENROLL, new_connection
+
+        # Check for existing groups with matching attributes
+        query = Q()
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_LINK,
+            SourceGroupMatchingModes.NAME_DENY,
+        ]:
+            if not group_properties.get("name", None):
+                LOGGER.warning(
+                    "Refusing to use none group name", source=self.source, group_id=group_id
+                )
+                return Action.DENY, None
+            query = Q(name__exact=group_properties.get("name"))
+        LOGGER.debug(
+            "trying to link with existing group", source=self.source, query=query, group_id=group_id
+        )
+        matching_groups = Group.objects.filter(query)
+        # No matching groups, always enroll
+        if not matching_groups.exists():
+            LOGGER.debug(
+                "no matching groups found, enrolling", source=self.source, group_id=group_id
+            )
+            return Action.ENROLL, new_connection
+
+        group = matching_groups.first()
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_LINK,
+        ]:
+            new_connection.group = group
+            return Action.LINK, new_connection
+        if self.source.group_matching_mode in [
+            SourceGroupMatchingModes.NAME_DENY,
+        ]:
+            LOGGER.info(
+                "denying source because group exists",
+                source=self.source,
+                group=group,
+                group_id=group_id,
+            )
+            return Action.DENY, None
+        # Should never get here as default enroll case is returned above.
+        return Action.DENY, None  # pragma: no cover
+
+    def handle_group(
+        self, group_id: str, group_properties: dict[str, Any | dict[str, Any]]
+    ) -> Group | None:
+        action, connection = self.get_action(group_id, group_properties)
+        if action == Action.ENROLL:
+            group = Group.objects.create(**group_properties)
+            connection.group = group
+            connection.save()
+            return group
+        elif action == Action.LINK:
+            group = connection.group
+            group.update_attributes(group_properties)
+            connection.save()
+            return group
+
+        return None
+
+    def handle_groups(self) -> bool:
+        self.source: Source = self.executor.plan.context[PLAN_CONTEXT_SOURCE]
+        self.user: User = self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
+        self.group_connection_type: GroupSourceConnection = (
+            self.executor.current_stage.group_connection_type
+        )
+
+        raw_groups: dict[str, dict[str, Any | dict[str, Any]]] = self.executor.plan.context[
+            PLAN_CONTEXT_SOURCE_GROUPS
+        ]
+        groups: list[Group] = []
+
+        for group_id, group_properties in raw_groups.items():
+            group = self.handle_group(group_id, group_properties)
+            if not group:
+                return False
+            groups.append(group)
+
+        with transaction.atomic():
+            self.user.ak_groups.remove(
+                *self.user.ak_groups.filter(groupsourceconnection__source=self.source)
+            )
+            self.user.ak_groups.add(*groups)
+
+        return True
+
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Stage used after the user has been enrolled to sync their groups from source data"""
+        if self.handle_groups():
+            return self.executor.stage_ok()
+        else:
+            return self.executor.stage_invalid("Failed to update groups. Please try again later.")
+
+    def post(self, request: HttpRequest) -> HttpResponse:
+        """Wrapper for post requests"""
+        return self.get(request)

authentik/core/sources/mapper.py

@@ -0,0 +1,103 @@
+from typing import Any
+
+from django.http import HttpRequest
+from structlog.stdlib import get_logger
+
+from authentik.core.expression.exceptions import PropertyMappingExpressionException
+from authentik.core.models import Group, PropertyMapping, Source, User
+from authentik.events.models import Event, EventAction
+from authentik.lib.merge import MERGE_LIST_UNIQUE
+from authentik.lib.sync.mapper import PropertyMappingManager
+from authentik.policies.utils import delete_none_values
+
+LOGGER = get_logger()
+
+
+class SourceMapper:
+    def __init__(self, source: Source):
+        self.source = source
+
+    def get_manager(
+        self, object_type: type[User | Group], context_keys: list[str]
+    ) -> PropertyMappingManager:
+        """Get property mapping manager for this source."""
+
+        qs = PropertyMapping.objects.none()
+        if object_type == User:
+            qs = self.source.user_property_mappings.all().select_subclasses()
+        elif object_type == Group:
+            qs = self.source.group_property_mappings.all().select_subclasses()
+        qs = qs.order_by("name")
+        return PropertyMappingManager(
+            qs,
+            self.source.property_mapping_type,
+            ["source", "properties"] + context_keys,
+        )
+
+    def get_base_properties(
+        self, object_type: type[User | Group], **kwargs
+    ) -> dict[str, Any | dict[str, Any]]:
+        """Get base properties for a user or a group to build final properties upon."""
+        if object_type == User:
+            properties = self.source.get_base_user_properties(**kwargs)
+            properties.setdefault("path", self.source.get_user_path())
+            return properties
+        if object_type == Group:
+            return self.source.get_base_group_properties(**kwargs)
+        return {}
+
+    def build_object_properties(
+        self,
+        object_type: type[User | Group],
+        manager: "PropertyMappingManager | None" = None,
+        user: User | None = None,
+        request: HttpRequest | None = None,
+        **kwargs,
+    ) -> dict[str, Any | dict[str, Any]]:
+        """Build a user or group properties from the source configured property mappings."""
+
+        properties = self.get_base_properties(object_type, **kwargs)
+        if "attributes" not in properties:
+            properties["attributes"] = {}
+
+        if not manager:
+            manager = self.get_manager(object_type, list(kwargs.keys()))
+        evaluations = manager.iter_eval(
+            user=user,
+            request=request,
+            return_mapping=True,
+            source=self.source,
+            properties=properties,
+            **kwargs,
+        )
+        while True:
+            try:
+                value, mapping = next(evaluations)
+            except StopIteration:
+                break
+            except PropertyMappingExpressionException as exc:
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message=f"Failed to evaluate property mapping: '{exc.mapping.name}'",
+                    source=self,
+                    mapping=exc.mapping,
+                ).save()
+                LOGGER.warning(
+                    "Mapping failed to evaluate",
+                    exc=exc,
+                    source=self,
+                    mapping=exc.mapping,
+                )
+                raise exc
+
+            if not value or not isinstance(value, dict):
+                LOGGER.debug(
+                    "Mapping evaluated to None or is not a dict. Skipping",
+                    source=self,
+                    mapping=mapping,
+                )
+                continue
+
+            MERGE_LIST_UNIQUE.merge(properties, value)
+
+        return delete_none_values(properties)

authentik/core/templates/base/skeleton.html

@@ -4,7 +4,7 @@
 
 <!DOCTYPE html>
 
-<html lang="en">
+<html>
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">

authentik/core/tests/test_source_flow_manager.py

@@ -38,7 +38,9 @@ class TestSourceFlowManager(TestCase):
     def test_unauthenticated_enroll(self):
         """Test un-authenticated user enrolling"""
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
         response = flow_manager.get_flow()
@@ -52,7 +54,9 @@ class TestSourceFlowManager(TestCase):
             user=get_anonymous_user(), source=self.source, identifier=self.identifier
         )
         request = get_request("/", user=AnonymousUser())
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.AUTH)
         response = flow_manager.get_flow()
@@ -64,7 +68,9 @@ class TestSourceFlowManager(TestCase):
         """Test authenticated user linking"""
         user = User.objects.create(username="foo", email="foo@bar.baz")
         request = get_request("/", user=user)
-        flow_manager = OAuthSourceFlowManager(self.source, request, self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, request, self.identifier, {"info": {}}, {}
+        )
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -77,7 +83,9 @@ class TestSourceFlowManager(TestCase):
 
     def test_unauthenticated_link(self):
         """Test un-authenticated user linking"""
-        flow_manager = OAuthSourceFlowManager(self.source, get_request("/"), self.identifier, {})
+        flow_manager = OAuthSourceFlowManager(
+            self.source, get_request("/"), self.identifier, {"info": {}}, {}
+        )
         action, connection = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
         self.assertIsNone(connection.pk)
@@ -90,7 +98,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without email, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -100,7 +108,12 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"email": "foo@bar.baz"},
+            {
+                "info": {
+                    "email": "foo@bar.baz",
+                },
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -113,7 +126,7 @@ class TestSourceFlowManager(TestCase):
 
         # Without username, deny
         flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -123,7 +136,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.LINK)
@@ -140,8 +156,11 @@ class TestSourceFlowManager(TestCase):
             get_request("/", user=AnonymousUser()),
             self.identifier,
             {
-                "username": "bar",
+                "info": {
+                    "username": "bar",
+                },
             },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -151,7 +170,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.DENY)
@@ -165,7 +187,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)
@@ -191,7 +216,10 @@ class TestSourceFlowManager(TestCase):
             self.source,
             get_request("/", user=AnonymousUser()),
             self.identifier,
-            {"username": "foo"},
+            {
+                "info": {"username": "foo"},
+            },
+            {},
         )
         action, _ = flow_manager.get_action()
         self.assertEqual(action, Action.ENROLL)

authentik/core/tests/test_source_flow_manager_group_update_stage.py

@@ -0,0 +1,237 @@
+"""Test Source flow_manager group update stage"""
+
+from django.test import RequestFactory
+
+from authentik.core.models import Group, SourceGroupMatchingModes
+from authentik.core.sources.flow_manager import PLAN_CONTEXT_SOURCE_GROUPS, GroupUpdateStage
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.flows.models import in_memory_stage
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, PLAN_CONTEXT_SOURCE, FlowPlan
+from authentik.flows.tests import FlowTestCase
+from authentik.flows.views.executor import FlowExecutorView
+from authentik.lib.generators import generate_id
+from authentik.sources.oauth.models import GroupOAuthSourceConnection, OAuthSource
+
+
+class TestSourceFlowManager(FlowTestCase):
+    """Test Source flow_manager group update stage"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.factory = RequestFactory()
+        self.authentication_flow = create_test_flow()
+        self.enrollment_flow = create_test_flow()
+        self.source: OAuthSource = OAuthSource.objects.create(
+            name=generate_id(),
+            slug=generate_id(),
+            authentication_flow=self.authentication_flow,
+            enrollment_flow=self.enrollment_flow,
+        )
+        self.identifier = generate_id()
+        self.user = create_test_admin_user()
+
+    def test_nonexistant_group(self):
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_nonexistant_group_name_link(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_existant_group_name_link(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+        group = Group.objects.create(name="group 1")
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
+        )
+
+    def test_nonexistant_group_name_deny(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
+        self.source.save()
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertTrue(Group.objects.filter(name="group 1").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertTrue(
+            GroupOAuthSourceConnection.objects.filter(
+                group=Group.objects.get(name="group 1"), source=self.source
+            ).exists()
+        )
+
+    def test_existant_group_name_deny(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_DENY
+        self.source.save()
+        group = Group.objects.create(name="group 1")
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "group 1": {
+                                "name": "group 1",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertFalse(stage.handle_groups())
+        self.assertFalse(self.user.ak_groups.filter(name="group 1").exists())
+        self.assertFalse(
+            GroupOAuthSourceConnection.objects.filter(group=group, source=self.source).exists()
+        )
+
+    def test_group_updates(self):
+        self.source.group_matching_mode = SourceGroupMatchingModes.NAME_LINK
+        self.source.save()
+
+        other_group = Group.objects.create(name="other group")
+        old_group = Group.objects.create(name="old group")
+        new_group = Group.objects.create(name="new group")
+        self.user.ak_groups.set([other_group, old_group])
+        GroupOAuthSourceConnection.objects.create(
+            group=old_group, source=self.source, identifier=old_group.name
+        )
+        GroupOAuthSourceConnection.objects.create(
+            group=new_group, source=self.source, identifier=new_group.name
+        )
+
+        request = self.factory.get("/")
+        stage = GroupUpdateStage(
+            FlowExecutorView(
+                current_stage=in_memory_stage(
+                    GroupUpdateStage, group_connection_type=GroupOAuthSourceConnection
+                ),
+                plan=FlowPlan(
+                    flow_pk=generate_id(),
+                    context={
+                        PLAN_CONTEXT_SOURCE: self.source,
+                        PLAN_CONTEXT_PENDING_USER: self.user,
+                        PLAN_CONTEXT_SOURCE_GROUPS: {
+                            "new group": {
+                                "name": "new group",
+                            },
+                        },
+                    },
+                ),
+            ),
+            request=request,
+        )
+        self.assertTrue(stage.handle_groups())
+        self.assertFalse(self.user.ak_groups.filter(name="old group").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="other group").exists())
+        self.assertTrue(self.user.ak_groups.filter(name="new group").exists())
+        self.assertEqual(self.user.ak_groups.count(), 2)

authentik/core/tests/test_source_property_mappings.py

@@ -0,0 +1,72 @@
+"""Test Source Property mappings"""
+
+from django.test import TestCase
+
+from authentik.core.models import Group, PropertyMapping, Source, User
+from authentik.core.sources.mapper import SourceMapper
+from authentik.lib.generators import generate_id
+
+
+class ProxySource(Source):
+    @property
+    def property_mapping_type(self):
+        return PropertyMapping
+
+    def get_base_user_properties(self, **kwargs):
+        return {
+            "username": kwargs.get("username", None),
+            "email": kwargs.get("email", "default@authentik"),
+        }
+
+    def get_base_group_properties(self, **kwargs):
+        return {"name": kwargs.get("name", None)}
+
+    class Meta:
+        proxy = True
+
+
+class TestSourcePropertyMappings(TestCase):
+    """Test Source PropertyMappings"""
+
+    def test_base_properties(self):
+        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
+        mapper = SourceMapper(source)
+
+        user_base_properties = mapper.get_base_properties(User, username="test1")
+        self.assertEqual(
+            user_base_properties,
+            {
+                "username": "test1",
+                "email": "default@authentik",
+                "path": f"goauthentik.io/sources/{source.slug}",
+            },
+        )
+
+        group_base_properties = mapper.get_base_properties(Group)
+        self.assertEqual(group_base_properties, {"name": None})
+
+    def test_build_properties(self):
+        source = ProxySource.objects.create(name=generate_id(), slug=generate_id(), enabled=True)
+        mapper = SourceMapper(source)
+
+        source.user_property_mappings.add(
+            PropertyMapping.objects.create(
+                name=generate_id(),
+                expression="""
+                    return {"username": data.get("username", None), "email": None}
+                """,
+            )
+        )
+
+        properties = mapper.build_object_properties(
+            object_type=User, user=None, request=None, username="test1", data={"username": "test2"}
+        )
+
+        self.assertEqual(
+            properties,
+            {
+                "username": "test2",
+                "path": f"goauthentik.io/sources/{source.slug}",
+                "attributes": {},
+            },
+        )

authentik/core/urls.py

@@ -6,7 +6,6 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
-from django.views.generic import RedirectView
 
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@@ -18,9 +17,13 @@ from authentik.core.api.sources import SourceViewSet, UserSourceConnectionViewSe
 from authentik.core.api.tokens import TokenViewSet
 from authentik.core.api.transactional_applications import TransactionalApplicationView
 from authentik.core.api.users import UserViewSet
-from authentik.core.views import apps
+from authentik.core.views.apps import RedirectToAppLaunch
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import InterfaceView
+from authentik.core.views.interface import (
+    BrandDefaultRedirectView,
+    InterfaceView,
+    RootRedirectView,
+)
 from authentik.core.views.session import EndSessionView
 from authentik.flows.views.interface import FlowInterfaceView
 from authentik.root.asgi_middleware import SessionMiddleware
@@ -30,26 +33,24 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
     path(
         "",
-        login_required(
-            RedirectView.as_view(pattern_name="authentik_core:if-user", query_string=True)
-        ),
+        login_required(RootRedirectView.as_view()),
         name="root-redirect",
     ),
     path(
-        # We have to use this format since everything else uses applications/o or applications/saml
+        # We have to use this format since everything else uses application/o or application/saml
         "application/launch/<slug:application_slug>/",
-        apps.RedirectToAppLaunch.as_view(),
+        RedirectToAppLaunch.as_view(),
         name="application-launch",
     ),
     # Interfaces
     path(
         "if/admin/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/admin.html")),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
         name="if-admin",
     ),
     path(
         "if/user/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/user.html")),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
         name="if-user",
     ),
     path(

authentik/core/views/apps.py

@@ -8,7 +8,6 @@ from django.views import View
 from authentik.core.models import Application
 from authentik.flows.challenge import (
     ChallengeResponse,
-    ChallengeTypes,
     HttpChallengeResponse,
     RedirectChallenge,
 )
@@ -74,7 +73,6 @@ class RedirectToAppStage(ChallengeStageView):
             raise Http404
         return RedirectChallenge(
             instance={
-                "type": ChallengeTypes.REDIRECT.value,
                 "to": launch,
             }
         )

authentik/core/views/interface.py

@@ -3,13 +3,42 @@
 from json import dumps
 from typing import Any
 
-from django.views.generic.base import TemplateView
+from django.http import HttpRequest
+from django.http.response import HttpResponse
+from django.shortcuts import redirect
+from django.utils.translation import gettext as _
+from django.views.generic.base import RedirectView, TemplateView
 from rest_framework.request import Request
 
 from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
+from authentik.brands.models import Brand
+from authentik.core.models import UserTypes
+from authentik.policies.denied import AccessDeniedResponse
+
+
+class RootRedirectView(RedirectView):
+    """Root redirect view, redirect to brand's default application if set"""
+
+    pattern_name = "authentik_core:if-user"
+    query_string = True
+
+    def redirect_to_app(self, request: HttpRequest):
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+            brand: Brand = request.brand
+            if brand.default_application:
+                return redirect(
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+        return None
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        if redirect_response := RootRedirectView().redirect_to_app(request):
+            return redirect_response
+        return super().dispatch(request, *args, **kwargs)
 
 
 class InterfaceView(TemplateView):
@@ -23,3 +52,20 @@ class InterfaceView(TemplateView):
         kwargs["build"] = get_build_hash()
         kwargs["url_kwargs"] = self.kwargs
         return super().get_context_data(**kwargs)
+
+
+class BrandDefaultRedirectView(InterfaceView):
+    """By default redirect to default app"""
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+            brand: Brand = request.brand
+            if brand.default_application:
+                return redirect(
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+            response = AccessDeniedResponse(self.request)
+            response.error_message = _("Interface can only be accessed by internal users.")
+            return response
+        return super().dispatch(request, *args, **kwargs)

authentik/crypto/builder.py

@@ -76,7 +76,7 @@ class CertificateBuilder:
             .subject_name(
                 x509.Name(
                     [
-                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name),
+                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name[:64]),
                         x509.NameAttribute(NameOID.ORGANIZATION_NAME, "authentik"),
                         x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"),
                     ]

authentik/enterprise/providers/rac/api/connection_tokens.py

@@ -34,6 +34,12 @@ class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
         ]
 
 
+class ConnectionTokenOwnerFilter(OwnerFilter):
+    """Owner filter for connection tokens (checks session's user)"""
+
+    owner_key = "session__user"
+
+
 class ConnectionTokenViewSet(
     mixins.RetrieveModelMixin,
     mixins.UpdateModelMixin,
@@ -50,4 +56,9 @@ class ConnectionTokenViewSet(
     search_fields = ["endpoint__name", "provider__name"]
     ordering = ["endpoint__name", "provider__name"]
     permission_classes = [OwnerSuperuserPermissions]
-    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
+    filter_backends = [
+        ConnectionTokenOwnerFilter,
+        DjangoFilterBackend,
+        OrderingFilter,
+        SearchFilter,
+    ]

authentik/enterprise/providers/rac/signals.py

@@ -21,6 +21,8 @@ from authentik.enterprise.providers.rac.models import ConnectionToken, Endpoint
 @receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: User, **_):
     """Disconnect any open RAC connections"""
+    if not request.session or not request.session.session_key:
+        return
     layer = get_channel_layer()
     async_to_sync(layer.group_send)(
         RAC_CLIENT_GROUP_SESSION

authentik/enterprise/providers/rac/urls.py

@@ -5,7 +5,6 @@ from channels.sessions import CookieMiddleware
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
 
-from authentik.core.channels import TokenOutpostMiddleware
 from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet
 from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet
 from authentik.enterprise.providers.rac.api.property_mappings import RACPropertyMappingViewSet
@@ -13,6 +12,7 @@ from authentik.enterprise.providers.rac.api.providers import RACProviderViewSet
 from authentik.enterprise.providers.rac.consumer_client import RACClientConsumer
 from authentik.enterprise.providers.rac.consumer_outpost import RACOutpostConsumer
 from authentik.enterprise.providers.rac.views import RACInterface, RACStartView
+from authentik.outposts.channels import TokenOutpostMiddleware
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.middleware import ChannelsLoggingMiddleware
 

authentik/events/context_processors/asn.py

@@ -5,7 +5,7 @@ from typing import TYPE_CHECKING, Optional, TypedDict
 from django.http import HttpRequest
 from geoip2.errors import GeoIP2Error
 from geoip2.models import ASN
-from sentry_sdk import Hub
+from sentry_sdk import start_span
 
 from authentik.events.context_processors.mmdb import MMDBContextProcessor
 from authentik.lib.config import CONFIG
@@ -48,7 +48,7 @@ class ASNContextProcessor(MMDBContextProcessor):
 
     def asn(self, ip_address: str) -> ASN | None:
         """Wrapper for Reader.asn"""
-        with Hub.current.start_span(
+        with start_span(
             op="authentik.events.asn.asn",
             description=ip_address,
         ):

authentik/events/context_processors/geoip.py

@@ -5,7 +5,7 @@ from typing import TYPE_CHECKING, Optional, TypedDict
 from django.http import HttpRequest
 from geoip2.errors import GeoIP2Error
 from geoip2.models import City
-from sentry_sdk.hub import Hub
+from sentry_sdk import start_span
 
 from authentik.events.context_processors.mmdb import MMDBContextProcessor
 from authentik.lib.config import CONFIG
@@ -49,7 +49,7 @@ class GeoIPContextProcessor(MMDBContextProcessor):
 
     def city(self, ip_address: str) -> City | None:
         """Wrapper for Reader.city"""
-        with Hub.current.start_span(
+        with start_span(
             op="authentik.events.geo.city",
             description=ip_address,
         ):

authentik/events/middleware.py

@@ -35,6 +35,7 @@ IGNORED_MODELS = tuple(
 
 _CTX_OVERWRITE_USER = ContextVar[User | None]("authentik_events_log_overwrite_user", default=None)
 _CTX_IGNORE = ContextVar[bool]("authentik_events_log_ignore", default=False)
+_CTX_REQUEST = ContextVar[HttpRequest | None]("authentik_events_log_request", default=None)
 
 
 def should_log_model(model: Model) -> bool:
@@ -149,11 +150,13 @@ class AuditMiddleware:
         m2m_changed.disconnect(dispatch_uid=request.request_id)
 
     def __call__(self, request: HttpRequest) -> HttpResponse:
+        _CTX_REQUEST.set(request)
         self.connect(request)
 
         response = self.get_response(request)
 
         self.disconnect(request)
+        _CTX_REQUEST.set(None)
         return response
 
     def process_exception(self, request: HttpRequest, exception: Exception):
@@ -167,7 +170,7 @@ class AuditMiddleware:
             thread = EventNewThread(
                 EventAction.SUSPICIOUS_REQUEST,
                 request,
-                message=str(exception),
+                message=exception_to_string(exception),
             )
             thread.run()
         elif before_send({}, {"exc_info": (None, exception, None)}) is not None:
@@ -192,6 +195,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
+        if request.request_id != _CTX_REQUEST.get().request_id:
+            return
         user = self.get_user(request)
 
         action = EventAction.MODEL_CREATED if created else EventAction.MODEL_UPDATED
@@ -205,6 +210,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
+        if request.request_id != _CTX_REQUEST.get().request_id:
+            return
         user = self.get_user(request)
 
         EventNewThread(
@@ -230,6 +237,8 @@ class AuditMiddleware:
             return
         if _CTX_IGNORE.get():
             return
+        if request.request_id != _CTX_REQUEST.get().request_id:
+            return
         user = self.get_user(request)
 
         EventNewThread(

authentik/events/models.py

@@ -238,6 +238,8 @@ class Event(SerializerModel, ExpiringModel):
                 "args": cleanse_dict(QueryDict(request.META.get("QUERY_STRING", ""))),
                 "user_agent": request.META.get("HTTP_USER_AGENT", ""),
             }
+            if hasattr(request, "request_id"):
+                self.context["http_request"]["request_id"] = request.request_id
             # Special case for events created during flow execution
             # since they keep the http query within a wrapped query
             if QS_QUERY in self.context["http_request"]["args"]:

authentik/flows/challenge.py

@@ -32,14 +32,6 @@ class FlowLayout(models.TextChoices):
     SIDEBAR_RIGHT = "sidebar_right"
 
 
-class ChallengeTypes(Enum):
-    """Currently defined challenge types"""
-
-    NATIVE = "native"
-    SHELL = "shell"
-    REDIRECT = "redirect"
-
-
 class ErrorDetailSerializer(PassiveSerializer):
     """Serializer for rest_framework's error messages"""
 
@@ -60,9 +52,6 @@ class Challenge(PassiveSerializer):
     """Challenge that gets sent to the client based on which stage
     is currently active"""
 
-    type = ChoiceField(
-        choices=[(x.value, x.name) for x in ChallengeTypes],
-    )
     flow_info = ContextualFlowInfo(required=False)
     component = CharField(default="")
 
@@ -96,7 +85,6 @@ class FlowErrorChallenge(Challenge):
     """Challenge class when an unhandled error occurs during a stage. Normal users
     are shown an error message, superusers are shown a full stacktrace."""
 
-    type = CharField(default=ChallengeTypes.NATIVE.value)
     component = CharField(default="ak-stage-flow-error")
 
     request_id = CharField()

authentik/flows/migrations/0027_auto_20231028_1424.py

@@ -21,7 +21,9 @@ def set_oobe_flow_authentication(apps: Apps, schema_editor: BaseDatabaseSchemaEd
         pass
 
     if users.exists():
-        Flow.objects.filter(slug="initial-setup").update(authentication="require_superuser")
+        Flow.objects.using(db_alias).filter(slug="initial-setup").update(
+            authentication="require_superuser"
+        )
 
 
 class Migration(migrations.Migration):

authentik/flows/planner.py

@@ -5,7 +5,7 @@ from typing import Any
 
 from django.core.cache import cache
 from django.http import HttpRequest
-from sentry_sdk.hub import Hub
+from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
 
@@ -151,9 +151,7 @@ class FlowPlanner:
     def plan(self, request: HttpRequest, default_context: dict[str, Any] | None = None) -> FlowPlan:
         """Check each of the flows' policies, check policies for each stage with PolicyBinding
         and return ordered list"""
-        with Hub.current.start_span(
-            op="authentik.flow.planner.plan", description=self.flow.slug
-        ) as span:
+        with start_span(op="authentik.flow.planner.plan", description=self.flow.slug) as span:
             span: Span
             span.set_data("flow", self.flow)
             span.set_data("request", request)
@@ -218,7 +216,7 @@ class FlowPlanner:
         """Build flow plan by checking each stage in their respective
         order and checking the applied policies"""
         with (
-            Hub.current.start_span(
+            start_span(
                 op="authentik.flow.planner.build_plan",
                 description=self.flow.slug,
             ) as span,

authentik/flows/stage.py

@@ -10,7 +10,7 @@ from django.urls import reverse
 from django.views.generic.base import View
 from prometheus_client import Histogram
 from rest_framework.request import Request
-from sentry_sdk.hub import Hub
+from sentry_sdk import start_span
 from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.core.models import User
@@ -18,7 +18,6 @@ from authentik.flows.challenge import (
     AccessDeniedChallenge,
     Challenge,
     ChallengeResponse,
-    ChallengeTypes,
     ContextualFlowInfo,
     HttpChallengeResponse,
     RedirectChallenge,
@@ -124,7 +123,7 @@ class ChallengeStageView(StageView):
                 )
                 return self.executor.restart_flow(keep_context)
             with (
-                Hub.current.start_span(
+                start_span(
                     op="authentik.flow.stage.challenge_invalid",
                     description=self.__class__.__name__,
                 ),
@@ -134,7 +133,7 @@ class ChallengeStageView(StageView):
             ):
                 return self.challenge_invalid(challenge)
         with (
-            Hub.current.start_span(
+            start_span(
                 op="authentik.flow.stage.challenge_valid",
                 description=self.__class__.__name__,
             ),
@@ -160,7 +159,7 @@ class ChallengeStageView(StageView):
 
     def _get_challenge(self, *args, **kwargs) -> Challenge:
         with (
-            Hub.current.start_span(
+            start_span(
                 op="authentik.flow.stage.get_challenge",
                 description=self.__class__.__name__,
             ),
@@ -173,7 +172,7 @@ class ChallengeStageView(StageView):
             except StageInvalidException as exc:
                 self.logger.debug("Got StageInvalidException", exc=exc)
                 return self.executor.stage_invalid()
-        with Hub.current.start_span(
+        with start_span(
             op="authentik.flow.stage._get_challenge",
             description=self.__class__.__name__,
         ):
@@ -244,7 +243,6 @@ class AccessDeniedChallengeView(ChallengeStageView):
         return AccessDeniedChallenge(
             data={
                 "error_message": str(self.error_message or "Unknown error"),
-                "type": ChallengeTypes.NATIVE.value,
                 "component": "ak-stage-access-denied",
             }
         )
@@ -264,7 +262,6 @@ class RedirectStage(ChallengeStageView):
         )
         return RedirectChallenge(
             data={
-                "type": ChallengeTypes.REDIRECT.value,
                 "to": destination,
             }
         )

authentik/flows/tests/__init__.py

@@ -8,7 +8,6 @@ from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
 from authentik.core.models import User
-from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import Flow
 
 
@@ -26,7 +25,6 @@ class FlowTestCase(APITestCase):
         self.assertEqual(response.status_code, 200)
         raw_response = loads(response.content.decode())
         self.assertIsNotNone(raw_response["component"])
-        self.assertIsNotNone(raw_response["type"])
         if flow:
             self.assertIn("flow_info", raw_response)
             self.assertEqual(raw_response["flow_info"]["background"], flow.background_url)
@@ -46,6 +44,4 @@ class FlowTestCase(APITestCase):
 
     def assertStageRedirects(self, response: HttpResponse, to: str) -> dict[str, Any]:
         """Wrapper around assertStageResponse that checks for a redirect"""
-        return self.assertStageResponse(
-            response, component="xak-flow-redirect", to=to, type=ChallengeTypes.REDIRECT.value
-        )
+        return self.assertStageResponse(response, component="xak-flow-redirect", to=to)

authentik/flows/tests/test_challenges.py

@@ -2,7 +2,7 @@
 
 from django.test import TestCase
 
-from authentik.flows.challenge import AutosubmitChallenge, ChallengeTypes
+from authentik.flows.challenge import AutosubmitChallenge
 
 
 class TestChallenges(TestCase):
@@ -12,7 +12,6 @@ class TestChallenges(TestCase):
         """Test blank autosubmit"""
         challenge = AutosubmitChallenge(
             data={
-                "type": ChallengeTypes.NATIVE.value,
                 "url": "http://localhost",
                 "attrs": {},
             }
@@ -21,7 +20,6 @@ class TestChallenges(TestCase):
         # Test with an empty value
         challenge = AutosubmitChallenge(
             data={
-                "type": ChallengeTypes.NATIVE.value,
                 "url": "http://localhost",
                 "attrs": {"foo": ""},
             }

authentik/flows/tests/test_inspector.py

@@ -7,7 +7,6 @@ from django.urls.base import reverse
 from rest_framework.test import APITestCase
 
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import FlowDesignation, FlowStageBinding, InvalidResponseAction
 from authentik.stages.dummy.models import DummyStage
 from authentik.stages.identification.models import IdentificationStage, UserFields
@@ -46,6 +45,7 @@ class TestFlowInspector(APITestCase):
         self.assertJSONEqual(
             res.content,
             {
+                "allow_show_password": False,
                 "component": "ak-stage-identification",
                 "flow_info": {
                     "background": flow.background_url,
@@ -54,7 +54,6 @@ class TestFlowInspector(APITestCase):
                     "layout": "stacked",
                 },
                 "flow_designation": "authentication",
-                "type": ChallengeTypes.NATIVE.value,
                 "password_fields": False,
                 "primary_action": "Log in",
                 "sources": [],

authentik/flows/views/executor.py

@@ -18,9 +18,8 @@ from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, PolymorphicProxySerializer, extend_schema
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
-from sentry_sdk import capture_exception
+from sentry_sdk import capture_exception, start_span
 from sentry_sdk.api import set_tag
-from sentry_sdk.hub import Hub
 from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.brands.models import Brand
@@ -30,7 +29,6 @@ from authentik.flows.apps import HIST_FLOW_EXECUTION_STAGE_TIME
 from authentik.flows.challenge import (
     Challenge,
     ChallengeResponse,
-    ChallengeTypes,
     FlowErrorChallenge,
     HttpChallengeResponse,
     RedirectChallenge,
@@ -155,9 +153,7 @@ class FlowExecutorView(APIView):
         return plan
 
     def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
-        with Hub.current.start_span(
-            op="authentik.flow.executor.dispatch", description=self.flow.slug
-        ) as span:
+        with start_span(op="authentik.flow.executor.dispatch", description=self.flow.slug) as span:
             span.set_data("authentik Flow", self.flow.slug)
             get_params = QueryDict(request.GET.get(QS_QUERY, ""))
             if QS_KEY_TOKEN in get_params:
@@ -275,7 +271,7 @@ class FlowExecutorView(APIView):
         )
         try:
             with (
-                Hub.current.start_span(
+                start_span(
                     op="authentik.flow.executor.stage",
                     description=class_path,
                 ) as span,
@@ -326,7 +322,7 @@ class FlowExecutorView(APIView):
         )
         try:
             with (
-                Hub.current.start_span(
+                start_span(
                     op="authentik.flow.executor.stage",
                     description=class_path,
                 ) as span,
@@ -552,7 +548,6 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
         return HttpChallengeResponse(
             RedirectChallenge(
                 {
-                    "type": ChallengeTypes.REDIRECT,
                     "to": str(redirect_url),
                 }
             )
@@ -561,7 +556,6 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
         return HttpChallengeResponse(
             ShellChallenge(
                 {
-                    "type": ChallengeTypes.SHELL,
                     "body": source.render().content.decode("utf-8"),
                 }
             )
@@ -571,7 +565,6 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
         return HttpChallengeResponse(
             ShellChallenge(
                 {
-                    "type": ChallengeTypes.SHELL,
                     "body": source.content.decode("utf-8"),
                 }
             )

authentik/lib/avatars.py

@@ -13,7 +13,7 @@ from lxml import etree  # nosec
 from lxml.etree import Element, SubElement  # nosec
 from requests.exceptions import ConnectionError, HTTPError, RequestException, Timeout
 
-from authentik.lib.config import get_path_from_dict
+from authentik.lib.utils.dict import get_path_from_dict
 from authentik.lib.utils.http import get_http_session
 from authentik.tenants.utils import get_current_tenant
 

authentik/lib/config.py

@@ -19,6 +19,8 @@ from urllib.parse import quote_plus, urlparse
 import yaml
 from django.conf import ImproperlyConfigured
 
+from authentik.lib.utils.dict import get_path_from_dict, set_path_in_dict
+
 SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] + glob(
     "/etc/authentik/config.d/*.yml", recursive=True
 )
@@ -47,29 +49,6 @@ DEPRECATIONS = {
 }
 
 
-def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
-    """Recursively walk through `root`, checking each part of `path` separated by `sep`.
-    If at any point a dict does not exist, return default"""
-    for comp in path.split(sep):
-        if root and comp in root:
-            root = root.get(comp)
-        else:
-            return default
-    return root
-
-
-def set_path_in_dict(root: dict, path: str, value: Any, sep="."):
-    """Recursively walk through `root`, checking each part of `path` separated by `sep`
-    and setting the last value to `value`"""
-    # Walk each component of the path
-    path_parts = path.split(sep)
-    for comp in path_parts[:-1]:
-        if comp not in root:
-            root[comp] = {}
-        root = root.get(comp, {})
-    root[path_parts[-1]] = value
-
-
 @dataclass(slots=True)
 class Attr:
     """Single configuration attribute"""

authentik/lib/expression/evaluator.py

@@ -13,7 +13,7 @@ from django.core.exceptions import FieldError
 from django.utils.text import slugify
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.serializers import ValidationError
-from sentry_sdk.hub import Hub
+from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger
 
@@ -195,7 +195,7 @@ class BaseEvaluator:
         """Parse and evaluate expression. If the syntax is incorrect, a SyntaxError is raised.
         If any exception is raised during execution, it is raised.
         The result is returned without any type-checking."""
-        with Hub.current.start_span(op="authentik.lib.evaluator.evaluate") as span:
+        with start_span(op="authentik.lib.evaluator.evaluate") as span:
             span: Span
             span.description = self._filename
             span.set_data("expression", expression_source)

authentik/lib/sentry.py

@@ -68,7 +68,7 @@ def sentry_init(**sentry_init_kwargs):
         integrations=[
             ArgvIntegration(),
             StdlibIntegration(),
-            DjangoIntegration(transaction_style="function_name"),
+            DjangoIntegration(transaction_style="function_name", cache_spans=True),
             CeleryIntegration(),
             RedisIntegration(),
             ThreadingIntegration(propagate_hub=True),

authentik/lib/sync/mapper.py

@@ -20,6 +20,10 @@ class PropertyMappingManager:
 
     _evaluators: list[PropertyMappingEvaluator]
 
+    globals: dict
+
+    __has_compiled: bool
+
     def __init__(
         self,
         qs: QuerySet[PropertyMapping],
@@ -30,10 +34,11 @@ class PropertyMappingManager:
         # we need a list of all parameter names that will be used during evaluation
         context_keys: list[str],
     ) -> None:
-        self.query_set = qs
+        self.query_set = qs.order_by("name")
         self.mapping_subclass = mapping_subclass
         self.context_keys = context_keys
-        self.compile()
+        self.globals = {}
+        self.__has_compiled = False
 
     def compile(self):
         self._evaluators = []
@@ -43,6 +48,7 @@ class PropertyMappingManager:
             evaluator = PropertyMappingEvaluator(
                 mapping, **{key: None for key in self.context_keys}
             )
+            evaluator._globals.update(self.globals)
             # Compile and cache expression
             evaluator.compile()
             self._evaluators.append(evaluator)
@@ -56,6 +62,9 @@ class PropertyMappingManager:
     ) -> Generator[tuple[dict, PropertyMapping], None]:
         """Iterate over all mappings that were pre-compiled and
         execute all of them with the given context"""
+        if not self.__has_compiled:
+            self.compile()
+            self.__has_compiled = True
         for mapping in self._evaluators:
             mapping.set_context(user, request, **kwargs)
             try:

authentik/lib/sync/outgoing/signals.py

@@ -2,6 +2,7 @@ from collections.abc import Callable
 
 from django.core.paginator import Paginator
 from django.db.models import Model
+from django.db.models.query import Q
 from django.db.models.signals import m2m_changed, post_save, pre_delete
 
 from authentik.core.models import Group, User
@@ -34,7 +35,9 @@ def register_signals(
 
     def model_post_save(sender: type[Model], instance: User | Group, created: bool, **_):
         """Post save handler"""
-        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
+        if not provider_type.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ).exists():
             return
         task_sync_direct.delay(class_to_path(instance.__class__), instance.pk, Direction.add.value)
 
@@ -43,7 +46,9 @@ def register_signals(
 
     def model_pre_delete(sender: type[Model], instance: User | Group, **_):
         """Pre-delete handler"""
-        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
+        if not provider_type.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ).exists():
             return
         task_sync_direct.delay(
             class_to_path(instance.__class__), instance.pk, Direction.remove.value
@@ -58,7 +63,9 @@ def register_signals(
         """Sync group membership"""
         if action not in ["post_add", "post_remove"]:
             return
-        if not provider_type.objects.filter(backchannel_application__isnull=False).exists():
+        if not provider_type.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ).exists():
             return
         # reverse: instance is a Group, pk_set is a list of user pks
         # non-reverse: instance is a User, pk_set is a list of groups

authentik/lib/sync/outgoing/tasks.py

@@ -5,6 +5,7 @@ from celery.exceptions import Retry
 from celery.result import allow_join_result
 from django.core.paginator import Paginator
 from django.db.models import Model, QuerySet
+from django.db.models.query import Q
 from django.utils.text import slugify
 from django.utils.translation import gettext_lazy as _
 from structlog.stdlib import BoundLogger, get_logger
@@ -37,7 +38,9 @@ class SyncTasks:
         self._provider_model = provider_model
 
     def sync_all(self, single_sync: Callable[[int], None]):
-        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
+        for provider in self._provider_model.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ):
             self.trigger_single_task(provider, single_sync)
 
     def trigger_single_task(self, provider: OutgoingSyncProvider, sync_task: Callable[[int], None]):
@@ -62,7 +65,8 @@ class SyncTasks:
             provider_pk=provider_pk,
         )
         provider = self._provider_model.objects.filter(
-            pk=provider_pk, backchannel_application__isnull=False
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False),
+            pk=provider_pk,
         ).first()
         if not provider:
             return
@@ -204,7 +208,9 @@ class SyncTasks:
         if not instance:
             return
         operation = Direction(raw_op)
-        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
+        for provider in self._provider_model.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ):
             client = provider.client_for_model(instance.__class__)
             # Check if the object is allowed within the provider's restrictions
             queryset = provider.get_object_qs(instance.__class__)
@@ -223,6 +229,8 @@ class SyncTasks:
                     client.delete(instance)
             except TransientSyncException as exc:
                 raise Retry() from exc
+            except SkipObjectException:
+                continue
             except StopSync as exc:
                 self.logger.warning(exc, provider_pk=provider.pk)
 
@@ -233,7 +241,9 @@ class SyncTasks:
         group = Group.objects.filter(pk=group_pk).first()
         if not group:
             return
-        for provider in self._provider_model.objects.filter(backchannel_application__isnull=False):
+        for provider in self._provider_model.objects.filter(
+            Q(backchannel_application__isnull=False) | Q(application__isnull=False)
+        ):
             # Check if the object is allowed within the provider's restrictions
             queryset: QuerySet = provider.get_object_qs(Group)
             # The queryset we get from the provider must include the instance we've got given
@@ -251,5 +261,7 @@ class SyncTasks:
                 client.update_group(group, operation, pk_set)
             except TransientSyncException as exc:
                 raise Retry() from exc
+            except SkipObjectException:
+                continue
             except StopSync as exc:
                 self.logger.warning(exc, provider_pk=provider.pk)

authentik/lib/utils/dict.py

@@ -0,0 +1,24 @@
+from typing import Any
+
+
+def get_path_from_dict(root: dict, path: str, sep=".", default=None) -> Any:
+    """Recursively walk through `root`, checking each part of `path` separated by `sep`.
+    If at any point a dict does not exist, return default"""
+    for comp in path.split(sep):
+        if root and comp in root:
+            root = root.get(comp)
+        else:
+            return default
+    return root
+
+
+def set_path_in_dict(root: dict, path: str, value: Any, sep="."):
+    """Recursively walk through `root`, checking each part of `path` separated by `sep`
+    and setting the last value to `value`"""
+    # Walk each component of the path
+    path_parts = path.split(sep)
+    for comp in path_parts[:-1]:
+        if comp not in root:
+            root[comp] = {}
+        root = root.get(comp, {})
+    root[path_parts[-1]] = value

authentik/outposts/migrations/0001_squashed_0017_outpost_managed.py

@@ -13,16 +13,17 @@ import authentik.outposts.models
 
 
 def fix_missing_token_identifier(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
     User = apps.get_model("authentik_core", "User")
     Token = apps.get_model("authentik_core", "Token")
     from authentik.outposts.models import Outpost
 
-    for outpost in Outpost.objects.using(schema_editor.connection.alias).all().only("pk"):
+    for outpost in Outpost.objects.using(db_alias).all().only("pk"):
         user_identifier = outpost.user_identifier
-        users = User.objects.filter(username=user_identifier)
+        users = User.objects.using(db_alias).filter(username=user_identifier)
         if not users.exists():
             continue
-        tokens = Token.objects.filter(user=users.first())
+        tokens = Token.objects.using(db_alias).filter(user=users.first())
         for token in tokens:
             if token.identifier != outpost.token_identifier:
                 token.identifier = outpost.token_identifier
@@ -37,8 +38,8 @@ def migrate_to_service_connection(apps: Apps, schema_editor: BaseDatabaseSchemaE
         "authentik_outposts", "KubernetesServiceConnection"
     )
 
-    docker = DockerServiceConnection.objects.filter(local=True).first()
-    k8s = KubernetesServiceConnection.objects.filter(local=True).first()
+    docker = DockerServiceConnection.objects.using(db_alias).filter(local=True).first()
+    k8s = KubernetesServiceConnection.objects.using(db_alias).filter(local=True).first()
 
     try:
         for outpost in Outpost.objects.using(db_alias).all().exclude(deployment_type="custom"):
@@ -54,21 +55,21 @@ def migrate_to_service_connection(apps: Apps, schema_editor: BaseDatabaseSchemaE
 
 
 def remove_pb_prefix_users(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    alias = schema_editor.connection.alias
+    db_alias = schema_editor.connection.alias
     User = apps.get_model("authentik_core", "User")
     Outpost = apps.get_model("authentik_outposts", "Outpost")
 
-    for outpost in Outpost.objects.using(alias).all():
-        matching = User.objects.using(alias).filter(username=f"pb-outpost-{outpost.uuid.hex}")
+    for outpost in Outpost.objects.using(db_alias).all():
+        matching = User.objects.using(db_alias).filter(username=f"pb-outpost-{outpost.uuid.hex}")
         if matching.exists():
             matching.delete()
 
 
 def update_config_prefix(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    alias = schema_editor.connection.alias
+    db_alias = schema_editor.connection.alias
     Outpost = apps.get_model("authentik_outposts", "Outpost")
 
-    for outpost in Outpost.objects.using(alias).all():
+    for outpost in Outpost.objects.using(db_alias).all():
         config = outpost._config
         for key in list(config):
             if "passbook" in key:

authentik/outposts/tests/test_ws.py

@@ -2,7 +2,6 @@
 
 from dataclasses import asdict
 
-from channels.exceptions import DenyConnection
 from channels.routing import URLRouter
 from channels.testing import WebsocketCommunicator
 from django.test import TransactionTestCase
@@ -37,9 +36,8 @@ class TestOutpostWS(TransactionTestCase):
         communicator = WebsocketCommunicator(
             URLRouter(websocket.websocket_urlpatterns), f"/ws/outpost/{self.outpost.pk}/"
         )
-        with self.assertRaises(DenyConnection):
-            connected, _ = await communicator.connect()
-            self.assertFalse(connected)
+        connected, _ = await communicator.connect()
+        self.assertFalse(connected)
 
     async def test_auth_valid(self):
         """Test auth with token"""

authentik/outposts/urls.py

@@ -2,13 +2,13 @@
 
 from django.urls import path
 
-from authentik.core.channels import TokenOutpostMiddleware
 from authentik.outposts.api.outposts import OutpostViewSet
 from authentik.outposts.api.service_connections import (
     DockerServiceConnectionViewSet,
     KubernetesServiceConnectionViewSet,
     ServiceConnectionViewSet,
 )
+from authentik.outposts.channels import TokenOutpostMiddleware
 from authentik.outposts.consumer import OutpostConsumer
 from authentik.root.middleware import ChannelsLoggingMiddleware
 

authentik/policies/engine.py

@@ -7,7 +7,7 @@ from time import perf_counter
 
 from django.core.cache import cache
 from django.http import HttpRequest
-from sentry_sdk.hub import Hub
+from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
 
@@ -111,7 +111,7 @@ class PolicyEngine:
     def build(self) -> "PolicyEngine":
         """Build wrapper which monitors performance"""
         with (
-            Hub.current.start_span(
+            start_span(
                 op="authentik.policy.engine.build",
                 description=self.__pbm,
             ) as span,

authentik/policies/geoip/api.py

@@ -0,0 +1,55 @@
+"""GeoIP Policy API Views"""
+
+from django_countries import countries
+from django_countries.serializer_fields import CountryField
+from django_countries.serializers import CountryFieldMixin
+from rest_framework import serializers
+from rest_framework.generics import ListAPIView
+from rest_framework.permissions import AllowAny
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.policies.api.policies import PolicySerializer
+from authentik.policies.geoip.models import GeoIPPolicy
+from authentik.policies.geoip.serializer_fields import DetailedCountryField
+
+
+class DetailedCountrySerializer(serializers.Serializer):
+    code = CountryField()
+    name = serializers.CharField()
+
+
+class ISO3166View(ListAPIView):
+    """Get all countries in ISO-3166-1"""
+
+    permission_classes = [AllowAny]
+    queryset = [{"code": code, "name": name} for (code, name) in countries]
+    serializer_class = DetailedCountrySerializer
+    filter_backends = []
+    pagination_class = None
+
+
+class GeoIPPolicySerializer(CountryFieldMixin, PolicySerializer):
+    """GeoIP Policy Serializer"""
+
+    countries_obj = serializers.ListField(
+        child=DetailedCountryField(), source="countries", read_only=True
+    )
+
+    class Meta:
+        model = GeoIPPolicy
+        fields = PolicySerializer.Meta.fields + [
+            "asns",
+            "countries",
+            "countries_obj",
+        ]
+
+
+class GeoIPPolicyViewSet(UsedByMixin, ModelViewSet):
+    """GeoIP Viewset"""
+
+    queryset = GeoIPPolicy.objects.all()
+    serializer_class = GeoIPPolicySerializer
+    filterset_fields = ["name"]
+    ordering = ["name"]
+    search_fields = ["name"]

authentik/policies/geoip/apps.py

@@ -0,0 +1,11 @@
+"""Authentik policy geoip app config"""
+
+from django.apps import AppConfig
+
+
+class AuthentikPolicyGeoIPConfig(AppConfig):
+    """Authentik policy_geoip app config"""
+
+    name = "authentik.policies.geoip"
+    label = "authentik_policies_geoip"
+    verbose_name = "authentik Policies.GeoIP"

authentik/policies/geoip/exceptions.py

@@ -0,0 +1,5 @@
+from authentik.lib.sentry import SentryIgnoredException
+
+
+class GeoIPNotFoundException(SentryIgnoredException):
+    """Exception raised when an IP is not found in a GeoIP database"""

authentik/policies/geoip/migrations/0001_initial.py

@@ -0,0 +1,52 @@
+# Generated by Django 5.0.7 on 2024-07-16 11:23
+
+import django.contrib.postgres.fields
+import django.db.models.deletion
+import django_countries.fields
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_policies", "0011_policybinding_failure_result_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="GeoIPPolicy",
+            fields=[
+                (
+                    "policy_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_policies.policy",
+                    ),
+                ),
+                (
+                    "asns",
+                    django.contrib.postgres.fields.ArrayField(
+                        base_field=models.IntegerField(), blank=True, default=list, size=None
+                    ),
+                ),
+                (
+                    "countries",
+                    django_countries.fields.CountryField(blank=True, max_length=746, multiple=True),
+                ),
+            ],
+            options={
+                "verbose_name": "GeoIP Policy",
+                "verbose_name_plural": "GeoIP Policies",
+                "indexes": [
+                    models.Index(fields=["policy_ptr_id"], name="authentik_p_policy__5cc4a9_idx")
+                ],
+            },
+            bases=("authentik_policies.policy",),
+        ),
+    ]

authentik/policies/geoip/models.py

@@ -0,0 +1,92 @@
+"""GeoIP policy"""
+
+from itertools import chain
+
+from django.contrib.postgres.fields import ArrayField
+from django.db import models
+from django.utils.translation import gettext as _
+from django_countries.fields import CountryField
+from rest_framework.serializers import BaseSerializer
+
+from authentik.policies.exceptions import PolicyException
+from authentik.policies.geoip.exceptions import GeoIPNotFoundException
+from authentik.policies.models import Policy
+from authentik.policies.types import PolicyRequest, PolicyResult
+
+
+class GeoIPPolicy(Policy):
+    """Ensure the user satisfies requirements of geography or network topology, based on IP
+    address."""
+
+    asns = ArrayField(models.IntegerField(), blank=True, default=list)
+    countries = CountryField(multiple=True, blank=True)
+
+    @property
+    def serializer(self) -> type[BaseSerializer]:
+        from authentik.policies.geoip.api import GeoIPPolicySerializer
+
+        return GeoIPPolicySerializer
+
+    @property
+    def component(self) -> str:  # pragma: no cover
+        return "ak-policy-geoip-form"
+
+    def passes(self, request: PolicyRequest) -> PolicyResult:
+        """
+        Passes if any of the following is true:
+        - the client IP is advertised by an autonomous system with ASN in the `asns`
+        - the client IP is geolocated in a country of `countries`
+        """
+        results: list[PolicyResult] = []
+
+        if self.asns:
+            results.append(self.passes_asn(request))
+        if self.countries:
+            results.append(self.passes_country(request))
+
+        if not results:
+            return PolicyResult(True)
+
+        passing = any(r.passing for r in results)
+        messages = chain(*[r.messages for r in results])
+
+        result = PolicyResult(passing, *messages)
+        result.source_results = results
+
+        return result
+
+    def passes_asn(self, request: PolicyRequest) -> PolicyResult:
+        # This is not a single get chain because `request.context` can contain `{ "asn": None }`.
+        asn_data = request.context.get("asn")
+        asn = asn_data.get("asn") if asn_data else None
+
+        if not asn:
+            raise PolicyException(
+                GeoIPNotFoundException(_("GeoIP: client IP not found in ASN database."))
+            )
+
+        if asn not in self.asns:
+            message = _("Client IP is not part of an allowed autonomous system.")
+            return PolicyResult(False, message)
+
+        return PolicyResult(True)
+
+    def passes_country(self, request: PolicyRequest) -> PolicyResult:
+        # This is not a single get chain because `request.context` can contain `{ "geoip": None }`.
+        geoip_data = request.context.get("geoip")
+        country = geoip_data.get("country") if geoip_data else None
+
+        if not country:
+            raise PolicyException(
+                GeoIPNotFoundException(_("GeoIP: client IP address not found in City database."))
+            )
+
+        if country not in self.countries:
+            message = _("Client IP is not in an allowed country.")
+            return PolicyResult(False, message)
+
+        return PolicyResult(True)
+
+    class Meta(Policy.PolicyMeta):
+        verbose_name = _("GeoIP Policy")
+        verbose_name_plural = _("GeoIP Policies")

authentik/policies/geoip/serializer_fields.py

@@ -0,0 +1,21 @@
+"""Workaround for https://github.com/SmileyChris/django-countries/issues/441"""
+
+from django_countries.serializer_fields import CountryField
+from drf_spectacular.utils import extend_schema_field, inline_serializer
+from rest_framework import serializers
+
+DETAILED_COUNTRY_SCHEMA = {
+    "code": CountryField(),
+    "name": serializers.CharField(),
+}
+
+
+@extend_schema_field(
+    inline_serializer(
+        "DetailedCountryField",
+        DETAILED_COUNTRY_SCHEMA,
+    )
+)
+class DetailedCountryField(CountryField):
+    def __init__(self):
+        super().__init__(country_dict=True)

authentik/policies/geoip/tests.py

@@ -0,0 +1,128 @@
+"""geoip policy tests"""
+
+from django.test import TestCase
+from guardian.shortcuts import get_anonymous_user
+
+from authentik.policies.engine import PolicyRequest, PolicyResult
+from authentik.policies.exceptions import PolicyException
+from authentik.policies.geoip.exceptions import GeoIPNotFoundException
+from authentik.policies.geoip.models import GeoIPPolicy
+
+
+class TestGeoIPPolicy(TestCase):
+    """Test GeoIP Policy"""
+
+    def setUp(self):
+        super().setUp()
+
+        self.request = PolicyRequest(get_anonymous_user())
+
+        self.context_disabled_geoip = {}
+        self.context_unknown_ip = {"asn": None, "geoip": None}
+        # 8.8.8.8
+        self.context = {
+            "asn": {"asn": 15169, "as_org": "GOOGLE", "network": "8.8.8.0/24"},
+            "geoip": {
+                "continent": "NA",
+                "country": "US",
+                "lat": 37.751,
+                "long": -97.822,
+                "city": "",
+            },
+        }
+
+        self.matching_asns = [13335, 15169]
+        self.matching_countries = ["US", "CA"]
+        self.mismatching_asns = [1, 2]
+        self.mismatching_countries = ["MX", "UA"]
+
+    def enrich_context_disabled_geoip(self):
+        pass
+
+    def enrich_context_unknown_ip(self):
+        self.request.context["asn"] = self.context_unknown_ip["asn"]
+        self.request.context["geoip"] = self.context_unknown_ip["geoip"]
+
+    def enrich_context(self):
+        self.request.context["asn"] = self.context["asn"]
+        self.request.context["geoip"] = self.context["geoip"]
+
+    def test_disabled_geoip(self):
+        """Test that disabled GeoIP raises PolicyException with GeoIPNotFoundException"""
+        self.enrich_context_disabled_geoip()
+        policy = GeoIPPolicy.objects.create(
+            asns=self.matching_asns, countries=self.matching_countries
+        )
+
+        with self.assertRaises(PolicyException) as cm:
+            policy.passes(self.request)
+
+        self.assertIsInstance(cm.exception.src_exc, GeoIPNotFoundException)
+
+    def test_unknown_ip(self):
+        """Test that unknown IP raises PolicyException with GeoIPNotFoundException"""
+        self.enrich_context_unknown_ip()
+        policy = GeoIPPolicy.objects.create(
+            asns=self.matching_asns, countries=self.matching_countries
+        )
+
+        with self.assertRaises(PolicyException) as cm:
+            policy.passes(self.request)
+
+        self.assertIsInstance(cm.exception.src_exc, GeoIPNotFoundException)
+
+    def test_empty_policy(self):
+        """Test that empty policy passes"""
+        self.enrich_context()
+        policy = GeoIPPolicy.objects.create()
+
+        result: PolicyResult = policy.passes(self.request)
+
+        self.assertTrue(result.passing)
+
+    def test_policy_with_matching_asns(self):
+        """Test that a policy with matching ASNs passes"""
+        self.enrich_context()
+        policy = GeoIPPolicy.objects.create(asns=self.matching_asns)
+
+        result: PolicyResult = policy.passes(self.request)
+
+        self.assertTrue(result.passing)
+
+    def test_policy_with_mismatching_asns(self):
+        """Test that a policy with mismatching ASNs fails"""
+        self.enrich_context()
+        policy = GeoIPPolicy.objects.create(asns=self.mismatching_asns)
+
+        result: PolicyResult = policy.passes(self.request)
+
+        self.assertFalse(result.passing)
+
+    def test_policy_with_matching_countries(self):
+        """Test that a policy with matching countries passes"""
+        self.enrich_context()
+        policy = GeoIPPolicy.objects.create(countries=self.matching_countries)
+
+        result: PolicyResult = policy.passes(self.request)
+
+        self.assertTrue(result.passing)
+
+    def test_policy_with_mismatching_countries(self):
+        """Test that a policy with mismatching countries fails"""
+        self.enrich_context()
+        policy = GeoIPPolicy.objects.create(countries=self.mismatching_countries)
+
+        result: PolicyResult = policy.passes(self.request)
+
+        self.assertFalse(result.passing)
+
+    def test_policy_requires_only_one_match(self):
+        """Test that a policy with one matching value passes"""
+        self.enrich_context()
+        policy = GeoIPPolicy.objects.create(
+            asns=self.mismatching_asns, countries=self.matching_countries
+        )
+
+        result: PolicyResult = policy.passes(self.request)
+
+        self.assertTrue(result.passing)

authentik/policies/geoip/urls.py

@@ -0,0 +1,10 @@
+"""API URLs"""
+
+from django.urls import path
+
+from authentik.policies.geoip.api import GeoIPPolicyViewSet, ISO3166View
+
+api_urlpatterns = [
+    ("policies/geoip", GeoIPPolicyViewSet),
+    path("policies/geoip_iso3166/", ISO3166View.as_view(), name="iso-3166-view"),
+]

authentik/policies/process.py

@@ -4,7 +4,7 @@ from multiprocessing import get_context
 from multiprocessing.connection import Connection
 
 from django.core.cache import cache
-from sentry_sdk.hub import Hub
+from sentry_sdk import start_span
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger
 
@@ -121,7 +121,7 @@ class PolicyProcess(PROCESS_CLASS):
     def profiling_wrapper(self):
         """Run with profiling enabled"""
         with (
-            Hub.current.start_span(
+            start_span(
                 op="authentik.policy.process.execute",
             ) as span,
             HIST_POLICIES_EXECUTION_TIME.labels(

authentik/providers/ldap/api.py

@@ -5,7 +5,8 @@ from django.db.models.query import Q
 from django_filters.filters import BooleanFilter
 from django_filters.filterset import FilterSet
 from rest_framework.fields import CharField, ListField, SerializerMethodField
-from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
+from rest_framework.mixins import ListModelMixin
+from rest_framework.viewsets import GenericViewSet, ModelViewSet
 
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
@@ -105,7 +106,7 @@ class LDAPOutpostConfigSerializer(ModelSerializer):
         ]
 
 
-class LDAPOutpostConfigViewSet(ReadOnlyModelViewSet):
+class LDAPOutpostConfigViewSet(ListModelMixin, GenericViewSet):
     """LDAPProvider Viewset"""
 
     queryset = LDAPProvider.objects.filter(

authentik/providers/oauth2/api/scopes.py

@@ -1,14 +1,10 @@
 """OAuth2Provider API Views"""
 
-from django_filters.filters import AllValuesMultipleFilter
-from django_filters.filterset import FilterSet
-from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import extend_schema_field
 from rest_framework.fields import CharField
 from rest_framework.serializers import ValidationError
 from rest_framework.viewsets import ModelViewSet
 
-from authentik.core.api.property_mappings import PropertyMappingSerializer
+from authentik.core.api.property_mappings import PropertyMappingFilterSet, PropertyMappingSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.providers.oauth2.models import ScopeMapping
 
@@ -33,14 +29,12 @@ class ScopeMappingSerializer(PropertyMappingSerializer):
         ]
 
 
-class ScopeMappingFilter(FilterSet):
+class ScopeMappingFilter(PropertyMappingFilterSet):
     """Filter for ScopeMapping"""
 
-    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
-
-    class Meta:
+    class Meta(PropertyMappingFilterSet.Meta):
         model = ScopeMapping
-        fields = ["scope_name", "name", "managed"]
+        fields = PropertyMappingFilterSet.Meta.fields + ["scope_name"]
 
 
 class ScopeMappingViewSet(UsedByMixin, ModelViewSet):

authentik/providers/oauth2/apps.py

@@ -1,9 +1,9 @@
 """authentik oauth provider app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikProviderOAuth2Config(AppConfig):
+class AuthentikProviderOAuth2Config(ManagedAppConfig):
     """authentik oauth provider app config"""
 
     name = "authentik.providers.oauth2"
@@ -13,3 +13,4 @@ class AuthentikProviderOAuth2Config(AppConfig):
         "authentik.providers.oauth2.urls_root": "",
         "authentik.providers.oauth2.urls": "application/o/",
     }
+    default = True

authentik/providers/oauth2/models.py

@@ -22,6 +22,7 @@ from jwt import encode
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
+from authentik.brands.models import WebfingerProvider
 from authentik.core.models import ExpiringModel, PropertyMapping, Provider, User
 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.generators import generate_code_fixed_length, generate_id, generate_key
@@ -120,7 +121,7 @@ class ScopeMapping(PropertyMapping):
         verbose_name_plural = _("Scope Mappings")
 
 
-class OAuth2Provider(Provider):
+class OAuth2Provider(WebfingerProvider, Provider):
     """OAuth2 Provider for generic OAuth and OpenID Connect Applications."""
 
     client_type = models.CharField(
@@ -288,6 +289,24 @@ class OAuth2Provider(Provider):
         key, alg = self.jwt_key
         return encode(payload, key, algorithm=alg, headers=headers)
 
+    def webfinger(self, resource: str, request: HttpRequest):
+        return {
+            "subject": resource,
+            "links": [
+                {
+                    "rel": "http://openid.net/specs/connect/1.0/issuer",
+                    "href": request.build_absolute_uri(
+                        reverse(
+                            "authentik_providers_oauth2:provider-root",
+                            kwargs={
+                                "application_slug": self.application.slug,
+                            },
+                        )
+                    ),
+                },
+            ],
+        }
+
     class Meta:
         verbose_name = _("OAuth2/OpenID Provider")
         verbose_name_plural = _("OAuth2/OpenID Providers")

authentik/providers/oauth2/signals.py

@@ -0,0 +1,17 @@
+from hashlib import sha256
+
+from django.contrib.auth.signals import user_logged_out
+from django.dispatch import receiver
+from django.http import HttpRequest
+
+from authentik.core.models import User
+from authentik.providers.oauth2.models import AccessToken
+
+
+@receiver(user_logged_out)
+def user_logged_out_oauth_access_token(sender, request: HttpRequest, user: User, **_):
+    """Revoke access tokens upon user logout"""
+    if not request.session or not request.session.session_key:
+        return
+    hashed_session_key = sha256(request.session.session_key.encode("ascii")).hexdigest()
+    AccessToken.objects.filter(user=user, session_id=hashed_session_key).delete()

authentik/providers/oauth2/tests/test_authorize.py

@@ -10,7 +10,6 @@ from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.events.models import Event, EventAction
-from authentik.flows.challenge import ChallengeTypes
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.providers.oauth2.constants import TOKEN_TYPE
@@ -327,7 +326,6 @@ class TestAuthorize(OAuthTestCase):
             response.content.decode(),
             {
                 "component": "xak-flow-redirect",
-                "type": ChallengeTypes.REDIRECT.value,
                 "to": f"foo://localhost?code={code.code}&state={state}",
             },
         )
@@ -397,7 +395,6 @@ class TestAuthorize(OAuthTestCase):
                 response.content.decode(),
                 {
                     "component": "xak-flow-redirect",
-                    "type": ChallengeTypes.REDIRECT.value,
                     "to": (
                         f"http://localhost#access_token={token.token}"
                         f"&id_token={provider.encode(token.id_token.to_dict())}"
@@ -460,7 +457,6 @@ class TestAuthorize(OAuthTestCase):
                 response.content.decode(),
                 {
                     "component": "xak-flow-redirect",
-                    "type": ChallengeTypes.REDIRECT.value,
                     "to": (f"http://localhost#code={code.code}" f"&state={state}"),
                 },
             )
@@ -516,7 +512,6 @@ class TestAuthorize(OAuthTestCase):
             response.content.decode(),
             {
                 "component": "ak-stage-autosubmit",
-                "type": ChallengeTypes.NATIVE.value,
                 "url": "http://localhost",
                 "title": f"Redirecting to {app.name}...",
                 "attrs": {
@@ -564,7 +559,6 @@ class TestAuthorize(OAuthTestCase):
             response.content.decode(),
             {
                 "component": "ak-stage-autosubmit",
-                "type": ChallengeTypes.NATIVE.value,
                 "url": "http://localhost",
                 "title": f"Redirecting to {app.name}...",
                 "attrs": {