idk

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2024.2.1
+current_version = 2024.2.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?

.github/ISSUE_TEMPLATE/question.md

@@ -9,7 +9,7 @@ assignees: ""
 **Describe your question/**
 A clear and concise description of what you're trying to do.
 
-**Relevant infos**
+**Relevant info**
 i.e. Version of other software you're using, specifics of your setup
 
 **Screenshots**

.github/actions/docker-push-variables/action.yml

@@ -11,6 +11,10 @@ inputs:
     description: "Docker image arch"
 
 outputs:
+  shouldBuild:
+    description: "Whether to build image or not"
+    value: ${{ steps.ev.outputs.shouldBuild }}
+
   sha:
     description: "sha"
     value: ${{ steps.ev.outputs.sha }}

.github/actions/docker-push-variables/push_vars.py

@@ -7,6 +7,8 @@ from time import time
 parser = configparser.ConfigParser()
 parser.read(".bumpversion.cfg")
 
+should_build = str(os.environ.get("DOCKER_USERNAME", None) is not None).lower()
+
 branch_name = os.environ["GITHUB_REF"]
 if os.environ.get("GITHUB_HEAD_REF", "") != "":
     branch_name = os.environ["GITHUB_HEAD_REF"]
@@ -52,6 +54,7 @@ image_main_tag = image_tags[0]
 image_tags_rendered = ",".join(image_tags)
 
 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
+    print("shouldBuild=%s" % should_build, file=_output)
     print("sha=%s" % sha, file=_output)
     print("version=%s" % version, file=_output)
     print("prerelease=%s" % prerelease, file=_output)

.github/dependabot.yml

@@ -52,6 +52,10 @@ updates:
       esbuild:
         patterns:
           - "@esbuild/*"
+      rollup:
+        patterns:
+          - "@rollup/*"
+          - "rollup-*"
   - package-ecosystem: npm
     directory: "/tests/wdio"
     schedule:

.github/workflows/ci-main.yml

@@ -7,8 +7,6 @@ on:
       - main
       - next
       - version-*
-    paths-ignore:
-      - website/**
   pull_request:
     branches:
       - main
@@ -216,7 +214,6 @@ jobs:
       # Needed to upload contianer images to ghcr.io
       packages: write
     timeout-minutes: 120
-    if: "github.repository == 'goauthentik/authentik'"
     steps:
       - uses: actions/checkout@v4
         with:
@@ -228,10 +225,13 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-server
           image-arch: ${{ matrix.arch }}
       - name: Login to Container Registry
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -247,7 +247,7 @@ jobs:
             GEOIPUPDATE_ACCOUNT_ID=${{ secrets.GEOIPUPDATE_ACCOUNT_ID }}
             GEOIPUPDATE_LICENSE_KEY=${{ secrets.GEOIPUPDATE_LICENSE_KEY }}
           tags: ${{ steps.ev.outputs.imageTags }}
-          push: true
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           cache-from: type=gha
@@ -269,6 +269,8 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-server
       - name: Comment on PR

.github/workflows/ci-outpost.yml

@@ -71,7 +71,6 @@ jobs:
     permissions:
       # Needed to upload contianer images to ghcr.io
       packages: write
-    if: "github.repository == 'goauthentik/authentik'"
     steps:
       - uses: actions/checkout@v4
         with:
@@ -83,9 +82,12 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
       - name: Login to Container Registry
+        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
@@ -98,7 +100,7 @@ jobs:
         with:
           tags: ${{ steps.ev.outputs.imageTags }}
           file: ${{ matrix.type }}.Dockerfile
-          push: true
+          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
           build-args: |
             GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
           platforms: linux/amd64,linux/arm64

.github/workflows/ci-website.yml

@@ -48,7 +48,6 @@ jobs:
       matrix:
         job:
           - build
-          - build-docs-only
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4

.github/workflows/release-publish.yml

@@ -20,6 +20,8 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/server,beryju/authentik
       - name: Docker Login Registry
@@ -72,6 +74,8 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/${{ matrix.type }},beryju/authentik-${{ matrix.type }}
       - name: make empty clients
@@ -168,6 +172,8 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/server
       - name: Get static files from docker image

.github/workflows/release-tag.yml

@@ -32,6 +32,8 @@ jobs:
       - name: prepare variables
         uses: ./.github/actions/docker-push-variables
         id: ev
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
         with:
           image-name: ghcr.io/goauthentik/server
       - name: Create Release

Dockerfile

@@ -14,9 +14,10 @@ RUN --mount=type=bind,target=/work/website/package.json,src=./website/package.js
 
 COPY ./website /work/website/
 COPY ./blueprints /work/blueprints/
+COPY ./schema.yml /work/
 COPY ./SECURITY.md /work/
 
-RUN npm run build-docs-only
+RUN npm run build-bundled
 
 # Stage 2: Build webui
 FROM --platform=${BUILDPLATFORM} docker.io/node:21 as web-builder
@@ -37,7 +38,7 @@ COPY ./gen-ts-api /work/web/node_modules/@goauthentik/api
 RUN npm run build
 
 # Stage 3: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/golang:1.22.0-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/golang:1.22.1-bookworm AS go-builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -103,9 +104,10 @@ RUN --mount=type=bind,target=./pyproject.toml,src=./pyproject.toml \
     --mount=type=cache,target=/root/.cache/pip \
     --mount=type=cache,target=/root/.cache/pypoetry \
     python -m venv /ak-root/venv/ && \
-    pip3 install --upgrade pip && \
-    pip3 install poetry && \
-    poetry install --only=main --no-ansi --no-interaction
+    bash -c "source ${VENV_PATH}/bin/activate && \
+        pip3 install --upgrade pip && \
+        pip3 install poetry && \
+        poetry install --only=main --no-ansi --no-interaction --no-root"
 
 # Stage 6: Run
 FROM docker.io/python:3.12.2-slim-bookworm AS final-image
@@ -149,7 +151,7 @@ COPY --from=go-builder /go/authentik /bin/authentik
 COPY --from=python-deps /ak-root/venv /ak-root/venv
 COPY --from=web-builder /work/web/dist/ /web/dist/
 COPY --from=web-builder /work/web/authentik/ /web/authentik/
-COPY --from=website-builder /work/website/help/ /website/help/
+COPY --from=website-builder /work/website/build/ /website/help/
 COPY --from=geoip /usr/share/GeoIP /geoip
 
 USER 1000

authentik/__init__.py

@@ -2,7 +2,7 @@
 
 from os import environ
 
-__version__ = "2024.2.1"
+__version__ = "2024.2.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/admin/api/version.py

@@ -10,7 +10,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 
 from authentik import __version__, get_build_hash
-from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
+from authentik.admin.tasks import VERSION_CACHE_KEY, VERSION_NULL, update_latest_version
 from authentik.core.api.utils import PassiveSerializer
 
 
@@ -19,6 +19,7 @@ class VersionSerializer(PassiveSerializer):
 
     version_current = SerializerMethodField()
     version_latest = SerializerMethodField()
+    version_latest_valid = SerializerMethodField()
     build_hash = SerializerMethodField()
     outdated = SerializerMethodField()
 
@@ -38,6 +39,10 @@ class VersionSerializer(PassiveSerializer):
             return __version__
         return version_in_cache
 
+    def get_version_latest_valid(self, _) -> bool:
+        """Check if latest version is valid"""
+        return cache.get(VERSION_CACHE_KEY) != VERSION_NULL
+
     def get_outdated(self, instance) -> bool:
         """Check if we're running the latest version"""
         return parse(self.get_version_current(instance)) < parse(self.get_version_latest(instance))

authentik/admin/tasks.py

@@ -18,6 +18,7 @@ from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
+VERSION_NULL = "0.0.0"
 VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
 # Chop of the first ^ because we want to search the entire string
@@ -55,7 +56,7 @@ def clear_update_notifications():
 def update_latest_version(self: SystemTask):
     """Update latest version info"""
     if CONFIG.get_bool("disable_update_check"):
-        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
+        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
         self.set_status(TaskStatus.WARNING, "Version check disabled.")
         return
     try:
@@ -82,7 +83,7 @@ def update_latest_version(self: SystemTask):
                 event_dict["message"] = f"Changelog: {match.group()}"
             Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
     except (RequestException, IndexError) as exc:
-        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
+        cache.set(VERSION_CACHE_KEY, VERSION_NULL, VERSION_CACHE_TIMEOUT)
         self.set_error(exc)
 
 

authentik/api/v3/config.py

@@ -68,7 +68,11 @@ class ConfigView(APIView):
         """Get all capabilities this server instance supports"""
         caps = []
         deb_test = settings.DEBUG or settings.TEST
-        if Path(settings.MEDIA_ROOT).is_mount() or deb_test:
+        if (
+            CONFIG.get("storage.media.backend", "file") == "s3"
+            or Path(settings.STORAGES["default"]["OPTIONS"]["location"]).is_mount()
+            or deb_test
+        ):
             caps.append(Capabilities.CAN_SAVE_MEDIA)
         for processor in get_context_processors():
             if cap := processor.capability():

authentik/brands/api.py

@@ -46,6 +46,7 @@ class BrandSerializer(ModelSerializer):
         fields = [
             "brand_uuid",
             "domain",
+            "origin",
             "default",
             "branding_title",
             "branding_logo",
@@ -56,6 +57,7 @@ class BrandSerializer(ModelSerializer):
             "flow_unenrollment",
             "flow_user_settings",
             "flow_device_code",
+            "default_application",
             "web_certificate",
             "attributes",
         ]

authentik/brands/middleware.py

@@ -1,12 +1,17 @@
 """Inject brand into current request"""
 
 from collections.abc import Callable
+from typing import TYPE_CHECKING
 
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
 from django.utils.translation import activate
 
 from authentik.brands.utils import get_brand_for_request
+from authentik.lib.config import CONFIG
+
+if TYPE_CHECKING:
+    from authentik.brands.models import Brand
 
 
 class BrandMiddleware:
@@ -25,3 +30,41 @@ class BrandMiddleware:
             if locale != "":
                 activate(locale)
         return self.get_response(request)
+
+
+class BrandHeaderMiddleware:
+    """Add headers from currently active brand"""
+
+    get_response: Callable[[HttpRequest], HttpResponse]
+    default_csp_elements: dict[str, list[str]] = {}
+
+    def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):
+        self.get_response = get_response
+        self.default_csp_elements = {
+            "style-src": ["'self'", "'unsafe-inline'"],  # Required due to Lit/ShadowDOM
+            "script-src": ["'self'", "'unsafe-inline'"],  # Required for generated scripts
+            "img-src": ["https:", "http:", "data:"],
+            "default-src": ["'self'"],
+            "object-src": ["'none'"],
+            "connect-src": ["'self'"],
+        }
+        if CONFIG.get_bool("error_reporting.enabled"):
+            self.default_csp_elements["connect-src"].append(
+                # Required for sentry (TODO: Dynamic)
+                "https://authentik.error-reporting.a7k.io"
+            )
+            if CONFIG.get_bool("debug"):
+                # Also allow spotlight sidecar connection
+                self.default_csp_elements["connect-src"].append("http://localhost:8969")
+
+    def get_csp(self, request: HttpRequest) -> str:
+        brand: "Brand" = request.brand
+        elements = self.default_csp_elements.copy()
+        if brand.origin != "":
+            elements["frame-ancestors"] = [brand.origin]
+        return ";".join(f"{attr} {" ".join(value)}" for attr, value in elements.items())
+
+    def __call__(self, request: HttpRequest) -> HttpResponse:
+        response = self.get_response(request)
+        response.headers["Content-Security-Policy"] = self.get_csp(request)
+        return response

authentik/brands/migrations/0006_brand_default_application.py

@@ -0,0 +1,26 @@
+# Generated by Django 5.0.3 on 2024-03-21 15:42
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_brands", "0005_tenantuuid_to_branduuid"),
+        ("authentik_core", "0033_alter_user_options"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="brand",
+            name="default_application",
+            field=models.ForeignKey(
+                default=None,
+                help_text="When set, external users will be redirected to this application after authenticating.",
+                null=True,
+                on_delete=django.db.models.deletion.SET_DEFAULT,
+                to="authentik_core.application",
+            ),
+        ),
+    ]

authentik/brands/migrations/0007_brand_origin.py

@@ -0,0 +1,21 @@
+# Generated by Django 5.0.3 on 2024-03-26 14:17
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_brands", "0006_brand_default_application"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="brand",
+            name="origin",
+            field=models.TextField(
+                blank=True,
+                help_text="Origin domain that activates this brand. Can be left empty to not allow any origins.",
+            ),
+        ),
+    ]

authentik/brands/models.py

@@ -23,6 +23,12 @@ class Brand(SerializerModel):
             "Domain that activates this brand. Can be a superset, i.e. `a.b` for `aa.b` and `ba.b`"
         )
     )
+    origin = models.TextField(
+        help_text=_(
+            "Origin domain that activates this brand. Can be left empty to not allow any origins."
+        ),
+        blank=True,
+    )
     default = models.BooleanField(
         default=False,
     )
@@ -51,6 +57,16 @@ class Brand(SerializerModel):
         Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
     )
 
+    default_application = models.ForeignKey(
+        "authentik_core.Application",
+        null=True,
+        default=None,
+        on_delete=models.SET_DEFAULT,
+        help_text=_(
+            "When set, external users will be redirected to this application after authenticating."
+        ),
+    )
+
     web_certificate = models.ForeignKey(
         CertificateKeyPair,
         null=True,

authentik/brands/utils.py

@@ -1,11 +1,15 @@
 """Brand utilities"""
 
 from typing import Any
+from urllib.parse import urlparse
 
 from django.db.models import F, Q
 from django.db.models import Value as V
+from django.http import HttpResponse
 from django.http.request import HttpRequest
+from django.utils.cache import patch_vary_headers
 from sentry_sdk.hub import Hub
+from structlog.stdlib import get_logger
 
 from authentik import get_full_version
 from authentik.brands.models import Brand
@@ -13,13 +17,17 @@ from authentik.tenants.models import Tenant
 
 _q_default = Q(default=True)
 DEFAULT_BRAND = Brand(domain="fallback")
+LOGGER = get_logger()
 
 
 def get_brand_for_request(request: HttpRequest) -> Brand:
     """Get brand object for current request"""
+    query = Q(host_domain__iendswith=F("domain"))
+    if "Origin" in request.headers:
+        query &= Q(Q(origin=request.headers.get("Origin", "")) | Q(origin=""))
     db_brands = (
         Brand.objects.annotate(host_domain=V(request.get_host()))
-        .filter(Q(host_domain__iendswith=F("domain")) | _q_default)
+        .filter(Q(query) | _q_default)
         .order_by("default")
     )
     brands = list(db_brands.all())
@@ -42,3 +50,46 @@ def context_processor(request: HttpRequest) -> dict[str, Any]:
         "sentry_trace": trace,
         "version": get_full_version(),
     }
+
+
+def cors_allow(request: HttpRequest, response: HttpResponse, *allowed_origins: str):
+    """Add headers to permit CORS requests from allowed_origins, with or without credentials,
+    with any headers."""
+    origin = request.META.get("HTTP_ORIGIN")
+    if not origin:
+        return response
+
+    # OPTIONS requests don't have an authorization header -> hence
+    # we can't extract the provider this request is for
+    # so for options requests we allow the calling origin without checking
+    allowed = request.method == "OPTIONS"
+    received_origin = urlparse(origin)
+    for allowed_origin in allowed_origins:
+        url = urlparse(allowed_origin)
+        if (
+            received_origin.scheme == url.scheme
+            and received_origin.hostname == url.hostname
+            and received_origin.port == url.port
+        ):
+            allowed = True
+    if not allowed:
+        LOGGER.warning(
+            "CORS: Origin is not an allowed origin",
+            requested=received_origin,
+            allowed=allowed_origins,
+        )
+        return response
+
+    # From the CORS spec: The string "*" cannot be used for a resource that supports credentials.
+    response["Access-Control-Allow-Origin"] = origin
+    patch_vary_headers(response, ["Origin"])
+    response["Access-Control-Allow-Credentials"] = "true"
+
+    if request.method == "OPTIONS":
+        if "HTTP_ACCESS_CONTROL_REQUEST_HEADERS" in request.META:
+            response["Access-Control-Allow-Headers"] = request.META[
+                "HTTP_ACCESS_CONTROL_REQUEST_HEADERS"
+            ]
+        response["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
+
+    return response

authentik/core/api/applications.py

@@ -37,7 +37,7 @@ from authentik.lib.utils.file import (
 )
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.types import PolicyResult
+from authentik.policies.types import CACHE_PREFIX, PolicyResult
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.filters import ObjectFilter
 
@@ -46,7 +46,7 @@ LOGGER = get_logger()
 
 def user_app_cache_key(user_pk: str) -> str:
     """Cache key where application list for user is saved"""
-    return f"goauthentik.io/core/app_access/{user_pk}"
+    return f"{CACHE_PREFIX}/app_access/{user_pk}"
 
 
 class ApplicationSerializer(ModelSerializer):
@@ -214,7 +214,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
             return super().list(request)
 
         queryset = self._filter_queryset_for_list(self.get_queryset())
-        pagined_apps = self.paginate_queryset(queryset)
+        paginated_apps = self.paginate_queryset(queryset)
 
         if "for_user" in request.query_params:
             try:
@@ -228,18 +228,18 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
                     raise ValidationError({"for_user": "User not found"})
             except ValueError as exc:
                 raise ValidationError from exc
-            allowed_applications = self._get_allowed_applications(pagined_apps, user=for_user)
+            allowed_applications = self._get_allowed_applications(paginated_apps, user=for_user)
             serializer = self.get_serializer(allowed_applications, many=True)
             return self.get_paginated_response(serializer.data)
 
         allowed_applications = []
         if not should_cache:
-            allowed_applications = self._get_allowed_applications(pagined_apps)
+            allowed_applications = self._get_allowed_applications(paginated_apps)
         if should_cache:
             allowed_applications = cache.get(user_app_cache_key(self.request.user.pk))
             if not allowed_applications:
                 LOGGER.debug("Caching allowed application list")
-                allowed_applications = self._get_allowed_applications(pagined_apps)
+                allowed_applications = self._get_allowed_applications(paginated_apps)
                 cache.set(
                     user_app_cache_key(self.request.user.pk),
                     allowed_applications,

authentik/core/api/users.py

@@ -605,7 +605,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         email_stage: EmailStage = stages.first()
         message = TemplateEmailMessage(
             subject=_(email_stage.subject),
-            to=[for_user.email],
+            to=[(for_user.name, for_user.email)],
             template_name=email_stage.template,
             language=for_user.locale(request),
             template_context={

authentik/core/models.py

@@ -33,7 +33,7 @@ from authentik.lib.models import (
     SerializerModel,
 )
 from authentik.policies.models import PolicyBindingModel
-from authentik.root.install_id import get_install_id
+from authentik.tenants.utils import get_unique_identifier
 
 LOGGER = get_logger()
 USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
@@ -276,7 +276,7 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
     @property
     def uid(self) -> str:
         """Generate a globally unique UID, based on the user ID and the hashed secret key"""
-        return sha256(f"{self.id}-{get_install_id()}".encode("ascii")).hexdigest()
+        return sha256(f"{self.id}-{get_unique_identifier()}".encode("ascii")).hexdigest()
 
     def locale(self, request: HttpRequest | None = None) -> str:
         """Get the locale the user has configured"""
@@ -617,6 +617,9 @@ class UserSourceConnection(SerializerModel, CreatedUpdatedModel):
         """Get serializer for this model"""
         raise NotImplementedError
 
+    def __str__(self) -> str:
+        return f"User-source connection (user={self.user.username}, source={self.source.slug})"
+
     class Meta:
         unique_together = (("user", "source"),)
 

authentik/core/sources/flow_manager.py

@@ -16,8 +16,9 @@ from authentik.core.models import Source, SourceUserMatchingModes, User, UserSou
 from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION, PostUserEnrollmentStage
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
-from authentik.flows.models import Flow, Stage, in_memory_stage
+from authentik.flows.models import Flow, FlowToken, Stage, in_memory_stage
 from authentik.flows.planner import (
+    PLAN_CONTEXT_IS_RESTORED,
     PLAN_CONTEXT_PENDING_USER,
     PLAN_CONTEXT_REDIRECT,
     PLAN_CONTEXT_SOURCE,
@@ -35,6 +36,8 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 
+SESSION_KEY_OVERRIDE_FLOW_TOKEN = "authentik/flows/source_override_flow_token"  # nosec
+
 
 class Action(Enum):
     """Actions that can be decided based on the request
@@ -222,22 +225,43 @@ class SourceFlowManager:
         **kwargs,
     ) -> HttpResponse:
         """Prepare Authentication Plan, redirect user FlowExecutor"""
-        # Ensure redirect is carried through when user was trying to
-        # authorize application
-        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
-            NEXT_ARG_NAME, "authentik_core:if-user"
-        )
         kwargs.update(
             {
                 # Since we authenticate the user by their token, they have no backend set
                 PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_SOURCE: self.source,
-                PLAN_CONTEXT_REDIRECT: final_redirect,
                 PLAN_CONTEXT_SOURCES_CONNECTION: connection,
             }
         )
         kwargs.update(self.policy_context)
+        if SESSION_KEY_OVERRIDE_FLOW_TOKEN in self.request.session:
+            token: FlowToken = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
+            self._logger.info("Replacing source flow with overridden flow", flow=token.flow.slug)
+            plan = token.plan
+            plan.context[PLAN_CONTEXT_IS_RESTORED] = token
+            plan.context.update(kwargs)
+            for stage in self.get_stages_to_append(flow):
+                plan.append_stage(stage)
+            if stages:
+                for stage in stages:
+                    plan.append_stage(stage)
+            self.request.session[SESSION_KEY_PLAN] = plan
+            flow_slug = token.flow.slug
+            token.delete()
+            return redirect_with_qs(
+                "authentik_core:if-flow",
+                self.request.GET,
+                flow_slug=flow_slug,
+            )
+        # Ensure redirect is carried through when user was trying to
+        # authorize application
+        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
+            NEXT_ARG_NAME, "authentik_core:if-user"
+        )
+        if PLAN_CONTEXT_REDIRECT not in kwargs:
+            kwargs[PLAN_CONTEXT_REDIRECT] = final_redirect
+
         if not flow:
             return bad_request_message(
                 self.request,

authentik/core/urls.py

@@ -6,7 +6,6 @@ from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
 from django.views.decorators.csrf import ensure_csrf_cookie
-from django.views.generic import RedirectView
 
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@@ -20,7 +19,12 @@ from authentik.core.api.transactional_applications import TransactionalApplicati
 from authentik.core.api.users import UserViewSet
 from authentik.core.views import apps
 from authentik.core.views.debug import AccessDeniedView
-from authentik.core.views.interface import FlowInterfaceView, InterfaceView
+from authentik.core.views.interface import (
+    BrandDefaultRedirectView,
+    FlowInterfaceView,
+    InterfaceView,
+    RootRedirectView,
+)
 from authentik.core.views.session import EndSessionView
 from authentik.root.asgi_middleware import SessionMiddleware
 from authentik.root.messages.consumer import MessageConsumer
@@ -29,13 +33,11 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
 urlpatterns = [
     path(
         "",
-        login_required(
-            RedirectView.as_view(pattern_name="authentik_core:if-user", query_string=True)
-        ),
+        login_required(RootRedirectView.as_view()),
         name="root-redirect",
     ),
     path(
-        # We have to use this format since everything else uses applications/o or applications/saml
+        # We have to use this format since everything else uses application/o or application/saml
         "application/launch/<slug:application_slug>/",
         apps.RedirectToAppLaunch.as_view(),
         name="application-launch",
@@ -43,12 +45,12 @@ urlpatterns = [
     # Interfaces
     path(
         "if/admin/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/admin.html")),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
         name="if-admin",
     ),
     path(
         "if/user/",
-        ensure_csrf_cookie(InterfaceView.as_view(template_name="if/user.html")),
+        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
         name="if-user",
     ),
     path(

authentik/core/views/interface.py

@@ -3,15 +3,43 @@
 from json import dumps
 from typing import Any
 
-from django.shortcuts import get_object_or_404
-from django.views.generic.base import TemplateView
+from django.http import HttpRequest
+from django.http.response import HttpResponse
+from django.shortcuts import get_object_or_404, redirect
+from django.utils.translation import gettext as _
+from django.views.generic.base import RedirectView, TemplateView
 from rest_framework.request import Request
 
 from authentik import get_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
 from authentik.api.v3.config import ConfigView
 from authentik.brands.api import CurrentBrandSerializer
+from authentik.brands.models import Brand
+from authentik.core.models import UserTypes
 from authentik.flows.models import Flow
+from authentik.policies.denied import AccessDeniedResponse
+
+
+class RootRedirectView(RedirectView):
+    """Root redirect view, redirect to brand's default application if set"""
+
+    pattern_name = "authentik_core:if-user"
+    query_string = True
+
+    def redirect_to_app(self, request: HttpRequest):
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+            brand: Brand = request.brand
+            if brand.default_application:
+                return redirect(
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+        return None
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        if redirect_response := RootRedirectView().redirect_to_app(request):
+            return redirect_response
+        return super().dispatch(request, *args, **kwargs)
 
 
 class InterfaceView(TemplateView):
@@ -27,6 +55,22 @@ class InterfaceView(TemplateView):
         return super().get_context_data(**kwargs)
 
 
+class BrandDefaultRedirectView(InterfaceView):
+    """By default redirect to default app"""
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        if request.user.is_authenticated and request.user.type == UserTypes.EXTERNAL:
+            brand: Brand = request.brand
+            if brand.default_application:
+                return redirect(
+                    "authentik_core:application-launch",
+                    application_slug=brand.default_application.slug,
+                )
+            response = AccessDeniedResponse(self.request)
+            response.error_message = _("Interface can only be accessed by internal users.")
+        return super().dispatch(request, *args, **kwargs)
+
+
 class FlowInterfaceView(InterfaceView):
     """Flow interface"""
 

authentik/crypto/api.py

@@ -71,7 +71,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
         "Get certificate expiry"
         if not self._should_include_details:
             return None
-        return DateTimeField().to_representation(instance.certificate.not_valid_after)
+        return DateTimeField().to_representation(instance.certificate.not_valid_after_utc)
 
     def get_cert_subject(self, instance: CertificateKeyPair) -> str | None:
         """Get certificate subject as full rfc4514"""

authentik/crypto/tests.py

@@ -1,6 +1,5 @@
 """Crypto tests"""
 
-import datetime
 from json import loads
 from os import makedirs
 from tempfile import TemporaryDirectory
@@ -8,6 +7,7 @@ from tempfile import TemporaryDirectory
 from cryptography.x509.extensions import SubjectAlternativeName
 from cryptography.x509.general_name import DNSName
 from django.urls import reverse
+from django.utils.timezone import now
 from rest_framework.test import APITestCase
 
 from authentik.core.api.used_by import DeleteAction
@@ -68,9 +68,9 @@ class TestCrypto(APITestCase):
             validity_days=3,
         )
         instance = builder.save()
-        now = datetime.datetime.today()
+        _now = now()
         self.assertEqual(instance.name, name)
-        self.assertEqual((instance.certificate.not_valid_after - now).days, 2)
+        self.assertEqual((instance.certificate.not_valid_after_utc - _now).days, 2)
 
     def test_builder_api(self):
         """Test Builder (via API)"""

authentik/enterprise/api.py

@@ -22,7 +22,7 @@ from authentik.core.models import User, UserTypes
 from authentik.enterprise.license import LicenseKey, LicenseSummarySerializer
 from authentik.enterprise.models import License
 from authentik.rbac.decorators import permission_required
-from authentik.root.install_id import get_install_id
+from authentik.tenants.utils import get_unique_identifier
 
 
 class EnterpriseRequiredMixin:
@@ -31,7 +31,7 @@ class EnterpriseRequiredMixin:
 
     def validate(self, attrs: dict) -> dict:
         """Check that a valid license exists"""
-        if not LicenseKey.cached_summary().valid:
+        if not LicenseKey.cached_summary().has_license:
             raise ValidationError(_("Enterprise is required to create/update this object."))
         return super().validate(attrs)
 
@@ -92,7 +92,7 @@ class LicenseViewSet(UsedByMixin, ModelViewSet):
         """Get install_id"""
         return Response(
             data={
-                "install_id": get_install_id(),
+                "install_id": get_unique_identifier(),
             }
         )
 

authentik/enterprise/license.py

@@ -21,7 +21,7 @@ from rest_framework.fields import BooleanField, DateTimeField, IntegerField
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User, UserTypes
 from authentik.enterprise.models import License, LicenseUsage
-from authentik.root.install_id import get_install_id
+from authentik.tenants.utils import get_unique_identifier
 
 CACHE_KEY_ENTERPRISE_LICENSE = "goauthentik.io/enterprise/license"
 CACHE_EXPIRY_ENTERPRISE_LICENSE = 3 * 60 * 60  # 2 Hours
@@ -36,7 +36,7 @@ def get_licensing_key() -> Certificate:
 
 def get_license_aud() -> str:
     """Get the JWT audience field"""
-    return f"enterprise.goauthentik.io/license/{get_install_id()}"
+    return f"enterprise.goauthentik.io/license/{get_unique_identifier()}"
 
 
 class LicenseFlags(Enum):
@@ -142,13 +142,7 @@ class LicenseKey:
     @staticmethod
     def get_external_user_count():
         """Get current external user count"""
-        # Count since start of the month
-        last_month = now().replace(day=1)
-        return (
-            LicenseKey.base_user_qs()
-            .filter(type=UserTypes.EXTERNAL, last_login__gte=last_month)
-            .count()
-        )
+        return LicenseKey.base_user_qs().filter(type=UserTypes.EXTERNAL).count()
 
     def is_valid(self) -> bool:
         """Check if the given license body covers all users
@@ -188,20 +182,21 @@ class LicenseKey:
 
     def summary(self) -> LicenseSummary:
         """Summary of license status"""
+        has_license = License.objects.all().count() > 0
         last_valid = LicenseKey.last_valid_date()
         show_admin_warning = last_valid < now() - timedelta(weeks=2)
         show_user_warning = last_valid < now() - timedelta(weeks=4)
         read_only = last_valid < now() - timedelta(weeks=6)
         latest_valid = datetime.fromtimestamp(self.exp)
         return LicenseSummary(
-            show_admin_warning=show_admin_warning,
-            show_user_warning=show_user_warning,
-            read_only=read_only,
+            show_admin_warning=show_admin_warning and has_license,
+            show_user_warning=show_user_warning and has_license,
+            read_only=read_only and has_license,
             latest_valid=latest_valid,
             internal_users=self.internal_users,
             external_users=self.external_users,
             valid=self.is_valid(),
-            has_license=License.objects.all().count() > 0,
+            has_license=has_license,
         )
 
     @staticmethod

authentik/enterprise/providers/rac/api/connection_tokens.py

@@ -6,13 +6,13 @@ from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
-from authentik.api.authorization import OwnerFilter, OwnerPermissions
+from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.groups import GroupMemberSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.enterprise.api import EnterpriseRequiredMixin
 from authentik.enterprise.providers.rac.api.endpoints import EndpointSerializer
 from authentik.enterprise.providers.rac.api.providers import RACProviderSerializer
-from authentik.enterprise.providers.rac.models import ConnectionToken, Endpoint
+from authentik.enterprise.providers.rac.models import ConnectionToken
 
 
 class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
@@ -23,7 +23,7 @@ class ConnectionTokenSerializer(EnterpriseRequiredMixin, ModelSerializer):
     user = GroupMemberSerializer(source="session.user", read_only=True)
 
     class Meta:
-        model = Endpoint
+        model = ConnectionToken
         fields = [
             "pk",
             "provider",
@@ -49,5 +49,5 @@ class ConnectionTokenViewSet(
     filterset_fields = ["endpoint", "session__user", "provider"]
     search_fields = ["endpoint__name", "provider__name"]
     ordering = ["endpoint__name", "provider__name"]
-    permission_classes = [OwnerPermissions]
+    permission_classes = [OwnerSuperuserPermissions]
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]

authentik/enterprise/settings.py

@@ -15,6 +15,7 @@ CELERY_BEAT_SCHEDULE = {
 TENANT_APPS = [
     "authentik.enterprise.audit",
     "authentik.enterprise.providers.rac",
+    "authentik.enterprise.stages.source",
 ]
 
 MIDDLEWARE = ["authentik.enterprise.middleware.EnterpriseMiddleware"]

authentik/enterprise/signals.py

@@ -2,11 +2,14 @@
 
 from datetime import datetime
 
-from django.db.models.signals import pre_save
+from django.core.cache import cache
+from django.db.models.signals import post_save, pre_save
 from django.dispatch import receiver
 from django.utils.timezone import get_current_timezone
 
+from authentik.enterprise.license import CACHE_KEY_ENTERPRISE_LICENSE
 from authentik.enterprise.models import License
+from authentik.enterprise.tasks import enterprise_update_usage
 
 
 @receiver(pre_save, sender=License)
@@ -17,3 +20,10 @@ def pre_save_license(sender: type[License], instance: License, **_):
     instance.internal_users = status.internal_users
     instance.external_users = status.external_users
     instance.expiry = datetime.fromtimestamp(status.exp, tz=get_current_timezone())
+
+
+@receiver(post_save, sender=License)
+def post_save_license(sender: type[License], instance: License, **_):
+    """Trigger license usage calculation when license is saved"""
+    cache.delete(CACHE_KEY_ENTERPRISE_LICENSE)
+    enterprise_update_usage.delay()

authentik/enterprise/stages/source/api.py

@@ -0,0 +1,38 @@
+"""Source Stage API Views"""
+
+from rest_framework.exceptions import ValidationError
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.models import Source
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.enterprise.stages.source.models import SourceStage
+from authentik.flows.api.stages import StageSerializer
+
+
+class SourceStageSerializer(EnterpriseRequiredMixin, StageSerializer):
+    """SourceStage Serializer"""
+
+    def validate_source(self, _source: Source) -> Source:
+        """Ensure configured source supports web-based login"""
+        source = Source.objects.filter(pk=_source.pk).select_subclasses().first()
+        if not source:
+            raise ValidationError("Invalid source")
+        login_button = source.ui_login_button(self.context["request"])
+        if not login_button:
+            raise ValidationError("Invalid source selected, only web-based sources are supported.")
+        return source
+
+    class Meta:
+        model = SourceStage
+        fields = StageSerializer.Meta.fields + ["source", "resume_timeout"]
+
+
+class SourceStageViewSet(UsedByMixin, ModelViewSet):
+    """SourceStage Viewset"""
+
+    queryset = SourceStage.objects.all()
+    serializer_class = SourceStageSerializer
+    filterset_fields = "__all__"
+    ordering = ["name"]
+    search_fields = ["name"]

authentik/enterprise/stages/source/apps.py

@@ -0,0 +1,12 @@
+"""authentik stage app config"""
+
+from authentik.enterprise.apps import EnterpriseConfig
+
+
+class AuthentikEnterpriseStageSourceConfig(EnterpriseConfig):
+    """authentik source stage config"""
+
+    name = "authentik.enterprise.stages.source"
+    label = "authentik_stages_source"
+    verbose_name = "authentik Enterprise.Stages.Source"
+    default = True

authentik/enterprise/stages/source/migrations/0001_initial.py

@@ -0,0 +1,53 @@
+# Generated by Django 5.0.2 on 2024-02-25 20:44
+
+import authentik.lib.utils.time
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    initial = True
+
+    dependencies = [
+        ("authentik_core", "0033_alter_user_options"),
+        ("authentik_flows", "0027_auto_20231028_1424"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SourceStage",
+            fields=[
+                (
+                    "stage_ptr",
+                    models.OneToOneField(
+                        auto_created=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        parent_link=True,
+                        primary_key=True,
+                        serialize=False,
+                        to="authentik_flows.stage",
+                    ),
+                ),
+                (
+                    "resume_timeout",
+                    models.TextField(
+                        default="minutes=10",
+                        help_text="Amount of time a user can take to return from the source to continue the flow (Format: hours=-1;minutes=-2;seconds=-3)",
+                        validators=[authentik.lib.utils.time.timedelta_string_validator],
+                    ),
+                ),
+                (
+                    "source",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="authentik_core.source"
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Source Stage",
+                "verbose_name_plural": "Source Stages",
+            },
+            bases=("authentik_flows.stage",),
+        ),
+    ]

authentik/enterprise/stages/source/models.py

@@ -0,0 +1,45 @@
+"""Source stage models"""
+
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from django.views import View
+from rest_framework.serializers import BaseSerializer
+
+from authentik.flows.models import Stage
+from authentik.lib.utils.time import timedelta_string_validator
+
+
+class SourceStage(Stage):
+    """Suspend the current flow execution and send the user to a source,
+    after which this flow execution is resumed."""
+
+    source = models.ForeignKey("authentik_core.Source", on_delete=models.CASCADE)
+
+    resume_timeout = models.TextField(
+        default="minutes=10",
+        validators=[timedelta_string_validator],
+        help_text=_(
+            "Amount of time a user can take to return from the source to continue the flow "
+            "(Format: hours=-1;minutes=-2;seconds=-3)"
+        ),
+    )
+
+    @property
+    def serializer(self) -> type[BaseSerializer]:
+        from authentik.enterprise.stages.source.api import SourceStageSerializer
+
+        return SourceStageSerializer
+
+    @property
+    def view(self) -> type[View]:
+        from authentik.enterprise.stages.source.stage import SourceStageView
+
+        return SourceStageView
+
+    @property
+    def component(self) -> str:
+        return "ak-stage-source-form"
+
+    class Meta:
+        verbose_name = _("Source Stage")
+        verbose_name_plural = _("Source Stages")

authentik/enterprise/stages/source/stage.py

@@ -0,0 +1,79 @@
+"""Source stage logic"""
+
+from typing import Any
+from uuid import uuid4
+
+from django.http import HttpRequest, HttpResponse
+from django.utils.text import slugify
+from django.utils.timezone import now
+from guardian.shortcuts import get_anonymous_user
+
+from authentik.core.models import Source, User
+from authentik.core.sources.flow_manager import SESSION_KEY_OVERRIDE_FLOW_TOKEN
+from authentik.core.types import UILoginButton
+from authentik.enterprise.stages.source.models import SourceStage
+from authentik.flows.challenge import Challenge, ChallengeResponse
+from authentik.flows.models import FlowToken
+from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED
+from authentik.flows.stage import ChallengeStageView
+from authentik.lib.utils.time import timedelta_from_string
+
+PLAN_CONTEXT_RESUME_TOKEN = "resume_token"  # nosec
+
+
+class SourceStageView(ChallengeStageView):
+    """Suspend the current flow execution and send the user to a source,
+    after which this flow execution is resumed."""
+
+    login_button: UILoginButton
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        current_stage: SourceStage = self.executor.current_stage
+        source: Source = (
+            Source.objects.filter(pk=current_stage.source_id).select_subclasses().first()
+        )
+        if not source:
+            self.logger.warning("Source does not exist")
+            return self.executor.stage_invalid("Source does not exist")
+        self.login_button = source.ui_login_button(self.request)
+        if not self.login_button:
+            self.logger.warning("Source does not have a UI login button")
+            return self.executor.stage_invalid("Invalid source")
+        restore_token = self.executor.plan.context.get(PLAN_CONTEXT_IS_RESTORED)
+        override_token = self.request.session.get(SESSION_KEY_OVERRIDE_FLOW_TOKEN)
+        if restore_token and override_token and restore_token.pk == override_token.pk:
+            del self.request.session[SESSION_KEY_OVERRIDE_FLOW_TOKEN]
+            return self.executor.stage_ok()
+        return super().dispatch(request, *args, **kwargs)
+
+    def get_challenge(self, *args, **kwargs) -> Challenge:
+        resume_token = self.create_flow_token()
+        self.request.session[SESSION_KEY_OVERRIDE_FLOW_TOKEN] = resume_token
+        return self.login_button.challenge
+
+    def create_flow_token(self) -> FlowToken:
+        """Save the current flow state in a token that can be used to resume this flow"""
+        pending_user: User = self.get_pending_user()
+        if pending_user.is_anonymous:
+            pending_user = get_anonymous_user()
+        current_stage: SourceStage = self.executor.current_stage
+        identifier = slugify(f"ak-source-stage-{current_stage.name}-{str(uuid4())}")
+        # Don't check for validity here, we only care if the token exists
+        tokens = FlowToken.objects.filter(identifier=identifier)
+        valid_delta = timedelta_from_string(current_stage.resume_timeout)
+        if not tokens.exists():
+            return FlowToken.objects.create(
+                expires=now() + valid_delta,
+                user=pending_user,
+                identifier=identifier,
+                flow=self.executor.flow,
+                _plan=FlowToken.pickle(self.executor.plan),
+            )
+        token = tokens.first()
+        # Check if token is expired and rotate key if so
+        if token.is_expired:
+            token.expire_action()
+        return token
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        return self.executor.stage_ok()

authentik/enterprise/stages/source/tests.py

@@ -0,0 +1,99 @@
+"""Source stage tests"""
+
+from django.urls import reverse
+
+from authentik.core.tests.utils import create_test_flow, create_test_user
+from authentik.enterprise.stages.source.models import SourceStage
+from authentik.flows.models import FlowDesignation, FlowStageBinding, FlowToken
+from authentik.flows.planner import PLAN_CONTEXT_IS_RESTORED, FlowPlan
+from authentik.flows.tests import FlowTestCase
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.generators import generate_id
+from authentik.sources.saml.models import SAMLSource
+from authentik.stages.identification.models import IdentificationStage, UserFields
+from authentik.stages.password import BACKEND_INBUILT
+from authentik.stages.password.models import PasswordStage
+from authentik.stages.user_login.models import UserLoginStage
+
+
+class TestSourceStage(FlowTestCase):
+    """Source stage tests"""
+
+    def setUp(self):
+        self.source = SAMLSource.objects.create(
+            slug=generate_id(),
+            issuer="authentik",
+            allow_idp_initiated=True,
+            pre_authentication_flow=create_test_flow(),
+        )
+
+    def test_source_success(self):
+        """Test"""
+        user = create_test_user()
+        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
+        stage = SourceStage.objects.create(name=generate_id(), source=self.source)
+        FlowStageBinding.objects.create(
+            target=flow,
+            stage=IdentificationStage.objects.create(
+                name=generate_id(),
+                user_fields=[UserFields.USERNAME],
+            ),
+            order=0,
+        )
+        FlowStageBinding.objects.create(
+            target=flow,
+            stage=PasswordStage.objects.create(name=generate_id(), backends=[BACKEND_INBUILT]),
+            order=5,
+        )
+        FlowStageBinding.objects.create(target=flow, stage=stage, order=10)
+        FlowStageBinding.objects.create(
+            target=flow,
+            stage=UserLoginStage.objects.create(
+                name=generate_id(),
+            ),
+            order=15,
+        )
+
+        # Get user identification stage
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertStageResponse(response, flow, component="ak-stage-identification")
+        # Send username
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+            data={"uid_field": user.username},
+            follow=True,
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertStageResponse(response, flow, component="ak-stage-password")
+        # Send password
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+            data={"password": user.username},
+            follow=True,
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertStageRedirects(
+            response,
+            reverse("authentik_sources_saml:login", kwargs={"source_slug": self.source.slug}),
+        )
+
+        # Hijack flow plan so we don't have to emulate the source
+        flow_token = FlowToken.objects.filter(
+            identifier__startswith=f"ak-source-stage-{stage.name.lower()}"
+        ).first()
+        self.assertIsNotNone(flow_token)
+        session = self.client.session
+        plan: FlowPlan = session[SESSION_KEY_PLAN]
+        plan.context[PLAN_CONTEXT_IS_RESTORED] = flow_token
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        # Pretend we've just returned from the source
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}), follow=True
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))

authentik/enterprise/stages/source/urls.py

@@ -0,0 +1,5 @@
+"""API URLs"""
+
+from authentik.enterprise.stages.source.api import SourceStageViewSet
+
+api_urlpatterns = [("stages/source", SourceStageViewSet)]

authentik/events/models.py

@@ -452,6 +452,13 @@ class NotificationTransport(SerializerModel):
 
     def send_email(self, notification: "Notification") -> list[str]:
         """Send notification via global email configuration"""
+        if notification.user.email.strip() == "":
+            LOGGER.info(
+                "Discarding notification as user has no email address",
+                user=notification.user,
+                notification=notification,
+            )
+            return None
         subject_prefix = "authentik Notification: "
         context = {
             "key_value": {
@@ -481,7 +488,7 @@ class NotificationTransport(SerializerModel):
             }
         mail = TemplateEmailMessage(
             subject=subject_prefix + context["title"],
-            to=[f"{notification.user.name} <{notification.user.email}>"],
+            to=[(notification.user.name, notification.user.email)],
             language=notification.user.locale(),
             template_name="email/event_notification.html",
             template_context=context,

authentik/flows/api/stages.py

@@ -13,6 +13,7 @@ from structlog.stdlib import get_logger
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.types import UserSettingSerializer
+from authentik.enterprise.apps import EnterpriseConfig
 from authentik.flows.api.flows import FlowSetSerializer
 from authentik.flows.models import ConfigurableStage, Stage
 from authentik.lib.utils.reflection import all_subclasses
@@ -75,6 +76,7 @@ class StageViewSet(
                     "description": subclass.__doc__,
                     "component": subclass().component,
                     "model_name": subclass._meta.model_name,
+                    "requires_enterprise": isinstance(subclass._meta.app_config, EnterpriseConfig),
                 }
             )
         data = sorted(data, key=lambda x: x["name"])

authentik/flows/tests/test_executor.py

@@ -1,6 +1,7 @@
 """flow views tests"""
 
 from unittest.mock import MagicMock, PropertyMock, patch
+from urllib.parse import urlencode
 
 from django.http import HttpRequest, HttpResponse
 from django.test.client import RequestFactory
@@ -18,7 +19,12 @@ from authentik.flows.models import (
 from authentik.flows.planner import FlowPlan, FlowPlanner
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, StageView
 from authentik.flows.tests import FlowTestCase
-from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_PLAN, FlowExecutorView
+from authentik.flows.views.executor import (
+    NEXT_ARG_NAME,
+    QS_QUERY,
+    SESSION_KEY_PLAN,
+    FlowExecutorView,
+)
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
@@ -121,16 +127,73 @@ class TestFlowExecutor(FlowTestCase):
         TO_STAGE_RESPONSE_MOCK,
     )
     def test_invalid_flow_redirect(self):
-        """Tests that an invalid flow still redirects"""
+        """Test invalid flow with valid redirect destination"""
         flow = create_test_flow(
             FlowDesignation.AUTHENTICATION,
         )
 
         dest = "/unique-string"
         url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
-        response = self.client.get(url + f"?{NEXT_ARG_NAME}={dest}")
+        response = self.client.get(url + f"?{QS_QUERY}={urlencode({NEXT_ARG_NAME: dest})}")
         self.assertEqual(response.status_code, 302)
-        self.assertEqual(response.url, reverse("authentik_core:root-redirect"))
+        self.assertEqual(response.url, "/unique-string")
+
+    @patch(
+        "authentik.flows.views.executor.to_stage_response",
+        TO_STAGE_RESPONSE_MOCK,
+    )
+    def test_invalid_flow_invalid_redirect(self):
+        """Test invalid flow redirect with an invalid URL"""
+        flow = create_test_flow(
+            FlowDesignation.AUTHENTICATION,
+        )
+
+        dest = "http://something.example.com/unique-string"
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
+
+        response = self.client.get(url + f"?{QS_QUERY}={urlencode({NEXT_ARG_NAME: dest})}")
+        self.assertEqual(response.status_code, 200)
+        self.assertStageResponse(
+            response,
+            flow,
+            component="ak-stage-access-denied",
+            error_message="Invalid next URL",
+        )
+
+    @patch(
+        "authentik.flows.views.executor.to_stage_response",
+        TO_STAGE_RESPONSE_MOCK,
+    )
+    def test_valid_flow_redirect(self):
+        """Test valid flow with valid redirect destination"""
+        flow = create_test_flow()
+
+        dest = "/unique-string"
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
+
+        response = self.client.get(url + f"?{QS_QUERY}={urlencode({NEXT_ARG_NAME: dest})}")
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, "/unique-string")
+
+    @patch(
+        "authentik.flows.views.executor.to_stage_response",
+        TO_STAGE_RESPONSE_MOCK,
+    )
+    def test_valid_flow_invalid_redirect(self):
+        """Test valid flow redirect with an invalid URL"""
+        flow = create_test_flow()
+
+        dest = "http://something.example.com/unique-string"
+        url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
+
+        response = self.client.get(url + f"?{QS_QUERY}={urlencode({NEXT_ARG_NAME: dest})}")
+        self.assertEqual(response.status_code, 200)
+        self.assertStageResponse(
+            response,
+            flow,
+            component="ak-stage-access-denied",
+            error_message="Invalid next URL",
+        )
 
     @patch(
         "authentik.flows.views.executor.to_stage_response",

authentik/flows/tests/test_inspector.py

@@ -53,6 +53,7 @@ class TestFlowInspector(APITestCase):
                     "title": flow.title,
                     "layout": "stacked",
                 },
+                "flow_designation": "authentication",
                 "type": ChallengeTypes.NATIVE.value,
                 "password_fields": False,
                 "primary_action": "Log in",

authentik/flows/views/executor.py

@@ -11,6 +11,7 @@ from django.shortcuts import get_object_or_404, redirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
 from django.utils.decorators import method_decorator
+from django.utils.translation import gettext as _
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.generic import View
 from drf_spectacular.types import OpenApiTypes
@@ -23,6 +24,7 @@ from sentry_sdk.hub import Hub
 from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.brands.models import Brand
+from authentik.brands.utils import cors_allow
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction, cleanse_dict
 from authentik.flows.apps import HIST_FLOW_EXECUTION_STAGE_TIME
@@ -154,6 +156,14 @@ class FlowExecutorView(APIView):
         return plan
 
     def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
+        response = self.dispatch_wrapper(request, flow_slug)
+        origins = []
+        if request.brand.origin != "":
+            origins.append(request.brand.origin)
+        cors_allow(request, response, *origins)
+        return response
+
+    def dispatch_wrapper(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
         with Hub.current.start_span(
             op="authentik.flow.executor.dispatch", description=self.flow.slug
         ) as span:
@@ -176,6 +186,8 @@ class FlowExecutorView(APIView):
                     self.cancel()
                 self._logger.debug("f(exec): Continuing existing plan")
 
+            # Initial flow request, check if we have an upstream query string passed in
+            request.session[SESSION_KEY_GET] = get_params
             # Don't check session again as we've either already loaded the plan or we need to plan
             if not self.plan:
                 request.session[SESSION_KEY_HISTORY] = []
@@ -190,8 +202,6 @@ class FlowExecutorView(APIView):
                     # To match behaviour with loading an empty flow plan from cache,
                     # we don't show an error message here, but rather call _flow_done()
                     return self._flow_done()
-            # Initial flow request, check if we have an upstream query string passed in
-            request.session[SESSION_KEY_GET] = get_params
             # We don't save the Plan after getting the next stage
             # as it hasn't been successfully passed yet
             try:
@@ -390,7 +400,11 @@ class FlowExecutorView(APIView):
             NEXT_ARG_NAME, "authentik_core:root-redirect"
         )
         self.cancel()
-        return to_stage_response(self.request, redirect_with_qs(next_param))
+        if next_param and not is_url_absolute(next_param):
+            return to_stage_response(self.request, redirect_with_qs(next_param))
+        return to_stage_response(
+            self.request, self.stage_invalid(error_message=_("Invalid next URL"))
+        )
 
     def stage_ok(self) -> HttpResponse:
         """Callback called by stages upon successful completion.
@@ -464,7 +478,7 @@ class FlowExecutorView(APIView):
 
 
 class CancelView(View):
-    """View which canels the currently active plan"""
+    """View which cancels the currently active plan"""
 
     def get(self, request: HttpRequest) -> HttpResponse:
         """View which canels the currently active plan"""

authentik/flows/views/inspector.py

@@ -24,7 +24,6 @@ from authentik.flows.api.bindings import FlowStageBindingSerializer
 from authentik.flows.models import Flow
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_HISTORY, SESSION_KEY_PLAN
-from authentik.root.install_id import get_install_id
 
 MIN_FLOW_LENGTH = 2
 
@@ -54,9 +53,7 @@ class FlowInspectorPlanSerializer(PassiveSerializer):
     def get_session_id(self, _plan: FlowPlan) -> str:
         """Get a unique session ID"""
         request: Request = self.context["request"]
-        return sha256(
-            f"{request._request.session.session_key}-{get_install_id()}".encode("ascii")
-        ).hexdigest()
+        return sha256(request._request.session.session_key.encode("ascii")).hexdigest()
 
 
 class FlowInspectionSerializer(PassiveSerializer):

authentik/outposts/controllers/k8s/service.py

@@ -33,6 +33,8 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
         # priority than being updated.
         if current.spec.selector != reference.spec.selector:
             raise NeedsUpdate()
+        if current.spec.type != reference.spec.type:
+            raise NeedsUpdate()
         super().reconcile(current, reference)
 
     def get_reference_object(self) -> V1Service:

authentik/providers/oauth2/apps.py

@@ -1,9 +1,9 @@
 """authentik oauth provider app config"""
 
-from django.apps import AppConfig
+from authentik.blueprints.apps import ManagedAppConfig
 
 
-class AuthentikProviderOAuth2Config(AppConfig):
+class AuthentikProviderOAuth2Config(ManagedAppConfig):
     """authentik oauth provider app config"""
 
     name = "authentik.providers.oauth2"
@@ -13,3 +13,4 @@ class AuthentikProviderOAuth2Config(AppConfig):
         "authentik.providers.oauth2.urls_root": "",
         "authentik.providers.oauth2.urls": "application/o/",
     }
+    default = True

authentik/providers/oauth2/signals.py

@@ -0,0 +1,15 @@
+from hashlib import sha256
+
+from django.contrib.auth.signals import user_logged_out
+from django.dispatch import receiver
+from django.http import HttpRequest
+
+from authentik.core.models import User
+from authentik.providers.oauth2.models import AccessToken
+
+
+@receiver(user_logged_out)
+def user_logged_out_oauth_access_token(sender, request: HttpRequest, user: User, **_):
+    """Revoke access tokens upon user logout"""
+    hashed_session_key = sha256(request.session.session_key.encode("ascii")).hexdigest()
+    AccessToken.objects.filter(user=user, session_id=hashed_session_key).delete()

authentik/providers/oauth2/tests/test_authorize.py

@@ -36,8 +36,21 @@ class TestAuthorize(OAuthTestCase):
 
     def test_invalid_grant_type(self):
         """Test with invalid grant type"""
+        OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_id="test",
+            authorization_flow=create_test_flow(),
+            redirect_uris="http://local.invalid/Foo",
+        )
         with self.assertRaises(AuthorizeError):
-            request = self.factory.get("/", data={"response_type": "invalid"})
+            request = self.factory.get(
+                "/",
+                data={
+                    "response_type": "invalid",
+                    "client_id": "test",
+                    "redirect_uri": "http://local.invalid/Foo",
+                },
+            )
             OAuthAuthorizationParams.from_request(request)
 
     def test_invalid_client_id(self):

authentik/providers/oauth2/utils.py

@@ -4,11 +4,9 @@ import re
 from base64 import b64decode
 from binascii import Error
 from typing import Any
-from urllib.parse import urlparse
 
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.http.response import HttpResponseRedirect
-from django.utils.cache import patch_vary_headers
 from structlog.stdlib import get_logger
 
 from authentik.core.middleware import CTX_AUTH_VIA, KEY_USER
@@ -30,49 +28,6 @@ class TokenResponse(JsonResponse):
         self["Pragma"] = "no-cache"
 
 
-def cors_allow(request: HttpRequest, response: HttpResponse, *allowed_origins: str):
-    """Add headers to permit CORS requests from allowed_origins, with or without credentials,
-    with any headers."""
-    origin = request.META.get("HTTP_ORIGIN")
-    if not origin:
-        return response
-
-    # OPTIONS requests don't have an authorization header -> hence
-    # we can't extract the provider this request is for
-    # so for options requests we allow the calling origin without checking
-    allowed = request.method == "OPTIONS"
-    received_origin = urlparse(origin)
-    for allowed_origin in allowed_origins:
-        url = urlparse(allowed_origin)
-        if (
-            received_origin.scheme == url.scheme
-            and received_origin.hostname == url.hostname
-            and received_origin.port == url.port
-        ):
-            allowed = True
-    if not allowed:
-        LOGGER.warning(
-            "CORS: Origin is not an allowed origin",
-            requested=received_origin,
-            allowed=allowed_origins,
-        )
-        return response
-
-    # From the CORS spec: The string "*" cannot be used for a resource that supports credentials.
-    response["Access-Control-Allow-Origin"] = origin
-    patch_vary_headers(response, ["Origin"])
-    response["Access-Control-Allow-Credentials"] = "true"
-
-    if request.method == "OPTIONS":
-        if "HTTP_ACCESS_CONTROL_REQUEST_HEADERS" in request.META:
-            response["Access-Control-Allow-Headers"] = request.META[
-                "HTTP_ACCESS_CONTROL_REQUEST_HEADERS"
-            ]
-        response["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS"
-
-    return response
-
-
 def extract_access_token(request: HttpRequest) -> str | None:
     """
     Get the access token using Authorization Request Header Field method.

authentik/providers/oauth2/views/authorize.py

@@ -119,44 +119,18 @@ class OAuthAuthorizationParams:
         redirect_uri = query_dict.get("redirect_uri", "")
 
         response_type = query_dict.get("response_type", "")
-        grant_type = None
-        # Determine which flow to use.
-        if response_type in [ResponseTypes.CODE]:
-            grant_type = GrantTypes.AUTHORIZATION_CODE
-        elif response_type in [
-            ResponseTypes.ID_TOKEN,
-            ResponseTypes.ID_TOKEN_TOKEN,
-        ]:
-            grant_type = GrantTypes.IMPLICIT
-        elif response_type in [
-            ResponseTypes.CODE_TOKEN,
-            ResponseTypes.CODE_ID_TOKEN,
-            ResponseTypes.CODE_ID_TOKEN_TOKEN,
-        ]:
-            grant_type = GrantTypes.HYBRID
-
-        # Grant type validation.
-        if not grant_type:
-            LOGGER.warning("Invalid response type", type=response_type)
-            raise AuthorizeError(redirect_uri, "unsupported_response_type", "", state)
 
         # Validate and check the response_mode against the predefined dict
         # Set to Query or Fragment if not defined in request
         response_mode = query_dict.get("response_mode", False)
 
-        if response_mode not in ResponseMode.values:
-            response_mode = ResponseMode.QUERY
-
-            if grant_type in [GrantTypes.IMPLICIT, GrantTypes.HYBRID]:
-                response_mode = ResponseMode.FRAGMENT
-
         max_age = query_dict.get("max_age")
         return OAuthAuthorizationParams(
             client_id=query_dict.get("client_id", ""),
             redirect_uri=redirect_uri,
             response_type=response_type,
             response_mode=response_mode,
-            grant_type=grant_type,
+            grant_type="",
             scope=set(query_dict.get("scope", "").split()),
             state=state,
             nonce=query_dict.get("nonce"),
@@ -176,6 +150,7 @@ class OAuthAuthorizationParams:
             LOGGER.warning("Invalid client identifier", client_id=self.client_id)
             raise ClientIdError(client_id=self.client_id)
         self.check_redirect_uri()
+        self.check_grant()
         self.check_scope(github_compat)
         self.check_nonce()
         self.check_code_challenge()
@@ -184,6 +159,34 @@ class OAuthAuthorizationParams:
                 self.redirect_uri, "request_not_supported", self.grant_type, self.state
             )
 
+    def check_grant(self):
+        """Check grant"""
+        # Determine which flow to use.
+        if self.response_type in [ResponseTypes.CODE]:
+            self.grant_type = GrantTypes.AUTHORIZATION_CODE
+        elif self.response_type in [
+            ResponseTypes.ID_TOKEN,
+            ResponseTypes.ID_TOKEN_TOKEN,
+        ]:
+            self.grant_type = GrantTypes.IMPLICIT
+        elif self.response_type in [
+            ResponseTypes.CODE_TOKEN,
+            ResponseTypes.CODE_ID_TOKEN,
+            ResponseTypes.CODE_ID_TOKEN_TOKEN,
+        ]:
+            self.grant_type = GrantTypes.HYBRID
+
+        # Grant type validation.
+        if not self.grant_type:
+            LOGGER.warning("Invalid response type", type=self.response_type)
+            raise AuthorizeError(self.redirect_uri, "unsupported_response_type", "", self.state)
+
+        if self.response_mode not in ResponseMode.values:
+            self.response_mode = ResponseMode.QUERY
+
+            if self.grant_type in [GrantTypes.IMPLICIT, GrantTypes.HYBRID]:
+                self.response_mode = ResponseMode.FRAGMENT
+
     def check_redirect_uri(self):
         """Redirect URI validation."""
         allowed_redirect_urls = self.provider.redirect_uris.split()
@@ -255,9 +258,9 @@ class OAuthAuthorizationParams:
         if SCOPE_OFFLINE_ACCESS in self.scope:
             # https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
             if PROMPT_CONSENT not in self.prompt:
-                raise AuthorizeError(
-                    self.redirect_uri, "consent_required", self.grant_type, self.state
-                )
+                # Instead of ignoring the `offline_access` scope when `prompt`
+                # isn't set to `consent`, we set override it ourselves
+                self.prompt.add(PROMPT_CONSENT)
             if self.response_type not in [
                 ResponseTypes.CODE,
                 ResponseTypes.CODE_TOKEN,

authentik/providers/oauth2/views/provider.py

@@ -8,6 +8,7 @@ from django.views import View
 from guardian.shortcuts import get_anonymous_user
 from structlog.stdlib import get_logger
 
+from authentik.brands.utils import cors_allow
 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.models import Application
 from authentik.providers.oauth2.constants import (
@@ -28,7 +29,6 @@ from authentik.providers.oauth2.models import (
     ResponseTypes,
     ScopeMapping,
 )
-from authentik.providers.oauth2.utils import cors_allow
 
 LOGGER = get_logger()
 

authentik/providers/oauth2/views/token.py

@@ -20,6 +20,7 @@ from jwt import PyJWK, PyJWT, PyJWTError, decode
 from sentry_sdk.hub import Hub
 from structlog.stdlib import get_logger
 
+from authentik.brands.utils import cors_allow
 from authentik.core.middleware import CTX_AUTH_VIA
 from authentik.core.models import (
     USER_ATTRIBUTE_EXPIRES,
@@ -59,7 +60,7 @@ from authentik.providers.oauth2.models import (
     OAuth2Provider,
     RefreshToken,
 )
-from authentik.providers.oauth2.utils import TokenResponse, cors_allow, extract_client_auth
+from authentik.providers.oauth2.utils import TokenResponse, extract_client_auth
 from authentik.providers.oauth2.views.authorize import FORBIDDEN_URI_SCHEMES
 from authentik.sources.oauth.models import OAuthSource
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS

authentik/providers/oauth2/views/userinfo.py

@@ -11,6 +11,7 @@ from django.views import View
 from django.views.decorators.csrf import csrf_exempt
 from structlog.stdlib import get_logger
 
+from authentik.brands.utils import cors_allow
 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import PermissionDict
@@ -28,7 +29,7 @@ from authentik.providers.oauth2.models import (
     RefreshToken,
     ScopeMapping,
 )
-from authentik.providers.oauth2.utils import TokenResponse, cors_allow, protected_resource_view
+from authentik.providers.oauth2.utils import TokenResponse, protected_resource_view
 
 LOGGER = get_logger()
 

authentik/providers/proxy/controllers/k8s/ingress.py

@@ -56,7 +56,10 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
             proxy_provider: ProxyProvider
             external_host_name = urlparse(proxy_provider.external_host)
             expected_hosts.append(external_host_name.hostname)
-            if external_host_name.scheme == "https":
+            if (
+                external_host_name.scheme == "https"
+                and self.controller.outpost.config.kubernetes_ingress_secret_name
+            ):
                 expected_hosts_tls.append(external_host_name.hostname)
         expected_hosts.sort()
         expected_hosts_tls.sort()
@@ -116,7 +119,10 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
         ):
             proxy_provider: ProxyProvider
             external_host_name = urlparse(proxy_provider.external_host)
-            if external_host_name.scheme == "https":
+            if (
+                external_host_name.scheme == "https"
+                and self.controller.outpost.config.kubernetes_ingress_secret_name
+            ):
                 tls_hosts.append(external_host_name.hostname)
             if proxy_provider.mode in [
                 ProxyMode.FORWARD_SINGLE,
@@ -160,13 +166,15 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
             rules.append(rule)
         tls_config = None
         if tls_hosts:
-            tls_config = V1IngressTLS(
-                hosts=tls_hosts,
-                secret_name=self.controller.outpost.config.kubernetes_ingress_secret_name,
-            )
+            tls_config = [
+                V1IngressTLS(
+                    hosts=tls_hosts,
+                    secret_name=self.controller.outpost.config.kubernetes_ingress_secret_name,
+                )
+            ]
         spec = V1IngressSpec(
             rules=rules,
-            tls=[tls_config],
+            tls=tls_config,
         )
         if self.controller.outpost.config.kubernetes_ingress_class_name:
             spec.ingress_class_name = self.controller.outpost.config.kubernetes_ingress_class_name

authentik/root/install_id.py

@@ -7,6 +7,8 @@ from psycopg import connect
 
 from authentik.lib.config import CONFIG
 
+QUERY = """SELECT id FROM public.authentik_install_id ORDER BY id LIMIT 1;"""
+
 
 @lru_cache
 def get_install_id() -> str:
@@ -18,7 +20,7 @@ def get_install_id() -> str:
     if settings.TEST:
         return str(uuid4())
     with connection.cursor() as cursor:
-        cursor.execute("SELECT id FROM public.authentik_install_id LIMIT 1;")
+        cursor.execute(QUERY)
         return cursor.fetchone()[0]
 
 
@@ -38,5 +40,5 @@ def get_install_id_raw():
         sslkey=CONFIG.get("postgresql.sslkey"),
     )
     cursor = conn.cursor()
-    cursor.execute("SELECT id FROM public.authentik_install_id LIMIT 1;")
+    cursor.execute(QUERY)
     return cursor.fetchone()[0]

authentik/root/settings.py

@@ -196,8 +196,10 @@ if CONFIG.get_bool("redis.tls", False):
     _redis_protocol_prefix = "rediss://"
     _redis_celery_tls_requirements = f"?ssl_cert_reqs={CONFIG.get('redis.tls_reqs')}"
 _redis_url = (
-    f"{_redis_protocol_prefix}:"
-    f"{quote_plus(CONFIG.get('redis.password'))}@{quote_plus(CONFIG.get('redis.host'))}:"
+    f"{_redis_protocol_prefix}"
+    f"{quote_plus(CONFIG.get('redis.username'))}:"
+    f"{quote_plus(CONFIG.get('redis.password'))}@"
+    f"{quote_plus(CONFIG.get('redis.host'))}:"
     f"{CONFIG.get_int('redis.port')}"
 )
 
@@ -239,7 +241,7 @@ MIDDLEWARE = [
     "django.middleware.common.CommonMiddleware",
     "authentik.root.middleware.CsrfViewMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
-    "django.middleware.clickjacking.XFrameOptionsMiddleware",
+    "authentik.brands.middleware.BrandHeaderMiddleware",
     "authentik.core.middleware.ImpersonateMiddleware",
     "django_prometheus.middleware.PrometheusAfterMiddleware",
 ]

authentik/sources/ldap/api.py

@@ -77,6 +77,7 @@ class LDAPSourceSerializer(SourceSerializer):
             "group_object_filter",
             "group_membership_field",
             "object_uniqueness_field",
+            "password_login_update_internal_password",
             "sync_users",
             "sync_users_password",
             "sync_groups",
@@ -118,6 +119,7 @@ class LDAPSourceViewSet(UsedByMixin, ModelViewSet):
         "group_object_filter",
         "group_membership_field",
         "object_uniqueness_field",
+        "password_login_update_internal_password",
         "sync_users",
         "sync_users_password",
         "sync_groups",

authentik/sources/ldap/auth.py

@@ -41,10 +41,11 @@ class LDAPBackend(InbuiltBackend):
         # or has a password, but couldn't be authenticated by ModelBackend.
         # This means we check with a bind to see if the LDAP password has changed
         if self.auth_user_by_bind(source, user, password):
-            # Password given successfully binds to LDAP, so we save it in our Database
-            LOGGER.debug("Updating user's password in DB", user=user)
-            user.set_password(password, signal=False)
-            user.save()
+            if source.password_login_update_internal_password:
+                # Password given successfully binds to LDAP, so we save it in our Database
+                LOGGER.debug("Updating user's password in DB", user=user)
+                user.set_password(password, signal=False)
+                user.save()
             return user
         # Password doesn't match
         LOGGER.debug("Failed to bind, password invalid")

authentik/sources/ldap/migrations/0004_ldapsource_password_login_update_internal_password.py

@@ -0,0 +1,29 @@
+# Generated by Django 5.0.1 on 2024-01-31 18:41
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_ldap", "0003_ldapsource_client_certificate_ldapsource_sni_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="ldapsource",
+            name="password_login_update_internal_password",
+            field=models.BooleanField(
+                default=True,
+                help_text="Update internal authentik password when login succeeds with LDAP",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="ldapsource",
+            name="password_login_update_internal_password",
+            field=models.BooleanField(
+                default=False,
+                help_text="Update internal authentik password when login succeeds with LDAP",
+            ),
+        ),
+    ]

authentik/sources/ldap/models.py

@@ -98,6 +98,11 @@ class LDAPSource(Source):
         help_text=_("Property mappings used for group creation/updating."),
     )
 
+    password_login_update_internal_password = models.BooleanField(
+        default=False,
+        help_text=_("Update internal authentik password when login succeeds with LDAP"),
+    )
+
     sync_users = models.BooleanField(default=True)
     sync_users_password = models.BooleanField(
         default=True,

authentik/sources/oauth/apps.py

@@ -12,6 +12,7 @@ AUTHENTIK_SOURCES_OAUTH_TYPES = [
     "authentik.sources.oauth.types.discord",
     "authentik.sources.oauth.types.facebook",
     "authentik.sources.oauth.types.github",
+    "authentik.sources.oauth.types.gitlab",
     "authentik.sources.oauth.types.google",
     "authentik.sources.oauth.types.mailcow",
     "authentik.sources.oauth.types.oidc",

authentik/sources/oauth/models.py

@@ -118,6 +118,15 @@ class GitHubOAuthSource(OAuthSource):
         verbose_name_plural = _("GitHub OAuth Sources")
 
 
+class GitLabOAuthSource(OAuthSource):
+    """Social Login using GitLab.com or a GitLab Instance."""
+
+    class Meta:
+        abstract = True
+        verbose_name = _("GitLab OAuth Source")
+        verbose_name_plural = _("GitLab OAuth Sources")
+
+
 class TwitchOAuthSource(OAuthSource):
     """Social Login using Twitch."""
 

authentik/sources/oauth/tests/test_type_gitlab.py

@@ -0,0 +1,30 @@
+"""GitLab Type tests"""
+
+from django.test import TestCase
+
+from authentik.sources.oauth.models import OAuthSource
+from authentik.sources.oauth.types.gitlab import GitLabOAuthCallback
+
+GITLAB_USER = {
+    "preferred_username": "dev_gitlab",
+    "email": "dev@gitlab.com",
+    "name": "Dev",
+}
+
+
+class TestTypeGitLab(TestCase):
+    """OAuth Source tests for GitLab"""
+
+    def setUp(self):
+        self.source = OAuthSource.objects.create(
+            name="gitlab_test",
+            slug="gitlab_test",
+            provider_type="gitlab",
+        )
+
+    def test_enroll_context(self):
+        """Test GitLab Enrollment context"""
+        ak_context = GitLabOAuthCallback().get_user_enroll_context(GITLAB_USER)
+        self.assertEqual(ak_context["username"], GITLAB_USER["preferred_username"])
+        self.assertEqual(ak_context["email"], GITLAB_USER["email"])
+        self.assertEqual(ak_context["name"], GITLAB_USER["name"])

authentik/sources/oauth/types/gitlab.py

@@ -0,0 +1,54 @@
+"""
+GitLab OAuth Views
+
+See https://docs.gitlab.com/ee/integration/oauth_provider.html
+and https://docs.gitlab.com/ee/integration/openid_connect_provider.html
+"""
+
+from typing import Any
+
+from authentik.sources.oauth.models import OAuthSource
+from authentik.sources.oauth.types.registry import SourceType, registry
+from authentik.sources.oauth.views.callback import OAuthCallback
+from authentik.sources.oauth.views.redirect import OAuthRedirect
+
+
+class GitLabOAuthRedirect(OAuthRedirect):
+    """GitLab OAuth2 Redirect"""
+
+    def get_additional_parameters(self, source: OAuthSource):
+        return {
+            "scope": ["read_user", "openid", "profile", "email"],
+        }
+
+
+class GitLabOAuthCallback(OAuthCallback):
+    """GitLab OAuth2 Callback"""
+
+    def get_user_enroll_context(
+        self,
+        info: dict[str, Any],
+    ) -> dict[str, Any]:
+        return {
+            "username": info.get("preferred_username"),
+            "email": info.get("email"),
+            "name": info.get("name"),
+        }
+
+
+@registry.register()
+class GitLabType(SourceType):
+    """GitLab Type definition"""
+
+    callback_view = GitLabOAuthCallback
+    redirect_view = GitLabOAuthRedirect
+    verbose_name = "GitLab"
+    name = "gitlab"
+
+    urls_customizable = True
+
+    authorization_url = "https://gitlab.com/oauth/authorize"
+    access_token_url = "https://gitlab.com/oauth/token"  # nosec
+    profile_url = "https://gitlab.com/oauth/userinfo"
+    oidc_well_known_url = "https://gitlab.com/.well-known/openid-configuration"
+    oidc_jwks_url = "https://gitlab.com/oauth/discovery/keys"

authentik/sources/oauth/types/registry.py

@@ -47,7 +47,7 @@ class SourceType:
     def login_challenge(self, source: OAuthSource, request: HttpRequest) -> Challenge:
         """Allow types to return custom challenges"""
         return RedirectChallenge(
-            instance={
+            data={
                 "type": ChallengeTypes.REDIRECT.value,
                 "to": reverse(
                     "authentik_sources_oauth:oauth-client-login",

authentik/sources/oauth/views/callback.py

@@ -54,7 +54,7 @@ class OAuthCallback(OAuthClientMixin, View):
                 raw_profile=exc.doc,
             ).from_http(self.request)
             return self.handle_login_failure("Could not retrieve profile.")
-        identifier = self.get_user_id(raw_info)
+        identifier = self.get_user_id(info=raw_info)
         if identifier is None:
             return self.handle_login_failure("Could not determine id.")
         # Get or create access record
@@ -67,6 +67,7 @@ class OAuthCallback(OAuthClientMixin, View):
         )
         sfm.policy_context = {"oauth_userinfo": raw_info}
         return sfm.get_flow(
+            raw_info=raw_info,
             access_token=self.token.get("access_token"),
         )
 
@@ -116,6 +117,7 @@ class OAuthSourceFlowManager(SourceFlowManager):
         self,
         connection: UserOAuthSourceConnection,
         access_token: str | None = None,
+        **_,
     ) -> UserOAuthSourceConnection:
         """Set the access_token on the connection"""
         connection.access_token = access_token

authentik/sources/saml/models.py

@@ -190,7 +190,7 @@ class SAMLSource(Source):
     def ui_login_button(self, request: HttpRequest) -> UILoginButton:
         return UILoginButton(
             challenge=RedirectChallenge(
-                instance={
+                data={
                     "type": ChallengeTypes.REDIRECT.value,
                     "to": reverse(
                         "authentik_sources_saml:login",

authentik/sources/saml/processors/response.py

@@ -234,12 +234,14 @@ class ResponseProcessor:
         if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
             return self._handle_name_id_transient()
 
-        return SAMLSourceFlowManager(
+        flow_manager = SAMLSourceFlowManager(
             self._source,
             self._http_request,
             name_id.text,
             delete_none_values(self.get_attributes()),
         )
+        flow_manager.policy_context["saml_response"] = self._root
+        return flow_manager
 
 
 class SAMLSourceFlowManager(SourceFlowManager):

authentik/stages/authenticator_validate/challenge.py

@@ -120,7 +120,9 @@ def validate_challenge_code(code: str, stage_view: StageView, user: User) -> Dev
             stage=stage_view.executor.current_stage,
             device_class=DeviceClasses.TOTP.value,
         )
-        raise ValidationError(_("Invalid Token"))
+        raise ValidationError(
+            _("Invalid Token. Please ensure the time on your device is accurate and try again.")
+        )
     return device
 
 

authentik/stages/authenticator_validate/stage.py

@@ -18,7 +18,6 @@ from authentik.flows.models import FlowDesignation, NotConfiguredAction, Stage
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.root.install_id import get_install_id
 from authentik.stages.authenticator import devices_for_user
 from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_sms.models import SMSDevice
@@ -34,6 +33,7 @@ from authentik.stages.authenticator_validate.challenge import (
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage, DeviceClasses
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
+from authentik.tenants.utils import get_unique_identifier
 
 COOKIE_NAME_MFA = "authentik_mfa"
 
@@ -331,7 +331,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
     def cookie_jwt_key(self) -> str:
         """Signing key for MFA Cookie for this stage"""
         return sha256(
-            f"{get_install_id()}:{self.executor.current_stage.pk.hex}".encode("ascii")
+            f"{get_unique_identifier()}:{self.executor.current_stage.pk.hex}".encode("ascii")
         ).hexdigest()
 
     def check_mfa_cookie(self, allowed_devices: list[Device]):

authentik/stages/authenticator_webauthn/stage.py

@@ -10,6 +10,7 @@ from webauthn import options_to_json
 from webauthn.helpers.bytes_to_base64url import bytes_to_base64url
 from webauthn.helpers.exceptions import InvalidRegistrationResponse
 from webauthn.helpers.structs import (
+    AuthenticatorAttachment,
     AuthenticatorSelectionCriteria,
     PublicKeyCredentialCreationOptions,
     ResidentKeyRequirement,
@@ -91,7 +92,7 @@ class AuthenticatorWebAuthnStageView(ChallengeStageView):
         # set, cast it to string to ensure it's not a django class
         authenticator_attachment = stage.authenticator_attachment
         if authenticator_attachment:
-            authenticator_attachment = str(authenticator_attachment)
+            authenticator_attachment = AuthenticatorAttachment(str(authenticator_attachment))
 
         registration_options: PublicKeyCredentialCreationOptions = generate_registration_options(
             rp_id=get_rp_id(self.request),

authentik/stages/dummy/stage.py

@@ -12,6 +12,7 @@ class DummyChallenge(Challenge):
     """Dummy challenge"""
 
     component = CharField(default="ak-stage-dummy")
+    name = CharField()
 
 
 class DummyChallengeResponse(ChallengeResponse):
@@ -35,5 +36,6 @@ class DummyStageView(ChallengeStageView):
             data={
                 "type": ChallengeTypes.NATIVE.value,
                 "title": self.executor.current_stage.name,
+                "name": self.executor.current_stage.name,
             }
         )

authentik/stages/email/management/commands/test_email.py

@@ -30,7 +30,7 @@ class Command(TenantCommand):
             delete_stage = True
         message = TemplateEmailMessage(
             subject="authentik Test-Email",
-            to=[options["to"]],
+            to=[("", options["to"])],
             template_name="email/setup.html",
             template_context={},
         )

authentik/stages/email/stage.py

@@ -111,13 +111,14 @@ class EmailStageView(ChallengeStageView):
         try:
             message = TemplateEmailMessage(
                 subject=_(current_stage.subject),
-                to=[f"{pending_user.name} <{email}>"],
+                to=[(pending_user.name, email)],
                 language=pending_user.locale(self.request),
                 template_name=current_stage.template,
                 template_context={
                     "url": self.get_full_url(**{QS_KEY_TOKEN: token.key}),
                     "user": pending_user,
                     "expires": token.expires,
+                    "token": token.key,
                 },
             )
             send_mails(current_stage, message)

authentik/stages/email/templates/email/account_confirmation.txt

@@ -1,4 +1,4 @@
-{% load i18n %}{% translate "Welcome!" %}
+{% load i18n %}{% autoescape off %}{% translate "Welcome!" %}
 
 {% translate "We're excited to have you get started. First, you need to confirm your account. Just open the link below." %}
 
@@ -6,3 +6,4 @@
 
 -- 
 Powered by goauthentik.io.
+{% endautoescape %}

authentik/stages/email/templates/email/event_notification.txt

@@ -1,4 +1,4 @@
-{% load authentik_stages_email %}{% load i18n %}{% translate "Dear authentik user," %}
+{% load authentik_stages_email %}{% load i18n %}{% autoescape off %}{% translate "Dear authentik user," %}
 
 {% translate "The following notification was created:" %}
 
@@ -16,3 +16,4 @@ This email was sent from the notification transport {{ name }}.
 
 -- 
 Powered by goauthentik.io.
+{% endautoescape %}

authentik/stages/email/templates/email/password_reset.txt

@@ -1,4 +1,4 @@
-{% load i18n %}{% load humanize %}{% blocktrans with username=user.username %}Hi {{ username }},{% endblocktrans %}
+{% load i18n %}{% load humanize %}{% autoescape off %}{% blocktrans with username=user.username %}Hi {{ username }},{% endblocktrans %}
 
 {% blocktrans %}
 You recently requested to change your password for your authentik account. Use the link below to set a new password.
@@ -10,3 +10,4 @@ If you did not request a password change, please ignore this Email. The link abo
 
 -- 
 Powered by goauthentik.io.
+{% endautoescape %}

authentik/stages/email/templates/email/setup.txt

@@ -1,7 +1,8 @@
-{% load i18n %}authentik Test-Email
+{% load i18n %}{% autoescape off %}authentik Test-Email
 {% blocktrans %}
 This is a test email to inform you, that you've successfully configured authentik emails.
 {% endblocktrans %}
 
 -- 
 Powered by goauthentik.io.
+{% endautoescape %}

authentik/stages/email/tests/test_sending.py

@@ -39,6 +39,7 @@ class TestEmailStageSending(FlowTestCase):
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
         session.save()
+        Event.objects.filter(action=EventAction.EMAIL_SENT).delete()
 
         url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
         with patch(

authentik/stages/email/tests/test_templates.py

@@ -9,6 +9,7 @@ from unittest.mock import PropertyMock, patch
 
 from django.conf import settings
 from django.core.mail.backends.locmem import EmailBackend
+from django.core.mail.message import sanitize_address
 from django.urls import reverse
 
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
@@ -19,6 +20,7 @@ from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.stages.email.models import EmailStage, get_template_choices
+from authentik.stages.email.utils import TemplateEmailMessage
 
 
 def get_templates_setting(temp_dir: str) -> dict[str, Any]:
@@ -89,3 +91,12 @@ class TestEmailStageTemplates(FlowTestCase):
                     event.context["message"], "Exception occurred while rendering E-mail template"
                 )
                 self.assertEqual(event.context["template"], "invalid.html")
+
+    def test_template_address(self):
+        """Test addresses are correctly parsed"""
+        message = TemplateEmailMessage(to=[("foo@bar.baz", "foo@bar.baz")])
+        [sanitize_address(addr, "utf-8") for addr in message.recipients()]
+        self.assertEqual(message.recipients(), ["foo@bar.baz"])
+        message = TemplateEmailMessage(to=[("some-name", "foo@bar.baz")])
+        [sanitize_address(addr, "utf-8") for addr in message.recipients()]
+        self.assertEqual(message.recipients(), ["some-name <foo@bar.baz>"])

authentik/stages/email/utils.py

@@ -25,8 +25,19 @@ def logo_data() -> MIMEImage:
 class TemplateEmailMessage(EmailMultiAlternatives):
     """Wrapper around EmailMultiAlternatives with integrated template rendering"""
 
-    def __init__(self, template_name=None, template_context=None, language="", **kwargs):
-        super().__init__(**kwargs)
+    def __init__(
+        self, to: list[tuple[str]], template_name=None, template_context=None, language="", **kwargs
+    ):
+        sanitized_to = []
+        # Ensure that all recipients are valid
+        for recipient_name, recipient_email in to:
+            if recipient_name == recipient_email:
+                sanitized_to.append(recipient_email)
+            else:
+                sanitized_to.append(f"{recipient_name} <{recipient_email}>")
+        super().__init__(to=sanitized_to, **kwargs)
+        if not template_name:
+            return
         with translation.override(language):
             html_content = render_to_string(template_name, template_context)
             try:

authentik/stages/identification/stage.py

@@ -10,7 +10,7 @@ from django.db.models import Q
 from django.http import HttpResponse
 from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema_field
-from rest_framework.fields import BooleanField, CharField, DictField, ListField
+from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
 from rest_framework.serializers import ValidationError
 from sentry_sdk.hub import Hub
 
@@ -66,6 +66,7 @@ class IdentificationChallenge(Challenge):
     user_fields = ListField(child=CharField(), allow_empty=True, allow_null=True)
     password_fields = BooleanField()
     application_pre = CharField(required=False)
+    flow_designation = ChoiceField(FlowDesignation.choices)
 
     enroll_url = CharField(required=False)
     recovery_url = CharField(required=False)
@@ -194,11 +195,12 @@ class IdentificationStageView(ChallengeStageView):
         challenge = IdentificationChallenge(
             data={
                 "type": ChallengeTypes.NATIVE.value,
-                "primary_action": self.get_primary_action(),
                 "component": "ak-stage-identification",
+                "primary_action": self.get_primary_action(),
                 "user_fields": current_stage.user_fields,
                 "password_fields": bool(current_stage.password_stage),
                 "show_source_labels": current_stage.show_source_labels,
+                "flow_designation": self.executor.flow.designation,
             }
         )
         # If the user has been redirected to us whilst trying to access an
@@ -237,7 +239,9 @@ class IdentificationStageView(ChallengeStageView):
             ui_login_button = source.ui_login_button(self.request)
             if ui_login_button:
                 button = asdict(ui_login_button)
-                button["challenge"] = ui_login_button.challenge.data
+                source_challenge = ui_login_button.challenge
+                source_challenge.is_valid()
+                button["challenge"] = source_challenge.data
                 ui_sources.append(button)
         challenge.initial_data["sources"] = ui_sources
         return challenge

authentik/stages/user_write/stage.py

@@ -12,6 +12,7 @@ from rest_framework.exceptions import ValidationError
 from authentik.core.middleware import SESSION_KEY_IMPERSONATE_USER
 from authentik.core.models import USER_ATTRIBUTE_SOURCES, User, UserSourceConnection, UserTypes
 from authentik.core.sources.stage import PLAN_CONTEXT_SOURCES_CONNECTION
+from authentik.events.utils import sanitize_item
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import StageView
 from authentik.flows.views.executor import FlowExecutorView
@@ -47,7 +48,7 @@ class UserWriteStageView(StageView):
         # this is just a sanity check to ensure that is removed
         if parts[0] == "attributes":
             parts = parts[1:]
-        set_path_in_dict(user.attributes, ".".join(parts), value)
+        set_path_in_dict(user.attributes, ".".join(parts), sanitize_item(value))
 
     def ensure_user(self) -> tuple[User | None, bool]:
         """Ensure a user exists"""

authentik/tenants/apps.py

@@ -16,7 +16,7 @@ def ensure_default_tenant(*args, using=DEFAULT_DB_ALIAS, **kwargs):
     with schema_context(get_public_schema_name()):
         Tenant.objects.using(using).update_or_create(
             defaults={"name": "Default", "ready": True},
-            schema_name="public",
+            schema_name=get_public_schema_name(),
         )
 
 

authentik/tenants/models.py

@@ -87,11 +87,6 @@ class Tenant(TenantMixin, SerializerModel):
             raise IntegrityError("Cannot create schema named template")
         super().save(*args, **kwargs)
 
-    def delete(self, *args, **kwargs):
-        if self.schema_name in ("public", "template"):
-            raise IntegrityError("Cannot delete schema public or template")
-        super().delete(*args, **kwargs)
-
     @property
     def serializer(self) -> Serializer:
         from authentik.tenants.api.tenants import TenantSerializer

authentik/tenants/signals.py

@@ -0,0 +1,14 @@
+"""authentik tenants signals"""
+
+from django.db import models
+from django.db.models.signals import pre_delete
+from django.dispatch import receiver
+from django_tenants.utils import get_public_schema_name
+
+from authentik.tenants.models import Tenant
+
+
+@receiver(pre_delete, sender=Tenant)
+def tenants_ensure_no_default_delete(sender, instance: Tenant, **kwargs):
+    if instance.schema_name == get_public_schema_name():
+        raise models.ProtectedError("Cannot delete schema public", instance)

authentik/tenants/utils.py

@@ -1,10 +1,26 @@
 """Tenant utils"""
 
 from django.db import connection
+from django_tenants.utils import get_public_schema_name
 
+from authentik.lib.config import CONFIG
+from authentik.root.install_id import get_install_id
 from authentik.tenants.models import Tenant
 
 
 def get_current_tenant() -> Tenant:
     """Get tenant for current request"""
     return Tenant.objects.get(schema_name=connection.schema_name)
+
+
+def get_unique_identifier() -> str:
+    """Get a globally unique identifier that does not change"""
+    install_id = get_install_id()
+    if CONFIG.get_bool("tenants.enabled"):
+        tenant = get_current_tenant()
+        # Only use tenant's uuid if this request is not from the "public"
+        # (i.e. default) tenant
+        if tenant.schema_name == get_public_schema_name():
+            return install_id
+        return str(get_current_tenant().tenant_uuid)
+    return install_id

blueprints/schema.json

@@ -2594,6 +2594,43 @@
                             }
                         }
                     },
+                    {
+                        "type": "object",
+                        "required": [
+                            "model",
+                            "identifiers"
+                        ],
+                        "properties": {
+                            "model": {
+                                "const": "authentik_stages_source.sourcestage"
+                            },
+                            "id": {
+                                "type": "string"
+                            },
+                            "state": {
+                                "type": "string",
+                                "enum": [
+                                    "absent",
+                                    "present",
+                                    "created",
+                                    "must_created"
+                                ],
+                                "default": "present"
+                            },
+                            "conditions": {
+                                "type": "array",
+                                "items": {
+                                    "type": "boolean"
+                                }
+                            },
+                            "attrs": {
+                                "$ref": "#/$defs/model_authentik_stages_source.sourcestage"
+                            },
+                            "identifiers": {
+                                "$ref": "#/$defs/model_authentik_stages_source.sourcestage"
+                            }
+                        }
+                    },
                     {
                         "type": "object",
                         "required": [
@@ -3257,6 +3294,7 @@
                         "authentik.enterprise",
                         "authentik.enterprise.audit",
                         "authentik.enterprise.providers.rac",
+                        "authentik.enterprise.stages.source",
                         "authentik.events"
                     ],
                     "title": "App",
@@ -3338,6 +3376,7 @@
                         "authentik_providers_rac.racprovider",
                         "authentik_providers_rac.endpoint",
                         "authentik_providers_rac.racpropertymapping",
+                        "authentik_stages_source.sourcestage",
                         "authentik_events.event",
                         "authentik_events.notificationtransport",
                         "authentik_events.notification",
@@ -4308,6 +4347,11 @@
                     "title": "Object uniqueness field",
                     "description": "Field which contains a unique Identifier."
                 },
+                "password_login_update_internal_password": {
+                    "type": "boolean",
+                    "title": "Password login update internal password",
+                    "description": "Update internal authentik password when login succeeds with LDAP"
+                },
                 "sync_users": {
                     "type": "boolean",
                     "title": "Sync users"
@@ -4444,6 +4488,7 @@
                         "discord",
                         "facebook",
                         "github",
+                        "gitlab",
                         "google",
                         "mailcow",
                         "okta",
@@ -7564,6 +7609,11 @@
                     "title": "Domain",
                     "description": "Domain that activates this brand. Can be a superset, i.e. `a.b` for `aa.b` and `ba.b`"
                 },
+                "origin": {
+                    "type": "string",
+                    "title": "Origin",
+                    "description": "Origin domain that activates this brand. Can be left empty to not allow any origins."
+                },
                 "default": {
                     "type": "boolean",
                     "title": "Default"
@@ -7607,6 +7657,11 @@
                     "type": "integer",
                     "title": "Flow device code"
                 },
+                "default_application": {
+                    "type": "integer",
+                    "title": "Default application",
+                    "description": "When set, external users will be redirected to this application after authenticating."
+                },
                 "web_certificate": {
                     "type": "integer",
                     "title": "Web certificate",
@@ -8017,6 +8072,109 @@
             },
             "required": []
         },
+        "model_authentik_stages_source.sourcestage": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Name"
+                },
+                "flow_set": {
+                    "type": "array",
+                    "items": {
+                        "type": "object",
+                        "properties": {
+                            "name": {
+                                "type": "string",
+                                "minLength": 1,
+                                "title": "Name"
+                            },
+                            "slug": {
+                                "type": "string",
+                                "maxLength": 50,
+                                "minLength": 1,
+                                "pattern": "^[-a-zA-Z0-9_]+$",
+                                "title": "Slug",
+                                "description": "Visible in the URL."
+                            },
+                            "title": {
+                                "type": "string",
+                                "minLength": 1,
+                                "title": "Title",
+                                "description": "Shown as the Title in Flow pages."
+                            },
+                            "designation": {
+                                "type": "string",
+                                "enum": [
+                                    "authentication",
+                                    "authorization",
+                                    "invalidation",
+                                    "enrollment",
+                                    "unenrollment",
+                                    "recovery",
+                                    "stage_configuration"
+                                ],
+                                "title": "Designation",
+                                "description": "Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik."
+                            },
+                            "policy_engine_mode": {
+                                "type": "string",
+                                "enum": [
+                                    "all",
+                                    "any"
+                                ],
+                                "title": "Policy engine mode"
+                            },
+                            "compatibility_mode": {
+                                "type": "boolean",
+                                "title": "Compatibility mode",
+                                "description": "Enable compatibility mode, increases compatibility with password managers on mobile devices."
+                            },
+                            "layout": {
+                                "type": "string",
+                                "enum": [
+                                    "stacked",
+                                    "content_left",
+                                    "content_right",
+                                    "sidebar_left",
+                                    "sidebar_right"
+                                ],
+                                "title": "Layout"
+                            },
+                            "denied_action": {
+                                "type": "string",
+                                "enum": [
+                                    "message_continue",
+                                    "message",
+                                    "continue"
+                                ],
+                                "title": "Denied action",
+                                "description": "Configure what should happen when a flow denies access to a user."
+                            }
+                        },
+                        "required": [
+                            "name",
+                            "slug",
+                            "title",
+                            "designation"
+                        ]
+                    },
+                    "title": "Flow set"
+                },
+                "source": {
+                    "type": "integer",
+                    "title": "Source"
+                },
+                "resume_timeout": {
+                    "type": "string",
+                    "minLength": 1,
+                    "title": "Resume timeout",
+                    "description": "Amount of time a user can take to return from the source to continue the flow (Format: hours=-1;minutes=-2;seconds=-3)"
+                }
+            },
+            "required": []
+        },
         "model_authentik_events.event": {
             "type": "object",
             "properties": {

docker-compose.yml

@@ -32,7 +32,7 @@ services:
     volumes:
       - redis:/data
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
     restart: unless-stopped
     command: server
     environment:
@@ -53,7 +53,7 @@ services:
       - postgresql
       - redis
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -1,6 +1,8 @@
 module goauthentik.io
 
-go 1.21
+go 1.22
+
+toolchain go1.22.0
 
 require (
 	beryju.io/ldap v0.1.0
@@ -8,8 +10,8 @@ require (
 	github.com/getsentry/sentry-go v0.27.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.6
-	github.com/go-openapi/runtime v0.27.1
-	github.com/go-openapi/strfmt v0.22.0
+	github.com/go-openapi/runtime v0.28.0
+	github.com/go-openapi/strfmt v0.23.0
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
@@ -21,16 +23,16 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.7.0
-	github.com/prometheus/client_golang v1.18.0
+	github.com/prometheus/client_golang v1.19.0
 	github.com/redis/go-redis/v9 v9.5.1
-	github.com/sethvargo/go-envconfig v1.0.0
+	github.com/sethvargo/go-envconfig v1.0.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.0
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.9.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024021.2
+	goauthentik.io/api/v3 v3.2024022.5
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.17.0
+	golang.org/x/oauth2 v0.18.0
 	golang.org/x/sync v0.6.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
@@ -47,39 +49,38 @@ require (
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/analysis v0.21.5 // indirect
-	github.com/go-openapi/errors v0.21.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.1 // indirect
-	github.com/go-openapi/jsonreference v0.20.3 // indirect
-	github.com/go-openapi/loads v0.21.3 // indirect
-	github.com/go-openapi/spec v0.20.12 // indirect
-	github.com/go-openapi/swag v0.22.5 // indirect
-	github.com/go-openapi/validate v0.22.4 // indirect
+	github.com/go-openapi/analysis v0.23.0 // indirect
+	github.com/go-openapi/errors v0.22.0 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/loads v0.22.0 // indirect
+	github.com/go-openapi/spec v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.45.0 // indirect
+	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	go.mongodb.org/mongo-driver v1.13.1 // indirect
-	go.opentelemetry.io/otel v1.17.0 // indirect
-	go.opentelemetry.io/otel/metric v1.17.0 // indirect
-	go.opentelemetry.io/otel/trace v1.17.0 // indirect
-	golang.org/x/crypto v0.19.0 // indirect
-	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/sys v0.17.0 // indirect
+	go.mongodb.org/mongo-driver v1.14.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -87,30 +87,30 @@ github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a/go.mod h1:I7
 github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
 github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
-github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-openapi/analysis v0.21.5 h1:3tHfEBh6Ia8eKc4M7khOGjPOAlWKJ10d877Cr9teujI=
-github.com/go-openapi/analysis v0.21.5/go.mod h1:25YcZosX9Lwz2wBsrFrrsL8bmjjXdlyP6zsr2AMy29M=
-github.com/go-openapi/errors v0.21.0 h1:FhChC/duCnfoLj1gZ0BgaBmzhJC2SL/sJr8a2vAobSY=
-github.com/go-openapi/errors v0.21.0/go.mod h1:jxNTMUxRCKj65yb/okJGEtahVd7uvWnuWfj53bse4ho=
-github.com/go-openapi/jsonpointer v0.20.1 h1:MkK4VEIEZMj4wT9PmjaUmGflVBr9nvud4Q4UVFbDoBE=
-github.com/go-openapi/jsonpointer v0.20.1/go.mod h1:bHen+N0u1KEO3YlmqOjTT9Adn1RfD91Ar825/PuiRVs=
-github.com/go-openapi/jsonreference v0.20.3 h1:EjGcjTW8pD1mRis6+w/gmoBdqv5+RbE9B85D1NgDOVQ=
-github.com/go-openapi/jsonreference v0.20.3/go.mod h1:FviDZ46i9ivh810gqzFLl5NttD5q3tSlMLqLr6okedM=
-github.com/go-openapi/loads v0.21.3 h1:8sSH2FIm/SnbDUGv572md4YqVMFne/a9Eubvcd3anew=
-github.com/go-openapi/loads v0.21.3/go.mod h1:Y3aMR24iHbKHppOj91nQ/SHc0cuPbAr4ndY4a02xydc=
-github.com/go-openapi/runtime v0.27.1 h1:ae53yaOoh+fx/X5Eaq8cRmavHgDma65XPZuvBqvJYto=
-github.com/go-openapi/runtime v0.27.1/go.mod h1:fijeJEiEclyS8BRurYE1DE5TLb9/KZl6eAdbzjsrlLU=
-github.com/go-openapi/spec v0.20.12 h1:cgSLbrsmziAP2iais+Vz7kSazwZ8rsUZd6TUzdDgkVI=
-github.com/go-openapi/spec v0.20.12/go.mod h1:iSCgnBcwbMW9SfzJb8iYynXvcY6C/QFrI7otzF7xGM4=
-github.com/go-openapi/strfmt v0.22.0 h1:Ew9PnEYc246TwrEspvBdDHS4BVKXy/AOVsfqGDgAcaI=
-github.com/go-openapi/strfmt v0.22.0/go.mod h1:HzJ9kokGIju3/K6ap8jL+OlGAbjpSv27135Yr9OivU4=
-github.com/go-openapi/swag v0.22.5 h1:fVS63IE3M0lsuWRzuom3RLwUMVI2peDH01s6M70ugys=
-github.com/go-openapi/swag v0.22.5/go.mod h1:Gl91UqO+btAM0plGGxHqJcQZ1ZTy6jbmridBTsDy8A0=
-github.com/go-openapi/validate v0.22.4 h1:5v3jmMyIPKTR8Lv9syBAIRxG6lY0RqeBPB1LKEijzk8=
-github.com/go-openapi/validate v0.22.4/go.mod h1:qm6O8ZIcPVdSY5219468Jv7kBdGvkiZLPOmqnqTUZ2A=
+github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU=
+github.com/go-openapi/analysis v0.23.0/go.mod h1:9mz9ZWaSlV8TvjQHLl2mUW2PbZtemkE8yA5v22ohupo=
+github.com/go-openapi/errors v0.22.0 h1:c4xY/OLxUBSTiepAg3j/MHuAv5mJhnf53LLMWFB+u/w=
+github.com/go-openapi/errors v0.22.0/go.mod h1:J3DmZScxCDufmIMsdOuDHxJbdOGC0xtUynjIx092vXE=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
+github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
+github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
+github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco=
+github.com/go-openapi/loads v0.22.0/go.mod h1:yLsaTCS92mnSAZX5WWoxszLj0u+Ojl+Zs5Stn1oF+rs=
+github.com/go-openapi/runtime v0.28.0 h1:gpPPmWSNGo214l6n8hzdXYhPuJcGtziTOgUpvsFWGIQ=
+github.com/go-openapi/runtime v0.28.0/go.mod h1:QN7OzcS+XuYmkQLw05akXk0jRH/eZ3kb18+1KwW9gyc=
+github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY=
+github.com/go-openapi/spec v0.21.0/go.mod h1:78u6VdPw81XU44qEWGhtr982gJ5BWg2c0I5XwVMotYk=
+github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c=
+github.com/go-openapi/strfmt v0.23.0/go.mod h1:NrtIpfKtWIygRkKVsxh7XQMDQW5HKQl6S5ik2elW+K4=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
+github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
+github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -140,7 +140,6 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -150,7 +149,6 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -195,7 +193,6 @@ github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFF
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -206,11 +203,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
-github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc=
 github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484 h1:D9EvfGQvlkKaDr2CRKN++7HbSXbefUNDrPq60T+g24s=
 github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484/go.mod h1:O1EljZ+oHprtxDDPHiMWVo/5dBT6PlvWX5PSwj80aBA=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
@@ -227,13 +221,13 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac h1:jWKYCNlX4J5s8M0nHYkh7Y7c9gRVDEb3mq51j5J0F5M=
 github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac/go.mod h1:hoLfEwdY11HjRfKFH6KqnPsfxlo3BP6bJehpDv8t6sQ=
-github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
-github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
+github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
+github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
 github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
-github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
-github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
+github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
+github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/redis/go-redis/v9 v9.5.1 h1:H1X4D3yHPaYrkL5X06Wh6xNVM/pX0Ft4RV0vMGvLBh8=
@@ -242,8 +236,8 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sethvargo/go-envconfig v1.0.0 h1:1C66wzy4QrROf5ew4KdVw942CQDa55qmlYmw9FZxZdU=
-github.com/sethvargo/go-envconfig v1.0.0/go.mod h1:Lzc75ghUn5ucmcRGIdGQ33DKJrcjk4kihFYgSTBmjIc=
+github.com/sethvargo/go-envconfig v1.0.1 h1:9wglip/5fUfaH0lQecLM8AyOClMw0gT0A9K2c2wozao=
+github.com/sethvargo/go-envconfig v1.0.1/go.mod h1:OKZ02xFaD3MvWBBmEW45fQr08sJEsonGrrOdicvQmQA=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@@ -261,37 +255,33 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/wwt/guac v1.3.2 h1:sH6OFGa/1tBs7ieWBVlZe7t6F5JAOWBry/tqQL/Vup4=
 github.com/wwt/guac v1.3.2/go.mod h1:eKm+NrnK7A88l4UBEcYNpZQGMpZRryYKoz4D/0/n1C0=
-github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
-github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4=
-github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
-github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.mongodb.org/mongo-driver v1.13.1 h1:YIc7HTYsKndGK4RFzJ3covLz1byri52x0IoMB0Pt/vk=
-go.mongodb.org/mongo-driver v1.13.1/go.mod h1:wcDf1JBCXy2mOW0bWHwO/IOYqdca1MPCwDtFu/Z9+eo=
+go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
+go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opentelemetry.io/otel v1.17.0 h1:MW+phZ6WZ5/uk2nd93ANk/6yJ+dVrvNWUjGhnnFU5jM=
-go.opentelemetry.io/otel v1.17.0/go.mod h1:I2vmBGtFaODIVMBSTPVDlJSzBDNf93k60E6Ft0nyjo0=
-go.opentelemetry.io/otel/metric v1.17.0 h1:iG6LGVz5Gh+IuO0jmgvpTB6YVrCGngi8QGm+pMd8Pdc=
-go.opentelemetry.io/otel/metric v1.17.0/go.mod h1:h4skoxdZI17AxwITdmdZjjYJQH5nzijUUjm+wtPph5o=
-go.opentelemetry.io/otel/sdk v1.17.0 h1:FLN2X66Ke/k5Sg3V623Q7h7nt3cHXaW1FOvKKrW0IpE=
-go.opentelemetry.io/otel/sdk v1.17.0/go.mod h1:U87sE0f5vQB7hwUoW98pW5Rz4ZDuCFBZFNUBlSgmDFQ=
-go.opentelemetry.io/otel/trace v1.17.0 h1:/SWhSRHmDPOImIAetP1QAeMnZYiQXrTy4fMMYOdSKWQ=
-go.opentelemetry.io/otel/trace v1.17.0/go.mod h1:I/4vKTgFclIsXRVucpH25X0mpFSczM7aHeaz0ZBLWjY=
+go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=
+go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo=
+go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=
+go.opentelemetry.io/otel/metric v1.24.0/go.mod h1:VYhLe1rFfxuTXLgj4CBiyz+9WYBA8pNGJgDcSFRKBco=
+go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
+go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
+go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=
+go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
-goauthentik.io/api/v3 v3.2024021.2 h1:yky58o0BDSg5ko/CbYww4EtdHDzwygOxHwl+shtE9dw=
-goauthentik.io/api/v3 v3.2024021.2/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2024022.5 h1:z1ZaVY/UpwpHAghf/PyYRSOQT7U9g8E2N23YlRB5BJQ=
+goauthentik.io/api/v3 v3.2024022.5/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -299,10 +289,9 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -364,20 +353,19 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
+golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
-golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=
+golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
+golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -417,7 +405,6 @@ golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -425,8 +412,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -437,9 +424,7 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
@@ -571,8 +556,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=

internal/config/struct.go

@@ -50,12 +50,12 @@ type StorageConfig struct {
 }
 
 type StorageMediaConfig struct {
-	Backend string            `yaml:"backend" env:"AUTHENTIK_STORAGE_MEDIA_BACKEND"`
+	Backend string            `yaml:"backend" env:"AUTHENTIK_STORAGE__MEDIA__BACKEND"`
 	File    StorageFileConfig `yaml:"file"`
 }
 
 type StorageFileConfig struct {
-	Path string `yaml:"path" env:"AUTHENTIK_STORAGE_MEDIA_FILE_PATH"`
+	Path string `yaml:"path" env:"AUTHENTIK_STORAGE__MEDIA__FILE__PATH"`
 }
 
 type ErrorReportingConfig struct {

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2024.2.1"
+const VERSION = "2024.2.2"

internal/outpost/flow/solvers_mfa.go

@@ -10,12 +10,17 @@ const CodePasswordSeparator = ";"
 
 var alphaNum = regexp.MustCompile(`^[a-zA-Z0-9]*$`)
 
-// CheckPasswordInlineMFA For protocols that only support username/password, check if the password
-// contains the TOTP code
-func (fe *FlowExecutor) CheckPasswordInlineMFA() {
-	password := fe.Answers[StagePassword]
-	// We already have an authenticator answer
-	if fe.Answers[StageAuthenticatorValidate] != "" {
+// Sets the secret answers for the flow executor for protocols that only support username/password
+// according to used options
+func (fe *FlowExecutor) SetSecrets(password string, mfaCodeBased bool) {
+	if fe.Answers[StageAuthenticatorValidate] != "" || fe.Answers[StagePassword] != "" {
+		return
+	}
+	fe.Answers[StagePassword] = password
+	if !mfaCodeBased {
+		// If code-based MFA is disabled StageAuthenticatorValidate answer is set to password.
+		// This allows flows with a mfa stage only.
+		fe.Answers[StageAuthenticatorValidate] = password
 		return
 	}
 	// password doesn't contain the separator