new release: 0.11.0-stable

outposts: disable Kubernetes selection for now
docs: fix usage of user's groups
2020-10-11 19:57:03 +02:00 · 2020-10-11 19:40:22 +02:00 · 2020-10-11 19:29:22 +02:00 · 2020-10-11 19:29:13 +02:00 · 2020-10-11 19:26:20 +02:00 · 2020-10-09 11:33:02 +02:00
268 changed files with 5103 additions and 1620 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.10.7-stable
+current_version = 0.11.0-stable
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -18,11 +18,11 @@ jobs:
      - name: Building Docker Image
        run: docker build
          --no-cache
-          -t beryju/passbook:0.10.7-stable
+          -t beryju/passbook:0.11.0-stable
          -t beryju/passbook:latest
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook:0.10.7-stable
+        run: docker push beryju/passbook:0.11.0-stable
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/passbook:latest
  build-proxy:
@ -48,11 +48,11 @@ jobs:
          cd proxy
          docker build \
          --no-cache \
-          -t beryju/passbook-proxy:0.10.7-stable \
+          -t beryju/passbook-proxy:0.11.0-stable \
          -t beryju/passbook-proxy:latest \
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-proxy:0.10.7-stable
+        run: docker push beryju/passbook-proxy:0.11.0-stable
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/passbook-proxy:latest
  build-static:
@ -77,11 +77,11 @@ jobs:
        run: docker build
          --no-cache
          --network=$(docker network ls | grep github | awk '{print $1}')
-          -t beryju/passbook-static:0.10.7-stable
+          -t beryju/passbook-static:0.11.0-stable
          -t beryju/passbook-static:latest
          -f static.Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/passbook-static:0.10.7-stable
+        run: docker push beryju/passbook-static:0.11.0-stable
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/passbook-static:latest
  test-release:
@ -114,5 +114,5 @@ jobs:
          SENTRY_PROJECT: passbook
          SENTRY_URL: https://sentry.beryju.org
        with:
-          tagName: 0.10.7-stable
+          tagName: 0.11.0-stable
          environment: beryjuorg-prod
--- a/10
+++ b/10
@ -16,11 +16,15 @@ COPY --from=locker /app/requirements.txt /
 COPY --from=locker /app/requirements-dev.txt /

 RUN apt-get update && \
-    apt-get install -y --no-install-recommends postgresql-client-11 build-essential && \
-    rm -rf /var/lib/apt/ && \
+    apt-get install -y --no-install-recommends curl ca-certificates gnupg && \
+    curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
+    echo "deb http://apt.postgresql.org/pub/repos/apt buster-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
+    apt-get update && \
+    apt-get install -y --no-install-recommends postgresql-client-12 postgresql-client-11 build-essential && \
+    apt-get clean && \
    pip install -r /requirements.txt --no-cache-dir && \
    apt-get remove --purge -y build-essential && \
-    apt-get autoremove --purge && \
+    apt-get autoremove --purge -y && \
    adduser --system --no-create-home --uid 1000 --group --home /passbook passbook

 COPY ./passbook/ /passbook
--- a/2
+++ b/2
@ -11,7 +11,7 @@ lint-fix:
 	black passbook e2e lifecycle

 lint:
-	pyright pyright e2e lifecycle
+	pyright passbook e2e lifecycle
 	bandit -r passbook e2e lifecycle
 	pylint passbook e2e lifecycle
 	prospector
--- a/8
+++ b/8
@ -17,7 +17,7 @@ django-otp = "*"
 django-prometheus = "*"
 django-recaptcha = "*"
 django-redis = "*"
-django-rest-framework = "*"
+djangorestframework = "==3.11.1"
 django-storages = "*"
 djangorestframework-guardian = "*"
 drf-yasg = "*"
@ -28,7 +28,7 @@ packaging = "*"
 psycopg2-binary = "*"
 pycryptodome = "*"
 pyjwkest = "*"
-uvicorn = "*"
+uvicorn = {extras = ["standard"],version = "*"}
 gunicorn = "*"
 pyyaml = "*"
 qrcode = "*"
@ -43,6 +43,7 @@ dacite = "*"
 channels = "*"
 channels-redis = "*"
 kubernetes = "*"
+docker = "*"

 [requires]
 python_version = "3.8"
@ -50,12 +51,11 @@ python_version = "3.8"
 [dev-packages]
 autopep8 = "*"
 bandit = "*"
-black = "==19.10b0"
+black = "==20.8b1"
 bumpversion = "*"
 colorama = "*"
 coverage = "*"
 django-debug-toolbar = "*"
-docker = "*"
 pylint = "*"
 pylint-django = "*"
 selenium = "*"
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -1,7 +1,7 @@
 {
    "_meta": {
        "hash": {
-            "sha256": "80570636236962f4b934a884817292de9f7bb48520aa964afc2959b0f795fb57"
+            "sha256": "77737b63b2469755fd2a3d06b23054ae42b07b3f24cf887472f05fb8ab165cc6"
        },
        "pipfile-spec": 6,
        "requires": {
@ -74,18 +74,18 @@
        },
        "boto3": {
            "hashes": [
-                "sha256:0c464a7de522f88b581ca0d41ffa71e9be5e17fbb0456c275421f65b7c5f6a55",
-                "sha256:0fce548e19d6db8e11fd0e2ae7809e1e3282080636b4062b2452bfa20e4f0233"
+                "sha256:1627f97e050be59cfef839481acc73eba4b29e475a067f374a493e6b7f25601e",
+                "sha256:8aafa1ec72451cf70fe6d8c7e86b1a83d2e195d4dda95e5bf21e40132a38c309"
            ],
            "index": "pypi",
-            "version": "==1.15.5"
+            "version": "==1.15.15"
        },
        "botocore": {
            "hashes": [
-                "sha256:7ce7a05b98ffb3170396960273383e8aade9be6026d5a762f5f40969d5d6b761",
-                "sha256:e3bf44fba058f6df16006b94a67650418a080a525c82521abb3cb516a4cba362"
+                "sha256:3b9179edbba61c96f5d1eaa4328c9cda686bd461e102c5878c4880479c24e268",
+                "sha256:f59437ff69d260faa876a2bb7d76debcbbb3b1a497e9ff49550a1a5501679720"
            ],
-            "version": "==1.18.5"
+            "version": "==1.18.15"
        },
        "cachetools": {
            "hashes": [
@ -263,11 +263,11 @@
        },
        "django": {
            "hashes": [
-                "sha256:59c8125ca873ed3bdae9c12b146fbbd6ed8d0f743e4cf5f5817af50c51f1fc2f",
-                "sha256:b5fbb818e751f660fa2d576d9f40c34a4c615c8b48dd383f5216e609f383371f"
+                "sha256:a2127ad0150ec6966655bedf15dbbff9697cc86d61653db2da1afa506c0b04cc",
+                "sha256:c93c28ccf1d094cbd00d860e83128a39e45d2c571d3b54361713aaaf9a94cac4"
            ],
            "index": "pypi",
-            "version": "==3.1.1"
+            "version": "==3.1.2"
        },
        "django-cors-middleware": {
            "hashes": [
@ -286,11 +286,11 @@
        },
        "django-filter": {
            "hashes": [
-                "sha256:11e63dd759835d9ba7a763926ffb2662cf8a6dcb4c7971a95064de34dbc7e5af",
-                "sha256:616848eab6fc50193a1b3730140c49b60c57a3eda1f7fc57fa8505ac156c6c75"
+                "sha256:84e9d5bb93f237e451db814ed422a3a625751cbc9968b484ecc74964a8696b06",
+                "sha256:e00d32cebdb3d54273c48f4f878f898dced8d5dfaad009438fe61ebdf535ace1"
            ],
            "index": "pypi",
-            "version": "==2.3.0"
+            "version": "==2.4.0"
        },
        "django-guardian": {
            "hashes": [
@ -310,11 +310,11 @@
        },
        "django-otp": {
            "hashes": [
-                "sha256:0c9edbb3f4abc9ac6e43daf0a9e0e293e99ad917641cf8d7dbc49d613bcb5cd4",
-                "sha256:ace831f3a0f2c2267e4f7219c78deeb3b41c2dc8ae44b03daebb4fb85dabeb43"
+                "sha256:2fb1c8dbd7e7ae76a65b63d89d3d8c3e1105a48bc29830b81c6e417a89380658",
+                "sha256:fef1f2de9a52bc37e16211b98b4323e5b34fa24739116fbe3d1ff018c17ebea8"
            ],
            "index": "pypi",
-            "version": "==1.0.0"
+            "version": "==1.0.1"
        },
        "django-prometheus": {
            "hashes": [
@ -339,13 +339,6 @@
            "index": "pypi",
            "version": "==4.12.1"
        },
-        "django-rest-framework": {
-            "hashes": [
-                "sha256:47a8f496fa69e3b6bd79f68dd7a1527d907d6b77f009e9db7cf9bb21cc565e4a"
-            ],
-            "index": "pypi",
-            "version": "==0.1.0"
-        },
        "django-storages": {
            "hashes": [
                "sha256:12de8fb2605b9b57bfaf54b075280d7cbb3b3ee1ca4bc9b9add147af87fe3a2c",
@ -359,6 +352,7 @@
                "sha256:6dd02d5a4bd2516fb93f80360673bf540c3b6641fec8766b1da2870a5aa00b32",
                "sha256:8b1ac62c581dbc5799b03e535854b92fc4053ecfe74bad3f9c05782063d4196b"
            ],
+            "index": "pypi",
            "version": "==3.11.1"
        },
        "djangorestframework-guardian": {
@ -369,6 +363,14 @@
            "index": "pypi",
            "version": "==0.3.0"
        },
+        "docker": {
+            "hashes": [
+                "sha256:13966471e8bc23b36bfb3a6fb4ab75043a5ef1dac86516274777576bed3b9828",
+                "sha256:bad94b8dd001a8a4af19ce4becc17f41b09f228173ffe6a4e0355389eef142f2"
+            ],
+            "index": "pypi",
+            "version": "==4.3.1"
+        },
        "drf-yasg": {
            "hashes": [
                "sha256:5572e9d5baab9f6b49318169df9789f7399d0e3c7bdac8fdb8dfccf1d5d2b1ca",
@ -400,10 +402,10 @@
        },
        "google-auth": {
            "hashes": [
-                "sha256:31941bf019fb242c04d0de32845da10180788bfddb0de87d78c4bdf55555dda1",
-                "sha256:873051a6317294b083795cffc467bcd05b6df483ef542bfe0069ddbfbac0a096"
+                "sha256:712dd7d140a9a1ea218e5688c7fcb04af71b431a29ec9ce433e384c60e387b98",
+                "sha256:9c0f71789438d703f77b94aad4ea545afaec9a65f10e6cc1bc8b89ce242244bb"
            ],
-            "version": "==1.21.3"
+            "version": "==1.22.1"
        },
        "gunicorn": {
            "hashes": [
@ -415,10 +417,10 @@
        },
        "h11": {
            "hashes": [
-                "sha256:33d4bca7be0fa039f4e84d50ab00531047e53d6ee8ffbc83501ea602c169cae1",
-                "sha256:4bc6d6a1238b7615b266ada57e0618568066f57dd6fa967d1290ec9309b2f2f1"
+                "sha256:3c6c61d69c6f13d41f1b80ab0322f1872702a3ba26e12aa864c928f6a43fbaab",
+                "sha256:ab6c335e1b6ef34b205d5ca3e228c9299cc7218b049819ec84a388c2525e5d87"
            ],
-            "version": "==0.9.0"
+            "version": "==0.11.0"
        },
        "hiredis": {
            "hashes": [
@ -486,7 +488,6 @@
                "sha256:fa3cd71e31436911a44620473e873a256851e1f53dee56669dae403ba41756a4",
                "sha256:fea04e126014169384dee76a153d4573d90d0cbd1d12185da089f73c78390437"
            ],
-            "markers": "sys_platform != 'win32' and sys_platform != 'cygwin' and platform_python_implementation != 'PyPy'",
            "version": "==0.1.1"
        },
        "hyperlink": {
@ -876,6 +877,13 @@
            ],
            "version": "==2.8.1"
        },
+        "python-dotenv": {
+            "hashes": [
+                "sha256:8c10c99a1b25d9a68058a1ad6f90381a62ba68230ca93966882a4dbc3bc9c33d",
+                "sha256:c10863aee750ad720f4f43436565e4c1698798d763b63234fb5021b6c616e423"
+            ],
+            "version": "==0.14.0"
+        },
        "pytz": {
            "hashes": [
                "sha256:a494d53b6d39c3c6e44c3bec237336e14305e4f29bbf800b599253057fbb79ed",
@ -982,11 +990,11 @@
        },
        "sentry-sdk": {
            "hashes": [
-                "sha256:c9c0fa1412bad87104c4eee8dd36c7bbf60b0d92ae917ab519094779b22e6d9a",
-                "sha256:e159f7c919d19ae86e5a4ff370fccc45149fab461fbeb93fb5a735a0b33a9cb1"
+                "sha256:1d91a0059d2d8bb980bec169578035c2f2d4b93cd8a4fb5b85c81904d33e221a",
+                "sha256:6222cf623e404c3e62b8e0e81c6db866ac2d12a663b7c1f7963350e3f397522a"
            ],
            "index": "pypi",
-            "version": "==0.17.8"
+            "version": "==0.18.0"
        },
        "service-identity": {
            "hashes": [
@ -1013,10 +1021,10 @@
        },
        "sqlparse": {
            "hashes": [
-                "sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e",
-                "sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548"
+                "sha256:017cde379adbd6a1f15a61873f43e8274179378e95ef3fede90b5aa64d304ed0",
+                "sha256:0f91fd2e829c44362cbcfab3e9ae12e22badaa8a29ad5ff599f9ec109f0454e8"
            ],
-            "version": "==0.3.1"
+            "version": "==0.4.1"
        },
        "structlog": {
            "hashes": [
@ -1092,12 +1100,15 @@
            "version": "==1.25.10"
        },
        "uvicorn": {
+            "extras": [
+                "standard"
+            ],
            "hashes": [
-                "sha256:46a83e371f37ea7ff29577d00015f02c942410288fb57def6440f2653fff1d26",
-                "sha256:4b70ddb4c1946e39db9f3082d53e323dfd50634b95fd83625d778729ef1730ef"
+                "sha256:a461e76406088f448f36323f5ac774d50e5a552b6ccb54e4fca8d83ef614a7c2",
+                "sha256:d06a25caa8dc680ad92eb3ec67363f5281c092059613a1cc0100acba37fc0f45"
            ],
            "index": "pypi",
-            "version": "==0.11.8"
+            "version": "==0.12.1"
        },
        "uvloop": {
            "hashes": [
@ -1111,7 +1122,6 @@
                "sha256:e7514d7a48c063226b7d06617cbb12a14278d4323a065a8d46a7962686ce2e95",
                "sha256:f07909cd9fc08c52d294b1570bba92186181ca01fe3dc9ffba68955273dd7362"
            ],
-            "markers": "sys_platform != 'win32' and sys_platform != 'cygwin' and platform_python_implementation != 'PyPy'",
            "version": "==0.14.0"
        },
        "vine": {
@ -1121,6 +1131,13 @@
            ],
            "version": "==5.0.0"
        },
+        "watchgod": {
+            "hashes": [
+                "sha256:59700dab7445aa8e6067a5b94f37bae90fc367554549b1ed2e9d0f4f38a90d2a",
+                "sha256:e9cca0ab9c63f17fc85df9fd8bd18156ff00aff04ebe5976cee473f4968c6858"
+            ],
+            "version": "==0.6"
+        },
        "wcwidth": {
            "hashes": [
                "sha256:beb4802a9cebb9144e99086eff703a642a13d6a0052920003a230f3294bbe784",
@ -1164,48 +1181,48 @@
        },
        "zope.interface": {
            "hashes": [
-                "sha256:0103cba5ed09f27d2e3de7e48bb320338592e2fabc5ce1432cf33808eb2dfd8b",
-                "sha256:14415d6979356629f1c386c8c4249b4d0082f2ea7f75871ebad2e29584bd16c5",
-                "sha256:1ae4693ccee94c6e0c88a4568fb3b34af8871c60f5ba30cf9f94977ed0e53ddd",
-                "sha256:1b87ed2dc05cb835138f6a6e3595593fea3564d712cb2eb2de963a41fd35758c",
-                "sha256:269b27f60bcf45438e8683269f8ecd1235fa13e5411de93dae3b9ee4fe7f7bc7",
-                "sha256:27d287e61639d692563d9dab76bafe071fbeb26818dd6a32a0022f3f7ca884b5",
-                "sha256:39106649c3082972106f930766ae23d1464a73b7d30b3698c986f74bf1256a34",
-                "sha256:40e4c42bd27ed3c11b2c983fecfb03356fae1209de10686d03c02c8696a1d90e",
-                "sha256:461d4339b3b8f3335d7e2c90ce335eb275488c587b61aca4b305196dde2ff086",
-                "sha256:4f98f70328bc788c86a6a1a8a14b0ea979f81ae6015dd6c72978f1feff70ecda",
-                "sha256:558a20a0845d1a5dc6ff87cd0f63d7dac982d7c3be05d2ffb6322a87c17fa286",
-                "sha256:562dccd37acec149458c1791da459f130c6cf8902c94c93b8d47c6337b9fb826",
-                "sha256:5e86c66a6dea8ab6152e83b0facc856dc4d435fe0f872f01d66ce0a2131b7f1d",
-                "sha256:60a207efcd8c11d6bbeb7862e33418fba4e4ad79846d88d160d7231fcb42a5ee",
-                "sha256:645a7092b77fdbc3f68d3cc98f9d3e71510e419f54019d6e282328c0dd140dcd",
-                "sha256:6874367586c020705a44eecdad5d6b587c64b892e34305bb6ed87c9bbe22a5e9",
-                "sha256:74bf0a4f9091131de09286f9a605db449840e313753949fe07c8d0fe7659ad1e",
-                "sha256:7b726194f938791a6691c7592c8b9e805fc6d1b9632a833b9c0640828cd49cbc",
-                "sha256:8149ded7f90154fdc1a40e0c8975df58041a6f693b8f7edcd9348484e9dc17fe",
-                "sha256:8cccf7057c7d19064a9e27660f5aec4e5c4001ffcf653a47531bde19b5aa2a8a",
-                "sha256:911714b08b63d155f9c948da2b5534b223a1a4fc50bb67139ab68b277c938578",
-                "sha256:a5f8f85986197d1dd6444763c4a15c991bfed86d835a1f6f7d476f7198d5f56a",
-                "sha256:a744132d0abaa854d1aad50ba9bc64e79c6f835b3e92521db4235a1991176813",
-                "sha256:af2c14efc0bb0e91af63d00080ccc067866fb8cbbaca2b0438ab4105f5e0f08d",
-                "sha256:b054eb0a8aa712c8e9030065a59b5e6a5cf0746ecdb5f087cca5ec7685690c19",
-                "sha256:b0becb75418f8a130e9d465e718316cd17c7a8acce6fe8fe07adc72762bee425",
-                "sha256:b1d2ed1cbda2ae107283befd9284e650d840f8f7568cb9060b5466d25dc48975",
-                "sha256:ba4261c8ad00b49d48bbb3b5af388bb7576edfc0ca50a49c11dcb77caa1d897e",
-                "sha256:d1fe9d7d09bb07228650903d6a9dc48ea649e3b8c69b1d263419cc722b3938e8",
-                "sha256:d7804f6a71fc2dda888ef2de266727ec2f3915373d5a785ed4ddc603bbc91e08",
-                "sha256:da2844fba024dd58eaa712561da47dcd1e7ad544a257482392472eae1c86d5e5",
-                "sha256:dcefc97d1daf8d55199420e9162ab584ed0893a109f45e438b9794ced44c9fd0",
-                "sha256:dd98c436a1fc56f48c70882cc243df89ad036210d871c7427dc164b31500dc11",
-                "sha256:e74671e43ed4569fbd7989e5eecc7d06dc134b571872ab1d5a88f4a123814e9f",
-                "sha256:eb9b92f456ff3ec746cd4935b73c1117538d6124b8617bc0fe6fda0b3816e345",
-                "sha256:ebb4e637a1fb861c34e48a00d03cffa9234f42bef923aec44e5625ffb9a8e8f9",
-                "sha256:ef739fe89e7f43fb6494a43b1878a36273e5924869ba1d866f752c5812ae8d58",
-                "sha256:f40db0e02a8157d2b90857c24d89b6310f9b6c3642369852cdc3b5ac49b92afc",
-                "sha256:f68bf937f113b88c866d090fea0bc52a098695173fc613b055a17ff0cf9683b6",
-                "sha256:fb55c182a3f7b84c1a2d6de5fa7b1a05d4660d866b91dbf8d74549c57a1499e8"
+                "sha256:040f833694496065147e76581c0bf32b229a8b8c5eda120a0293afb008222387",
+                "sha256:11198b44e4a3d8c7a80cc20bbdd65522258a4d82fe467cd310c9fcce8ffe2ed2",
+                "sha256:121a9dccfe0c34be9c33b2c28225f0284f9b8e090580ffdff26c38fa16c7ffe1",
+                "sha256:15f3082575e7e19581a80b866664f843719b647a7f7189c811ba7f9ab3309f83",
+                "sha256:1d73d8986f948525536956ddd902e8a587a6846ebf4492117db16daba2865ddf",
+                "sha256:208e82f73b242275b8566ac07a25158e7b21fa2f14e642a7881048430612d1a6",
+                "sha256:2557833df892558123d791d6ff80ac4a2a0351f69c7421c7d5f0c07db72c8865",
+                "sha256:25ea6906f9987d42546329d06f9750e69f0ee62307a2e7092955ed0758e64f09",
+                "sha256:2c867914f7608674a555ac8daf20265644ac7be709e1da7d818089eebdfe544e",
+                "sha256:2eadac20711a795d3bb7a2bfc87c04091cb5274d9c3281b43088a1227099b662",
+                "sha256:37999d5ebd5d7bcd32438b725ca3470df05a7de8b1e9c0395bef24296b31ca99",
+                "sha256:3ae8946d51789779f76e4fa326fd6676d8c19c1c3b4c4c5e9342807185264875",
+                "sha256:5636cd7e60583b1608044ae4405e91575399430e66a5e1812f4bf30bcc55864e",
+                "sha256:570e637cb6509998555f7e4af13006d89fad6c09cfc5c4795855385391063e4b",
+                "sha256:590a40447ff3803c44050ce3c17c3958f11ca028dae3eacdd7b96775184394fa",
+                "sha256:5aab51b9c1af1b8a84f40aa49ffe1684d41810b18d6c3e94aa50194e0a563f01",
+                "sha256:5ffe4e0753393bcbcfc9a58133ed3d3a584634cc7cc2e667f8e3e6fbcbb2155d",
+                "sha256:663982381bd428a275a841009e52983cc69c471a4979ce01344fadbf72cf353d",
+                "sha256:6d06bf8e24dd6c473c4fbd8e16a83bd2e6d74add6ba25169043deb46d497b211",
+                "sha256:6e5b9a4bf133cf1887b4a04c21c10ca9f548114f19c83957b2820d5c84254940",
+                "sha256:70a2aed9615645bbe9d82c0f52bc7e676d2c0f8a63933d68418e0cb307f30536",
+                "sha256:7750746421c4395e3d2cc3d805919f4f57bb9f2a9a0ccd955566a9341050a1b4",
+                "sha256:7fc8708bc996e50fc7a9a2ad394e1f015348e389da26789fa6916630237143d7",
+                "sha256:91abd2f080065a7c007540f6bbd93ef7bdbbffa6df4a4cfab3892d8623b83c98",
+                "sha256:988f8b2281f3d95c66c01bdb141cefef1cc97db0d473c25c3fe2927ef00293b9",
+                "sha256:9f56121d8a676802044584e6cc41250bbcde069d8adf725b9b817a6b0fd87f09",
+                "sha256:a0f51536ce6e817a7aa25b0dca8b62feb210d4dc22cabfe8d1a92d47979372cd",
+                "sha256:a1cdd7390d7f66ddcebf545203ca3728c4890d605f9f2697bc8e31437906e8e7",
+                "sha256:b10eb4d0a77609679bf5f23708e20b1cd461a1643bd8ea42b1ca4149b1a5406c",
+                "sha256:b274ac8e511b55ffb62e8292316bd2baa80c10e9fe811b1aa5ce81da6b6697d8",
+                "sha256:c75b502af2c83fcfa2ee9c2257c1ba5806634a91a50db6129ff70e67c42c7e7b",
+                "sha256:c9c8e53a5472b77f6a391b515c771105011f4b40740ce53af8428d1c8ca20004",
+                "sha256:d867998a56c5133b9d31992beb699892e33b72150a8bf40f86cb52b8c606c83f",
+                "sha256:eb566cab630ec176b2d6115ed08b2cf4d921b47caa7f02cca1b4a9525223ee94",
+                "sha256:f61e6b95b414431ffe9dc460928fe9f351095fde074e2c2f5c6dda7b67a2192d",
+                "sha256:f718675fd071bcce4f7cbf9250cbaaf64e2e91ef1b0b32a1af596e7412647556",
+                "sha256:f9d4bfbd015e4b80dbad11c97049975f94592a6a0440e903ee647309f6252a1f",
+                "sha256:fae50fc12a5e8541f6f1cc4ed744ca8f76a9543876cf63f618fb0e6aca8f8375",
+                "sha256:fcf9c8edda7f7b2fd78069e97f4197815df5e871ec47b0f22580d330c6dec561",
+                "sha256:fdedce3bc5360bd29d4bb90396e8d4d3c09af49bc0383909fe84c7233c5ee675"
            ],
-            "version": "==5.1.0"
+            "version": "==5.1.2"
        }
    },
    "develop": {
@ -1254,18 +1271,17 @@
        },
        "black": {
            "hashes": [
-                "sha256:1b30e59be925fafc1ee4565e5e08abef6b03fe455102883820fe5ee2e4734e0b",
-                "sha256:c2edb73a08e9e0e6f65a0e6af18b059b8b1cdd5bef997d7a0b181df93dc81539"
+                "sha256:1c02557aa099101b9d21496f8a914e9ed2222ef70336404eeeac8edba836fbea"
            ],
            "index": "pypi",
-            "version": "==19.10b0"
+            "version": "==20.8b1"
        },
        "bump2version": {
            "hashes": [
-                "sha256:477f0e18a0d58e50bb3dbc9af7fcda464fd0ebfc7a6151d8888602d7153171a0",
-                "sha256:cd4f3a231305e405ed8944d8ff35bd742d9bc740ad62f483bd0ca21ce7131984"
+                "sha256:37f927ea17cde7ae2d7baf832f8e80ce3777624554a653006c9144f8017fe410",
+                "sha256:762cb2bfad61f4ec8e2bdf452c7c267416f8c70dd9ecb1653fd0bbb01fa936e6"
            ],
-            "version": "==1.0.0"
+            "version": "==1.0.1"
        },
        "bumpversion": {
            "hashes": [
@ -1275,20 +1291,6 @@
            "index": "pypi",
            "version": "==0.6.0"
        },
-        "certifi": {
-            "hashes": [
-                "sha256:5930595817496dd21bb8dc35dad090f1c2cd0adfaf21204bf6732ca5d8ee34d3",
-                "sha256:8fc0819f1f30ba15bdb34cceffb9ef04d99f420f68eb75d901e9560b8749fc41"
-            ],
-            "version": "==2020.6.20"
-        },
-        "chardet": {
-            "hashes": [
-                "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae",
-                "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691"
-            ],
-            "version": "==3.0.4"
-        },
        "click": {
            "hashes": [
                "sha256:d2b5255c7c6349bc1bd1e59e08cd12acbbd63ce649f2588755783aa94dfb6b1a",
@ -1346,11 +1348,11 @@
        },
        "django": {
            "hashes": [
-                "sha256:59c8125ca873ed3bdae9c12b146fbbd6ed8d0f743e4cf5f5817af50c51f1fc2f",
-                "sha256:b5fbb818e751f660fa2d576d9f40c34a4c615c8b48dd383f5216e609f383371f"
+                "sha256:a2127ad0150ec6966655bedf15dbbff9697cc86d61653db2da1afa506c0b04cc",
+                "sha256:c93c28ccf1d094cbd00d860e83128a39e45d2c571d3b54361713aaaf9a94cac4"
            ],
            "index": "pypi",
-            "version": "==3.1.1"
+            "version": "==3.1.2"
        },
        "django-debug-toolbar": {
            "hashes": [
@ -1360,14 +1362,6 @@
            "index": "pypi",
            "version": "==3.1.1"
        },
-        "docker": {
-            "hashes": [
-                "sha256:13966471e8bc23b36bfb3a6fb4ab75043a5ef1dac86516274777576bed3b9828",
-                "sha256:bad94b8dd001a8a4af19ce4becc17f41b09f228173ffe6a4e0355389eef142f2"
-            ],
-            "index": "pypi",
-            "version": "==4.3.1"
-        },
        "dodgy": {
            "hashes": [
                "sha256:28323cbfc9352139fdd3d316fa17f325cc0e9ac74438cbba51d70f9b48f86c3a",
@ -1377,10 +1371,10 @@
        },
        "flake8": {
            "hashes": [
-                "sha256:15e351d19611c887e482fb960eae4d44845013cc142d42896e9862f775d8cf5c",
-                "sha256:f04b9fcbac03b0a3e58c0ab3a0ecc462e023a9faf046d57794184028123aa208"
+                "sha256:749dbbd6bfd0cf1318af27bf97a14e28e5ff548ef8e5b1566ccfb25a11e7c839",
+                "sha256:aadae8761ec651813c24be05c6f7b4680857ef6afaae4651a4eccaef97ce6c3b"
            ],
-            "version": "==3.8.3"
+            "version": "==3.8.4"
        },
        "flake8-polyfill": {
            "hashes": [
@ -1398,17 +1392,10 @@
        },
        "gitpython": {
            "hashes": [
-                "sha256:080bf8e2cf1a2b907634761c2eaefbe83b69930c94c66ad11b65a8252959f912",
-                "sha256:1858f4fd089abe92ae465f01d5aaaf55e937eca565fb2c1fce35a51b5f85c910"
+                "sha256:138016d519bf4dd55b22c682c904ed2fd0235c3612b2f8f65ce218ff358deed8",
+                "sha256:a03f728b49ce9597a6655793207c6ab0da55519368ff5961e4a74ae475b9fa8e"
            ],
-            "version": "==3.1.8"
-        },
-        "idna": {
-            "hashes": [
-                "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
-                "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
-            ],
-            "version": "==2.10"
+            "version": "==3.1.9"
        },
        "iniconfig": {
            "hashes": [
@ -1457,12 +1444,12 @@
            ],
            "version": "==0.6.1"
        },
-        "more-itertools": {
+        "mypy-extensions": {
            "hashes": [
-                "sha256:6f83822ae94818eae2612063a5101a7311e68ae8002005b5e05f03fd74a86a20",
-                "sha256:9b30f12df9393f0d28af9210ff8efe48d10c94f73e5daf886f10c4b0b0b4f03c"
+                "sha256:090fedd75945a69ae91ce1303b5824f428daf5a028d2f6ab8a299250a846f15d",
+                "sha256:2d82818f5bb3e369420cb3c4060a7970edba416647068eb4c5343488a6c604a8"
            ],
-            "version": "==8.5.0"
+            "version": "==0.4.3"
        },
        "packaging": {
            "hashes": [
@ -1579,11 +1566,11 @@
        },
        "pytest": {
            "hashes": [
-                "sha256:0e37f61339c4578776e090c3b8f6b16ce4db333889d65d0efb305243ec544b40",
-                "sha256:c8f57c2a30983f469bf03e68cdfa74dc474ce56b8f280ddcb080dfd91df01043"
+                "sha256:7a8190790c17d79a11f847fba0b004ee9a8122582ebff4729a082c109e81a4c9",
+                "sha256:8f593023c1a0f916110285b6efd7f99db07d59546e3d8c36fc60e2ab05d3be92"
            ],
            "index": "pypi",
-            "version": "==6.0.2"
+            "version": "==6.1.1"
        },
        "pytest-django": {
            "hashes": [
@ -1619,36 +1606,35 @@
        },
        "regex": {
            "hashes": [
-                "sha256:0dc64ee3f33cd7899f79a8d788abfbec168410be356ed9bd30bbd3f0a23a7204",
-                "sha256:1269fef3167bb52631ad4fa7dd27bf635d5a0790b8e6222065d42e91bede4162",
-                "sha256:14a53646369157baa0499513f96091eb70382eb50b2c82393d17d7ec81b7b85f",
-                "sha256:3a3af27a8d23143c49a3420efe5b3f8cf1a48c6fc8bc6856b03f638abc1833bb",
-                "sha256:46bac5ca10fb748d6c55843a931855e2727a7a22584f302dd9bb1506e69f83f6",
-                "sha256:4c037fd14c5f4e308b8370b447b469ca10e69427966527edcab07f52d88388f7",
-                "sha256:51178c738d559a2d1071ce0b0f56e57eb315bcf8f7d4cf127674b533e3101f88",
-                "sha256:5ea81ea3dbd6767873c611687141ec7b06ed8bab43f68fad5b7be184a920dc99",
-                "sha256:6961548bba529cac7c07af2fd4d527c5b91bb8fe18995fed6044ac22b3d14644",
-                "sha256:75aaa27aa521a182824d89e5ab0a1d16ca207318a6b65042b046053cfc8ed07a",
-                "sha256:7a2dd66d2d4df34fa82c9dc85657c5e019b87932019947faece7983f2089a840",
-                "sha256:8a51f2c6d1f884e98846a0a9021ff6861bdb98457879f412fdc2b42d14494067",
-                "sha256:9c568495e35599625f7b999774e29e8d6b01a6fb684d77dee1f56d41b11b40cd",
-                "sha256:9eddaafb3c48e0900690c1727fba226c4804b8e6127ea409689c3bb492d06de4",
-                "sha256:bbb332d45b32df41200380fff14712cb6093b61bd142272a10b16778c418e98e",
-                "sha256:bc3d98f621898b4a9bc7fecc00513eec8f40b5b83913d74ccb445f037d58cd89",
-                "sha256:c11d6033115dc4887c456565303f540c44197f4fc1a2bfb192224a301534888e",
-                "sha256:c50a724d136ec10d920661f1442e4a8b010a4fe5aebd65e0c2241ea41dbe93dc",
-                "sha256:d0a5095d52b90ff38592bbdc2644f17c6d495762edf47d876049cfd2968fbccf",
-                "sha256:d6cff2276e502b86a25fd10c2a96973fdb45c7a977dca2138d661417f3728341",
-                "sha256:e46d13f38cfcbb79bfdb2964b0fe12561fe633caf964a77a5f8d4e45fe5d2ef7"
+                "sha256:088afc8c63e7bd187a3c70a94b9e50ab3f17e1d3f52a32750b5b77dbe99ef5ef",
+                "sha256:1fe0a41437bbd06063aa184c34804efa886bcc128222e9916310c92cd54c3b4c",
+                "sha256:3d20024a70b97b4f9546696cbf2fd30bae5f42229fbddf8661261b1eaff0deb7",
+                "sha256:41bb65f54bba392643557e617316d0d899ed5b4946dccee1cb6696152b29844b",
+                "sha256:4318d56bccfe7d43e5addb272406ade7a2274da4b70eb15922a071c58ab0108c",
+                "sha256:4707f3695b34335afdfb09be3802c87fa0bc27030471dbc082f815f23688bc63",
+                "sha256:49f23ebd5ac073765ecbcf046edc10d63dcab2f4ae2bce160982cb30df0c0302",
+                "sha256:5533a959a1748a5c042a6da71fe9267a908e21eded7a4f373efd23a2cbdb0ecc",
+                "sha256:5d892a4f1c999834eaa3c32bc9e8b976c5825116cde553928c4c8e7e48ebda67",
+                "sha256:5f18875ac23d9aa2f060838e8b79093e8bb2313dbaaa9f54c6d8e52a5df097be",
+                "sha256:60b0e9e6dc45683e569ec37c55ac20c582973841927a85f2d8a7d20ee80216ab",
+                "sha256:816064fc915796ea1f26966163f6845de5af78923dfcecf6551e095f00983650",
+                "sha256:84cada8effefe9a9f53f9b0d2ba9b7b6f5edf8d2155f9fdbe34616e06ececf81",
+                "sha256:84e9407db1b2eb368b7ecc283121b5e592c9aaedbe8c78b1a2f1102eb2e21d19",
+                "sha256:8d69cef61fa50c8133382e61fd97439de1ae623fe943578e477e76a9d9471637",
+                "sha256:9a02d0ae31d35e1ec12a4ea4d4cca990800f66a917d0fb997b20fbc13f5321fc",
+                "sha256:9bc13e0d20b97ffb07821aa3e113f9998e84994fe4d159ffa3d3a9d1b805043b",
+                "sha256:a6f32aea4260dfe0e55dc9733ea162ea38f0ea86aa7d0f77b15beac5bf7b369d",
+                "sha256:ae91972f8ac958039920ef6e8769277c084971a142ce2b660691793ae44aae6b",
+                "sha256:c570f6fa14b9c4c8a4924aaad354652366577b4f98213cf76305067144f7b100",
+                "sha256:c9443124c67b1515e4fe0bb0aa18df640965e1030f468a2a5dc2589b26d130ad",
+                "sha256:d23a18037313714fb3bb5a94434d3151ee4300bae631894b1ac08111abeaa4a3",
+                "sha256:eaf548d117b6737df379fdd53bdde4f08870e66d7ea653e230477f071f861121",
+                "sha256:ebbe29186a3d9b0c591e71b7393f1ae08c83cb2d8e517d2a822b8f7ec99dfd8b",
+                "sha256:eda4771e0ace7f67f58bc5b560e27fb20f32a148cbc993b0c3835970935c2707",
+                "sha256:f1b3afc574a3db3b25c89161059d857bd4909a1269b0b3cb3c904677c8c4a3f7",
+                "sha256:f2388013e68e750eaa16ccbea62d4130180c26abb1d8e5d584b9baf69672b30f"
            ],
-            "version": "==2020.7.14"
-        },
-        "requests": {
-            "hashes": [
-                "sha256:b3559a131db72c33ee969480840fff4bb6dd111de7dd27c8ee1f820f4f00231b",
-                "sha256:fe75cc94a9443b9246fc7049224f75604b113c36acb93f87b80ed42c44cbb898"
-            ],
-            "version": "==2.24.0"
+            "version": "==2020.9.27"
        },
        "requirements-detector": {
            "hashes": [
@ -1693,10 +1679,10 @@
        },
        "sqlparse": {
            "hashes": [
-                "sha256:022fb9c87b524d1f7862b3037e541f68597a730a8843245c349fc93e1643dc4e",
-                "sha256:e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548"
+                "sha256:017cde379adbd6a1f15a61873f43e8274179378e95ef3fede90b5aa64d304ed0",
+                "sha256:0f91fd2e829c44362cbcfab3e9ae12e22badaa8a29ad5ff599f9ec109f0454e8"
            ],
-            "version": "==0.3.1"
+            "version": "==0.4.1"
        },
        "stevedore": {
            "hashes": [
@ -1738,6 +1724,14 @@
            ],
            "version": "==1.4.1"
        },
+        "typing-extensions": {
+            "hashes": [
+                "sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918",
+                "sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c",
+                "sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f"
+            ],
+            "version": "==3.7.4.3"
+        },
        "urllib3": {
            "extras": [
                "secure"
@ -1750,13 +1744,6 @@
            "markers": null,
            "version": "==1.25.10"
        },
-        "websocket-client": {
-            "hashes": [
-                "sha256:0fc45c961324d79c781bab301359d5a1b00b13ad1b10415a4780229ef71a5549",
-                "sha256:d735b91d6d1692a6a181f2a8c9e0238e5f6373356f561bb9dc4c7af36f452010"
-            ],
-            "version": "==0.57.0"
-        },
        "wrapt": {
            "hashes": [
                "sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7"
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@ -89,7 +89,7 @@ stages:
              versionSpec: '3.8'
          - task: CmdLine@2
            inputs:
-              script: npm install -g pyright
+              script: npm install -g pyright@1.1.75
          - task: CmdLine@2
            inputs:
              script: |
@ -219,7 +219,8 @@ stages:
            inputs:
              script: |
                cd passbook/static/static
-                yarn
+                npm i
+                npm run build
          - task: CmdLine@2
            displayName: Run full test suite
            inputs:
@ -332,19 +333,3 @@ stages:
            repository: 'beryju/passbook-static'
            command: 'push'
            tags: "gh-${{ variables.branchName }}"
-  - stage: Deploy
-    jobs:
-      - job: deploy_dev
-        pool:
-          vmImage: 'ubuntu-latest'
-          steps:
-          - task: HelmDeploy@0
-            inputs:
-              connectionType: 'Kubernetes Service Connection'
-              kubernetesServiceConnection: 'k8s-beryjuorg-prd'
-              namespace: 'passbook-dev'
-              command: 'upgrade'
-              chartType: 'FilePath'
-              chartPath: 'helm/'
-              releaseName: 'passbook-dev'
-              recreate: true
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -3,7 +3,7 @@ version: '3.2'

 services:
  postgresql:
-    image: postgres
+    image: postgres:12
    volumes:
      - database:/var/lib/postgresql/data
    networks:
@ -23,13 +23,12 @@ services:
    labels:
      - traefik.enable=false
  server:
-    image: beryju/passbook:${PASSBOOK_TAG:-0.10.7-stable}
+    image: beryju/passbook:${PASSBOOK_TAG:-0.11.0-stable}
    command: server
    environment:
      PASSBOOK_REDIS__HOST: redis
      PASSBOOK_POSTGRESQL__HOST: postgresql
      PASSBOOK_POSTGRESQL__PASSWORD: ${PG_PASS}
-      PASSBOOK_LOG_LEVEL: debug
    ports:
      - 8000
    networks:
@ -41,7 +40,7 @@ services:
    env_file:
      - .env
  worker:
-    image: beryju/passbook:${PASSBOOK_TAG:-0.10.7-stable}
+    image: beryju/passbook:${PASSBOOK_TAG:-0.11.0-stable}
    command: worker
    networks:
      - internal
@ -51,11 +50,13 @@ services:
      PASSBOOK_REDIS__HOST: redis
      PASSBOOK_POSTGRESQL__HOST: postgresql
      PASSBOOK_POSTGRESQL__PASSWORD: ${PG_PASS}
-      PASSBOOK_LOG_LEVEL: debug
+    volumes:
+      - ./backups:/backups
+      - /var/run/docker.socket:/var/run/docker.socket
    env_file:
      - .env
  static:
-    image: beryju/passbook-static:${PASSBOOK_TAG:-0.10.7-stable}
+    image: beryju/passbook-static:${PASSBOOK_TAG:-0.11.0-stable}
    networks:
      - internal
    labels:
--- a/docs/expressions/reference/user-object.md
+++ b/docs/expressions/reference/user-object.md
@ -4,18 +4,23 @@ The User object has the following attributes:

 - `username`: User's username.
 - `email` User's email.
- - `name` User's display mame.
+- `name` User's display name.
 - `is_staff` Boolean field if user is staff.
 - `is_active` Boolean field if user is active.
 - `date_joined` Date user joined/was created.
 - `password_change_date` Date password was last changed.
 - `attributes` Dynamic attributes.
+- `pb_groups` This is a queryset of all the user's groups.
+
+    You can do additional filtering like `user.pb_groups.filter(name__startswith='test')`, see [here](https://docs.djangoproject.com/en/3.1/ref/models/querysets/#id4)
+
+    To get the name of all groups, you can do `[group.name for group in user.pb_groups.all()]`

 ## Examples

 List all the User's group names:

 ```python
-for group in user.groups.all():
+for group in user.pb_groups.all():
    yield group.name
 ```
--- a/docs/images/screen_admin.png
+++ b/docs/images/screen_admin.png
--- a/docs/images/screen_apps.png
+++ b/docs/images/screen_apps.png
--- a/docs/installation/docker-compose.md
+++ b/docs/installation/docker-compose.md
@ -13,7 +13,7 @@ Download the latest `docker-compose.yml` from [here](https://raw.githubuserconte

 To optionally enable error-reporting, run `echo PASSBOOK_ERROR_REPORTING__ENABLED=true >> .env`

-To optionally deploy a different version run `echo PASSBOOK_TAG=0.10.7-stable >> .env`
+To optionally deploy a different version run `echo PASSBOOK_TAG=0.11.0-stable >> .env`

 If this is a fresh passbook install run the following commands to generate a password:

--- a/docs/installation/kubernetes.md
+++ b/docs/installation/kubernetes.md
@ -4,14 +4,14 @@ For a mid to high-load installation, Kubernetes is recommended. passbook is inst

 This installation automatically applies database migrations on startup. After the installation is done, you can use `pbadmin` as username and password.

-```
+```yaml
 ###################################
 # Values directly affecting passbook
 ###################################
 image:
  name: beryju/passbook
  name_static: beryju/passbook-static
-  tag: 0.10.7-stable
+  tag: 0.11.0-stable

 nameOverride: ""

@ -35,8 +35,21 @@ config:
 #   access_key: access-key
 #   secret_key: secret-key
 #   bucket: s3-bucket
+#   region: eu-central-1
 #   host: s3-host

+ingress:
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  path: /
+  hosts:
+    - passbook.k8s.local
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - passbook.k8s.local
+
 ###################################
 # Values controlling dependencies
 ###################################
@ -57,16 +70,4 @@ redis:
      enabled: false
    # https://stackoverflow.com/a/59189742
    disableCommands: []
-
-ingress:
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  path: /
-  hosts:
-    - passbook.k8s.local
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - passbook.k8s.local
 ```
--- a/docs/installation/reverse-proxy.md
+++ b/docs/installation/reverse-proxy.md
@ -0,0 +1,42 @@
+# passbook behind a reverse-proxy
+
+If you want to access passbook behind a reverse-proxy, use a config like this. It is important that Websocket is enabled, so that Outposts can connect.
+
+```
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
+server {
+    # Server config
+    listen 80;
+    server_name sso.domain.tld;
+
+    # 301 to SSL
+    location / {
+            return 301 https://$host$request_uri;
+    }
+}
+server {
+    # Server config
+    listen 443 ssl http2;
+    server_name sso.domain.tld;
+
+    # SSL Certs
+    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
+
+    # Proxy site
+    location / {
+        proxy_pass https://<hostname of your passbook server>;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Port 443;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+    }
+}
+```
--- a/docs/integrations/services/tautulli/index.md
+++ b/docs/integrations/services/tautulli/index.md
@ -0,0 +1,50 @@
+# Tautulli Integration
+
+## What is Tautulli
+
+From https://tautulli.com/
+
+!!! note
+    Tautulli is a 3rd party application that you can run alongside your Plex Media Server to monitor activity and track various statistics. Most importantly, these statistics include what has been watched, who watched it, when and where they watched it, and how it was watched. The only thing missing is "why they watched it", but who am I to question your 42 plays of Frozen. All statistics are presented in a nice and clean interface with many tables and graphs, which makes it easy to brag about your server to everyone else.
+
+## Preparation
+
+The following placeholders will be used:
+
+- `tautulli.company` is the FQDN of the Tautulli install.
+- `passbook.company` is the FQDN of the passbook install.
+
+## passbook Setup
+
+Because Tautulli requires valid HTTP Basic credentials, you must save your HTTP Basic Credentials in passbook. The recommended way to do this is to create a Group. Name the group "Tautulli Users", for example. For this group, add the following attributes:
+
+```yaml
+tautulli_user: username
+tautulli_password: password
+```
+
+Add all Tautulli users to the Group. You should also create a Group Membership Policy to limit access to the application.
+
+Create an application in passbook. Create a Proxy provider with the following parameters:
+
+- Internal host
+
+    If Tautulli is running in docker, and you're deploying the passbook proxy on the same host, set the value to `http://tautulli:3579`, where tautulli is the name of your container.
+
+    If Tautulli is running on a different server to where you are deploying the passbook proxy, set the value to `http://tautulli.company:3579`.
+
+- External host
+
+    Set this to the external URL you will be accessing Tautulli from.
+
+Enable the `Set HTTP-Basic Authentication` option. Set and `HTTP-Basic Username` and `HTTP-Basic Password` to `tautulli_user` and `tautulli_password` respectively. These values can be chosen freely, `tautulli_` is just used as a prefix for clarity.
+
+## Tautulli Setup
+
+In Tautulli, navigate to Settings and enable the "Show Advanced" option. Navigate to "Web Interface" on the sidebar, and ensure the Option `Use Basic Authentication` is checked.
+
+![](./tautulli.png)
+
+Save the settings, and restart Tautulli if prompted.
+
+Afterwards, you need to deploy an Outpost in front of Tautulli, as descried [here](../sonarr/index.md)
--- a/docs/integrations/services/tautulli/tautulli.png
+++ b/docs/integrations/services/tautulli/tautulli.png
--- a/docs/integrations/services/vmware-vcenter/index.md
+++ b/docs/integrations/services/vmware-vcenter/index.md
@ -60,6 +60,8 @@ Under *Providers*, create an OAuth2/OpenID Provider with these settings:

 Create an application which uses this provider. Optionally apply access restrictions to the application.

+Set the Launch URL to `https://vcenter.company/ui/login/oauth2`. This will skip vCenter's User Prompt and directly log you in.
+
 ## vCenter Setup

 Login as local Administrator account (most likely ends with vsphere.local). Using the Menu in the Navigation bar, navigate to *Administration -> Single Sing-on -> Configuration*.
--- a/docs/maintenance/backups/index.md
+++ b/docs/maintenance/backups/index.md
@ -0,0 +1,111 @@
+# Backup and restore
+
+!!! warning
+
+    Local backups are only supported for docker-compose installs. If you want to backup a Kubernetes instance locally, use an S3-compatible server such as [minio](https://min.io/)
+
+### Backup
+
+Local backups can be created by running the following command in your passbook installation directory
+
+```
+docker-compose run --rm worker backup
+```
+
+This will dump the current database into the `./backups` folder. By defaults, the last 10 Backups are kept.
+
+To schedule these backups, use the following snippet in a crontab
+
+```
+0 0 * * * bash -c "cd <passbook install location> && docker-compose run --rm worker backup" >/dev/null
+```
+
+!!! notice
+
+    passbook does support automatic backups on a schedule, however this is currently not recommended, as there is no way to monitor these scheduled tasks.
+
+### Restore
+
+Run this command in your passbook installation directory
+
+```
+docker-compose run --rm worker restore
+```
+
+This will prompt you to restore from your last backup. If you want to restore from a specific file, use the `-i` flag with the filename:
+
+```
+docker-compose run --rm worker restore -i default-2020-10-03-115557.psql
+```
+
+After you've restored the backup, it is recommended to restart all services with `docker-compose restart`.
+
+### S3 Configuration
+
+!!! notice
+
+    To trigger backups with S3 enabled, use the same commands as above.
+
+#### S3 Preparation
+
+passbook expects the bucket you select to already exist. The IAM User given to passbook should have the following permissions
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObjectAcl",
+                "s3:GetObject",
+                "s3:ListBucket",
+                "s3:DeleteObject",
+                "s3:PutObjectAcl"
+            ],
+            "Principal": {
+                "AWS": "arn:aws:iam::example-AWS-account-ID:user/example-user-name"
+            },
+            "Resource": [
+                "arn:aws:s3:::example-bucket-name/*",
+                "arn:aws:s3:::example-bucket-name"
+            ]
+        }
+    ]
+}
+```
+
+#### docker-compose
+
+Set the following values in your `.env` file.
+
+```
+PASSBOOK_POSTGRESQL__S3_BACKUP__ACCESS_KEY=
+PASSBOOK_POSTGRESQL__S3_BACKUP__SECRET_KEY=
+PASSBOOK_POSTGRESQL__S3_BACKUP__BUCKET=
+PASSBOOK_POSTGRESQL__S3_BACKUP__REGION=
+```
+
+If you want to backup to an S3-compatible server, like [minio](https://min.io/), use this setting:
+
+```
+PASSBOOK_POSTGRESQL__S3_BACKUP__HOST=http://play.min.io
+```
+
+#### Kubernetes
+
+Simply enable these options in your values.yaml file
+
+```yaml
+# Enable Database Backups to S3
+backup:
+  access_key: access-key
+  secret_key: secret-key
+  bucket: s3-bucket
+  region: eu-central-1
+  host: s3-host
+```
+
+Afterwards, run a `helm upgrade` to update the ConfigMap. Because passbook-scheduled backups are not recommended currently, a Kubernetes CronJob is created that runs the backup daily.
--- a/docs/outposts/deploy-docker-compose.md
+++ b/docs/outposts/deploy-docker-compose.md
@ -5,7 +5,7 @@ To deploy an outpost with docker-compose, use  this snippet in your docker-compo
 You can also run the outpost in a separate docker-compose project, you just have to ensure that the outpost container can reach your application container.

 ```yaml
-version: 3.5
+version: '3.5'

 services:
  passbook_proxy:
--- a/e2e/test_flows_enroll.py
+++ b/e2e/test_flows_enroll.py
@ -104,7 +104,7 @@ class TestFlowsEnroll(SeleniumTestCase):

        self.wait_for_url(self.url("passbook_core:user-settings"))
        self.assertEqual(
-            self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").text,
+            self.driver.find_element(By.ID, "user-settings").text,
            "foo",
        )
        self.assertEqual(
@ -205,15 +205,11 @@ class TestFlowsEnroll(SeleniumTestCase):
        self.driver.switch_to.window(self.driver.window_handles[0])

        # We're now logged in
-        self.wait.until(
-            ec.presence_of_element_located(
-                (By.XPATH, "//a[contains(@href, '/-/user/')]")
-            )
-        )
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").click()
+        self.wait.until(ec.presence_of_element_located((By.ID, "user-settings")))
+        self.driver.find_element(By.ID, "user-settings").click()

        self.assertEqual(
-            self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").text,
+            self.driver.find_element(By.ID, "user-settings").text,
            "foo",
        )
        self.assertEqual(
--- a/e2e/test_flows_login.py
+++ b/e2e/test_flows_login.py
@ -21,6 +21,6 @@ class TestFlowsLogin(SeleniumTestCase):
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
        self.assertEqual(
-            self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").text,
+            self.driver.find_element(By.ID, "user-settings").text,
            USER().username,
        )
--- a/e2e/test_flows_otp.py
+++ b/e2e/test_flows_otp.py
@ -10,6 +10,7 @@ from django_otp.plugins.otp_static.models import StaticDevice, StaticToken
 from django_otp.plugins.otp_totp.models import TOTPDevice
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
+from selenium.webdriver.support import expected_conditions as ec

 from e2e.utils import USER, SeleniumTestCase
 from passbook.flows.models import Flow, FlowStageBinding
@ -45,8 +46,9 @@ class TestFlowsOTP(SeleniumTestCase):
        totp = TOTP(device.bin_key, device.step, device.t0, device.digits, device.drift)
        self.driver.find_element(By.ID, "id_code").send_keys(totp.token())
        self.driver.find_element(By.ID, "id_code").send_keys(Keys.ENTER)
+        self.wait_for_url(self.url("passbook_core:overview"))
        self.assertEqual(
-            self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").text,
+            self.driver.find_element(By.ID, "user-settings").text,
            USER().username,
        )

@ -61,13 +63,12 @@ class TestFlowsOTP(SeleniumTestCase):
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
        self.assertEqual(
-            self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").text,
+            self.driver.find_element(By.ID, "user-settings").text,
            USER().username,
        )

        self.driver.find_element(By.CSS_SELECTOR, ".pf-c-page__header").click()
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").click()
-        self.wait_for_url(self.url("passbook_core:user-settings"))
+        self.driver.get(self.url("passbook_core:user-settings"))

        self.driver.find_element(By.LINK_TEXT, "Time-based OTP").click()

@ -78,9 +79,8 @@ class TestFlowsOTP(SeleniumTestCase):
            By.CSS_SELECTOR, ".pf-c-card__body a.pf-c-button"
        ).click()

-        otp_uri = self.driver.find_element(
-            By.CSS_SELECTOR, "#flow-body > div > form > div:nth-child(3) > div"
-        ).get_attribute("aria-label")
+        self.wait.until(ec.presence_of_element_located((By.ID, "qr")))
+        otp_uri = self.driver.find_element(By.ID, "qr").get_attribute("data-otpuri")

        # Parse the OTP URI, extract the secret and get the next token
        otp_args = urlparse(otp_uri)
@ -109,12 +109,12 @@ class TestFlowsOTP(SeleniumTestCase):
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
        self.assertEqual(
-            self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").text,
+            self.driver.find_element(By.ID, "user-settings").text,
            USER().username,
        )

        self.driver.find_element(By.CSS_SELECTOR, ".pf-c-page__header").click()
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").click()
+        self.driver.find_element(By.ID, "user-settings").click()
        self.wait_for_url(self.url("passbook_core:user-settings"))

        self.driver.find_element(By.LINK_TEXT, "Static OTP").click()
--- a/e2e/test_flows_stage_setup.py
+++ b/e2e/test_flows_stage_setup.py
@ -38,7 +38,7 @@ class TestFlowsStageSetup(SeleniumTestCase):
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
        self.driver.find_element(By.CSS_SELECTOR, ".pf-c-page__header").click()
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").click()
+        self.driver.find_element(By.ID, "user-settings").click()
        self.wait_for_url(self.url("passbook_core:user-settings"))
        self.driver.find_element(By.LINK_TEXT, "Change password").click()
        self.driver.find_element(By.ID, "id_password").send_keys(new_password)
--- a/e2e/test_provider_oauth2_github.py
+++ b/e2e/test_provider_oauth2_github.py
@ -77,7 +77,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            authorization_flow=authorization_flow,
        )
        Application.objects.create(
-            name="Grafana", slug="grafana", provider=provider,
+            name="Grafana",
+            slug="grafana",
+            provider=provider,
        )

        self.driver.get("http://localhost:3000")
@ -89,7 +91,7 @@ class TestProviderOAuth2Github(SeleniumTestCase):
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)

        self.wait_for_url("http://localhost:3000/?orgId=1")
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/profile')]").click()
+        self.driver.get("http://localhost:3000/profile")
        self.assertEqual(
            self.driver.find_element(By.CLASS_NAME, "page-header__title").text,
            USER().username,
@ -129,7 +131,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            authorization_flow=authorization_flow,
        )
        app = Application.objects.create(
-            name="Grafana", slug="grafana", provider=provider,
+            name="Grafana",
+            slug="grafana",
+            provider=provider,
        )

        self.driver.get("http://localhost:3000")
@ -142,28 +146,21 @@ class TestProviderOAuth2Github(SeleniumTestCase):

        sleep(1)

-        self.assertIn(
+        self.assertEqual(
            app.name,
-            self.driver.find_element(
-                By.XPATH, "/html/body/div[2]/div/main/div/form/div[2]/p[1]"
-            ).text,
+            self.driver.find_element(By.ID, "application-name").text,
        )
        self.assertEqual(
            "GitHub Compatibility: Access you Email addresses",
-            self.driver.find_element(
-                By.XPATH, "/html/body/div[2]/div/main/div/form/div[2]/ul/li[1]"
-            ).text,
+            self.driver.find_element(By.ID, "scope-user:email").text,
        )
        self.driver.find_element(
            By.CSS_SELECTOR,
-            (
-                "form[action='/flows/b/default-provider-authorization-explicit-consent/'] "
-                "[type=submit]"
-            ),
+            ("[type=submit]"),
        ).click()

        self.wait_for_url("http://localhost:3000/?orgId=1")
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/profile')]").click()
+        self.driver.get("http://localhost:3000/profile")
        self.assertEqual(
            self.driver.find_element(By.CLASS_NAME, "page-header__title").text,
            USER().username,
@ -203,7 +200,9 @@ class TestProviderOAuth2Github(SeleniumTestCase):
            authorization_flow=authorization_flow,
        )
        app = Application.objects.create(
-            name="Grafana", slug="grafana", provider=provider,
+            name="Grafana",
+            slug="grafana",
+            provider=provider,
        )

        negative_policy = ExpressionPolicy.objects.create(
--- a/e2e/test_provider_oauth2_grafana.py
+++ b/e2e/test_provider_oauth2_grafana.py
@ -0,0 +1,375 @@
+"""test OAuth2 OpenID Provider flow"""
+from sys import platform
+from time import sleep
+from typing import Any, Dict, Optional
+from unittest.case import skipUnless
+
+from docker.types import Healthcheck
+from selenium.webdriver.common.by import By
+from selenium.webdriver.common.keys import Keys
+from selenium.webdriver.support import expected_conditions as ec
+from structlog import get_logger
+
+from e2e.utils import USER, SeleniumTestCase
+from passbook.core.models import Application
+from passbook.crypto.models import CertificateKeyPair
+from passbook.flows.models import Flow
+from passbook.policies.expression.models import ExpressionPolicy
+from passbook.policies.models import PolicyBinding
+from passbook.providers.oauth2.constants import (
+    SCOPE_OPENID,
+    SCOPE_OPENID_EMAIL,
+    SCOPE_OPENID_PROFILE,
+)
+from passbook.providers.oauth2.generators import (
+    generate_client_id,
+    generate_client_secret,
+)
+from passbook.providers.oauth2.models import (
+    ClientTypes,
+    OAuth2Provider,
+    ResponseTypes,
+    ScopeMapping,
+)
+
+LOGGER = get_logger()
+APPLICATION_SLUG = "grafana"
+
+
+@skipUnless(platform.startswith("linux"), "requires local docker")
+class TestProviderOAuth2OAuth(SeleniumTestCase):
+    """test OAuth with OAuth Provider flow"""
+
+    def setUp(self):
+        self.client_id = generate_client_id()
+        self.client_secret = generate_client_secret()
+        super().setUp()
+
+    def get_container_specs(self) -> Optional[Dict[str, Any]]:
+        return {
+            "image": "grafana/grafana:7.1.0",
+            "detach": True,
+            "network_mode": "host",
+            "auto_remove": True,
+            "healthcheck": Healthcheck(
+                test=["CMD", "wget", "--spider", "http://localhost:3000"],
+                interval=5 * 100 * 1000000,
+                start_period=1 * 100 * 1000000,
+            ),
+            "environment": {
+                "GF_AUTH_GENERIC_OAUTH_ENABLED": "true",
+                "GF_AUTH_GENERIC_OAUTH_CLIENT_ID": self.client_id,
+                "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET": self.client_secret,
+                "GF_AUTH_GENERIC_OAUTH_SCOPES": "openid email profile",
+                "GF_AUTH_GENERIC_OAUTH_AUTH_URL": (
+                    self.url("passbook_providers_oauth2:authorize")
+                ),
+                "GF_AUTH_GENERIC_OAUTH_TOKEN_URL": (
+                    self.url("passbook_providers_oauth2:token")
+                ),
+                "GF_AUTH_GENERIC_OAUTH_API_URL": (
+                    self.url("passbook_providers_oauth2:userinfo")
+                ),
+                "GF_AUTH_SIGNOUT_REDIRECT_URL": (
+                    self.url(
+                        "passbook_providers_oauth2:end-session",
+                        application_slug=APPLICATION_SLUG,
+                    )
+                ),
+                "GF_LOG_LEVEL": "debug",
+            },
+        }
+
+    def test_redirect_uri_error(self):
+        """test OpenID Provider flow (invalid redirect URI, check error message)"""
+        sleep(1)
+        # Bootstrap all needed objects
+        authorization_flow = Flow.objects.get(
+            slug="default-provider-authorization-implicit-consent"
+        )
+        provider = OAuth2Provider.objects.create(
+            name="grafana",
+            client_type=ClientTypes.CONFIDENTIAL,
+            client_id=self.client_id,
+            client_secret=self.client_secret,
+            rsa_key=CertificateKeyPair.objects.first(),
+            redirect_uris="http://localhost:3000/",
+            authorization_flow=authorization_flow,
+            response_type=ResponseTypes.CODE,
+        )
+        provider.property_mappings.set(
+            ScopeMapping.objects.filter(
+                scope_name__in=[SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE]
+            )
+        )
+        provider.save()
+        Application.objects.create(
+            name="Grafana",
+            slug=APPLICATION_SLUG,
+            provider=provider,
+        )
+
+        self.driver.get("http://localhost:3000")
+        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
+        self.driver.find_element(By.ID, "id_uid_field").click()
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
+        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        sleep(2)
+        self.assertEqual(
+            self.driver.find_element(By.CLASS_NAME, "pf-c-title").text,
+            "Redirect URI Error",
+        )
+
+    def test_authorization_consent_implied(self):
+        """test OpenID Provider flow (default authorization flow with implied consent)"""
+        sleep(1)
+        # Bootstrap all needed objects
+        authorization_flow = Flow.objects.get(
+            slug="default-provider-authorization-implicit-consent"
+        )
+        provider = OAuth2Provider.objects.create(
+            name="grafana",
+            client_type=ClientTypes.CONFIDENTIAL,
+            client_id=self.client_id,
+            client_secret=self.client_secret,
+            rsa_key=CertificateKeyPair.objects.first(),
+            redirect_uris="http://localhost:3000/login/generic_oauth",
+            authorization_flow=authorization_flow,
+            response_type=ResponseTypes.CODE,
+        )
+        provider.property_mappings.set(
+            ScopeMapping.objects.filter(
+                scope_name__in=[SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE]
+            )
+        )
+        provider.save()
+        Application.objects.create(
+            name="Grafana",
+            slug=APPLICATION_SLUG,
+            provider=provider,
+        )
+
+        self.driver.get("http://localhost:3000")
+        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
+        self.driver.find_element(By.ID, "id_uid_field").click()
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
+        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.wait_for_url("http://localhost:3000/?orgId=1")
+        self.driver.get("http://localhost:3000/profile")
+        self.assertEqual(
+            self.driver.find_element(By.CLASS_NAME, "page-header__title").text,
+            USER().name,
+        )
+        self.assertEqual(
+            self.driver.find_element(By.CSS_SELECTOR, "input[name=name]").get_attribute(
+                "value"
+            ),
+            USER().name,
+        )
+        self.assertEqual(
+            self.driver.find_element(
+                By.CSS_SELECTOR, "input[name=email]"
+            ).get_attribute("value"),
+            USER().email,
+        )
+        self.assertEqual(
+            self.driver.find_element(
+                By.CSS_SELECTOR, "input[name=login]"
+            ).get_attribute("value"),
+            USER().email,
+        )
+
+    def test_authorization_logout(self):
+        """test OpenID Provider flow with logout"""
+        sleep(1)
+        # Bootstrap all needed objects
+        authorization_flow = Flow.objects.get(
+            slug="default-provider-authorization-implicit-consent"
+        )
+        provider = OAuth2Provider.objects.create(
+            name="grafana",
+            client_type=ClientTypes.CONFIDENTIAL,
+            client_id=self.client_id,
+            client_secret=self.client_secret,
+            rsa_key=CertificateKeyPair.objects.first(),
+            redirect_uris="http://localhost:3000/login/generic_oauth",
+            authorization_flow=authorization_flow,
+            response_type=ResponseTypes.CODE,
+        )
+        provider.property_mappings.set(
+            ScopeMapping.objects.filter(
+                scope_name__in=[SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE]
+            )
+        )
+        provider.save()
+        Application.objects.create(
+            name="Grafana",
+            slug=APPLICATION_SLUG,
+            provider=provider,
+        )
+
+        self.driver.get("http://localhost:3000")
+        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
+        self.driver.find_element(By.ID, "id_uid_field").click()
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
+        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        self.wait_for_url("http://localhost:3000/?orgId=1")
+        self.driver.get("http://localhost:3000/profile")
+        self.assertEqual(
+            self.driver.find_element(By.CLASS_NAME, "page-header__title").text,
+            USER().name,
+        )
+        self.assertEqual(
+            self.driver.find_element(By.CSS_SELECTOR, "input[name=name]").get_attribute(
+                "value"
+            ),
+            USER().name,
+        )
+        self.assertEqual(
+            self.driver.find_element(
+                By.CSS_SELECTOR, "input[name=email]"
+            ).get_attribute("value"),
+            USER().email,
+        )
+        self.assertEqual(
+            self.driver.find_element(
+                By.CSS_SELECTOR, "input[name=login]"
+            ).get_attribute("value"),
+            USER().email,
+        )
+        self.driver.get("http://localhost:3000/logout")
+        self.wait_for_url(
+            self.url(
+                "passbook_providers_oauth2:end-session",
+                application_slug=APPLICATION_SLUG,
+            )
+        )
+        self.driver.find_element(By.ID, "logout").click()
+
+    def test_authorization_consent_explicit(self):
+        """test OpenID Provider flow (default authorization flow with explicit consent)"""
+        sleep(1)
+        # Bootstrap all needed objects
+        authorization_flow = Flow.objects.get(
+            slug="default-provider-authorization-explicit-consent"
+        )
+        provider = OAuth2Provider.objects.create(
+            name="grafana",
+            authorization_flow=authorization_flow,
+            response_type=ResponseTypes.CODE,
+            client_type=ClientTypes.CONFIDENTIAL,
+            client_id=self.client_id,
+            client_secret=self.client_secret,
+            rsa_key=CertificateKeyPair.objects.first(),
+            redirect_uris="http://localhost:3000/login/generic_oauth",
+        )
+        provider.property_mappings.set(
+            ScopeMapping.objects.filter(
+                scope_name__in=[SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE]
+            )
+        )
+        provider.save()
+        app = Application.objects.create(
+            name="Grafana",
+            slug=APPLICATION_SLUG,
+            provider=provider,
+        )
+
+        self.driver.get("http://localhost:3000")
+        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
+        self.driver.find_element(By.ID, "id_uid_field").click()
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
+        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+
+        self.assertEqual(
+            app.name,
+            self.driver.find_element(By.ID, "application-name").text,
+        )
+        self.wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, "[type=submit]"))
+        )
+        sleep(1)
+        self.driver.find_element(By.CSS_SELECTOR, "[type=submit]").click()
+
+        self.wait_for_url("http://localhost:3000/?orgId=1")
+        self.driver.get("http://localhost:3000/profile")
+
+        self.assertEqual(
+            self.driver.find_element(By.CLASS_NAME, "page-header__title").text,
+            USER().name,
+        )
+        self.assertEqual(
+            self.driver.find_element(By.CSS_SELECTOR, "input[name=name]").get_attribute(
+                "value"
+            ),
+            USER().name,
+        )
+        self.assertEqual(
+            self.driver.find_element(
+                By.CSS_SELECTOR, "input[name=email]"
+            ).get_attribute("value"),
+            USER().email,
+        )
+        self.assertEqual(
+            self.driver.find_element(
+                By.CSS_SELECTOR, "input[name=login]"
+            ).get_attribute("value"),
+            USER().email,
+        )
+
+    def test_authorization_denied(self):
+        """test OpenID Provider flow (default authorization with access deny)"""
+        sleep(1)
+        # Bootstrap all needed objects
+        authorization_flow = Flow.objects.get(
+            slug="default-provider-authorization-explicit-consent"
+        )
+        provider = OAuth2Provider.objects.create(
+            name="grafana",
+            authorization_flow=authorization_flow,
+            response_type=ResponseTypes.CODE,
+            client_type=ClientTypes.CONFIDENTIAL,
+            client_id=self.client_id,
+            client_secret=self.client_secret,
+            rsa_key=CertificateKeyPair.objects.first(),
+            redirect_uris="http://localhost:3000/login/generic_oauth",
+        )
+        provider.property_mappings.set(
+            ScopeMapping.objects.filter(
+                scope_name__in=[SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE]
+            )
+        )
+        provider.save()
+        app = Application.objects.create(
+            name="Grafana",
+            slug=APPLICATION_SLUG,
+            provider=provider,
+        )
+
+        negative_policy = ExpressionPolicy.objects.create(
+            name="negative-static", expression="return False"
+        )
+        PolicyBinding.objects.create(target=app, policy=negative_policy, order=0)
+        self.driver.get("http://localhost:3000")
+        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
+        self.driver.find_element(By.ID, "id_uid_field").click()
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
+        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
+        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+
+        self.wait.until(
+            ec.presence_of_element_located((By.CSS_SELECTOR, "header > h1"))
+        )
+        self.assertEqual(
+            self.driver.find_element(By.CSS_SELECTOR, "header > h1").text,
+            "Permission denied",
+        )
--- a/e2e/test_provider_oauth2_oidc.py
+++ b/e2e/test_provider_oauth2_oidc.py
@ -1,9 +1,11 @@
 """test OAuth2 OpenID Provider flow"""
+from json import loads
 from sys import platform
 from time import sleep
-from typing import Any, Dict, Optional
 from unittest.case import skipUnless

+from docker import DockerClient, from_env
+from docker.models.containers import Container
 from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys
@ -33,7 +35,6 @@ from passbook.providers.oauth2.models import (
 )

 LOGGER = get_logger()
-APPLICATION_SLUG = "grafana"


@skipUnless(platform.startswith("linux"), "requires local docker")
@ -43,42 +44,37 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
    def setUp(self):
        self.client_id = generate_client_id()
        self.client_secret = generate_client_secret()
+        self.application_slug = "test"
        super().setUp()

-    def get_container_specs(self) -> Optional[Dict[str, Any]]:
-        return {
-            "image": "grafana/grafana:7.1.0",
-            "detach": True,
-            "network_mode": "host",
-            "auto_remove": True,
-            "healthcheck": Healthcheck(
-                test=["CMD", "wget", "--spider", "http://localhost:3000"],
+    def setup_client(self) -> Container:
+        """Setup client saml-sp container which we test SAML against"""
+        sleep(1)
+        client: DockerClient = from_env()
+        client.images.pull("beryju/oidc-test-client")
+        container = client.containers.run(
+            image="beryju/oidc-test-client",
+            detach=True,
+            network_mode="host",
+            auto_remove=True,
+            healthcheck=Healthcheck(
+                test=["CMD", "wget", "--spider", "http://localhost:9009/health"],
                interval=5 * 100 * 1000000,
                start_period=1 * 100 * 1000000,
            ),
-            "environment": {
-                "GF_AUTH_GENERIC_OAUTH_ENABLED": "true",
-                "GF_AUTH_GENERIC_OAUTH_CLIENT_ID": self.client_id,
-                "GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET": self.client_secret,
-                "GF_AUTH_GENERIC_OAUTH_SCOPES": "openid email profile",
-                "GF_AUTH_GENERIC_OAUTH_AUTH_URL": (
-                    self.url("passbook_providers_oauth2:authorize")
-                ),
-                "GF_AUTH_GENERIC_OAUTH_TOKEN_URL": (
-                    self.url("passbook_providers_oauth2:token")
-                ),
-                "GF_AUTH_GENERIC_OAUTH_API_URL": (
-                    self.url("passbook_providers_oauth2:userinfo")
-                ),
-                "GF_AUTH_SIGNOUT_REDIRECT_URL": (
-                    self.url(
-                        "passbook_providers_oauth2:end-session",
-                        application_slug=APPLICATION_SLUG,
-                    )
-                ),
-                "GF_LOG_LEVEL": "debug",
+            environment={
+                "OIDC_CLIENT_ID": self.client_id,
+                "OIDC_CLIENT_SECRET": self.client_secret,
+                "OIDC_PROVIDER": f"{self.live_server_url}/application/o/{self.application_slug}/",
            },
-        }
+        )
+        while True:
+            container.reload()
+            status = container.attrs.get("State", {}).get("Health", {}).get("Status")
+            if status == "healthy":
+                return container
+            LOGGER.info("Container failed healthcheck")
+            sleep(1)

    def test_redirect_uri_error(self):
        """test OpenID Provider flow (invalid redirect URI, check error message)"""
@ -88,12 +84,12 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
            slug="default-provider-authorization-implicit-consent"
        )
        provider = OAuth2Provider.objects.create(
-            name="grafana",
+            name=self.application_slug,
            client_type=ClientTypes.CONFIDENTIAL,
            client_id=self.client_id,
            client_secret=self.client_secret,
            rsa_key=CertificateKeyPair.objects.first(),
-            redirect_uris="http://localhost:3000/",
+            redirect_uris="http://localhost:9009/",
            authorization_flow=authorization_flow,
            response_type=ResponseTypes.CODE,
        )
@ -104,11 +100,14 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
        )
        provider.save()
        Application.objects.create(
-            name="Grafana", slug=APPLICATION_SLUG, provider=provider,
+            name=self.application_slug,
+            slug=self.application_slug,
+            provider=provider,
        )
+        self.container = self.setup_client()
+
+        self.driver.get("http://localhost:9009")

-        self.driver.get("http://localhost:3000")
-        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
        self.driver.find_element(By.ID, "id_uid_field").click()
        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
@ -128,12 +127,12 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
            slug="default-provider-authorization-implicit-consent"
        )
        provider = OAuth2Provider.objects.create(
-            name="grafana",
+            name=self.application_slug,
            client_type=ClientTypes.CONFIDENTIAL,
            client_id=self.client_id,
            client_secret=self.client_secret,
            rsa_key=CertificateKeyPair.objects.first(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
+            redirect_uris="http://localhost:9009/auth/callback",
            authorization_flow=authorization_flow,
            response_type=ResponseTypes.CODE,
        )
@ -144,105 +143,31 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
        )
        provider.save()
        Application.objects.create(
-            name="Grafana", slug=APPLICATION_SLUG, provider=provider,
+            name=self.application_slug,
+            slug=self.application_slug,
+            provider=provider,
        )
+        self.container = self.setup_client()
+
+        self.driver.get("http://localhost:9009")

-        self.driver.get("http://localhost:3000")
-        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
        self.driver.find_element(By.ID, "id_uid_field").click()
        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/profile')]").click()
-        self.assertEqual(
-            self.driver.find_element(By.CLASS_NAME, "page-header__title").text,
-            USER().name,
-        )
-        self.assertEqual(
-            self.driver.find_element(By.CSS_SELECTOR, "input[name=name]").get_attribute(
-                "value"
-            ),
-            USER().name,
-        )
-        self.assertEqual(
-            self.driver.find_element(
-                By.CSS_SELECTOR, "input[name=email]"
-            ).get_attribute("value"),
-            USER().email,
-        )
-        self.assertEqual(
-            self.driver.find_element(
-                By.CSS_SELECTOR, "input[name=login]"
-            ).get_attribute("value"),
-            USER().email,
-        )

-    def test_authorization_logout(self):
-        """test OpenID Provider flow with logout"""
-        sleep(1)
-        # Bootstrap all needed objects
-        authorization_flow = Flow.objects.get(
-            slug="default-provider-authorization-implicit-consent"
-        )
-        provider = OAuth2Provider.objects.create(
-            name="grafana",
-            client_type=ClientTypes.CONFIDENTIAL,
-            client_id=self.client_id,
-            client_secret=self.client_secret,
-            rsa_key=CertificateKeyPair.objects.first(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
-            authorization_flow=authorization_flow,
-            response_type=ResponseTypes.CODE,
-        )
-        provider.property_mappings.set(
-            ScopeMapping.objects.filter(
-                scope_name__in=[SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE]
-            )
-        )
-        provider.save()
-        Application.objects.create(
-            name="Grafana", slug=APPLICATION_SLUG, provider=provider,
-        )
+        self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "pre")))
+        body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)

-        self.driver.get("http://localhost:3000")
-        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
-        self.driver.find_element(By.ID, "id_uid_field").click()
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
-        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
-        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/profile')]").click()
-        self.assertEqual(
-            self.driver.find_element(By.CLASS_NAME, "page-header__title").text,
-            USER().name,
-        )
-        self.assertEqual(
-            self.driver.find_element(By.CSS_SELECTOR, "input[name=name]").get_attribute(
-                "value"
-            ),
-            USER().name,
-        )
-        self.assertEqual(
-            self.driver.find_element(
-                By.CSS_SELECTOR, "input[name=email]"
-            ).get_attribute("value"),
-            USER().email,
-        )
-        self.assertEqual(
-            self.driver.find_element(
-                By.CSS_SELECTOR, "input[name=login]"
-            ).get_attribute("value"),
-            USER().email,
-        )
-        self.driver.find_element(By.CSS_SELECTOR, "[href='/logout']").click()
-        self.wait_for_url(
-            self.url(
-                "passbook_providers_oauth2:end-session",
-                application_slug=APPLICATION_SLUG,
-            )
-        )
-        self.driver.find_element(By.ID, "logout").click()
+        self.assertEqual(body["IDTokenClaims"]["nickname"], USER().username)
+        self.assertEqual(body["UserInfo"]["nickname"], USER().username)
+
+        self.assertEqual(body["IDTokenClaims"]["name"], USER().name)
+        self.assertEqual(body["UserInfo"]["name"], USER().name)
+
+        self.assertEqual(body["IDTokenClaims"]["email"], USER().email)
+        self.assertEqual(body["UserInfo"]["email"], USER().email)

    def test_authorization_consent_explicit(self):
        """test OpenID Provider flow (default authorization flow with explicit consent)"""
@ -252,14 +177,14 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
            slug="default-provider-authorization-explicit-consent"
        )
        provider = OAuth2Provider.objects.create(
-            name="grafana",
+            name=self.application_slug,
            authorization_flow=authorization_flow,
            response_type=ResponseTypes.CODE,
            client_type=ClientTypes.CONFIDENTIAL,
            client_id=self.client_id,
            client_secret=self.client_secret,
            rsa_key=CertificateKeyPair.objects.first(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
+            redirect_uris="http://localhost:9009/auth/callback",
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -268,22 +193,23 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
        )
        provider.save()
        app = Application.objects.create(
-            name="Grafana", slug=APPLICATION_SLUG, provider=provider,
+            name=self.application_slug,
+            slug=self.application_slug,
+            provider=provider,
        )
+        self.container = self.setup_client()
+
+        self.driver.get("http://localhost:9009")

-        self.driver.get("http://localhost:3000")
-        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
        self.driver.find_element(By.ID, "id_uid_field").click()
        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)

-        self.assertIn(
+        self.assertEqual(
            app.name,
-            self.driver.find_element(
-                By.XPATH, "/html/body/div[2]/div/main/div/form/div[2]/p[1]"
-            ).text,
+            self.driver.find_element(By.ID, "application-name").text,
        )
        self.wait.until(
            ec.presence_of_element_located((By.CSS_SELECTOR, "[type=submit]"))
@ -291,34 +217,17 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
        sleep(1)
        self.driver.find_element(By.CSS_SELECTOR, "[type=submit]").click()

-        self.wait.until(
-            ec.presence_of_element_located(
-                (By.XPATH, "//a[contains(@href, '/profile')]")
-            )
-        )
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/profile')]").click()
-        self.assertEqual(
-            self.driver.find_element(By.CLASS_NAME, "page-header__title").text,
-            USER().name,
-        )
-        self.assertEqual(
-            self.driver.find_element(By.CSS_SELECTOR, "input[name=name]").get_attribute(
-                "value"
-            ),
-            USER().name,
-        )
-        self.assertEqual(
-            self.driver.find_element(
-                By.CSS_SELECTOR, "input[name=email]"
-            ).get_attribute("value"),
-            USER().email,
-        )
-        self.assertEqual(
-            self.driver.find_element(
-                By.CSS_SELECTOR, "input[name=login]"
-            ).get_attribute("value"),
-            USER().email,
-        )
+        self.wait.until(ec.presence_of_element_located((By.CSS_SELECTOR, "pre")))
+        body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
+
+        self.assertEqual(body["IDTokenClaims"]["nickname"], USER().username)
+        self.assertEqual(body["UserInfo"]["nickname"], USER().username)
+
+        self.assertEqual(body["IDTokenClaims"]["name"], USER().name)
+        self.assertEqual(body["UserInfo"]["name"], USER().name)
+
+        self.assertEqual(body["IDTokenClaims"]["email"], USER().email)
+        self.assertEqual(body["UserInfo"]["email"], USER().email)

    def test_authorization_denied(self):
        """test OpenID Provider flow (default authorization with access deny)"""
@ -328,14 +237,14 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
            slug="default-provider-authorization-explicit-consent"
        )
        provider = OAuth2Provider.objects.create(
-            name="grafana",
+            name=self.application_slug,
            authorization_flow=authorization_flow,
            response_type=ResponseTypes.CODE,
            client_type=ClientTypes.CONFIDENTIAL,
            client_id=self.client_id,
            client_secret=self.client_secret,
            rsa_key=CertificateKeyPair.objects.first(),
-            redirect_uris="http://localhost:3000/login/generic_oauth",
+            redirect_uris="http://localhost:9009/auth/callback",
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
@ -344,15 +253,19 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
        )
        provider.save()
        app = Application.objects.create(
-            name="Grafana", slug=APPLICATION_SLUG, provider=provider,
+            name=self.application_slug,
+            slug=self.application_slug,
+            provider=provider,
        )

        negative_policy = ExpressionPolicy.objects.create(
            name="negative-static", expression="return False"
        )
        PolicyBinding.objects.create(target=app, policy=negative_policy, order=0)
-        self.driver.get("http://localhost:3000")
-        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
+
+        self.container = self.setup_client()
+        self.driver.get("http://localhost:9009")
+
        self.driver.find_element(By.ID, "id_uid_field").click()
        self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
--- a/e2e/test_provider_proxy.py
+++ b/e2e/test_provider_proxy.py
@ -4,12 +4,14 @@ from time import sleep
 from typing import Any, Dict, Optional
 from unittest.case import skipUnless

+from channels.testing import ChannelsLiveServerTestCase
 from docker.client import DockerClient, from_env
 from docker.models.containers import Container
 from selenium.webdriver.common.by import By
 from selenium.webdriver.common.keys import Keys

 from e2e.utils import USER, SeleniumTestCase
+from passbook import __version__
 from passbook.core.models import Application
 from passbook.flows.models import Flow
 from passbook.outposts.models import Outpost, OutpostDeploymentType, OutpostType
@ -38,7 +40,7 @@ class TestProviderProxy(SeleniumTestCase):
        """Start proxy container based on outpost created"""
        client: DockerClient = from_env()
        container = client.containers.run(
-            image="beryju/passbook-proxy:latest",
+            image=f"beryju/passbook-proxy:{__version__}",
            detach=True,
            network_mode="host",
            auto_remove=True,
@ -94,3 +96,66 @@ class TestProviderProxy(SeleniumTestCase):

        full_body_text = self.driver.find_element(By.CSS_SELECTOR, "pre").text
        self.assertIn("X-Forwarded-Preferred-Username: pbadmin", full_body_text)
+
+
+@skipUnless(platform.startswith("linux"), "requires local docker")
+class TestProviderProxyConnect(ChannelsLiveServerTestCase):
+    """Test Proxy connectivity over websockets"""
+
+    proxy_container: Container
+
+    def tearDown(self) -> None:
+        self.proxy_container.kill()
+        super().tearDown()
+
+    def start_proxy(self, outpost: Outpost) -> Container:
+        """Start proxy container based on outpost created"""
+        client: DockerClient = from_env()
+        container = client.containers.run(
+            image=f"beryju/passbook-proxy:{__version__}",
+            detach=True,
+            network_mode="host",
+            auto_remove=True,
+            environment={
+                "PASSBOOK_HOST": self.live_server_url,
+                "PASSBOOK_TOKEN": outpost.token.token_uuid.hex,
+            },
+        )
+        return container
+
+    def test_proxy_connectivity(self):
+        """Test proxy connectivity over websocket"""
+        SeleniumTestCase().apply_default_data()
+        proxy: ProxyProvider = ProxyProvider.objects.create(
+            name="proxy_provider",
+            authorization_flow=Flow.objects.get(
+                slug="default-provider-authorization-implicit-consent"
+            ),
+            internal_host="http://localhost:80",
+            external_host="http://localhost:4180",
+        )
+        # Ensure OAuth2 Params are set
+        proxy.set_oauth_defaults()
+        proxy.save()
+        # we need to create an application to actually access the proxy
+        Application.objects.create(name="proxy", slug="proxy", provider=proxy)
+        outpost: Outpost = Outpost.objects.create(
+            name="proxy_outpost",
+            type=OutpostType.PROXY,
+            deployment_type=OutpostDeploymentType.CUSTOM,
+        )
+        outpost.providers.add(proxy)
+        outpost.save()
+
+        self.proxy_container = self.start_proxy(outpost)
+
+        # Wait until outpost healthcheck succeeds
+        healthcheck_retries = 0
+        while healthcheck_retries < 50:
+            if outpost.deployment_health:
+                break
+            healthcheck_retries += 1
+            sleep(0.5)
+
+        self.assertIsNotNone(outpost.deployment_health)
+        self.assertEqual(outpost.deployment_version.get("version"), __version__)
--- a/e2e/test_provider_saml.py
+++ b/e2e/test_provider_saml.py
@ -1,4 +1,5 @@
 """test SAML Provider flow"""
+from json import loads
 from sys import platform
 from time import sleep
 from unittest.case import skipUnless
@ -35,6 +36,7 @@ class TestProviderSAML(SeleniumTestCase):
    def setup_client(self, provider: SAMLProvider) -> Container:
        """Setup client saml-sp container which we test SAML against"""
        client: DockerClient = from_env()
+        client.images.pull("beryju/oidc-test-client")
        container = client.containers.run(
            image="beryju/saml-test-sp",
            detach=True,
@ -82,7 +84,9 @@ class TestProviderSAML(SeleniumTestCase):
        provider.property_mappings.set(SAMLPropertyMapping.objects.all())
        provider.save()
        Application.objects.create(
-            name="SAML", slug="passbook-saml", provider=provider,
+            name="SAML",
+            slug="passbook-saml",
+            provider=provider,
        )
        self.container = self.setup_client(provider)
        self.driver.get("http://localhost:9009")
@ -92,10 +96,14 @@ class TestProviderSAML(SeleniumTestCase):
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
        self.wait_for_url("http://localhost:9009/")
-        self.assertEqual(
-            self.driver.find_element(By.XPATH, "/html/body/pre").text,
-            f"Hello, {USER().name}!",
-        )
+
+        body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
+
+        self.assertEqual(body["attr"]["cn"], [USER().name])
+        self.assertEqual(body["attr"]["displayName"], [USER().username])
+        self.assertEqual(body["attr"]["eduPersonPrincipalName"], [USER().email])
+        self.assertEqual(body["attr"]["mail"], [USER().email])
+        self.assertEqual(body["attr"]["uid"], [str(USER().pk)])

    def test_sp_initiated_explicit(self):
        """test SAML Provider flow SP-initiated flow (explicit consent)"""
@ -115,7 +123,9 @@ class TestProviderSAML(SeleniumTestCase):
        provider.property_mappings.set(SAMLPropertyMapping.objects.all())
        provider.save()
        app = Application.objects.create(
-            name="SAML", slug="passbook-saml", provider=provider,
+            name="SAML",
+            slug="passbook-saml",
+            provider=provider,
        )
        self.container = self.setup_client(provider)
        self.driver.get("http://localhost:9009")
@ -124,19 +134,21 @@ class TestProviderSAML(SeleniumTestCase):
        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
-        self.assertIn(
+        self.assertEqual(
            app.name,
-            self.driver.find_element(
-                By.XPATH, "/html/body/div[2]/div/main/div/form/div[2]/p[1]"
-            ).text,
+            self.driver.find_element(By.ID, "application-name").text,
        )
        sleep(1)
        self.driver.find_element(By.CSS_SELECTOR, "[type=submit]").click()
        self.wait_for_url("http://localhost:9009/")
-        self.assertEqual(
-            self.driver.find_element(By.XPATH, "/html/body/pre").text,
-            f"Hello, {USER().name}!",
-        )
+
+        body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
+
+        self.assertEqual(body["attr"]["cn"], [USER().name])
+        self.assertEqual(body["attr"]["displayName"], [USER().username])
+        self.assertEqual(body["attr"]["eduPersonPrincipalName"], [USER().email])
+        self.assertEqual(body["attr"]["mail"], [USER().email])
+        self.assertEqual(body["attr"]["uid"], [str(USER().pk)])

    def test_idp_initiated_implicit(self):
        """test SAML Provider flow IdP-initiated flow (implicit consent)"""
@ -156,7 +168,9 @@ class TestProviderSAML(SeleniumTestCase):
        provider.property_mappings.set(SAMLPropertyMapping.objects.all())
        provider.save()
        Application.objects.create(
-            name="SAML", slug="passbook-saml", provider=provider,
+            name="SAML",
+            slug="passbook-saml",
+            provider=provider,
        )
        self.container = self.setup_client(provider)
        self.driver.get(
@ -170,11 +184,16 @@ class TestProviderSAML(SeleniumTestCase):
        self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
        self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
        self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
+        sleep(1)
        self.wait_for_url("http://localhost:9009/")
-        self.assertEqual(
-            self.driver.find_element(By.XPATH, "/html/body/pre").text,
-            f"Hello, {USER().name}!",
-        )
+
+        body = loads(self.driver.find_element(By.CSS_SELECTOR, "pre").text)
+
+        self.assertEqual(body["attr"]["cn"], [USER().name])
+        self.assertEqual(body["attr"]["displayName"], [USER().username])
+        self.assertEqual(body["attr"]["eduPersonPrincipalName"], [USER().email])
+        self.assertEqual(body["attr"]["mail"], [USER().email])
+        self.assertEqual(body["attr"]["uid"], [str(USER().pk)])

    def test_sp_initiated_denied(self):
        """test SAML Provider flow SP-initiated flow (Policy denies access)"""
@ -197,7 +216,9 @@ class TestProviderSAML(SeleniumTestCase):
        provider.property_mappings.set(SAMLPropertyMapping.objects.all())
        provider.save()
        app = Application.objects.create(
-            name="SAML", slug="passbook-saml", provider=provider,
+            name="SAML",
+            slug="passbook-saml",
+            provider=provider,
        )
        PolicyBinding.objects.create(target=app, policy=negative_policy, order=0)
        self.container = self.setup_client(provider)
--- a/e2e/test_source_oauth.py
+++ b/e2e/test_source_oauth.py
@ -140,19 +140,19 @@ class TestSourceOAuth2(SeleniumTestCase):
        self.driver.find_element(By.NAME, "username").send_keys(Keys.ENTER)

        # Wait until we've loaded the user info page
-        self.wait.until(ec.presence_of_element_located((By.LINK_TEXT, "foo")))
-        self.driver.find_element(By.LINK_TEXT, "foo").click()
+        self.wait.until(ec.presence_of_element_located((By.ID, "user-settings")))
+        self.driver.get(self.url("passbook_core:user-settings"))

-        self.wait_for_url(self.url("passbook_core:user-settings"))
        self.assertEqual(
-            self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").text,
+            self.driver.find_element(By.ID, "user-settings").text,
            "foo",
        )
        self.assertEqual(
            self.driver.find_element(By.ID, "id_username").get_attribute("value"), "foo"
        )
        self.assertEqual(
-            self.driver.find_element(By.ID, "id_name").get_attribute("value"), "admin",
+            self.driver.find_element(By.ID, "id_name").get_attribute("value"),
+            "admin",
        )
        self.assertEqual(
            self.driver.find_element(By.ID, "id_email").get_attribute("value"),
@ -199,7 +199,7 @@ class TestSourceOAuth2(SeleniumTestCase):
        """test OAuth Source With With OIDC (enroll and authenticate again)"""
        self.test_oauth_enroll()
        # We're logged in at the end of this, log out and re-login
-        self.driver.find_element(By.CSS_SELECTOR, "[aria-label=logout]").click()
+        self.driver.find_element(By.ID, "logout").click()

        self.wait.until(
            ec.presence_of_element_located(
@ -223,20 +223,19 @@ class TestSourceOAuth2(SeleniumTestCase):
        )
        self.driver.find_element(By.CSS_SELECTOR, "button[type=submit]").click()

-        # Wait until we've loaded the user info page
-        self.wait.until(ec.presence_of_element_located((By.LINK_TEXT, "foo")))
-        self.driver.find_element(By.LINK_TEXT, "foo").click()
+        self.wait.until(ec.presence_of_element_located((By.ID, "user-settings")))
+        self.driver.get(self.url("passbook_core:user-settings"))

-        self.wait_for_url(self.url("passbook_core:user-settings"))
        self.assertEqual(
-            self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").text,
+            self.driver.find_element(By.ID, "user-settings").text,
            "foo",
        )
        self.assertEqual(
            self.driver.find_element(By.ID, "id_username").get_attribute("value"), "foo"
        )
        self.assertEqual(
-            self.driver.find_element(By.ID, "id_name").get_attribute("value"), "admin",
+            self.driver.find_element(By.ID, "id_name").get_attribute("value"),
+            "admin",
        )
        self.assertEqual(
            self.driver.find_element(By.ID, "id_email").get_attribute("value"),
@ -318,12 +317,11 @@ class TestSourceOAuth1(SeleniumTestCase):
        self.driver.find_element(By.CSS_SELECTOR, "[name='confirm']").click()

        # Wait until we've loaded the user info page
-        self.wait.until(ec.presence_of_element_located((By.LINK_TEXT, "example-user")))
-        self.driver.find_element(By.LINK_TEXT, "example-user").click()
+        self.wait.until(ec.presence_of_element_located((By.ID, "user-settings")))
+        self.driver.get(self.url("passbook_core:user-settings"))

-        self.wait_for_url(self.url("passbook_core:user-settings"))
        self.assertEqual(
-            self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").text,
+            self.driver.find_element(By.ID, "user-settings").text,
            "example-user",
        )
        self.assertEqual(
--- a/e2e/test_source_saml.py
+++ b/e2e/test_source_saml.py
@ -98,7 +98,9 @@ class TestSourceSAML(SeleniumTestCase):
        authentication_flow = Flow.objects.get(slug="default-source-authentication")
        enrollment_flow = Flow.objects.get(slug="default-source-enrollment")
        keypair = CertificateKeyPair.objects.create(
-            name="test-idp-cert", certificate_data=IDP_CERT, key_data=IDP_KEY,
+            name="test-idp-cert",
+            certificate_data=IDP_CERT,
+            key_data=IDP_KEY,
        )

        SAMLSource.objects.create(
@ -130,12 +132,8 @@ class TestSourceSAML(SeleniumTestCase):
        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)

        # Wait until we're logged in
-        self.wait.until(
-            ec.presence_of_element_located(
-                (By.XPATH, "//a[contains(@href, '/-/user/')]")
-            )
-        )
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").click()
+        self.wait.until(ec.presence_of_element_located((By.ID, "user-settings")))
+        self.driver.get(self.url("passbook_core:user-settings"))

        # Wait until we've loaded the user info page
        self.wait.until(ec.presence_of_element_located((By.ID, "id_username")))
@ -149,7 +147,9 @@ class TestSourceSAML(SeleniumTestCase):
        authentication_flow = Flow.objects.get(slug="default-source-authentication")
        enrollment_flow = Flow.objects.get(slug="default-source-enrollment")
        keypair = CertificateKeyPair.objects.create(
-            name="test-idp-cert", certificate_data=IDP_CERT, key_data=IDP_KEY,
+            name="test-idp-cert",
+            certificate_data=IDP_CERT,
+            key_data=IDP_KEY,
        )

        SAMLSource.objects.create(
@ -183,12 +183,8 @@ class TestSourceSAML(SeleniumTestCase):
        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)

        # Wait until we're logged in
-        self.wait.until(
-            ec.presence_of_element_located(
-                (By.XPATH, "//a[contains(@href, '/-/user/')]")
-            )
-        )
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").click()
+        self.wait.until(ec.presence_of_element_located((By.ID, "user-settings")))
+        self.driver.get(self.url("passbook_core:user-settings"))

        # Wait until we've loaded the user info page
        self.wait.until(ec.presence_of_element_located((By.ID, "id_username")))
@ -202,7 +198,9 @@ class TestSourceSAML(SeleniumTestCase):
        authentication_flow = Flow.objects.get(slug="default-source-authentication")
        enrollment_flow = Flow.objects.get(slug="default-source-enrollment")
        keypair = CertificateKeyPair.objects.create(
-            name="test-idp-cert", certificate_data=IDP_CERT, key_data=IDP_KEY,
+            name="test-idp-cert",
+            certificate_data=IDP_CERT,
+            key_data=IDP_KEY,
        )

        SAMLSource.objects.create(
@ -234,12 +232,8 @@ class TestSourceSAML(SeleniumTestCase):
        self.driver.find_element(By.ID, "password").send_keys(Keys.ENTER)

        # Wait until we're logged in
-        self.wait.until(
-            ec.presence_of_element_located(
-                (By.XPATH, "//a[contains(@href, '/-/user/')]")
-            )
-        )
-        self.driver.find_element(By.XPATH, "//a[contains(@href, '/-/user/')]").click()
+        self.wait.until(ec.presence_of_element_located((By.ID, "user-settings")))
+        self.driver.get(self.url("passbook_core:user-settings"))

        # Wait until we've loaded the user info page
        self.wait.until(ec.presence_of_element_located((By.ID, "id_username")))
--- a/e2e/utils.py
+++ b/e2e/utils.py
@ -38,8 +38,8 @@ class SeleniumTestCase(StaticLiveServerTestCase):
        makedirs("selenium_screenshots/", exist_ok=True)
        self.driver = self._get_driver()
        self.driver.maximize_window()
-        self.driver.implicitly_wait(10)
-        self.wait = WebDriverWait(self.driver, 30)
+        self.driver.implicitly_wait(30)
+        self.wait = WebDriverWait(self.driver, 60)
        self.apply_default_data()
        self.logger = get_logger()
        if specs := self.get_container_specs():
@ -47,6 +47,7 @@ class SeleniumTestCase(StaticLiveServerTestCase):

    def _start_container(self, specs: Dict[str, Any]) -> Container:
        client: DockerClient = from_env()
+        client.images.pull(specs["image"])
        container = client.containers.run(**specs)
        if "healthcheck" not in specs:
            return container
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: "0.10.7-stable"
+appVersion: "0.11.0-stable"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.10.7-stable"
+version: "0.11.0-stable"
 icon: https://github.com/BeryJu/passbook/blob/master/docs/images/logo.svg
 dependencies:
  - name: postgresql
--- a/helm/templates/configmap.yaml
+++ b/helm/templates/configmap.yaml
@ -7,10 +7,11 @@ data:
  POSTGRESQL__NAME: "{{ .Values.postgresql.postgresqlDatabase }}"
  POSTGRESQL__USER: "{{ .Values.postgresql.postgresqlUsername }}"
  {{- if .Values.backup }}
-  POSTGRESQL__BACKUP__ACCESS_KEY: "{{ .Values.backup.access_key }}"
-  POSTGRESQL__BACKUP__SECRET_KEY: "{{ .Values.backup.secret_key }}"
-  POSTGRESQL__BACKUP__BUCKET: "{{ .Values.backup.bucket }}"
-  POSTGRESQL__BACKUP__HOST: "{{ .Values.backup.host }}"
+  POSTGRESQL__S3_BACKUP__ACCESS_KEY: "{{ .Values.backup.access_key }}"
+  POSTGRESQL__S3_BACKUP__SECRET_KEY: "{{ .Values.backup.secret_key }}"
+  POSTGRESQL__S3_BACKUP__BUCKET: "{{ .Values.backup.bucket }}"
+  POSTGRESQL__S3_BACKUP__REGION: "{{ .Values.backup.region }}"
+  POSTGRESQL__S3_BACKUP__HOST: "{{ .Values.backup.host }}"
  {{- end}}
  REDIS__HOST: "{{ .Release.Name }}-redis-master"
  ERROR_REPORTING__ENABLED: "{{ .Values.config.error_reporting.enabled }}"
--- a/helm/templates/cronjob-backup.yaml
+++ b/helm/templates/cronjob-backup.yaml
@ -0,0 +1,42 @@
+{{- if .Values.backup }}
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: {{ include "passbook.fullname" . }}-backup
+  labels:
+    app.kubernetes.io/name: {{ include "passbook.name" . }}
+    helm.sh/chart: {{ include "passbook.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  schedule: "0 0 * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: Never
+          containers:
+          - name: {{ .Chart.Name }}
+            image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
+            args: [server]
+            envFrom:
+              - configMapRef:
+                  name: {{ include "passbook.fullname" . }}-config
+                prefix: PASSBOOK_
+            env:
+              - name: PASSBOOK_SECRET_KEY
+                valueFrom:
+                  secretKeyRef:
+                    name: "{{ include "passbook.fullname" . }}-secret-key"
+                    key: "secret_key"
+              - name: PASSBOOK_REDIS__PASSWORD
+                valueFrom:
+                  secretKeyRef:
+                    name: "{{ .Release.Name }}-redis"
+                    key: "redis-password"
+              - name: PASSBOOK_POSTGRESQL__PASSWORD
+                valueFrom:
+                  secretKeyRef:
+                    name: "{{ .Release.Name }}-postgresql"
+                    key: "postgresql-password"
+{{- end}}
--- a/helm/values.yaml
+++ b/helm/values.yaml
@ -4,7 +4,7 @@
 image:
  name: beryju/passbook
  name_static: beryju/passbook-static
-  tag: 0.10.7-stable
+  tag: 0.11.0-stable

 nameOverride: ""

@ -28,8 +28,21 @@ config:
 #   access_key: access-key
 #   secret_key: secret-key
 #   bucket: s3-bucket
+#   region: eu-central-1
 #   host: s3-host

+ingress:
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  path: /
+  hosts:
+    - passbook.k8s.local
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - passbook.k8s.local
+
 ###################################
 # Values controlling dependencies
 ###################################
@ -50,15 +63,3 @@ redis:
      enabled: false
    # https://stackoverflow.com/a/59189742
    disableCommands: []
-
-ingress:
-  annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-  path: /
-  hosts:
-    - passbook.k8s.local
-  tls: []
-  #  - secretName: chart-example-tls
-  #    hosts:
-  #      - passbook.k8s.local
--- a/lifecycle/bootstrap.sh
+++ b/lifecycle/bootstrap.sh
@ -1,6 +1,6 @@
 #!/bin/bash -e
 python -m lifecycle.wait_for_db
-printf '{"event": "Bootstrap completed", "level": "info", "logger": "bootstrap", "command": "%s"}\n' "$@"
+printf '{"event": "Bootstrap completed", "level": "info", "logger": "bootstrap", "command": "%s"}\n' "$@" > /dev/stderr
 if [[ "$1" == "server" ]]; then
    gunicorn -c /lifecycle/gunicorn.conf.py passbook.root.asgi:application
 elif [[ "$1" == "worker" ]]; then
@ -9,6 +9,12 @@ elif [[ "$1" == "migrate" ]]; then
    # Run system migrations first, run normal migrations after
    python -m lifecycle.migrate
    python -m manage migrate
+elif [[ "$1" == "backup" ]]; then
+    python -m manage dbbackup --clean
+elif [[ "$1" == "restore" ]]; then
+    python -m manage dbrestore ${@:2}
+elif [[ "$1" == "bash" ]]; then
+    /bin/bash
 else
    python -m manage "$@"
 fi
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -8,6 +8,7 @@ nav:
  - Installation:
    - docker-compose: installation/docker-compose.md
    - Kubernetes: installation/kubernetes.md
+    - Reverse Proxy: installation/reverse-proxy.md
  - Flows:
      Overview: flow/flows.md
      Examples: flow/examples/examples.md
@ -56,6 +57,9 @@ nav:
        - VMware vCenter: integrations/services/vmware-vcenter/index.md
        - Ubuntu Landscape: integrations/services/ubuntu-landscape/index.md
        - Sonarr: integrations/services/sonarr/index.md
+        - Tautulli: integrations/services/tautulli/index.md
+  - Maintenance:
+    - Backups: maintenance/backups/index.md
  - Upgrading:
    - to 0.9: upgrading/to-0.9.md
    - to 0.10: upgrading/to-0.10.md
--- a/passbook/init.py
+++ b/passbook/init.py
@ -1,2 +1,2 @@
 """passbook"""
-__version__ = "0.10.7-stable"
+__version__ = "0.11.0-stable"
--- a/passbook/admin/api/init.py
+++ b/passbook/admin/api/init.py
--- a/passbook/admin/api/overview.py
+++ b/passbook/admin/api/overview.py
@ -0,0 +1,80 @@
+"""passbook administration overview"""
+from django.core.cache import cache
+from django.http import response
+from drf_yasg.utils import swagger_auto_schema
+from rest_framework.fields import SerializerMethodField
+from rest_framework.permissions import IsAdminUser
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import Serializer
+from rest_framework.viewsets import ViewSet
+
+from passbook import __version__
+from passbook.admin.tasks import VERSION_CACHE_KEY, update_latest_version
+from passbook.core.models import Provider
+from passbook.policies.models import Policy
+from passbook.root.celery import CELERY_APP
+
+
+class AdministrationOverviewSerializer(Serializer):
+    """Overview View"""
+
+    version = SerializerMethodField()
+    version_latest = SerializerMethodField()
+    worker_count = SerializerMethodField()
+    providers_without_application = SerializerMethodField()
+    policies_without_binding = SerializerMethodField()
+    cached_policies = SerializerMethodField()
+    cached_flows = SerializerMethodField()
+
+    def get_version(self, _) -> str:
+        """Get current version"""
+        return __version__
+
+    def get_version_latest(self, _) -> str:
+        """Get latest version from cache"""
+        version_in_cache = cache.get(VERSION_CACHE_KEY)
+        if not version_in_cache:
+            update_latest_version.delay()
+            return __version__
+        return version_in_cache
+
+    def get_worker_count(self, _) -> int:
+        """Ping workers"""
+        return len(CELERY_APP.control.ping(timeout=0.5))
+
+    def get_providers_without_application(self, _) -> int:
+        """Count of providers without application"""
+        return len(Provider.objects.filter(application=None))
+
+    def get_policies_without_binding(self, _) -> int:
+        """Count of policies not bound or use in prompt stages"""
+        return len(
+            Policy.objects.filter(bindings__isnull=True, promptstage__isnull=True)
+        )
+
+    def get_cached_policies(self, _) -> int:
+        """Get cached policy count"""
+        return len(cache.keys("policy_*"))
+
+    def get_cached_flows(self, _) -> int:
+        """Get cached flow count"""
+        return len(cache.keys("flow_*"))
+
+    def create(self, request: Request) -> response:
+        raise NotImplementedError
+
+    def update(self, request: Request) -> Response:
+        raise NotImplementedError
+
+
+class AdministrationOverviewViewSet(ViewSet):
+    """Return single instance of AdministrationOverviewSerializer"""
+
+    permission_classes = [IsAdminUser]
+
+    @swagger_auto_schema(responses={200: AdministrationOverviewSerializer(many=True)})
+    def list(self, request: Request) -> Response:
+        """Return single instance of AdministrationOverviewSerializer"""
+        serializer = AdministrationOverviewSerializer(True)
+        return Response(serializer.data)
--- a/passbook/admin/api/overview_metrics.py
+++ b/passbook/admin/api/overview_metrics.py
@ -0,0 +1,80 @@
+"""passbook administration overview"""
+import time
+from collections import Counter
+from datetime import timedelta
+from typing import Dict, List
+
+from django.db.models import Count, ExpressionWrapper, F
+from django.db.models.fields import DurationField
+from django.db.models.functions import ExtractHour
+from django.http import response
+from django.utils.timezone import now
+from drf_yasg.utils import swagger_auto_schema
+from rest_framework.fields import SerializerMethodField
+from rest_framework.permissions import IsAdminUser
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import Serializer
+from rest_framework.viewsets import ViewSet
+
+from passbook.audit.models import Event, EventAction
+
+
+class AdministrationMetricsSerializer(Serializer):
+    """Overview View"""
+
+    logins_per_1h = SerializerMethodField()
+    logins_failed_per_1h = SerializerMethodField()
+
+    def get_events_per_1h(self, action: str) -> List[Dict[str, int]]:
+        """Get event count by hour in the last day, fill with zeros"""
+        date_from = now() - timedelta(days=1)
+        result = (
+            Event.objects.filter(action=action, created__gte=date_from)
+            .annotate(
+                age=ExpressionWrapper(
+                    now() - F("created"), output_field=DurationField()
+                )
+            )
+            .annotate(age_hours=ExtractHour("age"))
+            .values("age_hours")
+            .annotate(count=Count("pk"))
+            .order_by("age_hours")
+        )
+        data = Counter({d["age_hours"]: d["count"] for d in result})
+        results = []
+        _now = now()
+        for hour in range(0, -24, -1):
+            results.append(
+                {
+                    "x": time.mktime((_now + timedelta(hours=hour)).timetuple()) * 1000,
+                    "y": data[hour * -1],
+                }
+            )
+        return results
+
+    def get_logins_per_1h(self, _):
+        """Get successful logins per hour for the last 24 hours"""
+        return self.get_events_per_1h(EventAction.LOGIN)
+
+    def get_logins_failed_per_1h(self, _):
+        """Get failed logins per hour for the last 24 hours"""
+        return self.get_events_per_1h(EventAction.LOGIN_FAILED)
+
+    def create(self, request: Request) -> response:
+        raise NotImplementedError
+
+    def update(self, request: Request) -> Response:
+        raise NotImplementedError
+
+
+class AdministrationMetricsViewSet(ViewSet):
+    """Return single instance of AdministrationMetricsSerializer"""
+
+    permission_classes = [IsAdminUser]
+
+    @swagger_auto_schema(responses={200: AdministrationMetricsSerializer(many=True)})
+    def list(self, request: Request) -> Response:
+        """Return single instance of AdministrationMetricsSerializer"""
+        serializer = AdministrationMetricsSerializer(True)
+        return Response(serializer.data)
--- a/passbook/admin/fields.py
+++ b/passbook/admin/fields.py
@ -1,9 +1,35 @@
-"""YAML fields"""
+"""Additional fields"""
 import yaml
 from django import forms
+from django.utils.datastructures import MultiValueDict
 from django.utils.translation import gettext_lazy as _


+class ArrayFieldSelectMultiple(forms.SelectMultiple):
+    """This is a Form Widget for use with a Postgres ArrayField. It implements
+    a multi-select interface that can be given a set of `choices`.
+    You can provide a `delimiter` keyword argument to specify the delimeter used.
+
+    https://gist.github.com/stephane/00e73c0002de52b1c601"""
+
+    def __init__(self, *args, **kwargs):
+        # Accept a `delimiter` argument, and grab it (defaulting to a comma)
+        self.delimiter = kwargs.pop("delimiter", ",")
+        super().__init__(*args, **kwargs)
+
+    def value_from_datadict(self, data, files, name):
+        if isinstance(data, MultiValueDict):
+            # Normally, we'd want a list here, which is what we get from the
+            # SelectMultiple superclass, but the SimpleArrayField expects to
+            # get a delimited string, so we're doing a little extra work.
+            return self.delimiter.join(data.getlist(name))
+
+        return data.get(name)
+
+    def get_context(self, name, value, attrs):
+        return super().get_context(name, value.split(self.delimiter), attrs)
+
+
 class CodeMirrorWidget(forms.Textarea):
    """Custom Textarea-based Widget that triggers a CodeMirror editor"""

@ -49,7 +75,9 @@ class YAMLField(forms.JSONField):
            converted = yaml.safe_load(value)
        except yaml.YAMLError:
            raise forms.ValidationError(
-                self.error_messages["invalid"], code="invalid", params={"value": value},
+                self.error_messages["invalid"],
+                code="invalid",
+                params={"value": value},
            )
        if isinstance(converted, str):
            return YAMLString(converted)
--- a/passbook/admin/templates/administration/application/list.html
+++ b/passbook/admin/templates/administration/application/list.html
@ -18,6 +18,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <a href="{% url 'passbook_admin:application-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
                </div>
@ -62,18 +63,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon pf-icon-applications pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Applications.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any application." %}
+                {% else %}
                    {% trans 'Currently no applications exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <a href="{% url 'passbook_admin:application-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
            </div>
--- a/passbook/admin/templates/administration/base.html
+++ b/passbook/admin/templates/administration/base.html
@ -25,7 +25,7 @@
                <li class="pf-c-nav__item">
                    <a href="{% url 'passbook_admin:overview' %}"
                        class="pf-c-nav__link {% is_active 'passbook_admin:overview' %}">
-                        {% trans 'System Status' %}
+                        {% trans 'Overview' %}
                    </a>
                </li>
                <li class="pf-c-nav__item">
@ -58,7 +58,7 @@
                        {% trans 'Property Mappings' %}
                    </a>
                </li>
-                <li class="pf-c-nav__item pf-m-expandable pf-m-expanded">
+                <li class="pf-c-nav__item pf-m-expanded">
                    <a href="#" class="pf-c-nav__link" aria-expanded="true">{% trans 'Flows' %}
                        <span class="pf-c-nav__toggle">
                            <i class="fas fa-angle-right" aria-hidden="true"></i>
@ -99,7 +99,7 @@
                        </ul>
                    </section>
                </li>
-                <li class="pf-c-nav__item pf-m-expandable pf-m-expanded">
+                <li class="pf-c-nav__item pf-m-expanded">
                    <a href="#" class="pf-c-nav__link" aria-expanded="true">{% trans 'Policies' %}
                        <span class="pf-c-nav__toggle">
                            <i class="fas fa-angle-right" aria-hidden="true"></i>
--- a/passbook/admin/templates/administration/certificatekeypair/list.html
+++ b/passbook/admin/templates/administration/certificatekeypair/list.html
@ -18,6 +18,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <a href="{% url 'passbook_admin:certificatekeypair-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
                </div>
@ -64,18 +65,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon pf-icon-key pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Certificates.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any certificates." %}
+                {% else %}
                    {% trans 'Currently no certificates exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <a href="{% url 'passbook_admin:certificatekeypair-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
            </div>
--- a/passbook/admin/templates/administration/flow/list.html
+++ b/passbook/admin/templates/administration/flow/list.html
@ -18,6 +18,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <a href="{% url 'passbook_admin:flow-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
                    <a href="{% url 'passbook_admin:flow-import' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-secondary" type="button">{% trans 'Import' %}</a>
@ -69,18 +70,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon pf-icon-process-automation pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Flows.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any flows." %}
+                {% else %}
                    {% trans 'Currently no flows exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <a href="{% url 'passbook_admin:flow-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
                <a href="{% url 'passbook_admin:flow-import' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Import' %}</a>
--- a/passbook/admin/templates/administration/group/list.html
+++ b/passbook/admin/templates/administration/group/list.html
@ -19,6 +19,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <a href="{% url 'passbook_admin:group-create' %}?back={{ request.get_full_path }}"
                        class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
@ -61,18 +62,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon pf-icon-users pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Groups.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any groups." %}
+                {% else %}
                    {% trans 'Currently no group exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <a href="{% url 'passbook_admin:group-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
            </div>
--- a/passbook/admin/templates/administration/outpost/list.html
+++ b/passbook/admin/templates/administration/outpost/list.html
@ -20,6 +20,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <a href="{% url 'passbook_admin:outpost-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
                </div>
@ -59,12 +60,10 @@
                    <td role="cell">
                        <span>
                            {% with ver=outpost.deployment_version %}
-                            {% if ver.outdated %}
-                                {% if ver.version == "" %}
-                                <i class="fas fa-times pf-m-danger"></i> -
-                                {% else %}
+                            {% if not ver.version %}
+                            <i class="fas fa-question-circle"></i>
+                            {% elif ver.outdated %}
                            <i class="fas fa-times pf-m-danger"></i> {% blocktrans with is=ver.version should=ver.should %}{{ is }}, should be {{ should }}{% endblocktrans %}
-                                {% endif %}
                            {% else %}
                            <i class="fas fa-check pf-m-success"></i> {{ ver.version }}
                            {% endif %}
@ -83,18 +82,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="fas fa-map-marker pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Outposts.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any outposts." %}
+                {% else %}
                    {% trans 'Currently no outposts exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <a href="{% url 'passbook_admin:outpost-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
            </div>
--- a/passbook/admin/templates/administration/overview.html
+++ b/passbook/admin/templates/administration/overview.html
@ -1,6 +1,7 @@
 {% extends "administration/base.html" %}

 {% load i18n %}
+{% load static %}

 {% block content %}
 <section class="pf-c-page__main-section pf-m-light">
@ -10,33 +11,51 @@
 </section>
 <section class="pf-c-page__main-section">
    <div class="pf-l-gallery pf-m-gutter">
-        <a href="{% url 'passbook_admin:applications' %}" class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact">
+        <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-4-col" style="grid-column-end: span 3;grid-row-end: span 2;">
            <div class="pf-c-card__header">
                <div class="pf-c-card__header-main">
-                    <i class="pf-icon pf-icon-applications"></i> {% trans 'Applications' %}
+                    <i class="pf-icon pf-icon-server"></i> {% trans 'Logins over the last 24 hours' %}
+                </div>
+            </div>
+            <div class="pf-c-card__body" style="position: relative; height:100%; width:100%">
+                <canvas id="logins-last-metrics"></canvas>
+            </div>
+        </div>
+        <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-4-col" style="grid-column-end: span 2;grid-row-end: span 3;">
+            <div class="pf-c-card__header">
+                <div class="pf-c-card__header-main">
+                    <i class="pf-icon pf-icon-server"></i> {% trans 'Apps with most usage' %}
                </div>
            </div>
            <div class="pf-c-card__body">
-                <p class="aggregate-status">
-                    <i class="fa fa-check-circle"></i> {{ application_count }}
-                </p>
+                <table class="pf-c-table pf-m-compact" role="grid">
+                    <thead>
+                        <tr role="row">
+                            <th role="columnheader" scope="col">{% trans 'Application' %}</th>
+                            <th role="columnheader" scope="col">{% trans 'Logins' %}</th>
+                            <th role="columnheader" scope="col"></th>
+                        </tr>
+                    </thead>
+                    <tbody role="rowgroup">
+                        {% for app in most_used_applications %}
+                        <tr role="row">
+                            <td role="cell">
+                                {{ app.application.name }}
+                            </td>
+                            <td role="cell">
+                                {{ app.total_logins }}
+                            </td>
+                            <td role="cell">
+                                <progress value="{{ app.total_logins }}" max="{{ most_used_applications.0.total_logins }}"></progress>
+                            </td>
+                        </tr>
+                        {% endfor %}
+                    </tbody>
+                </table>
+            </div>
        </div>
-        </a>

-        <a href="{% url 'passbook_admin:sources' %}" class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact">
-            <div class="pf-c-card__header">
-                <div class="pf-c-card__header-main">
-                    <i class="pf-icon pf-icon-middleware"></i> {% trans 'Sources' %}
-                </div>
-            </div>
-            <div class="pf-c-card__body">
-                <p class="aggregate-status">
-                    <i class="fa fa-check-circle"></i> {{ source_count }}
-                </p>
-            </div>
-        </a>
-
-        <a href="{% url 'passbook_admin:providers' %}" class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact">
+        <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
            <div class="pf-c-card__header">
                <div class="pf-c-card__header-main">
                    <i class="pf-icon pf-icon-plugged"></i> {% trans 'Providers' %}
@ -54,42 +73,9 @@
                </p>
                {% endif %}
            </div>
-        </a>
+        </div>

-        <a href="{% url 'passbook_admin:stages' %}" class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact">
-            <div class="pf-c-card__header">
-                <div class="pf-c-card__header-main">
-                    <i class="pf-icon pf-icon-plugged"></i> {% trans 'Stages' %}
-                </div>
-            </div>
-            <div class="pf-c-card__body">
-                {% if stage_count < 1 %}
-                <p class="aggregate-status">
-                    <i class="pficon-error-circle-o"></i> {{ stage_count }}
-                </p>
-                <p>{% trans 'No Stages configured. No Users will be able to login.' %}"></p>
-                {% else %}
-                <p class="aggregate-status">
-                    <i class="fa fa-check-circle"></i> {{ stage_count }}
-                </p>
-                {% endif %}
-            </div>
-        </a>
-
-        <a href="{% url 'passbook_admin:stages' %}" class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact">
-            <div class="pf-c-card__header">
-                <div class="pf-c-card__header-main">
-                    <i class="pf-icon pf-icon-topology"></i> {% trans 'Flows' %}
-                </div>
-            </div>
-            <div class="pf-c-card__body">
-                <p class="aggregate-status">
-                    <i class="fa fa-check-circle"></i> {{ flow_count }}
-                </p>
-            </div>
-        </a>
-
-        <a href="{% url 'passbook_admin:policies' %}" class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact">
+        <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
            <div class="pf-c-card__header">
                <div class="pf-c-card__header-main">
                    <i class="pf-icon pf-icon-infrastructure"></i> {% trans 'Policies' %}
@ -107,22 +93,9 @@
                </p>
                {% endif %}
            </div>
-        </a>
+        </div>

-        <a href="{% url 'passbook_admin:stage-invitations' %}" class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact">
-            <div class="pf-c-card__header">
-                <div class="pf-c-card__header-main">
-                    <i class="pf-icon pf-icon-migration"></i> {% trans 'Invitation' %}
-                </div>
-            </div>
-            <div class="pf-c-card__body">
-                <p class="aggregate-status">
-                    <i class="fa fa-check-circle"></i> {{ invitation_count }}
-                </p>
-            </div>
-        </a>
-
-        <a href="{% url 'passbook_admin:users' %}" class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact">
+        <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
            <div class="pf-c-card__header">
                <div class="pf-c-card__header-main">
                    <i class="pf-icon pf-icon-user"></i> {% trans 'Users' %}
@ -133,9 +106,9 @@
                    <i class="fa fa-check-circle"></i> {{ user_count }}
                </p>
            </div>
-        </a>
+        </div>

-        <div class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact">
+        <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
            <div class="pf-c-card__header">
                <div class="pf-c-card__header-main">
                    <i class="pf-icon pf-icon-bundle"></i> {% trans 'Version' %}
@ -161,27 +134,35 @@
            </div>
        </div>

-        <div class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact">
+        <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
            <div class="pf-c-card__header">
                <div class="pf-c-card__header-main">
                    <i class="pf-icon pf-icon-server"></i> {% trans 'Workers' %}
                </div>
            </div>
-            <div class="pf-c-card__body">
-                {% if worker_count < 1 %}
+            <fetch-fill-slot class="pf-c-card__body" url="{% url 'passbook_api:admin_overview-list' %}" key="worker_count">
+                <div slot="value < 1">
                    <p class="aggregate-status">
-                    <i class="fa fa-exclamation-triangle"></i> {{ worker_count }}
+                        <i class="fa fa-exclamation-triangle"></i> <span data-value></span>
                    </p>
                    <p>{% trans 'No workers connected.' %}</p>
-                {% else %}
-                <p class="aggregate-status">
-                    <i class="fa fa-check-circle"></i> {{ worker_count }}
-                </p>
-                {% endif %}
                </div>
+                <div slot="value >= 1">
+                    <p class="aggregate-status">
+                        <i class="fa fa-check-circle"></i> <span data-value></span>
+                    </p>
+                </div>
+                <div>
+                    <span class="pf-c-spinner" role="progressbar" aria-valuetext="Loading...">
+                        <span class="pf-c-spinner__clipper"></span>
+                        <span class="pf-c-spinner__lead-ball"></span>
+                        <span class="pf-c-spinner__tail-ball"></span>
+                    </span>
+                </div>
+            </fetch-fill-slot>
        </div>

-        <a class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact" data-target="modal" data-modal="clearCacheModalRoot">
+        <a class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-hoverable pf-m-compact" data-target="modal" data-modal="clearCacheModalRoot">
            <div class="pf-c-card__header">
                <div class="pf-c-card__header-main">
                    <i class="pf-icon pf-icon-server"></i> {% trans 'Cached Policies' %}
@ -201,7 +182,7 @@
            </div>
        </a>

-        <div class="pf-c-card pf-c-card-aggregate pf-m-hoverable pf-m-compact">
+        <div class="pf-c-card pf-c-card-aggregate pf-l-gallery__item pf-m-compact">
            <div class="pf-c-card__header">
                <div class="pf-c-card__header-main">
                    <i class="pf-icon pf-icon-server"></i> {% trans 'Cached Flows' %}
@ -254,4 +235,65 @@
        </div>
    </div>
 </div>
+
+<script src="{% static 'node_modules/chart.js/dist/Chart.bundle.min.js' %}"></script>
+<script>
+var ctx = document.getElementById('logins-last-metrics').getContext('2d');
+fetch("{% url 'passbook_api:admin_metrics-list' %}").then(r => r.json()).then(r => {
+    var myChart = new Chart(ctx, {
+        type: 'bar',
+        data: {
+            datasets: [
+                {
+                    label: 'Failed Logins',
+                    backgroundColor: "rgba(201, 25, 11, .5)",
+                    spanGaps: true,
+                    data: r.logins_failed_per_1h,
+                },
+                {
+                    label: 'Successful Logins',
+                    backgroundColor: "rgba(189, 229, 184, .5)",
+                    spanGaps: true,
+                    data: r.logins_per_1h,
+                },
+            ]
+        },
+        options: {
+            maintainAspectRatio: false,
+            spanGaps: true,
+            scales: {
+                xAxes: [{
+                    stacked: true,
+                    gridLines: {
+                        color: "rgba(0, 0, 0, 0)",
+                    },
+                    type: 'time',
+                    offset: true,
+                    ticks: {
+                        callback: function (value, index, values) {
+                            const date = new Date();
+                            const delta = (date - values[index].value);
+                            const ago = Math.round(delta / 1000 / 3600);
+                            console.log(ago);
+                            return `${ago} Hours ago`;
+                        },
+                        autoSkip: true,
+                        maxTicksLimit: 8
+                    }
+                }],
+                yAxes: [{
+                    ticks: {
+                        stepSize: 1
+                    },
+                    stacked: true,
+                    gridLines: {
+                        color: "rgba(0, 0, 0, 0)",
+                    }
+                }]
+            }
+        }
+    });
+});
+</script>
+
 {% endblock %}
--- a/passbook/admin/templates/administration/policy/list.html
+++ b/passbook/admin/templates/administration/policy/list.html
@ -18,6 +18,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <div class="pf-c-dropdown">
                        <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
@ -78,18 +79,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon pf-icon-infrastructure pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Policies.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any policies." %}
+                {% else %}
                    {% trans 'Currently no policies exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <div class="pf-c-dropdown">
                    <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
--- a/passbook/admin/templates/administration/policy_binding/list.html
+++ b/passbook/admin/templates/administration/policy_binding/list.html
@ -75,7 +75,7 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
--- a/passbook/admin/templates/administration/property_mapping/list.html
+++ b/passbook/admin/templates/administration/property_mapping/list.html
@ -19,6 +19,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <div class="pf-c-dropdown">
                        <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
@ -72,18 +73,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon pf-icon-blueprint pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Property Mappings.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any property mappings." %}
+                {% else %}
                    {% trans 'Currently no property mappings exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <div class="pf-c-dropdown">
                    <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
--- a/passbook/admin/templates/administration/provider/list.html
+++ b/passbook/admin/templates/administration/provider/list.html
@ -20,6 +20,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <div class="pf-c-dropdown">
                        <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
@ -91,18 +92,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon-integration pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Providers.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any providers." %}
+                {% else %}
                    {% trans 'Currently no providers exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <div class="pf-c-dropdown">
                    <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
--- a/passbook/admin/templates/administration/source/list.html
+++ b/passbook/admin/templates/administration/source/list.html
@ -20,6 +20,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <div class="pf-c-dropdown">
                        <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
@ -85,18 +86,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon pf-icon-middleware pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Sources.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any sources." %}
+                {% else %}
                    {% trans 'Currently no sources exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <div class="pf-c-dropdown">
                    <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
--- a/passbook/admin/templates/administration/stage/list.html
+++ b/passbook/admin/templates/administration/stage/list.html
@ -11,8 +11,7 @@
            <i class="pf-icon pf-icon-plugged"></i>
            {% trans 'Stages' %}
        </h1>
-        <p>{% trans "Stages are single steps of a Flow that a user is guided through." %}
-        </p>
+        <p>{% trans "Stages are single steps of a Flow that a user is guided through." %}</p>
    </div>
 </section>
 <section class="pf-c-page__main-section pf-m-no-padding-mobile">
@ -20,6 +19,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <div class="pf-c-dropdown">
                        <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
@ -81,18 +81,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon pf-icon-plugged pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Stages.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any stages." %}
+                {% else %}
                    {% trans 'Currently no stages exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <div class="pf-c-dropdown">
                    <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
--- a/passbook/admin/templates/administration/stage_binding/list.html
+++ b/passbook/admin/templates/administration/stage_binding/list.html
@ -81,7 +81,7 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
--- a/passbook/admin/templates/administration/stage_invitation/list.html
+++ b/passbook/admin/templates/administration/stage_invitation/list.html
@ -19,6 +19,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <a href="{% url 'passbook_admin:stage-invitation-create' %}?back={{ request.get_full_path }}"
                        class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
@ -54,18 +55,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon pf-icon-migration pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Invitations.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any invitations." %}
+                {% else %}
                    {% trans 'Currently no invitations exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <a href="{% url 'passbook_admin:stage-invitation-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
            </div>
--- a/passbook/admin/templates/administration/stage_prompt/list.html
+++ b/passbook/admin/templates/administration/stage_prompt/list.html
@ -19,6 +19,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <a href="{% url 'passbook_admin:stage-prompt-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
                </div>
@ -80,18 +81,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon pf-icon-plugged pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Stage Prompts.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any stage prompts." %}
+                {% else %}
                    {% trans 'Currently no stage prompts exist. Click the button below to create one.' %}
+                {% endif %}
                </div>
                <a href="{% url 'passbook_admin:stage-prompt-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
            </div>
--- a/passbook/admin/templates/administration/token/list.html
+++ b/passbook/admin/templates/administration/token/list.html
@ -18,13 +18,14 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                {% include 'partials/pagination.html' %}
            </div>
        </div>
        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
            <thead>
                <tr role="row">
-                    <th role="columnheader" scope="col">{% trans 'Token' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Identifier' %}</th>
                    <th role="columnheader" scope="col">{% trans 'User' %}</th>
                    <th role="columnheader" scope="col">{% trans 'Expires?' %}</th>
                    <th role="columnheader" scope="col">{% trans 'Expiry Date' %}</th>
@ -35,9 +36,7 @@
                {% for token in object_list %}
                <tr role="row">
                    <th role="columnheader">
-                        <div>
-                            <div>{{ token.pk.hex }}</div>
-                        </div>
+                        <div>{{ token.identifier }}</div>
                    </th>
                    <td role="cell">
                        <span>
@ -65,18 +64,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="fas fa-key pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Tokens.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any token." %}
+                {% else %}
                    {% trans 'Currently no tokens exist.' %}
+                {% endif %}
                </div>
            </div>
        </div>
--- a/passbook/admin/templates/administration/user/list.html
+++ b/passbook/admin/templates/administration/user/list.html
@ -17,6 +17,7 @@
        {% if object_list %}
        <div class="pf-c-toolbar">
            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
                <div class="pf-c-toolbar__bulk-select">
                    <a href="{% url 'passbook_admin:user-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
                </div>
@ -61,18 +62,27 @@
                {% endfor %}
            </tbody>
        </table>
-        <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+        <div class="pf-c-pagination pf-m-bottom">
            {% include 'partials/pagination.html' %}
        </div>
        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
        <div class="pf-c-empty-state">
            <div class="pf-c-empty-state__content">
-                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <i class="pf-icon pf-icon-user pf-c-empty-state__icon" aria-hidden="true"></i>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans 'No Users.' %}
                </h1>
                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any users." %}
+                {% else %}
                    {% trans 'Currently no users exist. How did you even get here.' %}
+                {% endif %}
                </div>
                <a href="{% url 'passbook_admin:user-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
            </div>
--- a/passbook/admin/urls.py
+++ b/passbook/admin/urls.py
@ -191,10 +191,20 @@ urlpatterns = [
    ),
    # Flows
    path("flows/", flows.FlowListView.as_view(), name="flows"),
-    path("flows/create/", flows.FlowCreateView.as_view(), name="flow-create",),
-    path("flows/import/", flows.FlowImportView.as_view(), name="flow-import",),
    path(
-        "flows/<uuid:pk>/update/", flows.FlowUpdateView.as_view(), name="flow-update",
+        "flows/create/",
+        flows.FlowCreateView.as_view(),
+        name="flow-create",
+    ),
+    path(
+        "flows/import/",
+        flows.FlowImportView.as_view(),
+        name="flow-import",
+    ),
+    path(
+        "flows/<uuid:pk>/update/",
+        flows.FlowUpdateView.as_view(),
+        name="flow-update",
    ),
    path(
        "flows/<uuid:pk>/execute/",
@ -202,10 +212,14 @@ urlpatterns = [
        name="flow-execute",
    ),
    path(
-        "flows/<uuid:pk>/export/", flows.FlowExportView.as_view(), name="flow-export",
+        "flows/<uuid:pk>/export/",
+        flows.FlowExportView.as_view(),
+        name="flow-export",
    ),
    path(
-        "flows/<uuid:pk>/delete/", flows.FlowDeleteView.as_view(), name="flow-delete",
+        "flows/<uuid:pk>/delete/",
+        flows.FlowDeleteView.as_view(),
+        name="flow-delete",
    ),
    # Property Mappings
    path(
@ -273,9 +287,15 @@ urlpatterns = [
        name="certificatekeypair-delete",
    ),
    # Outposts
-    path("outposts/", outposts.OutpostListView.as_view(), name="outposts",),
    path(
-        "outposts/create/", outposts.OutpostCreateView.as_view(), name="outpost-create",
+        "outposts/",
+        outposts.OutpostListView.as_view(),
+        name="outposts",
+    ),
+    path(
+        "outposts/create/",
+        outposts.OutpostCreateView.as_view(),
+        name="outpost-create",
    ),
    path(
        "outposts/<uuid:pk>/update/",
--- a/passbook/admin/views/applications.py
+++ b/passbook/admin/views/applications.py
@ -12,6 +12,7 @@ from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 from passbook.admin.views.utils import (
    BackSuccessUrlMixin,
    DeleteMessageView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.core.forms.applications import ApplicationForm
@ -20,7 +21,11 @@ from passbook.lib.views import CreateAssignPermView


 class ApplicationListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, ListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
 ):
    """Show list of all applications"""

@ -29,6 +34,15 @@ class ApplicationListView(
    ordering = "name"
    template_name = "administration/application/list.html"

+    search_fields = [
+        "name",
+        "slug",
+        "meta_launch_url",
+        "meta_icon_url",
+        "meta_description",
+        "meta_publisher",
+    ]
+

 class ApplicationCreateView(
    SuccessMessageMixin,
--- a/passbook/admin/views/certificate_key_pair.py
+++ b/passbook/admin/views/certificate_key_pair.py
@ -12,6 +12,7 @@ from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 from passbook.admin.views.utils import (
    BackSuccessUrlMixin,
    DeleteMessageView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.crypto.forms import CertificateKeyPairForm
@ -20,7 +21,11 @@ from passbook.lib.views import CreateAssignPermView


 class CertificateKeyPairListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, ListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
 ):
    """Show list of all keypairs"""

@ -29,6 +34,8 @@ class CertificateKeyPairListView(
    ordering = "name"
    template_name = "administration/certificatekeypair/list.html"

+    search_fields = ["name"]
+

 class CertificateKeyPairCreateView(
    SuccessMessageMixin,
--- a/passbook/admin/views/flows.py
+++ b/passbook/admin/views/flows.py
@ -14,6 +14,7 @@ from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 from passbook.admin.views.utils import (
    BackSuccessUrlMixin,
    DeleteMessageView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.flows.forms import FlowForm, FlowImportForm
@ -28,7 +29,11 @@ from passbook.lib.views import CreateAssignPermView


 class FlowListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, ListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
 ):
    """Show list of all flows"""

@ -36,6 +41,7 @@ class FlowListView(
    permission_required = "passbook_flows.view_flow"
    ordering = "name"
    template_name = "administration/flow/list.html"
+    search_fields = ["name", "slug", "designation", "title"]


 class FlowCreateView(
@ -100,7 +106,9 @@ class FlowDebugExecuteView(LoginRequiredMixin, PermissionRequiredMixin, DetailVi
        plan = planner.plan(self.request, {PLAN_CONTEXT_PENDING_USER: request.user})
        self.request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
-            "passbook_flows:flow-executor-shell", self.request.GET, flow_slug=flow.slug,
+            "passbook_flows:flow-executor-shell",
+            self.request.GET,
+            flow_slug=flow.slug,
        )


--- a/passbook/admin/views/groups.py
+++ b/passbook/admin/views/groups.py
@ -12,6 +12,7 @@ from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 from passbook.admin.views.utils import (
    BackSuccessUrlMixin,
    DeleteMessageView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.core.forms.groups import GroupForm
@ -20,7 +21,11 @@ from passbook.lib.views import CreateAssignPermView


 class GroupListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, ListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
 ):
    """Show list of all groups"""

@ -28,6 +33,7 @@ class GroupListView(
    permission_required = "passbook_core.view_group"
    ordering = "name"
    template_name = "administration/group/list.html"
+    search_fields = ["name", "attributes"]


 class GroupCreateView(
--- a/passbook/admin/views/outposts.py
+++ b/passbook/admin/views/outposts.py
@ -15,6 +15,7 @@ from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 from passbook.admin.views.utils import (
    BackSuccessUrlMixin,
    DeleteMessageView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.lib.views import CreateAssignPermView
@ -23,7 +24,11 @@ from passbook.outposts.models import Outpost, OutpostConfig


 class OutpostListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, ListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
 ):
    """Show list of all outposts"""

@ -31,6 +36,7 @@ class OutpostListView(
    permission_required = "passbook_outposts.view_outpost"
    ordering = "name"
    template_name = "administration/outpost/list.html"
+    search_fields = ["name", "_config"]


 class OutpostCreateView(
--- a/passbook/admin/views/overview.py
+++ b/passbook/admin/views/overview.py
@ -1,7 +1,10 @@
 """passbook administration overview"""
 from typing import Union

+from django.conf import settings
 from django.core.cache import cache
+from django.db.models import Count
+from django.db.models.fields.json import KeyTextTransform
 from django.shortcuts import redirect, reverse
 from django.views.generic import TemplateView
 from packaging.version import LegacyVersion, Version, parse
@ -9,11 +12,9 @@ from packaging.version import LegacyVersion, Version, parse
 from passbook import __version__
 from passbook.admin.mixins import AdminRequiredMixin
 from passbook.admin.tasks import VERSION_CACHE_KEY, update_latest_version
-from passbook.core.models import Application, Provider, Source, User
-from passbook.flows.models import Flow, Stage
+from passbook.audit.models import Event, EventAction
+from passbook.core.models import Provider, User
 from passbook.policies.models import Policy
-from passbook.root.celery import CELERY_APP
-from passbook.stages.invitation.models import Invitation


 class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
@ -32,22 +33,32 @@ class AdministrationOverviewView(AdminRequiredMixin, TemplateView):
        """Get latest version from cache"""
        version_in_cache = cache.get(VERSION_CACHE_KEY)
        if not version_in_cache:
+            if not settings.DEBUG:
                update_latest_version.delay()
            return parse(__version__)
        return parse(version_in_cache)

+    def get_most_used_applications(self):
+        """Get Most used applications, total login counts and unique users that have used them."""
+        return (
+            Event.objects.filter(action=EventAction.AUTHORIZE_APPLICATION)
+            .exclude(context__authorized_application=None)
+            .annotate(application=KeyTextTransform("authorized_application", "context"))
+            .annotate(user_pk=KeyTextTransform("pk", "user"))
+            .values("application")
+            .annotate(total_logins=Count("application"))
+            .annotate(unique_users=Count("user_pk", distinct=True))
+            .values("unique_users", "application", "total_logins")
+            .order_by("-total_logins")[:15]
+        )
+
    def get_context_data(self, **kwargs):
-        kwargs["application_count"] = len(Application.objects.all())
        kwargs["policy_count"] = len(Policy.objects.all())
        kwargs["user_count"] = len(User.objects.all()) - 1  # Remove anonymous user
        kwargs["provider_count"] = len(Provider.objects.all())
-        kwargs["source_count"] = len(Source.objects.all())
-        kwargs["stage_count"] = len(Stage.objects.all())
-        kwargs["flow_count"] = len(Flow.objects.all())
-        kwargs["invitation_count"] = len(Invitation.objects.all())
        kwargs["version"] = parse(__version__)
        kwargs["version_latest"] = self.get_latest_version()
-        kwargs["worker_count"] = len(CELERY_APP.control.ping(timeout=0.5))
+        kwargs["most_used_applications"] = self.get_most_used_applications()
        kwargs["providers_without_application"] = Provider.objects.filter(
            application=None
        )
--- a/passbook/admin/views/policies.py
+++ b/passbook/admin/views/policies.py
@ -22,6 +22,7 @@ from passbook.admin.views.utils import (
    InheritanceCreateView,
    InheritanceListView,
    InheritanceUpdateView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.policies.models import Policy, PolicyBinding
@ -29,7 +30,11 @@ from passbook.policies.process import PolicyProcess, PolicyRequest


 class PolicyListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, InheritanceListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    InheritanceListView,
 ):
    """Show list of all policies"""

@ -37,6 +42,7 @@ class PolicyListView(
    permission_required = "passbook_policies.view_policy"
    ordering = "name"
    template_name = "administration/policy/list.html"
+    search_fields = ["name"]


 class PolicyCreateView(
--- a/passbook/admin/views/property_mapping.py
+++ b/passbook/admin/views/property_mapping.py
@ -14,13 +14,18 @@ from passbook.admin.views.utils import (
    InheritanceCreateView,
    InheritanceListView,
    InheritanceUpdateView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.core.models import PropertyMapping


 class PropertyMappingListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, InheritanceListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    InheritanceListView,
 ):
    """Show list of all property_mappings"""

@ -28,6 +33,7 @@ class PropertyMappingListView(
    permission_required = "passbook_core.view_propertymapping"
    template_name = "administration/property_mapping/list.html"
    ordering = "name"
+    search_fields = ["name", "expression"]


 class PropertyMappingCreateView(
--- a/passbook/admin/views/providers.py
+++ b/passbook/admin/views/providers.py
@ -14,13 +14,18 @@ from passbook.admin.views.utils import (
    InheritanceCreateView,
    InheritanceListView,
    InheritanceUpdateView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.core.models import Provider


 class ProviderListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, InheritanceListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    InheritanceListView,
 ):
    """Show list of all providers"""

@ -28,6 +33,7 @@ class ProviderListView(
    permission_required = "passbook_core.add_provider"
    template_name = "administration/provider/list.html"
    ordering = "id"
+    search_fields = ["id", "name"]


 class ProviderCreateView(
--- a/passbook/admin/views/sources.py
+++ b/passbook/admin/views/sources.py
@ -14,13 +14,18 @@ from passbook.admin.views.utils import (
    InheritanceCreateView,
    InheritanceListView,
    InheritanceUpdateView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.core.models import Source


 class SourceListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, InheritanceListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    InheritanceListView,
 ):
    """Show list of all sources"""

@ -28,6 +33,7 @@ class SourceListView(
    permission_required = "passbook_core.view_source"
    ordering = "name"
    template_name = "administration/source/list.html"
+    search_fields = ["name", "slug"]


 class SourceCreateView(
--- a/passbook/admin/views/stages.py
+++ b/passbook/admin/views/stages.py
@ -14,13 +14,18 @@ from passbook.admin.views.utils import (
    InheritanceCreateView,
    InheritanceListView,
    InheritanceUpdateView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.flows.models import Stage


 class StageListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, InheritanceListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    InheritanceListView,
 ):
    """Show list of all stages"""

@ -28,6 +33,7 @@ class StageListView(
    template_name = "administration/stage/list.html"
    permission_required = "passbook_flows.view_stage"
    ordering = "name"
+    search_fields = ["name"]


 class StageCreateView(
--- a/passbook/admin/views/stages_invitations.py
+++ b/passbook/admin/views/stages_invitations.py
@ -13,6 +13,7 @@ from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 from passbook.admin.views.utils import (
    BackSuccessUrlMixin,
    DeleteMessageView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.lib.views import CreateAssignPermView
@ -22,7 +23,11 @@ from passbook.stages.invitation.signals import invitation_created


 class InvitationListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, ListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
 ):
    """Show list of all invitations"""

@ -30,6 +35,7 @@ class InvitationListView(
    permission_required = "passbook_stages_invitation.view_invitation"
    template_name = "administration/stage_invitation/list.html"
    ordering = "-expires"
+    search_fields = ["created_by__username", "expires", "fixed_data"]


 class InvitationCreateView(
--- a/passbook/admin/views/stages_prompts.py
+++ b/passbook/admin/views/stages_prompts.py
@ -12,6 +12,7 @@ from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
 from passbook.admin.views.utils import (
    BackSuccessUrlMixin,
    DeleteMessageView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.lib.views import CreateAssignPermView
@ -20,7 +21,11 @@ from passbook.stages.prompt.models import Prompt


 class PromptListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, ListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
 ):
    """Show list of all prompts"""

@ -28,6 +33,12 @@ class PromptListView(
    permission_required = "passbook_stages_prompt.view_prompt"
    ordering = "order"
    template_name = "administration/stage_prompt/list.html"
+    search_fields = [
+        "field_key",
+        "label",
+        "type",
+        "placeholder",
+    ]


 class PromptCreateView(
--- a/passbook/admin/views/tokens.py
+++ b/passbook/admin/views/tokens.py
@ -5,12 +5,20 @@ from django.utils.translation import gettext as _
 from django.views.generic import ListView
 from guardian.mixins import PermissionListMixin, PermissionRequiredMixin

-from passbook.admin.views.utils import DeleteMessageView, UserPaginateListMixin
+from passbook.admin.views.utils import (
+    DeleteMessageView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
 from passbook.core.models import Token


 class TokenListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, ListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
 ):
    """Show list of all tokens"""

@ -18,6 +26,12 @@ class TokenListView(
    permission_required = "passbook_core.view_token"
    ordering = "expires"
    template_name = "administration/token/list.html"
+    search_fields = [
+        "identifier",
+        "intent",
+        "user__username",
+        "description",
+    ]


 class TokenDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
--- a/passbook/admin/views/users.py
+++ b/passbook/admin/views/users.py
@ -21,6 +21,7 @@ from passbook.admin.forms.users import UserForm
 from passbook.admin.views.utils import (
    BackSuccessUrlMixin,
    DeleteMessageView,
+    SearchListMixin,
    UserPaginateListMixin,
 )
 from passbook.core.models import Token, User
@ -28,7 +29,11 @@ from passbook.lib.views import CreateAssignPermView


 class UserListView(
-    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, ListView
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
 ):
    """Show list of all users"""

@ -36,6 +41,7 @@ class UserListView(
    permission_required = "passbook_core.view_user"
    ordering = "username"
    template_name = "administration/user/list.html"
+    search_fields = ["username", "name", "attributes"]

    def get_queryset(self):
        return super().get_queryset().exclude(pk=get_anonymous_user().pk)
@ -101,7 +107,9 @@ class UserPasswordResetView(LoginRequiredMixin, PermissionRequiredMixin, DetailV
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Create token for user and return link"""
        super().get(request, *args, **kwargs)
-        token = Token.objects.create(user=self.object)
+        token, _ = Token.objects.get_or_create(
+            identifier="password-reset-temp", user=self.object
+        )
        querystring = urlencode({"token": token.token_uuid})
        link = request.build_absolute_uri(
            reverse("passbook_flows:default-recovery") + f"?{querystring}"
--- a/passbook/admin/views/utils.py
+++ b/passbook/admin/views/utils.py
@ -1,13 +1,15 @@
 """passbook admin util views"""
-from typing import Any, Dict, Optional
+from typing import Any, Dict, List, Optional
 from urllib.parse import urlparse

 from django.contrib import messages
 from django.contrib.messages.views import SuccessMessageMixin
+from django.contrib.postgres.search import SearchQuery, SearchVector
 from django.db.models import QuerySet
 from django.http import Http404
 from django.http.request import HttpRequest
 from django.views.generic import DeleteView, ListView, UpdateView
+from django.views.generic.list import MultipleObjectMixin

 from passbook.lib.utils.reflection import all_subclasses
 from passbook.lib.views import CreateAssignPermView
@ -32,6 +34,26 @@ class InheritanceListView(ListView):
        return super().get_queryset().select_subclasses()


+class SearchListMixin(MultipleObjectMixin):
+    """Accept search query using `search` querystring parameter. Requires self.search_fields,
+    a list of all fields to search. Can contain special lookups like __icontains"""
+
+    search_fields: List[str]
+
+    def get_queryset(self) -> QuerySet:
+        queryset = super().get_queryset()
+        if "search" in self.request.GET:
+            raw_query = self.request.GET["search"]
+            if raw_query == "":
+                # Empty query, don't search at all
+                return queryset
+            search = SearchQuery(raw_query, search_type="websearch")
+            return queryset.annotate(search=SearchVector(*self.search_fields)).filter(
+                search=search
+            )
+        return queryset
+
+
 class InheritanceCreateView(CreateAssignPermView):
    """CreateView for objects using InheritanceManager"""

@ -43,7 +65,7 @@ class InheritanceCreateView(CreateAssignPermView):
            )
        except StopIteration as exc:
            raise Http404 from exc
-        return model.form(model)
+        return model().form

    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
        kwargs = super().get_context_data(**kwargs)
@ -64,7 +86,7 @@ class InheritanceUpdateView(UpdateView):
        return kwargs

    def get_form_class(self):
-        return self.get_object().form()
+        return self.get_object().form

    def get_object(self, queryset=None):
        return (
--- a/passbook/api/permissions.py
+++ b/passbook/api/permissions.py
@ -1,30 +0,0 @@
-"""permission classes for django restframework"""
-from rest_framework.permissions import BasePermission, DjangoObjectPermissions
-
-from passbook.policies.engine import PolicyEngine
-from passbook.policies.models import PolicyBindingModel
-
-
-class CustomObjectPermissions(DjangoObjectPermissions):
-    """Similar to `DjangoObjectPermissions`, but adding 'view' permissions."""
-
-    perms_map = {
-        "GET": ["%(app_label)s.view_%(model_name)s"],
-        "OPTIONS": ["%(app_label)s.view_%(model_name)s"],
-        "HEAD": ["%(app_label)s.view_%(model_name)s"],
-        "POST": ["%(app_label)s.add_%(model_name)s"],
-        "PUT": ["%(app_label)s.change_%(model_name)s"],
-        "PATCH": ["%(app_label)s.change_%(model_name)s"],
-        "DELETE": ["%(app_label)s.delete_%(model_name)s"],
-    }
-
-
-class PolicyPermissions(BasePermission):
-    """Permission checker based on PolicyEngine"""
-
-    policy_engine: PolicyEngine
-
-    def has_object_permission(self, request, view, obj: PolicyBindingModel) -> bool:
-        self.policy_engine = PolicyEngine(obj.policies, request.user, request)
-        self.policy_engine.request.obj = obj
-        return self.policy_engine.build().passing
--- a/passbook/api/templates/rest_framework/api.html
+++ b/passbook/api/templates/rest_framework/api.html
@ -0,0 +1,7 @@
+{% extends "rest_framework/base.html" %}
+
+{% block branding %}
+<span class='navbar-brand'>
+    passbook
+</span>
+{% endblock %}
--- a/passbook/api/v2/urls.py
+++ b/passbook/api/v2/urls.py
@ -3,8 +3,10 @@ from django.urls import path, re_path
 from drf_yasg import openapi
 from drf_yasg.views import get_schema_view
 from rest_framework import routers
+from rest_framework.permissions import AllowAny

-from passbook.api.permissions import CustomObjectPermissions
+from passbook.admin.api.overview import AdministrationOverviewViewSet
+from passbook.admin.api.overview_metrics import AdministrationMetricsViewSet
 from passbook.api.v2.messages import MessagesViewSet
 from passbook.audit.api import EventViewSet
 from passbook.core.api.applications import ApplicationViewSet
@ -12,6 +14,7 @@ from passbook.core.api.groups import GroupViewSet
 from passbook.core.api.propertymappings import PropertyMappingViewSet
 from passbook.core.api.providers import ProviderViewSet
 from passbook.core.api.sources import SourceViewSet
+from passbook.core.api.tokens import TokenViewSet
 from passbook.core.api.users import UserViewSet
 from passbook.crypto.api import CertificateKeyPairViewSet
 from passbook.flows.api import FlowStageBindingViewSet, FlowViewSet, StageViewSet
@ -49,9 +52,17 @@ from passbook.stages.user_write.api import UserWriteStageViewSet
 router = routers.DefaultRouter()

 router.register("root/messages", MessagesViewSet, basename="messages")
+
+router.register(
+    "admin/overview", AdministrationOverviewViewSet, basename="admin_overview"
+)
+router.register("admin/metrics", AdministrationMetricsViewSet, basename="admin_metrics")
+
 router.register("core/applications", ApplicationViewSet)
 router.register("core/groups", GroupViewSet)
 router.register("core/users", UserViewSet)
+router.register("core/tokens", TokenViewSet)
+
 router.register("outposts/outposts", OutpostViewSet)
 router.register("outposts/proxy", OutpostConfigViewSet)

@ -114,7 +125,9 @@ info = openapi.Info(
    license=openapi.License(name="MIT License"),
 )
 SchemaView = get_schema_view(
-    info, public=True, permission_classes=(CustomObjectPermissions,),
+    info,
+    public=True,
+    permission_classes=(AllowAny,),
 )

 urlpatterns = [
--- a/passbook/audit/migrations/0001_initial.py
+++ b/passbook/audit/migrations/0001_initial.py
@ -47,7 +47,10 @@ class Migration(migrations.Migration):
                ),
                ("date", models.DateTimeField(auto_now_add=True)),
                ("app", models.TextField()),
-                ("context", models.JSONField(blank=True, default=dict),),
+                (
+                    "context",
+                    models.JSONField(blank=True, default=dict),
+                ),
                ("client_ip", models.GenericIPAddressField(null=True)),
                ("created", models.DateTimeField(auto_now_add=True)),
                (
--- a/passbook/audit/migrations/0003_auto_20200917_1155.py
+++ b/passbook/audit/migrations/0003_auto_20200917_1155.py
@ -49,10 +49,15 @@ class Migration(migrations.Migration):
            ),
        ),
        migrations.AddField(
-            model_name="event", name="user_json", field=models.JSONField(default=dict),
+            model_name="event",
+            name="user_json",
+            field=models.JSONField(default=dict),
        ),
        migrations.RunPython(convert_user_to_json),
-        migrations.RemoveField(model_name="event", name="user",),
+        migrations.RemoveField(
+            model_name="event",
+            name="user",
+        ),
        migrations.RenameField(
            model_name="event", old_name="user_json", new_name="user"
        ),
--- a/passbook/audit/migrations/0005_auto_20201005_2139.py
+++ b/passbook/audit/migrations/0005_auto_20201005_2139.py
@ -0,0 +1,37 @@
+# Generated by Django 3.1.2 on 2020-10-05 21:39
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_audit", "0004_auto_20200921_1829"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="event",
+            name="action",
+            field=models.TextField(
+                choices=[
+                    ("login", "Login"),
+                    ("login_failed", "Login Failed"),
+                    ("logout", "Logout"),
+                    ("user_write", "User Write"),
+                    ("suspicious_request", "Suspicious Request"),
+                    ("password_set", "Password Set"),
+                    ("invitation_created", "Invite Created"),
+                    ("invitation_used", "Invite Used"),
+                    ("authorize_application", "Authorize Application"),
+                    ("source_linked", "Source Linked"),
+                    ("impersonation_started", "Impersonation Started"),
+                    ("impersonation_ended", "Impersonation Ended"),
+                    ("model_created", "Model Created"),
+                    ("model_updated", "Model Updated"),
+                    ("model_deleted", "Model Deleted"),
+                    ("custom_", "Custom Prefix"),
+                ]
+            ),
+        ),
+    ]
--- a/passbook/audit/models.py
+++ b/passbook/audit/models.py
@ -96,14 +96,14 @@ class EventAction(models.TextChoices):
    LOGIN_FAILED = "login_failed"
    LOGOUT = "logout"

-    SIGN_UP = "sign_up"
-    AUTHORIZE_APPLICATION = "authorize_application"
+    USER_WRITE = "user_write"
    SUSPICIOUS_REQUEST = "suspicious_request"
    PASSWORD_SET = "password_set"  # noqa # nosec

    INVITE_CREATED = "invitation_created"
    INVITE_USED = "invitation_used"

+    AUTHORIZE_APPLICATION = "authorize_application"
    SOURCE_LINKED = "source_linked"

    IMPERSONATION_STARTED = "impersonation_started"
--- a/passbook/audit/signals.py
+++ b/passbook/audit/signals.py
@ -12,6 +12,7 @@ from django.http import HttpRequest

 from passbook.audit.models import Event, EventAction
 from passbook.core.models import User
+from passbook.core.signals import password_changed
 from passbook.stages.invitation.models import Invitation
 from passbook.stages.invitation.signals import invitation_created, invitation_used
 from passbook.stages.user_write.signals import user_write
@ -58,9 +59,12 @@ def on_user_logged_out(sender, request: HttpRequest, user: User, **_):

@receiver(user_write)
 # pylint: disable=unused-argument
-def on_user_write(sender, request: HttpRequest, user: User, data: Dict[str, Any], **_):
+def on_user_write(
+    sender, request: HttpRequest, user: User, data: Dict[str, Any], **kwargs
+):
    """Log User write"""
-    thread = EventNewThread("stages/user_write", request, **data)
+    thread = EventNewThread(EventAction.USER_WRITE, request, **data)
+    thread.kwargs["created"] = kwargs.get("created", False)
    thread.user = user
    thread.run()

@ -93,3 +97,11 @@ def on_invitation_used(sender, request: HttpRequest, invitation: Invitation, **_
        EventAction.INVITE_USED, request, invitation_uuid=invitation.invite_uuid.hex
    )
    thread.run()
+
+
+@receiver(password_changed)
+# pylint: disable=unused-argument
+def on_password_changed(sender, user: User, password: str, **_):
+    """Log password change"""
+    thread = EventNewThread(EventAction.PASSWORD_SET, None, user=user)
+    thread.run()
--- a/passbook/audit/templates/audit/list.html
+++ b/passbook/audit/templates/audit/list.html
@ -77,7 +77,7 @@
                    {% endfor %}
                </tbody>
            </table>
-            <div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
+            <div class="pf-c-pagination pf-m-bottom">
                {% include 'partials/pagination.html' %}
            </div>
        </div>
--- a/passbook/core/api/applications.py
+++ b/passbook/core/api/applications.py
@ -1,8 +1,13 @@
 """Application API Views"""
+from django.db.models import QuerySet
+from rest_framework.request import Request
+from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
+from rest_framework_guardian.filters import ObjectPermissionsFilter

 from passbook.core.models import Application
+from passbook.policies.engine import PolicyEngine


 class ApplicationSerializer(ModelSerializer):
@ -29,3 +34,24 @@ class ApplicationViewSet(ModelViewSet):

    queryset = Application.objects.all()
    serializer_class = ApplicationSerializer
+    lookup_field = "slug"
+
+    def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
+        """Custom filter_queryset method which ignores guardian, but still supports sorting"""
+        for backend in list(self.filter_backends):
+            if backend == ObjectPermissionsFilter:
+                continue
+            queryset = backend().filter_queryset(self.request, queryset, self)
+        return queryset
+
+    def list(self, request: Request, *_, **__) -> Response:
+        """Custom list method that checks Policy based access instead of guardian"""
+        queryset = self._filter_queryset_for_list(self.get_queryset())
+        allowed_applications = []
+        for application in queryset.order_by("name"):
+            engine = PolicyEngine(application, self.request.user, self.request)
+            engine.build()
+            if engine.passing:
+                allowed_applications.append(application)
+        serializer = self.get_serializer(allowed_applications, many=True)
+        return Response(serializer.data)
--- a/passbook/core/api/providers.py
+++ b/passbook/core/api/providers.py
@ -17,7 +17,7 @@ class ProviderSerializer(ModelSerializer):
    class Meta:

        model = Provider
-        fields = ["pk", "authorization_flow", "property_mappings", "__type__"]
+        fields = ["pk", "name", "authorization_flow", "property_mappings", "__type__"]


 class ProviderViewSet(ReadOnlyModelViewSet):
--- a/passbook/core/api/tokens.py
+++ b/passbook/core/api/tokens.py
@ -0,0 +1,22 @@
+"""Tokens API Viewset"""
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import ModelViewSet
+
+from passbook.core.models import Token
+
+
+class TokenSerializer(ModelSerializer):
+    """Token Serializer"""
+
+    class Meta:
+
+        model = Token
+        fields = ["pk", "identifier", "intent", "user", "description"]
+
+
+class TokenViewSet(ModelViewSet):
+    """Token Viewset"""
+
+    queryset = Token.objects.all()
+    lookup_field = "identifier"
+    serializer_class = TokenSerializer
--- a/passbook/core/channels.py
+++ b/passbook/core/channels.py
@ -0,0 +1,37 @@
+"""Channels base classes"""
+from channels.generic.websocket import JsonWebsocketConsumer
+from django.core.exceptions import ValidationError
+from structlog import get_logger
+
+from passbook.core.models import Token, TokenIntents, User
+
+LOGGER = get_logger()
+
+
+class AuthJsonConsumer(JsonWebsocketConsumer):
+    """Authorize a client with a token"""
+
+    user: User
+
+    def connect(self):
+        headers = dict(self.scope["headers"])
+        if b"authorization" not in headers:
+            LOGGER.warning("WS Request without authorization header")
+            self.close()
+
+        token = headers[b"authorization"]
+        try:
+            token_uuid = token.decode("utf-8")
+            tokens = Token.filter_not_expired(
+                token_uuid=token_uuid, intent=TokenIntents.INTENT_API
+            )
+            if not tokens.exists():
+                LOGGER.warning("WS Request with invalid token")
+                self.close()
+                return False
+        except ValidationError:
+            LOGGER.warning("WS Invalid UUID")
+            self.close()
+            return False
+        self.user = tokens.first().user
+        return True
--- a/passbook/core/migrations/0001_initial.py
+++ b/passbook/core/migrations/0001_initial.py
@ -108,11 +108,18 @@ class Migration(migrations.Migration):
                ("uuid", models.UUIDField(default=uuid.uuid4, editable=False)),
                ("name", models.TextField(help_text="User's display name.")),
                ("password_change_date", models.DateTimeField(auto_now_add=True)),
-                ("attributes", models.JSONField(blank=True, default=dict),),
+                (
+                    "attributes",
+                    models.JSONField(blank=True, default=dict),
+                ),
            ],
-            options={"permissions": (("reset_user_password", "Reset Password"),),},
+            options={
+                "permissions": (("reset_user_password", "Reset Password"),),
+            },
            bases=(guardian.mixins.GuardianUserMixin, models.Model),
-            managers=[("objects", django.contrib.auth.models.UserManager()),],
+            managers=[
+                ("objects", django.contrib.auth.models.UserManager()),
+            ],
        ),
        migrations.CreateModel(
            name="PropertyMapping",
@ -192,7 +199,9 @@ class Migration(migrations.Migration):
                    ),
                ),
            ],
-            options={"unique_together": {("user", "source")},},
+            options={
+                "unique_together": {("user", "source")},
+            },
        ),
        migrations.CreateModel(
            name="Token",
@ -223,7 +232,10 @@ class Migration(migrations.Migration):
                    ),
                ),
            ],
-            options={"verbose_name": "Token", "verbose_name_plural": "Tokens",},
+            options={
+                "verbose_name": "Token",
+                "verbose_name_plural": "Tokens",
+            },
        ),
        migrations.CreateModel(
            name="Provider",
@ -258,7 +270,10 @@ class Migration(migrations.Migration):
                    ),
                ),
                ("name", models.CharField(max_length=80, verbose_name="name")),
-                ("attributes", models.JSONField(blank=True, default=dict),),
+                (
+                    "attributes",
+                    models.JSONField(blank=True, default=dict),
+                ),
                (
                    "parent",
                    models.ForeignKey(
@ -270,7 +285,9 @@ class Migration(migrations.Migration):
                    ),
                ),
            ],
-            options={"unique_together": {("name", "parent")},},
+            options={
+                "unique_together": {("name", "parent")},
+            },
        ),
        migrations.CreateModel(
            name="Application",
--- a/passbook/core/migrations/0002_auto_20200523_1133.py
+++ b/passbook/core/migrations/0002_auto_20200523_1133.py
@ -12,7 +12,10 @@ class Migration(migrations.Migration):
    ]

    operations = [
-        migrations.RemoveField(model_name="application", name="skip_authorization",),
+        migrations.RemoveField(
+            model_name="application",
+            name="skip_authorization",
+        ),
        migrations.AddField(
            model_name="source",
            name="authentication_flow",
--- a/passbook/core/migrations/0003_default_user.py
+++ b/passbook/core/migrations/0003_default_user.py
@ -25,8 +25,14 @@ class Migration(migrations.Migration):
    ]

    operations = [
-        migrations.RemoveField(model_name="user", name="is_superuser",),
-        migrations.RemoveField(model_name="user", name="is_staff",),
+        migrations.RemoveField(
+            model_name="user",
+            name="is_superuser",
+        ),
+        migrations.RemoveField(
+            model_name="user",
+            name="is_staff",
+        ),
        migrations.RunPython(create_default_user),
        migrations.AddField(
            model_name="user",
--- a/passbook/core/migrations/0009_group_is_superuser.py
+++ b/passbook/core/migrations/0009_group_is_superuser.py
@ -13,7 +13,10 @@ def create_default_admin_group(apps: Apps, schema_editor: BaseDatabaseSchemaEdit

    # Creates a default admin group
    group, _ = Group.objects.using(db_alias).get_or_create(
-        is_superuser=True, defaults={"name": "passbook Admins",}
+        is_superuser=True,
+        defaults={
+            "name": "passbook Admins",
+        },
    )
    group.users.set(User.objects.filter(username="pbadmin"))
    group.save()
@ -26,8 +29,14 @@ class Migration(migrations.Migration):
    ]

    operations = [
-        migrations.RemoveField(model_name="user", name="is_superuser",),
-        migrations.RemoveField(model_name="user", name="is_staff",),
+        migrations.RemoveField(
+            model_name="user",
+            name="is_superuser",
+        ),
+        migrations.RemoveField(
+            model_name="user",
+            name="is_staff",
+        ),
        migrations.AlterField(
            model_name="user",
            name="pb_groups",
@ -44,6 +53,9 @@ class Migration(migrations.Migration):
        ),
        migrations.RunPython(create_default_admin_group),
        migrations.AlterModelManagers(
-            name="user", managers=[("objects", passbook.core.models.UserManager()),],
+            name="user",
+            managers=[
+                ("objects", passbook.core.models.UserManager()),
+            ],
        ),
    ]
--- a/passbook/core/migrations/0011_provider_name_temp.py
+++ b/passbook/core/migrations/0011_provider_name_temp.py
@ -0,0 +1,19 @@
+# Generated by Django 3.1.2 on 2020-10-03 17:34
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_core", "0010_auto_20200917_1021"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="provider",
+            name="name_temp",
+            field=models.TextField(default=""),
+            preserve_default=False,
+        ),
+    ]
--- a/passbook/core/migrations/0012_auto_20201003_1737.py
+++ b/passbook/core/migrations/0012_auto_20201003_1737.py
@ -0,0 +1,20 @@
+# Generated by Django 3.1.2 on 2020-10-03 17:37
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_core", "0011_provider_name_temp"),
+        ("passbook_providers_oauth2", "0006_remove_oauth2provider_name"),
+        ("passbook_providers_saml", "0006_remove_samlprovider_name"),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name="provider",
+            old_name="name_temp",
+            new_name="name",
+        ),
+    ]
--- a/passbook/core/migrations/0013_auto_20201003_2132.py
+++ b/passbook/core/migrations/0013_auto_20201003_2132.py
@ -0,0 +1,35 @@
+# Generated by Django 3.1.2 on 2020-10-03 21:32
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("passbook_core", "0012_auto_20201003_1737"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="token",
+            name="identifier",
+            field=models.TextField(default=""),
+            preserve_default=False,
+        ),
+        migrations.AlterField(
+            model_name="token",
+            name="intent",
+            field=models.TextField(
+                choices=[
+                    ("verification", "Intent Verification"),
+                    ("api", "Intent Api"),
+                    ("recovery", "Intent Recovery"),
+                ],
+                default="verification",
+            ),
+        ),
+        migrations.AlterUniqueTogether(
+            name="token",
+            unique_together={("identifier", "user")},
+        ),
+    ]
--- a/passbook/core/models.py
+++ b/passbook/core/models.py
@ -56,7 +56,12 @@ class Group(models.Model):

    class Meta:

-        unique_together = (("name", "parent",),)
+        unique_together = (
+            (
+                "name",
+                "parent",
+            ),
+        )


 class UserManager(DjangoUserManager):
@ -82,10 +87,12 @@ class User(GuardianUserMixin, AbstractUser):
    objects = UserManager()

    def group_attributes(self) -> Dict[str, Any]:
-        """Get a dictionary containing the attributes from all groups the user belongs to"""
+        """Get a dictionary containing the attributes from all groups the user belongs to,
+        including the users attributes"""
        final_attributes = {}
        for group in self.pb_groups.all().order_by("name"):
            final_attributes.update(group.attributes)
+        final_attributes.update(self.attributes)
        return final_attributes

    @cached_property
@ -117,6 +124,8 @@ class User(GuardianUserMixin, AbstractUser):
 class Provider(models.Model):
    """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""

+    name = models.TextField()
+
    authorization_flow = models.ForeignKey(
        Flow,
        on_delete=models.CASCADE,
@ -136,15 +145,13 @@ class Provider(models.Model):
        Can return None for providers that are not URL-based"""
        return None

+    @property
    def form(self) -> Type[ModelForm]:
        """Return Form class used to edit this object"""
        raise NotImplementedError

-    # This class defines no field for easier inheritance
    def __str__(self):
-        if hasattr(self, "name"):
-            return getattr(self, "name")
-        return super().__str__()
+        return self.name


 class Application(PolicyBindingModel):
@ -220,6 +227,7 @@ class Source(PolicyBindingModel):

    objects = InheritanceManager()

+    @property
    def form(self) -> Type[ModelForm]:
        """Return Form class used to edit this object"""
        raise NotImplementedError
@ -284,17 +292,20 @@ class ExpiringModel(models.Model):
 class TokenIntents(models.TextChoices):
    """Intents a Token can be created for."""

-    # Single user token
+    # Single use token
    INTENT_VERIFICATION = "verification"

    # Allow access to API
    INTENT_API = "api"

+    INTENT_RECOVERY = "recovery"
+

 class Token(ExpiringModel):
    """Token used to authenticate the User for API Access or confirm another Stage like Email."""

    token_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
+    identifier = models.TextField()
    intent = models.TextField(
        choices=TokenIntents.choices, default=TokenIntents.INTENT_VERIFICATION
    )
@ -302,14 +313,13 @@ class Token(ExpiringModel):
    description = models.TextField(default="", blank=True)

    def __str__(self):
-        return (
-            f"Token {self.token_uuid.hex} {self.description} (expires={self.expires})"
-        )
+        return f"Token {self.identifier} (expires={self.expires})"

    class Meta:

        verbose_name = _("Token")
        verbose_name_plural = _("Tokens")
+        unique_together = (("identifier", "user"),)


 class PropertyMapping(models.Model):
@ -321,6 +331,7 @@ class PropertyMapping(models.Model):

    objects = InheritanceManager()

+    @property
    def form(self) -> Type[ModelForm]:
        """Return Form class used to edit this object"""
        raise NotImplementedError
--- a/passbook/core/signals.py
+++ b/passbook/core/signals.py
@ -1,4 +1,5 @@
 """passbook core signals"""
 from django.core.signals import Signal

-password_changed = Signal(providing_args=["user", "password"])
+# Arguments: user: User, password: str
+password_changed = Signal()
--- a/passbook/core/templates/base/page.html
+++ b/passbook/core/templates/base/page.html
@ -19,7 +19,7 @@
                    <i class="fas fa-bars" aria-hidden="true"></i>
                </button>
            </div>
-            <a class="pf-c-page__header-brand-link">
+            <a href="{% url 'passbook_core:overview' %}" class="pf-c-page__header-brand-link">
                <div class="pf-c-brand pb-brand">
                    <img src="{{ config.passbook.branding.logo }}" alt="passbook icon">
                    {% if config.passbook.branding.title_show %}
@ -44,12 +44,12 @@
        </div>
        <div class="pf-c-page__header-tools">
            <div class="pf-c-page__header-tools-group pf-m-icons">
-                <a href="{% url 'passbook_flows:default-invalidation' %}" class="pf-c-button pf-m-plain" type="button" aria-label="logout">
+                <a href="{% url 'passbook_flows:default-invalidation' %}" class="pf-c-button pf-m-plain" type="button" id="logout">
                    <i class="fas fa-sign-out-alt" aria-hidden="true"></i>
                </a>
            </div>
            <div class="pf-c-page__header-tools-group">
-                <a href="{% url 'passbook_core:user-settings' %}" class="pf-c-button">
+                <a href="{% url 'passbook_core:user-settings' %}" id="user-settings" class="pf-c-button">
                    {{ user.username }}
                </a>
            </div>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jens Langhammer	713025d218	new release: 0.11.0-stable	2020-10-11 19:57:03 +02:00
Jens Langhammer	58ae159835	outposts: disable Kubernetes selection for now	2020-10-11 19:40:22 +02:00
Jens Langhammer	c95efe3cde	docs: fix usage of user's groups	2020-10-11 19:29:22 +02:00
Jens Langhammer	b6eb0bf53d	providers/oauth2: add missing property_mapping template	2020-10-11 19:29:13 +02:00
Jens Langhammer	610b6c7f70	policies: add PolicyAccessView, which does complete access checking	2020-10-11 19:26:20 +02:00
Jens Langhammer	1ea2d99ff2	ci: run rollup build	2020-10-09 11:33:02 +02:00
dependabot[bot]	67be43679c	build(deps): bump boto3 from 1.15.14 to 1.15.15 (#268 ) Bumps [boto3](https://github.com/boto/boto3) from 1.15.14 to 1.15.15. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.15.14...1.15.15) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-09 11:32:02 +02:00
dependabot[bot]	fd42389bd5	build(deps-dev): bump rollup-plugin-sourcemaps (#267 ) Bumps [rollup-plugin-sourcemaps](https://github.com/maxdavidson/rollup-plugin-sourcemaps) from 0.6.2 to 0.6.3. - [Release notes](https://github.com/maxdavidson/rollup-plugin-sourcemaps/releases) - [Changelog](https://github.com/maxdavidson/rollup-plugin-sourcemaps/blob/master/CHANGELOG.md) - [Commits](https://github.com/maxdavidson/rollup-plugin-sourcemaps/compare/v0.6.2...v0.6.3) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-09 11:31:47 +02:00
dependabot[bot]	71b1df2fec	build(deps): bump rollup in /passbook/static/static (#269 ) Bumps [rollup](https://github.com/rollup/rollup) from 2.28.2 to 2.29.0. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](https://github.com/rollup/rollup/compare/v2.28.2...v2.29.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-09 09:08:39 +02:00
Jens Langhammer	7a3122f25c	docs: add reverse-proxy example config, fix outpost docker-compose	2020-10-08 09:27:28 +02:00
Jens Langhammer	63041d788b	core: update application list API to show applications accessible by policy	2020-10-08 09:26:50 +02:00
dependabot[bot]	bfc1bae0bb	build(deps): bump boto3 from 1.15.13 to 1.15.14 (#266 ) Bumps [boto3](https://github.com/boto/boto3) from 1.15.13 to 1.15.14. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.15.13...1.15.14) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-08 09:18:06 +02:00
Jens Langhammer	8ab7f7fcbb	core: make passbook title navigate to overview closes #264	2020-10-07 19:27:20 +02:00
Jens Langhammer	c1eb8317f7	providers/proxy: update phrasing for basic_auth_* attributes closes #265	2020-10-07 19:27:06 +02:00
Jens Langhammer	7a578e5e83	admin: dont show check when outpost hasnt connected closes #263	2020-10-07 19:19:25 +02:00
Jens Langhammer	b10912d8ba	proxy: cleanup addHeadersForProxying	2020-10-07 18:02:57 +02:00
Jens Langhammer	ef24b1cde2	docs: update screenshots	2020-10-07 18:02:26 +02:00
dependabot[bot]	26cacc2a06	build(deps): bump boto3 from 1.15.12 to 1.15.13 (#259 ) Bumps [boto3](https://github.com/boto/boto3) from 1.15.12 to 1.15.13. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.15.12...1.15.13) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-07 11:54:32 +02:00
dependabot[bot]	ca0e89c799	build(deps): bump @patternfly/patternfly in /passbook/static/static (#261 ) Bumps [@patternfly/patternfly](https://github.com/patternfly/patternfly) from 4.42.2 to 4.50.4. - [Release notes](https://github.com/patternfly/patternfly/releases) - [Changelog](https://github.com/patternfly/patternfly/blob/master/RELEASE-NOTES.md) - [Commits](https://github.com/patternfly/patternfly/compare/prerelease-v4.42.2...prerelease-v4.50.4) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-07 09:10:47 +02:00
dependabot[bot]	17950119ad	build(deps): bump django-otp from 1.0.0 to 1.0.1 (#260 ) Bumps [django-otp](https://github.com/django-otp/django-otp) from 1.0.0 to 1.0.1. - [Release notes](https://github.com/django-otp/django-otp/releases) - [Changelog](https://github.com/django-otp/django-otp/blob/master/CHANGES.rst) - [Commits](https://github.com/django-otp/django-otp/compare/v1.0.0...v1.0.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-07 09:10:25 +02:00
dependabot[bot]	876618c1ec	build(deps): bump @fortawesome/fontawesome-free (#258 ) Bumps [@fortawesome/fontawesome-free](https://github.com/FortAwesome/Font-Awesome) from 5.15.0 to 5.15.1. - [Release notes](https://github.com/FortAwesome/Font-Awesome/releases) - [Changelog](https://github.com/FortAwesome/Font-Awesome/blob/master/CHANGELOG.md) - [Commits](https://github.com/FortAwesome/Font-Awesome/compare/5.15.0...5.15.1) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-06 10:19:05 +02:00
dependabot[bot]	2293ab69b9	build(deps): bump boto3 from 1.15.11 to 1.15.12 (#257 ) Bumps [boto3](https://github.com/boto/boto3) from 1.15.11 to 1.15.12. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.15.11...1.15.12) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-06 09:55:56 +02:00
Jens Langhammer	9df00e09a4	root: fix static docker's rollup build	2020-10-06 00:06:53 +02:00
Jens Langhammer	cf6ce9c915	audit: optimize eventaction,	2020-10-05 23:43:56 +02:00
Jens Langhammer	3b61191614	outpost: enable docker controller	2020-10-05 23:11:44 +02:00
Jens Langhammer	9954eeac86	proxy: fix broken docker healthcheck	2020-10-05 22:53:26 +02:00
Jens Langhammer	ac88bd5d44	core: hide token value by default	2020-10-05 22:40:30 +02:00
Jens Langhammer	2406a619df	root: fix lockfile in dockerfile	2020-10-05 22:37:53 +02:00
Jens Langhammer	63087c9393	root: run backups in server contianer	2020-10-05 22:30:13 +02:00
Jens Langhammer	da9aaf69df	admin: add metrics and charts	2020-10-05 22:10:03 +02:00
Jens Langhammer	ae125dd1f0	root: fix missing docker dependency	2020-10-04 15:04:07 +02:00
Jens Langhammer	f636595230	static: add fetch-fill-slot to load data for admin interface	2020-10-04 13:09:03 +02:00
Jens Langhammer	d506e8f1a3	outposts: implement docker controller	2020-10-04 00:41:12 +02:00
Jens Langhammer	d3a96ac7aa	outposts: load token async	2020-10-04 00:29:18 +02:00
Jens Langhammer	189b0ec324	admin: expose info as API	2020-10-04 00:28:58 +02:00
Jens Langhammer	c5a6b4961f	core: Add Token identifier as sudo-primary key	2020-10-04 00:28:43 +02:00
Jens Langhammer	b590589324	root: add base template for api	2020-10-03 23:20:33 +02:00
Jens L	9fb1ac98ec	Backup/Restore (#256 ) * lifecycle: move s3 backup settings to s3 name * providers/oauth2: fix for alerting for missing certificatekeypair * lifecycle: add backup commands see #252 * lifecycle: install postgres-client for 11 and 12 * root: migrate to DBBACKUP_STORAGE_OPTIONS, add region setting * lifecycle: auto-clean last backups * helm: add s3 region parameter, add cronjob for backups * docs: add backup docs * root: remove backup scheduled task for now	2020-10-03 20:36:36 +02:00
Jens Langhammer	195d8fe71f	core: move name field to base Provider	2020-10-03 20:05:16 +02:00
Jens Langhammer	b0602a3215	admin: implement search for all views see #253	2020-10-03 19:32:01 +02:00
Jens Langhammer	0150a5c58c	admin: add SearchListMixin mixin and partial template	2020-10-03 19:05:20 +02:00
Jens Langhammer	b35d27c83e	admin: fix pagination template, ensure template is placed correctly in footer	2020-10-03 17:50:17 +02:00
Jens Langhammer	801bb90806	root: lock pyright version	2020-10-03 15:34:53 +02:00
Jens Langhammer	55a83abb26	*: remove deprecated providing_args	2020-10-02 11:18:14 +02:00
Jens Langhammer	c09b4e9713	e2e: fix invalid proxy image being pulled	2020-10-02 10:30:56 +02:00
Jens Langhammer	247015e955	stages/otp_*: Remove duplicate validation for OTP Codes	2020-10-02 10:30:43 +02:00
dependabot[bot]	fe3634be64	build(deps): bump django from 3.1.1 to 3.1.2 (#255 ) Bumps [django](https://github.com/django/django) from 3.1.1 to 3.1.2. - [Release notes](https://github.com/django/django/releases) - [Commits](https://github.com/django/django/compare/3.1.1...3.1.2) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-02 09:50:18 +02:00
dependabot[bot]	ead20b03aa	build(deps): bump boto3 from 1.15.9 to 1.15.10 (#254 ) Bumps [boto3](https://github.com/boto/boto3) from 1.15.9 to 1.15.10. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.15.9...1.15.10) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-02 09:32:39 +02:00
Jens Langhammer	932a475af7	docs: add notice about vcenter launch URL	2020-10-01 20:01:58 +02:00
Jens Langhammer	e9a1a18ba3	providers/oauth2: ensure that when rs256 is selected, a certificate key pair is selected	2020-10-01 20:01:45 +02:00
Jens Langhammer	6cd9edd38a	providers/oauth2: add missing token_validity field to Forms and API	2020-10-01 20:01:28 +02:00
Jens Langhammer	9b5f9167cd	root: always enable dbbackup	2020-10-01 13:41:40 +02:00
Jens Langhammer	1f30bcd335	root: lock postgresql to 12 in docker-compose	2020-10-01 10:42:38 +02:00
Jens Langhammer	94eaeb5a60	new release: 0.10.9-stable	2020-10-01 10:24:16 +02:00
Jens Langhammer	a5420fe019	providers/saml: lowercase acs URLs before checking closes #249	2020-10-01 10:04:20 +02:00
Jens Langhammer	2e1849a732	providers/oauth2: lowercase all uris before checking redirect URI see #249	2020-10-01 10:00:44 +02:00
dependabot[bot]	4039e96803	build(deps): bump boto3 from 1.15.8 to 1.15.9 (#250 ) Bumps [boto3](https://github.com/boto/boto3) from 1.15.8 to 1.15.9. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.15.8...1.15.9) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-10-01 09:50:04 +02:00
Jens Langhammer	8f585eca70	stages/identification: replace buggy FilteredSelectMultiple with ArrayFieldSelectMultiple	2020-09-30 23:58:01 +02:00
Jens Langhammer	516455f482	stages/identification: add case_insensitive_matching closes #248	2020-09-30 23:48:53 +02:00
Jens L	719099a5af	ci: remove deploy as --recreate is deprecated	2020-09-30 23:00:05 +02:00
Jens Langhammer	7f74d32253	docs: update phrasing on tautulli docs	2020-09-30 21:19:04 +02:00
Jens Langhammer	525d271535	*: apply new black styling	2020-09-30 19:34:22 +02:00
Jens Langhammer	9ef39f1e04	root: update black version	2020-09-30 16:39:15 +02:00
Jens Langhammer	9099dc5713	root: fix missing dependencies of uvicorn	2020-09-30 16:11:28 +02:00
Jens Langhammer	c3c525a3f0	lib: re-add Websockets error	2020-09-30 15:55:59 +02:00
Jens Langhammer	e699dfe88c	ci: fix CD not working correctly	2020-09-30 15:41:04 +02:00
Jens Langhammer	c0b334eb02	lib: ignore ChannelFull error	2020-09-30 15:40:54 +02:00
Jens Langhammer	815ad26b91	root: add hard uvloop and httptools dependency	2020-09-30 15:37:15 +02:00
Jens Langhammer	03647fa6af	new release: 0.10.8-stable	2020-09-30 14:59:02 +02:00
Jens Langhammer	5aec581585	docs: add docs for Tautulli closes #244	2020-09-30 14:32:23 +02:00
Jens Langhammer	68e9b7e140	proxy: only use logrus	2020-09-30 14:31:55 +02:00
dependabot[bot]	b42bca4e3e	build(deps): bump django-filter from 2.3.0 to 2.4.0 (#239 ) Bumps [django-filter](https://github.com/carltongibson/django-filter) from 2.3.0 to 2.4.0. - [Release notes](https://github.com/carltongibson/django-filter/releases) - [Changelog](https://github.com/carltongibson/django-filter/blob/master/CHANGES.rst) - [Commits](https://github.com/carltongibson/django-filter/compare/2.3.0...2.4.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-09-30 13:29:11 +02:00
dependabot[bot]	42c9ac61b2	build(deps-dev): bump pytest from 6.0.2 to 6.1.0 (#238 ) Bumps [pytest](https://github.com/pytest-dev/pytest) from 6.0.2 to 6.1.0. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/master/CHANGELOG.rst) - [Commits](https://github.com/pytest-dev/pytest/compare/6.0.2...6.1.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-09-30 13:14:42 +02:00
dependabot[bot]	7cdc5f0568	build(deps): bump sentry-sdk from 0.17.8 to 0.18.0 (#245 ) Bumps [sentry-sdk](https://github.com/getsentry/sentry-python) from 0.17.8 to 0.18.0. - [Release notes](https://github.com/getsentry/sentry-python/releases) - [Changelog](https://github.com/getsentry/sentry-python/blob/master/CHANGES.md) - [Commits](https://github.com/getsentry/sentry-python/compare/0.17.8...0.18.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-09-30 12:44:50 +02:00
dependabot[bot]	a063613f4c	build(deps): bump uvicorn from 0.11.8 to 0.12.0 (#241 ) * build(deps): bump uvicorn from 0.11.8 to 0.12.0 Bumps [uvicorn](https://github.com/encode/uvicorn) from 0.11.8 to 0.12.0. - [Release notes](https://github.com/encode/uvicorn/releases) - [Changelog](https://github.com/encode/uvicorn/blob/master/CHANGELOG.md) - [Commits](https://github.com/encode/uvicorn/compare/0.11.8...0.12.0) Signed-off-by: dependabot[bot] <support@github.com> * lib: remove websockets ignored exception Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org>	2020-09-30 11:49:59 +02:00
dependabot[bot]	3af04bf1e4	build(deps): bump boto3 from 1.15.5 to 1.15.8 (#246 ) Bumps [boto3](https://github.com/boto/boto3) from 1.15.5 to 1.15.8. - [Release notes](https://github.com/boto/boto3/releases) - [Changelog](https://github.com/boto/boto3/blob/develop/CHANGELOG.rst) - [Commits](https://github.com/boto/boto3/compare/1.15.5...1.15.8) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-09-30 11:49:36 +02:00
Jens Langhammer	74f8b68af8	proxy: ask for pb_proxy scope, set authorization header if enabled	2020-09-30 11:49:06 +02:00
Jens Langhammer	59dbc15be7	core: make group_attributes include user's attributes	2020-09-30 11:39:25 +02:00
Jens Langhammer	9d5dd896f3	providers/proxy: start implementing basic_auth_enabled see #244	2020-09-30 11:15:22 +02:00
Jens Langhammer	02f5f12089	providers/proxy: use external_url for launch URL, hide setup URLs	2020-09-30 11:14:50 +02:00
Jens Langhammer	90ea6dba90	providers/proxy: add pb_proxy scope for proxy that sends user_attributes	2020-09-30 11:13:59 +02:00
dependabot[bot]	b0b2c0830b	build(deps): bump github.com/sirupsen/logrus in /proxy (#243 ) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.6.0...v1.7.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-09-30 09:32:33 +02:00
Jens Langhammer	acb2b825f3	root: fix pipfile not referencing djangorestframework	2020-09-30 09:23:00 +02:00
Jens Langhammer	e956b86649	root: lock rest-framework to 3.11.1 to prevent drf-yasg See https://github.com/axnsan12/drf-yasg/issues/641	2020-09-30 09:15:48 +02:00
Jens Langhammer	739c66da1c	crypto: add tests	2020-09-30 09:12:37 +02:00
dependabot[bot]	e8c7cce68f	build(deps): bump @fortawesome/fontawesome-free (#247 ) Bumps [@fortawesome/fontawesome-free](https://github.com/FortAwesome/Font-Awesome) from 5.14.0 to 5.15.0. - [Release notes](https://github.com/FortAwesome/Font-Awesome/releases) - [Changelog](https://github.com/FortAwesome/Font-Awesome/blob/master/CHANGELOG.md) - [Commits](https://github.com/FortAwesome/Font-Awesome/compare/5.14.0...5.15.0) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2020-09-30 08:57:47 +02:00
Jens Langhammer	f741d382c2	e2e: bump wait	2020-09-29 15:01:01 +02:00
Jens Langhammer	a13d4047b6	e2e: fix formatting	2020-09-29 14:04:23 +02:00
Jens Langhammer	e0d8189442	e2e: update for new saml-test-sp, pull image before run	2020-09-29 12:47:38 +02:00
Jens Langhammer	760352202e	admin: fix get_form_class	2020-09-29 11:42:34 +02:00
Jens Langhammer	9724ded194	policies: change .form() and .serializer() to properties, add tests	2020-09-29 10:32:58 +02:00
Jens Langhammer	5da4ff4ff1	e2e: further cleanup tests, directly navigate to user-settings instead of click	2020-09-29 00:27:58 +02:00
Jens Langhammer	e54b98a80e	e2e: cleanup tests, remove XPATH selectors	2020-09-28 18:19:46 +02:00
Jens Langhammer	67b69cb5d3	e2e: add oidc tests using oidc-test-client	2020-09-28 17:22:35 +02:00
Jens Langhammer	863111ac57	e2e: fix oauth1 tests	2020-09-28 12:15:32 +02:00
Jens Langhammer	bd78087582	root: fix RemovedInDjango40Warning being triggered	2020-09-28 11:47:50 +02:00
Jens Langhammer	8f4e954160	providers/oauth2: rewrite introspection endpoint to allow basic or bearer auth	2020-09-28 11:42:27 +02:00
Jens Langhammer	553f184aad	e2e: add proxy connectivity test via Websocket	2020-09-28 09:04:44 +02:00
Jens Langhammer	b6d7847eae	providers/oauth2: fix token introspection view	2020-09-28 09:04:31 +02:00
Jens Langhammer	ad0d339794	flows: add benchmark command	2020-09-27 21:21:30 +02:00
Jens Langhammer	737cd22bb9	root: fix apt autoremove call	2020-09-27 21:07:29 +02:00
Jens Langhammer	6ad1465f8f	root: don't set default log level in docker-compose	2020-09-27 19:36:44 +02:00
Jens Langhammer	d74fa4abbf	admin: fix categories in sidebar being collapsible	2020-09-27 18:40:50 +02:00
Jens Langhammer	b24938fc6b	stages/consent: fix formatting	2020-09-26 21:06:01 +02:00
Jens Langhammer	ea1564548c	stages/consent: support pending_user from flow	2020-09-26 20:43:41 +02:00
Jens Langhammer	3663c3c8a1	sources/saml: cleanup SLO Implementation	2020-09-26 20:38:38 +02:00
Jens Langhammer	07e20a2950	core: add AuthJsonConsumer to handle websocket authentication	2020-09-26 20:11:04 +02:00
Jens Langhammer	6366d50a0e	core: show 'Create Application' button based on perms	2020-09-26 19:54:52 +02:00