Merge remote-tracking branch 'refs/remotes/origin/web/use-oauth' into web/use-oauth-by-jens

* refs/remotes/origin/web/use-oauth:
  fix missing mappings
  add blueprints for apps
  store user data in memory
  web: use OAuth

authentik/flows/views/executor.py

@@ -16,6 +16,7 @@ from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.generic import View
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, PolymorphicProxySerializer, extend_schema
+from rest_framework.authentication import SessionAuthentication
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
 from sentry_sdk import capture_exception
@@ -23,6 +24,7 @@ from sentry_sdk.api import set_tag
 from sentry_sdk.hub import Hub
 from structlog.stdlib import BoundLogger, get_logger
 
+from authentik.api.authentication import TokenAuthentication
 from authentik.brands.models import Brand
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction, cleanse_dict
@@ -104,6 +106,10 @@ class FlowExecutorView(APIView):
     """Flow executor, passing requests to Stage Views"""
 
     permission_classes = [AllowAny]
+    authentication_classes = [
+        TokenAuthentication,
+        SessionAuthentication,
+    ]
 
     flow: Flow
 

authentik/root/settings.py

@@ -5,6 +5,7 @@ from collections import OrderedDict
 from hashlib import sha512
 from pathlib import Path
 
+import orjson
 from celery.schedules import crontab
 from django.conf import ImproperlyConfigured
 from sentry_sdk import set_tag
@@ -178,16 +179,17 @@ REST_FRAMEWORK = {
         "rest_framework.filters.OrderingFilter",
         "rest_framework.filters.SearchFilter",
     ],
-    "DEFAULT_PARSER_CLASSES": [
-        "rest_framework.parsers.JSONParser",
-    ],
     "DEFAULT_PERMISSION_CLASSES": ("authentik.rbac.permissions.ObjectPermissions",),
-    "DEFAULT_AUTHENTICATION_CLASSES": (
-        "authentik.api.authentication.TokenAuthentication",
-        "rest_framework.authentication.SessionAuthentication",
-    ),
+    "DEFAULT_AUTHENTICATION_CLASSES": ("authentik.api.authentication.TokenAuthentication",),
     "DEFAULT_RENDERER_CLASSES": [
-        "rest_framework.renderers.JSONRenderer",
+        "drf_orjson_renderer.renderers.ORJSONRenderer",
+    ],
+    "ORJSON_RENDERER_OPTIONS": [
+        orjson.OPT_NON_STR_KEYS,
+        orjson.OPT_UTC_Z,
+    ],
+    "DEFAULT_PARSER_CLASSES": [
+        "drf_orjson_renderer.parsers.ORJSONParser",
     ],
     "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
     "TEST_REQUEST_DEFAULT_FORMAT": "json",

blueprints/default/app-authentik-admin.yaml

@@ -0,0 +1,45 @@
+version: 1
+metadata:
+  name: Default - authentik Admin Interface
+entries:
+  - model: authentik_providers_oauth2.oauth2provider
+    id: provider
+    identifiers:
+      name: authentik-admin-interface
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-implicit-consent],
+        ]
+      client_type: public
+      client_id: authentik-admin-interface
+      property_mappings:
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, goauthentik.io/providers/oauth2/scope-openid],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, goauthentik.io/providers/oauth2/scope-email],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, goauthentik.io/providers/oauth2/scope-profile],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, goauthentik.io/providers/oauth2/scope-authentik_api],
+          ]
+      signing_key:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, authentik Self-signed Certificate],
+        ]
+  - model: authentik_core.application
+    identifiers:
+      slug: authentik-admin-interface
+    attrs:
+      name: authentik Admin interface
+      icon: https://goauthentik.io/img/icon.png
+      provider: !KeyOf provider

blueprints/default/app-authentik-user.yaml

@@ -0,0 +1,45 @@
+version: 1
+metadata:
+  name: Default - authentik User Interface
+entries:
+  - model: authentik_providers_oauth2.oauth2provider
+    id: provider
+    identifiers:
+      name: authentik-user-interface
+    attrs:
+      authorization_flow:
+        !Find [
+          authentik_flows.flow,
+          [slug, default-provider-authorization-implicit-consent],
+        ]
+      client_type: public
+      client_id: authentik-user-interface
+      property_mappings:
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, goauthentik.io/providers/oauth2/scope-openid],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, goauthentik.io/providers/oauth2/scope-email],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, goauthentik.io/providers/oauth2/scope-profile],
+          ]
+        - !Find [
+            authentik_providers_oauth2.scopemapping,
+            [managed, goauthentik.io/providers/oauth2/scope-authentik_api],
+          ]
+      signing_key:
+        !Find [
+          authentik_crypto.certificatekeypair,
+          [name, authentik Self-signed Certificate],
+        ]
+  - model: authentik_core.application
+    identifiers:
+      slug: authentik-user-interface
+    attrs:
+      name: authentik User interface
+      icon: https://goauthentik.io/img/icon.png
+      provider: !KeyOf provider

go.mod

@@ -23,12 +23,12 @@ require (
 	github.com/pires/go-proxyproto v0.7.0
 	github.com/prometheus/client_golang v1.19.1
 	github.com/redis/go-redis/v9 v9.5.3
-	github.com/sethvargo/go-envconfig v1.0.3
+	github.com/sethvargo/go-envconfig v1.1.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024060.5
+	goauthentik.io/api/v3 v3.2024060.6
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.21.0
 	golang.org/x/sync v0.7.0

go.sum

@@ -248,8 +248,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sethvargo/go-envconfig v1.0.3 h1:ZDxFGT1M7RPX0wgDOCdZMidrEB+NrayYr6fL0/+pk4I=
-github.com/sethvargo/go-envconfig v1.0.3/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
+github.com/sethvargo/go-envconfig v1.1.0 h1:cWZiJxeTm7AlCvzGXrEXaSTCNgip5oJepekh/BOQuog=
+github.com/sethvargo/go-envconfig v1.1.0/go.mod h1:JLd0KFWQYzyENqnEPWWZ49i4vzZo/6nRidxI8YvGiHw=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@@ -294,8 +294,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2024060.5 h1:AjvPUZoObk7a86ZZaz2tmruteY+1vAEfVzIOzQpWSXM=
-goauthentik.io/api/v3 v3.2024060.5/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024060.6 h1:6xN5GXv9G2w6JlqdtSo5p/lBmvBwbNGRTbBwSr1EOKU=
+goauthentik.io/api/v3 v3.2024060.6/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=

poetry.lock

@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.2 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand.
 
 [[package]]
 name = "aiohttp"
@@ -639,13 +639,13 @@ zstd = ["zstandard (==0.22.0)"]
 
 [[package]]
 name = "certifi"
-version = "2024.2.2"
+version = "2024.7.4"
 description = "Python package for providing Mozilla's CA Bundle."
 optional = false
 python-versions = ">=3.6"
 files = [
-    {file = "certifi-2024.2.2-py3-none-any.whl", hash = "sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1"},
-    {file = "certifi-2024.2.2.tar.gz", hash = "sha256:0569859f95fc761b18b45ef421b1290a0f65f147e92a1e5eb3e635f9a5e4e66f"},
+    {file = "certifi-2024.7.4-py3-none-any.whl", hash = "sha256:c198e21b1289c2ab85ee4e67bb4b4ef3ead0892059901a8d5b622f24a1101e90"},
+    {file = "certifi-2024.7.4.tar.gz", hash = "sha256:5a1e7645bc0ec61a09e26c36f6106dd4cf40c6db3a1fb6352b0244e7fb057c7b"},
 ]
 
 [[package]]
@@ -1446,6 +1446,22 @@ docs = ["sphinx", "sphinx-rtd-theme"]
 release = ["bump-my-version", "twine"]
 tests = ["black", "django-stubs[compatible-mypy]", "djangorestframework-stubs[compatible-mypy]", "flake8", "fqdn", "idna", "isoduration", "isort", "jsonpointer", "mypy", "pytest", "pytest-django", "rfc3339-validator", "rfc3987", "tox", "types-jsonschema", "uri-template", "webcolors"]
 
+[[package]]
+name = "drf-orjson-renderer"
+version = "1.7.2"
+description = "Django RestFramework JSON Renderer Backed by orjson"
+optional = false
+python-versions = ">=3.6.0"
+files = [
+    {file = "drf_orjson_renderer-1.7.2-py3-none-any.whl", hash = "sha256:4fbf6f91d7032fbf23e31837e4c5cf6950af4e588bf34e9feadc809c67977657"},
+    {file = "drf_orjson_renderer-1.7.2.tar.gz", hash = "sha256:b8a47c38a6eeaf5ffc7a5d53d028b95fa8b340999507681e403a599f0a3be456"},
+]
+
+[package.dependencies]
+django = ">=3.2"
+djangorestframework = "*"
+orjson = ">=3.3.0"
+
 [[package]]
 name = "drf-spectacular"
 version = "0.27.2"
@@ -3018,6 +3034,61 @@ files = [
 [package.dependencies]
 opentelemetry-api = "1.25.0"
 
+[[package]]
+name = "orjson"
+version = "3.10.3"
+description = "Fast, correct Python JSON library supporting dataclasses, datetimes, and numpy"
+optional = false
+python-versions = ">=3.8"
+files = [
+    {file = "orjson-3.10.3-cp310-cp310-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:9fb6c3f9f5490a3eb4ddd46fc1b6eadb0d6fc16fb3f07320149c3286a1409dd8"},
+    {file = "orjson-3.10.3-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:252124b198662eee80428f1af8c63f7ff077c88723fe206a25df8dc57a57b1fa"},
+    {file = "orjson-3.10.3-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:9f3e87733823089a338ef9bbf363ef4de45e5c599a9bf50a7a9b82e86d0228da"},
+    {file = "orjson-3.10.3-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c8334c0d87103bb9fbbe59b78129f1f40d1d1e8355bbed2ca71853af15fa4ed3"},
+    {file = "orjson-3.10.3-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1952c03439e4dce23482ac846e7961f9d4ec62086eb98ae76d97bd41d72644d7"},
+    {file = "orjson-3.10.3-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:c0403ed9c706dcd2809f1600ed18f4aae50be263bd7112e54b50e2c2bc3ebd6d"},
+    {file = "orjson-3.10.3-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:382e52aa4270a037d41f325e7d1dfa395b7de0c367800b6f337d8157367bf3a7"},
+    {file = "orjson-3.10.3-cp310-none-win32.whl", hash = "sha256:be2aab54313752c04f2cbaab4515291ef5af8c2256ce22abc007f89f42f49109"},
+    {file = "orjson-3.10.3-cp310-none-win_amd64.whl", hash = "sha256:416b195f78ae461601893f482287cee1e3059ec49b4f99479aedf22a20b1098b"},
+    {file = "orjson-3.10.3-cp311-cp311-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:73100d9abbbe730331f2242c1fc0bcb46a3ea3b4ae3348847e5a141265479700"},
+    {file = "orjson-3.10.3-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:544a12eee96e3ab828dbfcb4d5a0023aa971b27143a1d35dc214c176fdfb29b3"},
+    {file = "orjson-3.10.3-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:520de5e2ef0b4ae546bea25129d6c7c74edb43fc6cf5213f511a927f2b28148b"},
+    {file = "orjson-3.10.3-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:ccaa0a401fc02e8828a5bedfd80f8cd389d24f65e5ca3954d72c6582495b4bcf"},
+    {file = "orjson-3.10.3-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9a7bc9e8bc11bac40f905640acd41cbeaa87209e7e1f57ade386da658092dc16"},
+    {file = "orjson-3.10.3-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:3582b34b70543a1ed6944aca75e219e1192661a63da4d039d088a09c67543b08"},
+    {file = "orjson-3.10.3-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:1c23dfa91481de880890d17aa7b91d586a4746a4c2aa9a145bebdbaf233768d5"},
+    {file = "orjson-3.10.3-cp311-none-win32.whl", hash = "sha256:1770e2a0eae728b050705206d84eda8b074b65ee835e7f85c919f5705b006c9b"},
+    {file = "orjson-3.10.3-cp311-none-win_amd64.whl", hash = "sha256:93433b3c1f852660eb5abdc1f4dd0ced2be031ba30900433223b28ee0140cde5"},
+    {file = "orjson-3.10.3-cp312-cp312-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:a39aa73e53bec8d410875683bfa3a8edf61e5a1c7bb4014f65f81d36467ea098"},
+    {file = "orjson-3.10.3-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0943a96b3fa09bee1afdfccc2cb236c9c64715afa375b2af296c73d91c23eab2"},
+    {file = "orjson-3.10.3-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e852baafceff8da3c9defae29414cc8513a1586ad93e45f27b89a639c68e8176"},
+    {file = "orjson-3.10.3-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:18566beb5acd76f3769c1d1a7ec06cdb81edc4d55d2765fb677e3eaa10fa99e0"},
+    {file = "orjson-3.10.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1bd2218d5a3aa43060efe649ec564ebedec8ce6ae0a43654b81376216d5ebd42"},
+    {file = "orjson-3.10.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:cf20465e74c6e17a104ecf01bf8cd3b7b252565b4ccee4548f18b012ff2f8069"},
+    {file = "orjson-3.10.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:ba7f67aa7f983c4345eeda16054a4677289011a478ca947cd69c0a86ea45e534"},
+    {file = "orjson-3.10.3-cp312-none-win32.whl", hash = "sha256:17e0713fc159abc261eea0f4feda611d32eabc35708b74bef6ad44f6c78d5ea0"},
+    {file = "orjson-3.10.3-cp312-none-win_amd64.whl", hash = "sha256:4c895383b1ec42b017dd2c75ae8a5b862fc489006afde06f14afbdd0309b2af0"},
+    {file = "orjson-3.10.3-cp38-cp38-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:be2719e5041e9fb76c8c2c06b9600fe8e8584e6980061ff88dcbc2691a16d20d"},
+    {file = "orjson-3.10.3-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cb0175a5798bdc878956099f5c54b9837cb62cfbf5d0b86ba6d77e43861bcec2"},
+    {file = "orjson-3.10.3-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:978be58a68ade24f1af7758626806e13cff7748a677faf95fbb298359aa1e20d"},
+    {file = "orjson-3.10.3-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:16bda83b5c61586f6f788333d3cf3ed19015e3b9019188c56983b5a299210eb5"},
+    {file = "orjson-3.10.3-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4ad1f26bea425041e0a1adad34630c4825a9e3adec49079b1fb6ac8d36f8b754"},
+    {file = "orjson-3.10.3-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:9e253498bee561fe85d6325ba55ff2ff08fb5e7184cd6a4d7754133bd19c9195"},
+    {file = "orjson-3.10.3-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:0a62f9968bab8a676a164263e485f30a0b748255ee2f4ae49a0224be95f4532b"},
+    {file = "orjson-3.10.3-cp38-none-win32.whl", hash = "sha256:8d0b84403d287d4bfa9bf7d1dc298d5c1c5d9f444f3737929a66f2fe4fb8f134"},
+    {file = "orjson-3.10.3-cp38-none-win_amd64.whl", hash = "sha256:8bc7a4df90da5d535e18157220d7915780d07198b54f4de0110eca6b6c11e290"},
+    {file = "orjson-3.10.3-cp39-cp39-macosx_10_15_x86_64.macosx_11_0_arm64.macosx_10_15_universal2.whl", hash = "sha256:9059d15c30e675a58fdcd6f95465c1522b8426e092de9fff20edebfdc15e1cb0"},
+    {file = "orjson-3.10.3-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8d40c7f7938c9c2b934b297412c067936d0b54e4b8ab916fd1a9eb8f54c02294"},
+    {file = "orjson-3.10.3-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d4a654ec1de8fdaae1d80d55cee65893cb06494e124681ab335218be6a0691e7"},
+    {file = "orjson-3.10.3-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:831c6ef73f9aa53c5f40ae8f949ff7681b38eaddb6904aab89dca4d85099cb78"},
+    {file = "orjson-3.10.3-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:99b880d7e34542db89f48d14ddecbd26f06838b12427d5a25d71baceb5ba119d"},
+    {file = "orjson-3.10.3-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:2e5e176c994ce4bd434d7aafb9ecc893c15f347d3d2bbd8e7ce0b63071c52e25"},
+    {file = "orjson-3.10.3-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:b69a58a37dab856491bf2d3bbf259775fdce262b727f96aafbda359cb1d114d8"},
+    {file = "orjson-3.10.3-cp39-none-win32.whl", hash = "sha256:b8d4d1a6868cde356f1402c8faeb50d62cee765a1f7ffcfd6de732ab0581e063"},
+    {file = "orjson-3.10.3-cp39-none-win_amd64.whl", hash = "sha256:5102f50c5fc46d94f2033fe00d392588564378260d64377aec702f21a7a22912"},
+    {file = "orjson-3.10.3.tar.gz", hash = "sha256:2b166507acae7ba2f7c315dcf185a9111ad5e992ac81f2d507aac39193c2c818"},
+]
+
 [[package]]
 name = "outcome"
 version = "1.3.0.post0"
@@ -4077,29 +4148,29 @@ pyasn1 = ">=0.1.3"
 
 [[package]]
 name = "ruff"
-version = "0.5.0"
+version = "0.5.1"
 description = "An extremely fast Python linter and code formatter, written in Rust."
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "ruff-0.5.0-py3-none-linux_armv6l.whl", hash = "sha256:ee770ea8ab38918f34e7560a597cc0a8c9a193aaa01bfbd879ef43cb06bd9c4c"},
-    {file = "ruff-0.5.0-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:38f3b8327b3cb43474559d435f5fa65dacf723351c159ed0dc567f7ab735d1b6"},
-    {file = "ruff-0.5.0-py3-none-macosx_11_0_arm64.whl", hash = "sha256:7594f8df5404a5c5c8f64b8311169879f6cf42142da644c7e0ba3c3f14130370"},
-    {file = "ruff-0.5.0-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:adc7012d6ec85032bc4e9065110df205752d64010bed5f958d25dbee9ce35de3"},
-    {file = "ruff-0.5.0-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:d505fb93b0fabef974b168d9b27c3960714d2ecda24b6ffa6a87ac432905ea38"},
-    {file = "ruff-0.5.0-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9dc5cfd3558f14513ed0d5b70ce531e28ea81a8a3b1b07f0f48421a3d9e7d80a"},
-    {file = "ruff-0.5.0-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:db3ca35265de239a1176d56a464b51557fce41095c37d6c406e658cf80bbb362"},
-    {file = "ruff-0.5.0-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b1a321c4f68809fddd9b282fab6a8d8db796b270fff44722589a8b946925a2a8"},
-    {file = "ruff-0.5.0-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2c4dfcd8d34b143916994b3876b63d53f56724c03f8c1a33a253b7b1e6bf2a7d"},
-    {file = "ruff-0.5.0-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:81e5facfc9f4a674c6a78c64d38becfbd5e4f739c31fcd9ce44c849f1fad9e4c"},
-    {file = "ruff-0.5.0-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:e589e27971c2a3efff3fadafb16e5aef7ff93250f0134ec4b52052b673cf988d"},
-    {file = "ruff-0.5.0-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:d2ffbc3715a52b037bcb0f6ff524a9367f642cdc5817944f6af5479bbb2eb50e"},
-    {file = "ruff-0.5.0-py3-none-musllinux_1_2_i686.whl", hash = "sha256:cd096e23c6a4f9c819525a437fa0a99d1c67a1b6bb30948d46f33afbc53596cf"},
-    {file = "ruff-0.5.0-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:46e193b36f2255729ad34a49c9a997d506e58f08555366b2108783b3064a0e1e"},
-    {file = "ruff-0.5.0-py3-none-win32.whl", hash = "sha256:49141d267100f5ceff541b4e06552e98527870eafa1acc9dec9139c9ec5af64c"},
-    {file = "ruff-0.5.0-py3-none-win_amd64.whl", hash = "sha256:e9118f60091047444c1b90952736ee7b1792910cab56e9b9a9ac20af94cd0440"},
-    {file = "ruff-0.5.0-py3-none-win_arm64.whl", hash = "sha256:ed5c4df5c1fb4518abcb57725b576659542bdbe93366f4f329e8f398c4b71178"},
-    {file = "ruff-0.5.0.tar.gz", hash = "sha256:eb641b5873492cf9bd45bc9c5ae5320648218e04386a5f0c264ad6ccce8226a1"},
+    {file = "ruff-0.5.1-py3-none-linux_armv6l.whl", hash = "sha256:6ecf968fcf94d942d42b700af18ede94b07521bd188aaf2cd7bc898dd8cb63b6"},
+    {file = "ruff-0.5.1-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:204fb0a472f00f2e6280a7c8c7c066e11e20e23a37557d63045bf27a616ba61c"},
+    {file = "ruff-0.5.1-py3-none-macosx_11_0_arm64.whl", hash = "sha256:d235968460e8758d1e1297e1de59a38d94102f60cafb4d5382033c324404ee9d"},
+    {file = "ruff-0.5.1-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:38beace10b8d5f9b6bdc91619310af6d63dd2019f3fb2d17a2da26360d7962fa"},
+    {file = "ruff-0.5.1-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:5e478d2f09cf06add143cf8c4540ef77b6599191e0c50ed976582f06e588c994"},
+    {file = "ruff-0.5.1-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f0368d765eec8247b8550251c49ebb20554cc4e812f383ff9f5bf0d5d94190b0"},
+    {file = "ruff-0.5.1-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:3a9a9a1b582e37669b0138b7c1d9d60b9edac880b80eb2baba6d0e566bdeca4d"},
+    {file = "ruff-0.5.1-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:bdd9f723e16003623423affabcc0a807a66552ee6a29f90eddad87a40c750b78"},
+    {file = "ruff-0.5.1-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:be9fd62c1e99539da05fcdc1e90d20f74aec1b7a1613463ed77870057cd6bd96"},
+    {file = "ruff-0.5.1-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e216fc75a80ea1fbd96af94a6233d90190d5b65cc3d5dfacf2bd48c3e067d3e1"},
+    {file = "ruff-0.5.1-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:c4c2112e9883a40967827d5c24803525145e7dab315497fae149764979ac7929"},
+    {file = "ruff-0.5.1-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:dfaf11c8a116394da3b65cd4b36de30d8552fa45b8119b9ef5ca6638ab964fa3"},
+    {file = "ruff-0.5.1-py3-none-musllinux_1_2_i686.whl", hash = "sha256:d7ceb9b2fe700ee09a0c6b192c5ef03c56eb82a0514218d8ff700f6ade004108"},
+    {file = "ruff-0.5.1-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:bac6288e82f6296f82ed5285f597713acb2a6ae26618ffc6b429c597b392535c"},
+    {file = "ruff-0.5.1-py3-none-win32.whl", hash = "sha256:5c441d9c24ec09e1cb190a04535c5379b36b73c4bc20aa180c54812c27d1cca4"},
+    {file = "ruff-0.5.1-py3-none-win_amd64.whl", hash = "sha256:b1789bf2cd3d1b5a7d38397cac1398ddf3ad7f73f4de01b1e913e2abc7dfc51d"},
+    {file = "ruff-0.5.1-py3-none-win_arm64.whl", hash = "sha256:2875b7596a740cbbd492f32d24be73e545a4ce0a3daf51e4f4e609962bfd3cd2"},
+    {file = "ruff-0.5.1.tar.gz", hash = "sha256:3164488aebd89b1745b47fd00604fb4358d774465f20d1fcd907f9c0fc1b0655"},
 ]
 
 [[package]]
@@ -5378,4 +5449,4 @@ files = [
 [metadata]
 lock-version = "2.0"
 python-versions = "~3.12"
-content-hash = "f960013b56683ab42d82f8b49b2822dffc76046e3d22695ebb737b405a98dbaf"
+content-hash = "484d2f95c5c725b76ade4455d4416be3ad6d29b1721a9367a775ecc442c7cc4b"

pyproject.toml

@@ -32,7 +32,7 @@ select = [
     "PL",
 ]
 ignore = [
-    "DJ001" # Avoid using `null=True` on string-based fields,
+    "DJ001", # Avoid using `null=True` on string-based fields,
 ]
 [tool.ruff.lint.pylint]
 max-args = 7
@@ -103,10 +103,11 @@ django-prometheus = "*"
 django-redis = "*"
 django-storages = { extras = ["s3"], version = "*" }
 # See https://github.com/django-tenants/django-tenants/pull/997
-django-tenants = { git = "https://github.com/rissson/django-tenants.git", branch="authentik-fixes" }
+django-tenants = { git = "https://github.com/rissson/django-tenants.git", branch = "authentik-fixes" }
 djangorestframework = "3.14.0"
 djangorestframework-guardian = "*"
 docker = "*"
+drf-orjson-renderer = "*"
 drf-spectacular = "*"
 dumb-init = "*"
 duo-client = "*"

web/package.json

@@ -65,6 +65,7 @@
         "lit": "^3.1.4",
         "md-front-matter": "^1.0.4",
         "mermaid": "^10.9.1",
+        "oidc-client-ts": "^2.4.0",
         "rapidoc": "^9.3.4",
         "showdown": "^2.1.0",
         "style-mod": "^4.1.2",
@@ -117,7 +118,7 @@
         "eslint-plugin-sonarjs": "^0.25.1",
         "eslint-plugin-storybook": "^0.8.0",
         "github-slugger": "^2.0.0",
-        "glob": "^10.4.2",
+        "glob": "^10.4.3",
         "lit-analyzer": "^2.0.3",
         "lockfile-lint": "^4.14.0",
         "npm-run-all": "^4.1.5",

web/sfe/package-lock.json

@@ -20,17 +20,17 @@
                 "@rollup/plugin-commonjs": "^26.0.1",
                 "@rollup/plugin-node-resolve": "^15.2.3",
                 "@rollup/plugin-swc": "^0.3.1",
-                "@swc/cli": "^0.3.14",
-                "@swc/core": "^1.6.7",
+                "@swc/cli": "^0.4.0",
+                "@swc/core": "^1.6.13",
                 "@types/jquery": "^3.5.30",
                 "rollup": "^4.18.0",
                 "rollup-plugin-copy": "^3.5.0"
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2024.6.0-1720200294",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.6.0-1720200294.tgz",
-            "integrity": "sha512-qGpI+0BpsHWlO8waj89q+6SWjVVuRtYqdmpSIrKFsZt9GLNXCvIAvgS5JI1Sq2z1uWK/8kLNZKDocI/XagqMPQ=="
+            "version": "2024.6.0-1719577139",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.6.0-1719577139.tgz",
+            "integrity": "sha512-wWRMISNz/stO2E0onPJD5/rwSaMKI77wikq1qpPZLOrQLZNZzUcnRo/ZBHa0LYgqBnnjSYBpAPLOmh9pD+HU2A=="
         },
         "node_modules/@isaacs/cliui": {
             "version": "8.0.2",
@@ -236,32 +236,6 @@
                 }
             }
         },
-        "node_modules/@rollup/rollup-android-arm-eabi": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.18.0.tgz",
-            "integrity": "sha512-Tya6xypR10giZV1XzxmH5wr25VcZSncG0pZIjfePT0OVBvqNEurzValetGNarVrGiq66EBVAFn15iYX4w6FKgQ==",
-            "cpu": [
-                "arm"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "android"
-            ]
-        },
-        "node_modules/@rollup/rollup-android-arm64": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.18.0.tgz",
-            "integrity": "sha512-avCea0RAP03lTsDhEyfy+hpfr85KfyTctMADqHVhLAF3MlIkq83CP8UfAHUssgXTYd+6er6PaAhx/QGv4L1EiA==",
-            "cpu": [
-                "arm64"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "android"
-            ]
-        },
         "node_modules/@rollup/rollup-darwin-arm64": {
             "version": "4.18.0",
             "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.18.0.tgz",
@@ -275,175 +249,6 @@
                 "darwin"
             ]
         },
-        "node_modules/@rollup/rollup-darwin-x64": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.18.0.tgz",
-            "integrity": "sha512-n2LMsUz7Ynu7DoQrSQkBf8iNrjOGyPLrdSg802vk6XT3FtsgX6JbE8IHRvposskFm9SNxzkLYGSq9QdpLYpRNA==",
-            "cpu": [
-                "x64"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "darwin"
-            ]
-        },
-        "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.18.0.tgz",
-            "integrity": "sha512-C/zbRYRXFjWvz9Z4haRxcTdnkPt1BtCkz+7RtBSuNmKzMzp3ZxdM28Mpccn6pt28/UWUCTXa+b0Mx1k3g6NOMA==",
-            "cpu": [
-                "arm"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "linux"
-            ]
-        },
-        "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.18.0.tgz",
-            "integrity": "sha512-l3m9ewPgjQSXrUMHg93vt0hYCGnrMOcUpTz6FLtbwljo2HluS4zTXFy2571YQbisTnfTKPZ01u/ukJdQTLGh9A==",
-            "cpu": [
-                "arm"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "linux"
-            ]
-        },
-        "node_modules/@rollup/rollup-linux-arm64-gnu": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.18.0.tgz",
-            "integrity": "sha512-rJ5D47d8WD7J+7STKdCUAgmQk49xuFrRi9pZkWoRD1UeSMakbcepWXPF8ycChBoAqs1pb2wzvbY6Q33WmN2ftw==",
-            "cpu": [
-                "arm64"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "linux"
-            ]
-        },
-        "node_modules/@rollup/rollup-linux-arm64-musl": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.18.0.tgz",
-            "integrity": "sha512-be6Yx37b24ZwxQ+wOQXXLZqpq4jTckJhtGlWGZs68TgdKXJgw54lUUoFYrg6Zs/kjzAQwEwYbp8JxZVzZLRepQ==",
-            "cpu": [
-                "arm64"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "linux"
-            ]
-        },
-        "node_modules/@rollup/rollup-linux-powerpc64le-gnu": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-powerpc64le-gnu/-/rollup-linux-powerpc64le-gnu-4.18.0.tgz",
-            "integrity": "sha512-hNVMQK+qrA9Todu9+wqrXOHxFiD5YmdEi3paj6vP02Kx1hjd2LLYR2eaN7DsEshg09+9uzWi2W18MJDlG0cxJA==",
-            "cpu": [
-                "ppc64"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "linux"
-            ]
-        },
-        "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.18.0.tgz",
-            "integrity": "sha512-ROCM7i+m1NfdrsmvwSzoxp9HFtmKGHEqu5NNDiZWQtXLA8S5HBCkVvKAxJ8U+CVctHwV2Gb5VUaK7UAkzhDjlg==",
-            "cpu": [
-                "riscv64"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "linux"
-            ]
-        },
-        "node_modules/@rollup/rollup-linux-s390x-gnu": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.18.0.tgz",
-            "integrity": "sha512-0UyyRHyDN42QL+NbqevXIIUnKA47A+45WyasO+y2bGJ1mhQrfrtXUpTxCOrfxCR4esV3/RLYyucGVPiUsO8xjg==",
-            "cpu": [
-                "s390x"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "linux"
-            ]
-        },
-        "node_modules/@rollup/rollup-linux-x64-gnu": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.18.0.tgz",
-            "integrity": "sha512-xuglR2rBVHA5UsI8h8UbX4VJ470PtGCf5Vpswh7p2ukaqBGFTnsfzxUBetoWBWymHMxbIG0Cmx7Y9qDZzr648w==",
-            "cpu": [
-                "x64"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "linux"
-            ]
-        },
-        "node_modules/@rollup/rollup-linux-x64-musl": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.18.0.tgz",
-            "integrity": "sha512-LKaqQL9osY/ir2geuLVvRRs+utWUNilzdE90TpyoX0eNqPzWjRm14oMEE+YLve4k/NAqCdPkGYDaDF5Sw+xBfg==",
-            "cpu": [
-                "x64"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "linux"
-            ]
-        },
-        "node_modules/@rollup/rollup-win32-arm64-msvc": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.18.0.tgz",
-            "integrity": "sha512-7J6TkZQFGo9qBKH0pk2cEVSRhJbL6MtfWxth7Y5YmZs57Pi+4x6c2dStAUvaQkHQLnEQv1jzBUW43GvZW8OFqA==",
-            "cpu": [
-                "arm64"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "win32"
-            ]
-        },
-        "node_modules/@rollup/rollup-win32-ia32-msvc": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.18.0.tgz",
-            "integrity": "sha512-Txjh+IxBPbkUB9+SXZMpv+b/vnTEtFyfWZgJ6iyCmt2tdx0OF5WhFowLmnh8ENGNpfUlUZkdI//4IEmhwPieNg==",
-            "cpu": [
-                "ia32"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "win32"
-            ]
-        },
-        "node_modules/@rollup/rollup-win32-x64-msvc": {
-            "version": "4.18.0",
-            "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.18.0.tgz",
-            "integrity": "sha512-UOo5FdvOL0+eIVTgS4tIdbW+TtnBLWg1YBCcU2KWM7nuNwRz9bksDX1bekJJCpu25N1DVWaCwnT39dVQxzqS8g==",
-            "cpu": [
-                "x64"
-            ],
-            "dev": true,
-            "optional": true,
-            "os": [
-                "win32"
-            ]
-        },
         "node_modules/@sindresorhus/is": {
             "version": "4.6.0",
             "resolved": "https://registry.npmjs.org/@sindresorhus/is/-/is-4.6.0.tgz",
@@ -457,9 +262,9 @@
             }
         },
         "node_modules/@swc/cli": {
-            "version": "0.3.14",
-            "resolved": "https://registry.npmjs.org/@swc/cli/-/cli-0.3.14.tgz",
-            "integrity": "sha512-0vGqD6FSW67PaZUZABkA+ADKsX7OUY/PwNEz1SbQdCvVk/e4Z36Gwh7mFVBQH9RIsMonTyhV1RHkwkGnEfR3zQ==",
+            "version": "0.4.0",
+            "resolved": "https://registry.npmjs.org/@swc/cli/-/cli-0.4.0.tgz",
+            "integrity": "sha512-4JdVrPtF/4rCMXp6Q1h5I6YkYZrCCcqod7Wk97ZQq7K8vNGzJUryBv4eHCvqx5sJOJBrbYm9fcswe1B0TygNoA==",
             "dev": true,
             "dependencies": {
                 "@mole-inc/bin-wrapper": "^8.0.1",
@@ -491,9 +296,9 @@
             }
         },
         "node_modules/@swc/core": {
-            "version": "1.6.7",
-            "resolved": "https://registry.npmjs.org/@swc/core/-/core-1.6.7.tgz",
-            "integrity": "sha512-BBzORL9qWz5hZqAZ83yn+WNaD54RH5eludjqIOboolFOK/Pw+2l00/H77H4CEBJnzCIBQszsyqtITmrn4evp0g==",
+            "version": "1.6.13",
+            "resolved": "https://registry.npmjs.org/@swc/core/-/core-1.6.13.tgz",
+            "integrity": "sha512-eailUYex6fkfaQTev4Oa3mwn0/e3mQU4H8y1WPuImYQESOQDtVrowwUGDSc19evpBbHpKtwM+hw8nLlhIsF+Tw==",
             "dev": true,
             "hasInstallScript": true,
             "dependencies": {
@@ -508,16 +313,16 @@
                 "url": "https://opencollective.com/swc"
             },
             "optionalDependencies": {
-                "@swc/core-darwin-arm64": "1.6.7",
-                "@swc/core-darwin-x64": "1.6.7",
-                "@swc/core-linux-arm-gnueabihf": "1.6.7",
-                "@swc/core-linux-arm64-gnu": "1.6.7",
-                "@swc/core-linux-arm64-musl": "1.6.7",
-                "@swc/core-linux-x64-gnu": "1.6.7",
-                "@swc/core-linux-x64-musl": "1.6.7",
-                "@swc/core-win32-arm64-msvc": "1.6.7",
-                "@swc/core-win32-ia32-msvc": "1.6.7",
-                "@swc/core-win32-x64-msvc": "1.6.7"
+                "@swc/core-darwin-arm64": "1.6.13",
+                "@swc/core-darwin-x64": "1.6.13",
+                "@swc/core-linux-arm-gnueabihf": "1.6.13",
+                "@swc/core-linux-arm64-gnu": "1.6.13",
+                "@swc/core-linux-arm64-musl": "1.6.13",
+                "@swc/core-linux-x64-gnu": "1.6.13",
+                "@swc/core-linux-x64-musl": "1.6.13",
+                "@swc/core-win32-arm64-msvc": "1.6.13",
+                "@swc/core-win32-ia32-msvc": "1.6.13",
+                "@swc/core-win32-x64-msvc": "1.6.13"
             },
             "peerDependencies": {
                 "@swc/helpers": "*"
@@ -529,9 +334,9 @@
             }
         },
         "node_modules/@swc/core-darwin-arm64": {
-            "version": "1.6.7",
-            "resolved": "https://registry.npmjs.org/@swc/core-darwin-arm64/-/core-darwin-arm64-1.6.7.tgz",
-            "integrity": "sha512-sNb+ghP2OhZyUjS7E5Mf3PqSvoXJ5gY6GBaH2qp8WQxx9VL7ozC4HVo6vkeFJBN5cmYqUCLnhrM3HU4W+7yMSA==",
+            "version": "1.6.13",
+            "resolved": "https://registry.npmjs.org/@swc/core-darwin-arm64/-/core-darwin-arm64-1.6.13.tgz",
+            "integrity": "sha512-SOF4buAis72K22BGJ3N8y88mLNfxLNprTuJUpzikyMGrvkuBFNcxYtMhmomO0XHsgLDzOJ+hWzcgjRNzjMsUcQ==",
             "cpu": [
                 "arm64"
             ],
@@ -545,9 +350,9 @@
             }
         },
         "node_modules/@swc/core-darwin-x64": {
-            "version": "1.6.7",
-            "resolved": "https://registry.npmjs.org/@swc/core-darwin-x64/-/core-darwin-x64-1.6.7.tgz",
-            "integrity": "sha512-LQwYm/ATYN5fYSYVPMfComPiFo5i8jh75h1ASvNWhXtS+/+k1dq1zXTJWZRuojd5NXgW3bb6mJtJ2evwYIgYbA==",
+            "version": "1.6.13",
+            "resolved": "https://registry.npmjs.org/@swc/core-darwin-x64/-/core-darwin-x64-1.6.13.tgz",
+            "integrity": "sha512-AW8akFSC+tmPE6YQQvK9S2A1B8pjnXEINg+gGgw0KRUUXunvu1/OEOeC5L2Co1wAwhD7bhnaefi06Qi9AiwOag==",
             "cpu": [
                 "x64"
             ],
@@ -561,9 +366,9 @@
             }
         },
         "node_modules/@swc/core-linux-arm-gnueabihf": {
-            "version": "1.6.7",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm-gnueabihf/-/core-linux-arm-gnueabihf-1.6.7.tgz",
-            "integrity": "sha512-kEDzVhNci38LX3kdY99t68P2CDf+2QFDk5LawVamXH0iN5DRAO/+wjOhxL8KOHa6wQVqKEt5WrhD+Rrvk/34Yw==",
+            "version": "1.6.13",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm-gnueabihf/-/core-linux-arm-gnueabihf-1.6.13.tgz",
+            "integrity": "sha512-f4gxxvDXVUm2HLYXRd311mSrmbpQF2MZ4Ja6XCQz1hWAxXdhRl1gpnZ+LH/xIfGSwQChrtLLVrkxdYUCVuIjFg==",
             "cpu": [
                 "arm"
             ],
@@ -577,9 +382,9 @@
             }
         },
         "node_modules/@swc/core-linux-arm64-gnu": {
-            "version": "1.6.7",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-gnu/-/core-linux-arm64-gnu-1.6.7.tgz",
-            "integrity": "sha512-SyOBUGfl31xLGpIJ/Jd6GKHtkfZyHBXSwFlK7FmPN//MBQLtTBm4ZaWTnWnGo4aRsJwQdXWDKPyqlMBtnIl1nQ==",
+            "version": "1.6.13",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-gnu/-/core-linux-arm64-gnu-1.6.13.tgz",
+            "integrity": "sha512-Nf/eoW2CbG8s+9JoLtjl9FByBXyQ5cjdBsA4efO7Zw4p+YSuXDgc8HRPC+E2+ns0praDpKNZtLvDtmF2lL+2Gg==",
             "cpu": [
                 "arm64"
             ],
@@ -593,9 +398,9 @@
             }
         },
         "node_modules/@swc/core-linux-arm64-musl": {
-            "version": "1.6.7",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-musl/-/core-linux-arm64-musl-1.6.7.tgz",
-            "integrity": "sha512-1fOAXkDFbRfItEdMZPxT3du1QWYhgToa4YsnqTujjE8EqJW8K27hIcHRIkVuzp7PNhq8nLBg0JpJM4g27EWD7g==",
+            "version": "1.6.13",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-musl/-/core-linux-arm64-musl-1.6.13.tgz",
+            "integrity": "sha512-2OysYSYtdw79prJYuKIiux/Gj0iaGEbpS2QZWCIY4X9sGoETJ5iMg+lY+YCrIxdkkNYd7OhIbXdYFyGs/w5LDg==",
             "cpu": [
                 "arm64"
             ],
@@ -609,9 +414,9 @@
             }
         },
         "node_modules/@swc/core-linux-x64-gnu": {
-            "version": "1.6.7",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-gnu/-/core-linux-x64-gnu-1.6.7.tgz",
-            "integrity": "sha512-Gp7uCwPsNO5ATxbyvfTyeNCHUGD9oA+xKMm43G1tWCy+l07gLqWMKp7DIr3L3qPD05TfAVo3OuiOn2abpzOFbw==",
+            "version": "1.6.13",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-gnu/-/core-linux-x64-gnu-1.6.13.tgz",
+            "integrity": "sha512-PkR4CZYJNk5hcd2+tMWBpnisnmYsUzazI1O5X7VkIGFcGePTqJ/bWlfUIVVExWxvAI33PQFzLbzmN5scyIUyGQ==",
             "cpu": [
                 "x64"
             ],
@@ -625,9 +430,9 @@
             }
         },
         "node_modules/@swc/core-linux-x64-musl": {
-            "version": "1.6.7",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-musl/-/core-linux-x64-musl-1.6.7.tgz",
-            "integrity": "sha512-QeruGBZJ15tadqEMQ77ixT/CYGk20MtlS8wmvJiV+Wsb8gPW5LgCjtupzcLLnoQzDG54JGNCeeZ0l/T8NYsOvA==",
+            "version": "1.6.13",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-musl/-/core-linux-x64-musl-1.6.13.tgz",
+            "integrity": "sha512-OdsY7wryTxCKwGQcwW9jwWg3cxaHBkTTHi91+5nm7hFPpmZMz1HivJrWAMwVE7iXFw+M4l6ugB/wCvpYrUAAjA==",
             "cpu": [
                 "x64"
             ],
@@ -641,9 +446,9 @@
             }
         },
         "node_modules/@swc/core-win32-arm64-msvc": {
-            "version": "1.6.7",
-            "resolved": "https://registry.npmjs.org/@swc/core-win32-arm64-msvc/-/core-win32-arm64-msvc-1.6.7.tgz",
-            "integrity": "sha512-ouRqgSnT95lTCiU/6kJRNS5b1o+p8I/V9jxtL21WUj/JOVhsFmBErqQ0MZyCu514noWiR5BIqOrZXR8C1Knx6Q==",
+            "version": "1.6.13",
+            "resolved": "https://registry.npmjs.org/@swc/core-win32-arm64-msvc/-/core-win32-arm64-msvc-1.6.13.tgz",
+            "integrity": "sha512-ap6uNmYjwk9M/+bFEuWRNl3hq4VqgQ/Lk+ID/F5WGqczNr0L7vEf+pOsRAn0F6EV+o/nyb3ePt8rLhE/wjHpPg==",
             "cpu": [
                 "arm64"
             ],
@@ -657,9 +462,9 @@
             }
         },
         "node_modules/@swc/core-win32-ia32-msvc": {
-            "version": "1.6.7",
-            "resolved": "https://registry.npmjs.org/@swc/core-win32-ia32-msvc/-/core-win32-ia32-msvc-1.6.7.tgz",
-            "integrity": "sha512-eZAP/EmJ0IcfgAx6B4/SpSjq3aT8gr0ooktfMqw/w0/5lnNrbMl2v+2kvxcneNcF7bp8VNcYZnoHlsP+LvmVbA==",
+            "version": "1.6.13",
+            "resolved": "https://registry.npmjs.org/@swc/core-win32-ia32-msvc/-/core-win32-ia32-msvc-1.6.13.tgz",
+            "integrity": "sha512-IJ8KH4yIUHTnS/U1jwQmtbfQals7zWPG0a9hbEfIr4zI0yKzjd83lmtS09lm2Q24QBWOCFGEEbuZxR4tIlvfzA==",
             "cpu": [
                 "ia32"
             ],
@@ -673,9 +478,9 @@
             }
         },
         "node_modules/@swc/core-win32-x64-msvc": {
-            "version": "1.6.7",
-            "resolved": "https://registry.npmjs.org/@swc/core-win32-x64-msvc/-/core-win32-x64-msvc-1.6.7.tgz",
-            "integrity": "sha512-QOdE+7GQg1UQPS6p0KxzJOh/8GLbJ5zI1vqKArCCB0unFqUfKIjYb2TaH0geEBy3w9qtXxe3ZW6hzxtZSS9lDg==",
+            "version": "1.6.13",
+            "resolved": "https://registry.npmjs.org/@swc/core-win32-x64-msvc/-/core-win32-x64-msvc-1.6.13.tgz",
+            "integrity": "sha512-f6/sx6LMuEnbuxtiSL/EkR0Y6qUHFw1XVrh6rwzKXptTipUdOY+nXpKoh+1UsBm/r7H0/5DtOdrn3q5ZHbFZjQ==",
             "cpu": [
                 "x64"
             ],

web/sfe/package.json

@@ -19,8 +19,8 @@
         "@rollup/plugin-commonjs": "^26.0.1",
         "@rollup/plugin-node-resolve": "^15.2.3",
         "@rollup/plugin-swc": "^0.3.1",
-        "@swc/cli": "^0.3.14",
-        "@swc/core": "^1.6.7",
+        "@swc/cli": "^0.4.0",
+        "@swc/core": "^1.6.13",
         "@types/jquery": "^3.5.30",
         "rollup": "^4.18.0",
         "rollup-plugin-copy": "^3.5.0"

web/src/admin/AdminInterface/AdminInterface.ts

@@ -4,9 +4,12 @@ import {
     EVENT_API_DRAWER_TOGGLE,
     EVENT_NOTIFICATION_DRAWER_TOGGLE,
 } from "@goauthentik/common/constants";
+import { WithOAuth } from "@goauthentik/common/oauth/interface";
 import { configureSentry } from "@goauthentik/common/sentry";
 import { me } from "@goauthentik/common/users";
 import { WebsocketClient } from "@goauthentik/common/ws";
+import { OAuthLoginController } from "@goauthentik/components/oauth/controller";
+import { adminSettings } from "@goauthentik/components/oauth/settings";
 import { EnterpriseAwareInterface } from "@goauthentik/elements/Interface";
 import "@goauthentik/elements/ak-locale-context";
 import "@goauthentik/elements/enterprise/EnterpriseStatusBanner";
@@ -33,7 +36,7 @@ import { AdminApi, SessionUser, UiThemeEnum, Version } from "@goauthentik/api";
 import "./AdminSidebar";
 
 @customElement("ak-interface-admin")
-export class AdminInterface extends EnterpriseAwareInterface {
+export class AdminInterface extends WithOAuth(EnterpriseAwareInterface, adminSettings) {
     @property({ type: Boolean })
     notificationDrawerOpen = getURLParam("notificationDrawerOpen", false);
 
@@ -48,6 +51,8 @@ export class AdminInterface extends EnterpriseAwareInterface {
     @state()
     user?: SessionUser;
 
+    oauthController: OAuthLoginController;
+
     static get styles(): CSSResult[] {
         return [
             PFBase,
@@ -78,6 +83,7 @@ export class AdminInterface extends EnterpriseAwareInterface {
     constructor() {
         super();
         this.ws = new WebsocketClient();
+        this.oauthController = new OAuthLoginController(this, adminSettings);
         window.addEventListener(EVENT_NOTIFICATION_DRAWER_TOGGLE, () => {
             this.notificationDrawerOpen = !this.notificationDrawerOpen;
             updateURLParams({
@@ -92,7 +98,8 @@ export class AdminInterface extends EnterpriseAwareInterface {
         });
     }
 
-    async firstUpdated(): Promise<void> {
+    async firstUpdated(_changedProperties: Map<PropertyKey, unknown>): Promise<void> {
+        super.firstUpdated(_changedProperties);
         configureSentry(true);
         this.version = await new AdminApi(DEFAULT_CONFIG).adminVersionRetrieve();
         this.user = await me();

web/src/admin/Routes.ts

@@ -1,4 +1,7 @@
 import "@goauthentik/admin/admin-overview/AdminOverviewPage";
+import "@goauthentik/components/oauth/callback";
+import { adminSettings } from "@goauthentik/components/oauth/settings";
+import "@goauthentik/components/oauth/signout";
 import { ID_REGEX, Route, SLUG_REGEX, UUID_REGEX } from "@goauthentik/elements/router/Route";
 
 import { html } from "lit";
@@ -8,6 +11,15 @@ export const ROUTES: Route[] = [
     new Route(new RegExp("^/$")).redirect("/administration/overview"),
     new Route(new RegExp("^#.*")).redirect("/administration/overview"),
     new Route(new RegExp("^/library$")).redirect("/if/user/", true),
+    new Route(new RegExp("^/oauth-callback/(?<rest>.*)$"), async (args) => {
+        return html`<ak-oauth-callback
+            .settings=${adminSettings}
+            params=${args.rest}
+        ></ak-oauth-callback>`;
+    }),
+    new Route(new RegExp("^/oauth-signout$"), async () => {
+        return html`<ak-oauth-signout .settings=${adminSettings}></ak-oauth-signout>`;
+    }),
     // statically imported since this is the default route
     new Route(new RegExp("^/administration/overview$"), async () => {
         return html`<ak-admin-overview></ak-admin-overview>`;

web/src/common/api/config.ts

@@ -5,6 +5,7 @@ import {
 } from "@goauthentik/common/api/middleware";
 import { EVENT_LOCALE_REQUEST, VERSION } from "@goauthentik/common/constants";
 import { globalAK } from "@goauthentik/common/global";
+import { TokenMiddleware } from "@goauthentik/common/oauth-middleware.js";
 
 import { Config, Configuration, CoreApi, CurrentBrand, RootApi } from "@goauthentik/api";
 
@@ -73,6 +74,7 @@ export const DEFAULT_CONFIG = new Configuration({
         "sentry-trace": getMetaContent("sentry-trace"),
     },
     middleware: [
+        new TokenMiddleware(),
         new CSRFMiddleware(),
         new EventMiddleware(),
         new LoggingMiddleware(globalAK().brand),

web/src/common/oauth-middleware.ts

@@ -0,0 +1,15 @@
+import { adminSettings } from "@goauthentik/components/oauth/settings";
+import { UserManager } from "oidc-client-ts";
+
+import { FetchParams, Middleware, RequestContext } from "@goauthentik/api";
+
+export class TokenMiddleware implements Middleware {
+    async pre?(context: RequestContext): Promise<FetchParams | void> {
+        const user = await new UserManager(adminSettings).getUser();
+        if (user !== null) {
+            // @ts-ignore
+            context.init.headers["Authorization"] = `Bearer ${user.access_token}`;
+        }
+        return Promise.resolve(context);
+    }
+}

web/src/common/oauth/callback.ts

@@ -0,0 +1,24 @@
+import { state } from "@goauthentik/common/oauth/constants";
+import { refreshMe } from "@goauthentik/common/users";
+import { User, UserManager, UserManagerSettings } from "oidc-client-ts";
+
+import { LitElement } from "lit";
+import { customElement, property } from "lit/decorators.js";
+
+@customElement("ak-oauth-callback")
+export class OAuthCallback extends LitElement {
+    @property()
+    params?: string;
+    @property({ attribute: false })
+    settings?: UserManagerSettings;
+    async firstUpdated(): Promise<void> {
+        if (!this.settings) {
+            return;
+        }
+        const client = new UserManager(this.settings);
+        const user = (await client.signinCallback(`#${this.params}`)) as User;
+        const st = user.state as state;
+        window.location.assign(st.url);
+        refreshMe();
+    }
+}

web/src/common/oauth/constants.ts

@@ -0,0 +1,7 @@
+export class state {
+    url: string;
+
+    constructor() {
+        this.url = window.location.href;
+    }
+}

web/src/common/oauth/interface.ts

@@ -0,0 +1,34 @@
+import { state } from "@goauthentik/common/oauth/constants";
+import { AbstractConstructor } from "@goauthentik/elements/types";
+import { UserManager, UserManagerSettings } from "oidc-client-ts";
+
+import type { LitElement } from "lit";
+
+export function WithOAuth<T extends AbstractConstructor<LitElement>>(
+    superclass: T,
+    settings: UserManagerSettings,
+) {
+    abstract class OAuthInterface extends superclass {
+        private async ensureLoggedIn() {
+            const client = new UserManager(settings);
+            const user = await client.getUser();
+            if (user !== null) {
+                return;
+            }
+            if (window.location.href.startsWith(settings.redirect_uri)) {
+                return;
+            }
+            const s = new state();
+            await client.signinRedirect({
+                state: s,
+            });
+        }
+
+        async firstUpdated(_changedProperties: Map<PropertyKey, unknown>): Promise<void> {
+            await this.ensureLoggedIn();
+            await super.firstUpdated(_changedProperties);
+        }
+    }
+
+    return OAuthInterface;
+}

web/src/common/oauth/middleware.ts

@@ -0,0 +1,15 @@
+import { adminSettings } from "@goauthentik/common/oauth/settings";
+import { UserManager } from "oidc-client-ts";
+
+import { FetchParams, Middleware, RequestContext } from "@goauthentik/api";
+
+export class TokenMiddleware implements Middleware {
+    async pre?(context: RequestContext): Promise<FetchParams | void> {
+        const user = await new UserManager(adminSettings).getUser();
+        if (user !== null) {
+            // @ts-ignore
+            context.init.headers["Authorization"] = `Bearer ${user.access_token}`;
+        }
+        return Promise.resolve(context);
+    }
+}

web/src/common/oauth/settings.ts

@@ -0,0 +1,25 @@
+import { MemoryStore } from "@goauthentik/common/oauth/storage";
+import { Log, OidcClientSettings, UserManagerSettings } from "oidc-client-ts";
+
+Log.setLogger(console);
+Log.setLevel(Log.DEBUG);
+
+export const userSettings: OidcClientSettings & UserManagerSettings = {
+    authority: `${window.location.origin}/application/o/authentik-user-interface/`,
+    redirect_uri: `${window.location.origin}/if/user/#/oauth-callback/`,
+    client_id: "authentik-user-interface",
+    scope: "openid profile email goauthentik.io/api",
+    response_mode: "fragment",
+    automaticSilentRenew: true,
+    userStore: new MemoryStore(),
+};
+
+export const adminSettings: OidcClientSettings & UserManagerSettings = {
+    authority: `${window.location.origin}/application/o/authentik-admin-interface/`,
+    redirect_uri: `${window.location.origin}/if/admin/#/oauth-callback/`,
+    client_id: "authentik-admin-interface",
+    scope: "openid profile email goauthentik.io/api",
+    response_mode: "fragment",
+    automaticSilentRenew: true,
+    userStore: new MemoryStore(),
+};

web/src/common/oauth/signout.ts

@@ -0,0 +1,17 @@
+import { UserManager, UserManagerSettings } from "oidc-client-ts";
+
+import { LitElement } from "lit";
+import { customElement, property } from "lit/decorators.js";
+
+@customElement("ak-oauth-signout")
+export class OAuthSignout extends LitElement {
+    @property({ attribute: false })
+    settings?: UserManagerSettings;
+    async firstUpdated(): Promise<void> {
+        if (!this.settings) {
+            return;
+        }
+        const client = new UserManager(this.settings);
+        await client.signoutRedirect();
+    }
+}

web/src/common/oauth/storage.ts

@@ -0,0 +1,20 @@
+import { WebStorageStateStore } from "oidc-client-ts";
+
+export class MemoryStore extends WebStorageStateStore {
+    private map: Map<string, string> = new Map();
+    async set(key: string, value: string): Promise<void> {
+        this.map.set(key, value);
+    }
+    async get(key: string): Promise<string | null> {
+        const value = this.map.get(key);
+        return value ? value : null;
+    }
+    async remove(key: string): Promise<string | null> {
+        const value = await this.get(key);
+        this.map.delete(key);
+        return value;
+    }
+    async getAllKeys(): Promise<string[]> {
+        return Array.from(this.map.keys());
+    }
+}

web/src/common/users.ts

@@ -1,7 +1,7 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_LOCALE_REQUEST } from "@goauthentik/common/constants";
 
-import { CoreApi, ResponseError, SessionUser } from "@goauthentik/api";
+import { CoreApi, SessionUser } from "@goauthentik/api";
 
 let globalMePromise: Promise<SessionUser> | undefined;
 
@@ -33,7 +33,7 @@ export function me(): Promise<SessionUser> {
                 }
                 return user;
             })
-            .catch((ex: ResponseError) => {
+            .catch(() => {
                 const defaultUser: SessionUser = {
                     user: {
                         pk: -1,
@@ -48,14 +48,6 @@ export function me(): Promise<SessionUser> {
                         systemPermissions: [],
                     },
                 };
-                if (ex.response?.status === 401 || ex.response?.status === 403) {
-                    const relativeUrl = window.location
-                        .toString()
-                        .substring(window.location.origin.length);
-                    window.location.assign(
-                        `/flows/-/default/authentication/?next=${encodeURIComponent(relativeUrl)}`,
-                    );
-                }
                 return defaultUser;
             });
     }

web/src/components/oauth/callback.ts

@@ -0,0 +1,24 @@
+import { refreshMe } from "@goauthentik/common/users";
+import { state } from "@goauthentik/components/oauth/constants";
+import { User, UserManager, UserManagerSettings } from "oidc-client-ts";
+
+import { LitElement } from "lit";
+import { customElement, property } from "lit/decorators.js";
+
+@customElement("ak-oauth-callback")
+export class OAuthCallback extends LitElement {
+    @property()
+    params?: string;
+    @property({ attribute: false })
+    settings?: UserManagerSettings;
+    async firstUpdated(): Promise<void> {
+        if (!this.settings) {
+            return;
+        }
+        const client = new UserManager(this.settings);
+        const user = (await client.signinCallback(`#${this.params}`)) as User;
+        const st = user.state as state;
+        window.location.assign(st.url);
+        refreshMe();
+    }
+}

web/src/components/oauth/constants.ts

@@ -0,0 +1,7 @@
+export class state {
+    url: string;
+
+    constructor() {
+        this.url = window.location.href;
+    }
+}

web/src/components/oauth/controller.ts

@@ -0,0 +1,41 @@
+import { state } from "@goauthentik/components/oauth/constants";
+import { Interface } from "@goauthentik/elements/Interface/index.js";
+import { UserManager, UserManagerSettings } from "oidc-client-ts";
+
+import { ReactiveController, ReactiveControllerHost } from "lit";
+
+type ReactiveInterfaceHost = Partial<ReactiveControllerHost> & Interface;
+
+export class OAuthLoginController implements ReactiveController {
+    checked = false;
+
+    constructor(
+        private host: ReactiveInterfaceHost,
+        private settings: UserManagerSettings,
+    ) {
+        this.host.addController(this);
+    }
+
+    hostUpdated() {
+        if (this.checked) {
+            return;
+        }
+        this.checked = true;
+        this.ensureLoggedIn();
+    }
+
+    private async ensureLoggedIn() {
+        const client = new UserManager(this.settings);
+        const user = await client.getUser();
+        if (user !== null) {
+            return;
+        }
+        if (window.location.href.startsWith(this.settings.redirect_uri)) {
+            return;
+        }
+        const s = new state();
+        await client.signinRedirect({
+            state: s,
+        });
+    }
+}

web/src/components/oauth/settings.ts

@@ -0,0 +1,25 @@
+import { MemoryStore } from "@goauthentik/components/oauth/storage";
+import { Log, OidcClientSettings, UserManagerSettings } from "oidc-client-ts";
+
+Log.setLogger(console);
+Log.setLevel(Log.DEBUG);
+
+export const userSettings: OidcClientSettings & UserManagerSettings = {
+    authority: `${window.location.origin}/application/o/authentik-user-interface/`,
+    redirect_uri: `${window.location.origin}/if/user/#/oauth-callback/`,
+    client_id: "authentik-user-interface",
+    scope: "openid profile email goauthentik.io/api",
+    response_mode: "fragment",
+    automaticSilentRenew: true,
+    userStore: new MemoryStore(),
+};
+
+export const adminSettings: OidcClientSettings & UserManagerSettings = {
+    authority: `${window.location.origin}/application/o/authentik-admin-interface/`,
+    redirect_uri: `${window.location.origin}/if/admin/#/oauth-callback/`,
+    client_id: "authentik-admin-interface",
+    scope: "openid profile email goauthentik.io/api",
+    response_mode: "fragment",
+    automaticSilentRenew: true,
+    userStore: new MemoryStore(),
+};

web/src/components/oauth/signout.ts

@@ -0,0 +1,17 @@
+import { UserManager, UserManagerSettings } from "oidc-client-ts";
+
+import { LitElement } from "lit";
+import { customElement, property } from "lit/decorators.js";
+
+@customElement("ak-oauth-signout")
+export class OAuthSignout extends LitElement {
+    @property({ attribute: false })
+    settings?: UserManagerSettings;
+    async firstUpdated(): Promise<void> {
+        if (!this.settings) {
+            return;
+        }
+        const client = new UserManager(this.settings);
+        await client.signoutRedirect();
+    }
+}

web/src/components/oauth/storage.ts

@@ -0,0 +1,20 @@
+import { WebStorageStateStore } from "oidc-client-ts";
+
+export class MemoryStore extends WebStorageStateStore {
+    private map: Map<string, string> = new Map();
+    async set(key: string, value: string): Promise<void> {
+        this.map.set(key, value);
+    }
+    async get(key: string): Promise<string | null> {
+        const value = this.map.get(key);
+        return value ? value : null;
+    }
+    async remove(key: string): Promise<string | null> {
+        const value = await this.get(key);
+        this.map.delete(key);
+        return value;
+    }
+    async getAllKeys(): Promise<string[]> {
+        return Array.from(this.map.keys());
+    }
+}

web/src/elements/sidebar/SidebarUser.ts

@@ -47,7 +47,7 @@ export class SidebarUser extends AKElement {
                     html``,
                 )}
             </a>
-            <a href="/flows/-/default/invalidation/" class="pf-c-nav__link user-logout" id="logout">
+            <a href="#/oauth-signout" class="pf-c-nav__link user-logout" id="logout">
                 <i class="fas fa-sign-out-alt" aria-hidden="true"></i>
             </a>
         `;

web/src/user/Routes.ts

@@ -1,3 +1,6 @@
+import "@goauthentik/components/oauth/callback";
+import { userSettings } from "@goauthentik/components/oauth/settings";
+import "@goauthentik/components/oauth/signout";
 import { Route } from "@goauthentik/elements/router/Route";
 import "@goauthentik/user/LibraryPage/ak-library.js";
 
@@ -7,6 +10,15 @@ export const ROUTES: Route[] = [
     // Prevent infinite Shell loops
     new Route(new RegExp("^/$")).redirect("/library"),
     new Route(new RegExp("^#.*")).redirect("/library"),
+    new Route(new RegExp("^/oauth-callback/(?<rest>.*)$"), async (args) => {
+        return html`<ak-oauth-callback
+            .settings=${userSettings}
+            params=${args.rest}
+        ></ak-oauth-callback>`;
+    }),
+    new Route(new RegExp("^/oauth-signout$"), async () => {
+        return html`<ak-oauth-signout .settings=${userSettings}></ak-oauth-signout>`;
+    }),
     new Route(new RegExp("^/library$"), async () => html`<ak-library></ak-library>`),
     new Route(new RegExp("^/settings$"), async () => {
         await import("@goauthentik/user/user-settings/UserSettingsPage");

web/src/user/UserInterface.ts

@@ -4,14 +4,18 @@ import {
     EVENT_NOTIFICATION_DRAWER_TOGGLE,
     EVENT_WS_MESSAGE,
 } from "@goauthentik/common/constants";
+import { WithOAuth } from "@goauthentik/common/oauth/interface";
 import { configureSentry } from "@goauthentik/common/sentry";
 import { UIConfig, UserDisplay } from "@goauthentik/common/ui/config";
 import { me } from "@goauthentik/common/users";
 import { WebsocketClient } from "@goauthentik/common/ws";
+import { OAuthLoginController } from "@goauthentik/components/oauth/controller.js";
+import { userSettings } from "@goauthentik/components/oauth/settings";
 import { AKElement } from "@goauthentik/elements/Base";
 import { EnterpriseAwareInterface } from "@goauthentik/elements/Interface";
 import "@goauthentik/elements/ak-locale-context";
 import "@goauthentik/elements/buttons/ActionButton";
+import { bound } from "@goauthentik/elements/decorators/bound.js";
 import "@goauthentik/elements/enterprise/EnterpriseStatusBanner";
 import "@goauthentik/elements/messages/MessageContainer";
 import "@goauthentik/elements/notifications/APIDrawer";
@@ -206,10 +210,7 @@ class UserInterfacePresentation extends AKElement {
                             <!-- -->
                             ${this.renderSettings()}
                             <div class="pf-c-page__header-tools-item">
-                                <a
-                                    href="/flows/-/default/invalidation/"
-                                    class="pf-c-button pf-m-plain"
-                                >
+                                <a href="#/oauth-signout" class="pf-c-button pf-m-plain">
                                     <pf-tooltip position="top" content=${msg("Sign out")}>
                                         <i class="fas fa-sign-out-alt" aria-hidden="true"></i>
                                     </pf-tooltip>
@@ -384,7 +385,7 @@ class UserInterfacePresentation extends AKElement {
 //
 //
 @customElement("ak-interface-user")
-export class UserInterface extends EnterpriseAwareInterface {
+export class UserInterface extends WithOAuth(EnterpriseAwareInterface, userSettings) {
     @property({ type: Boolean })
     notificationDrawerOpen = getURLParam("notificationDrawerOpen", false);
 
@@ -399,14 +400,14 @@ export class UserInterface extends EnterpriseAwareInterface {
     @state()
     me?: SessionUser;
 
+    oauthController: OAuthLoginController;
+
     constructor() {
         super();
         this.ws = new WebsocketClient();
         this.fetchConfigurationDetails();
         configureSentry(true);
-        this.toggleNotificationDrawer = this.toggleNotificationDrawer.bind(this);
-        this.toggleApiDrawer = this.toggleApiDrawer.bind(this);
-        this.fetchConfigurationDetails = this.fetchConfigurationDetails.bind(this);
+        this.oauthController = new OAuthLoginController(this, userSettings);
     }
 
     connectedCallback() {
@@ -423,6 +424,7 @@ export class UserInterface extends EnterpriseAwareInterface {
         super.disconnectedCallback();
     }
 
+    @bound
     toggleNotificationDrawer() {
         this.notificationDrawerOpen = !this.notificationDrawerOpen;
         updateURLParams({
@@ -430,6 +432,7 @@ export class UserInterface extends EnterpriseAwareInterface {
         });
     }
 
+    @bound
     toggleApiDrawer() {
         this.apiDrawerOpen = !this.apiDrawerOpen;
         updateURLParams({
@@ -437,6 +440,7 @@ export class UserInterface extends EnterpriseAwareInterface {
         });
     }
 
+    @bound
     fetchConfigurationDetails() {
         me().then((me: SessionUser) => {
             this.me = me;

website/integrations/services/dokuwiki/index.md

@@ -38,7 +38,7 @@ For _Oauthgeneric_:
 -   plugin»oauthgeneric»tokenurl: https://authentik.company/application/o/token/
 -   plugin»oauthgeneric»userurl: https://authentik.company/application/o/userinfo/
 -   plugin»oauthgeneric»authmethod: Bearer Header
--   plugin»oauthgeneric»scopes: email, openid, profile
+-   plugin»oauthgeneric»scopes: email, openid, profile, offline_access
 -   plugin»oauthgeneric»needs-state: checked
 -   plugin»oauthgeneric»json-user: preferred_username
 -   plugin»oauthgeneric»json-name: name
@@ -60,6 +60,8 @@ In authentik, under _Providers_, create an _OAuth2/OpenID Provider_ with these s
 
 Note the _client ID_ and _client secret_, then save the provider. If you need to retrieve these values, you can do so by editing the provider.
 
+To prevent users from needing to log in again as soon as the access token expires, include the _offline_access_ scope in both authentik and DokuWiki. This scope allows DokuWiki to use refresh tokens.
+
 ### Application
 
 In authentik, create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.