release: 2021.12.3

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.12.2
+current_version = 2021.12.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)

.github/workflows/ci-main.yml

@@ -47,7 +47,7 @@ jobs:
         env:
           INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
         run: scripts/ci_prepare.sh
-      - name: run pylint
+      - name: run job
         run: pipenv run make ci-${{ matrix.job }}
   test-migrations:
     runs-on: ubuntu-latest
@@ -86,7 +86,11 @@ jobs:
           path: ~/.local/share/virtualenvs
           key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
       - name: checkout stable
+        id: stable
         run: |
+          # Save current branch
+          current=$(git branch --show)
+          echo ##[set-output name=originalBranch]$current
           # Copy current, latest config to local
           cp authentik/lib/default.yml local.env.yml
           cp -R .github ..
@@ -108,7 +112,7 @@ jobs:
           set -x
           git fetch
           git reset --hard HEAD
-          git checkout $GITHUB_HEAD_REF
+          git checkout ${{ steps.stable.outputs.originalBranch }}
           pipenv sync --dev
       - name: prepare
         env:

.github/workflows/release-publish.yml

@@ -30,14 +30,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik:2021.12.2,
+            beryju/authentik:2021.12.3,
             beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.12.2,
+            ghcr.io/goauthentik/server:2021.12.3,
             ghcr.io/goauthentik/server:latest
           platforms: linux/amd64,linux/arm64
           context: .
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.12.2', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.12.3', 'rc') }}
         run: |
           docker pull beryju/authentik:latest
           docker tag beryju/authentik:latest beryju/authentik:stable
@@ -78,14 +78,14 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-${{ matrix.type }}:2021.12.2,
+            beryju/authentik-${{ matrix.type }}:2021.12.3,
             beryju/authentik-${{ matrix.type }}:latest,
-            ghcr.io/goauthentik/${{ matrix.type }}:2021.12.2,
+            ghcr.io/goauthentik/${{ matrix.type }}:2021.12.3,
             ghcr.io/goauthentik/${{ matrix.type }}:latest
           file: ${{ matrix.type }}.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.12.2', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.12.3', 'rc') }}
         run: |
           docker pull beryju/authentik-${{ matrix.type }}:latest
           docker tag beryju/authentik-${{ matrix.type }}:latest beryju/authentik-${{ matrix.type }}:stable
@@ -150,7 +150,9 @@ jobs:
           docker-compose run -u root server test
   sentry-release:
     needs:
-      - test-release
+      - build-server
+      - build-outpost
+      - build-outpost-binary
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -168,7 +170,7 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.12.2
+          version: authentik@2021.12.3
           environment: beryjuorg-prod
           sourcemaps: './web/dist'
           url_prefix: '~/static/dist'

Pipfile.lock

@@ -109,11 +109,11 @@
         },
         "amqp": {
             "hashes": [
-                "sha256:4d9cb6b5d69183ba279e97382ff68a071864c25b561d206dab73499d3ed26d1c",
-                "sha256:d757b78fd7d3c6bb60e3ee811b68145583643747ed3ec253329f086aa3a72a5d"
+                "sha256:1e5f707424e544078ca196e72ae6a14887ce74e02bd126be54b7c03c971bef18",
+                "sha256:9cd81f7b023fc04bbb108718fbac674f06901b77bfcdce85b10e2a5d0ee91be5"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==5.0.7"
+            "version": "==5.0.9"
         },
         "asgiref": {
             "hashes": [
@@ -367,30 +367,29 @@
         },
         "cryptography": {
             "hashes": [
-                "sha256:2049f8b87f449fc6190350de443ee0c1dd631f2ce4fa99efad2984de81031681",
-                "sha256:231c4a69b11f6af79c1495a0e5a85909686ea8db946935224b7825cfb53827ed",
-                "sha256:24469d9d33217ffd0ce4582dfcf2a76671af115663a95328f63c99ec7ece61a4",
-                "sha256:2deab5ec05d83ddcf9b0916319674d3dae88b0e7ee18f8962642d3cde0496568",
-                "sha256:494106e9cd945c2cadfce5374fa44c94cfadf01d4566a3b13bb487d2e6c7959e",
-                "sha256:4c702855cd3174666ef0d2d13dcc879090aa9c6c38f5578896407a7028f75b9f",
-                "sha256:52f769ecb4ef39865719aedc67b4b7eae167bafa48dbc2a26dd36fa56460507f",
-                "sha256:5c49c9e8fb26a567a2b3fa0343c89f5d325447956cc2fc7231c943b29a973712",
-                "sha256:684993ff6f67000a56454b41bdc7e015429732d65a52d06385b6e9de6181c71e",
-                "sha256:6fbbbb8aab4053fa018984bb0e95a16faeb051dd8cca15add2a27e267ba02b58",
-                "sha256:8982c19bb90a4fa2aad3d635c6d71814e38b643649b4000a8419f8691f20ac44",
-                "sha256:9511416e85e449fe1de73f7f99b21b3aa04fba4c4d335d30c486ba3756e3a2a6",
-                "sha256:97199a13b772e74cdcdb03760c32109c808aff7cd49c29e9cf4b7754bb725d1d",
-                "sha256:a776bae1629c8d7198396fd93ec0265f8dd2341c553dc32b976168aaf0e6a636",
-                "sha256:aa94d617a4cd4cdf4af9b5af65100c036bce22280ebb15d8b5262e8273ebc6ba",
-                "sha256:b17d83b3d1610e571fedac21b2eb36b816654d6f7496004d6a0d32f99d1d8120",
-                "sha256:d73e3a96c38173e0aa5646c31bf8473bc3564837977dd480f5cbeacf1d7ef3a3",
-                "sha256:d91bc9f535599bed58f6d2e21a2724cb0c3895bf41c6403fe881391d29096f1d",
-                "sha256:ef216d13ac8d24d9cd851776662f75f8d29c9f2d05cdcc2d34a18d32463a9b0b",
-                "sha256:f6a5a85beb33e57998dc605b9dbe7deaa806385fdf5c4810fb849fcd04640c81",
-                "sha256:f92556f94e476c1b616e6daec5f7ddded2c082efa7cee7f31c7aeda615906ed8"
+                "sha256:0a817b961b46894c5ca8a66b599c745b9a3d9f822725221f0e0fe49dc043a3a3",
+                "sha256:2d87cdcb378d3cfed944dac30596da1968f88fb96d7fc34fdae30a99054b2e31",
+                "sha256:30ee1eb3ebe1644d1c3f183d115a8c04e4e603ed6ce8e394ed39eea4a98469ac",
+                "sha256:391432971a66cfaf94b21c24ab465a4cc3e8bf4a939c1ca5c3e3a6e0abebdbcf",
+                "sha256:39bdf8e70eee6b1c7b289ec6e5d84d49a6bfa11f8b8646b5b3dfe41219153316",
+                "sha256:4caa4b893d8fad33cf1964d3e51842cd78ba87401ab1d2e44556826df849a8ca",
+                "sha256:53e5c1dc3d7a953de055d77bef2ff607ceef7a2aac0353b5d630ab67f7423638",
+                "sha256:596f3cd67e1b950bc372c33f1a28a0692080625592ea6392987dba7f09f17a94",
+                "sha256:5d59a9d55027a8b88fd9fd2826c4392bd487d74bf628bb9d39beecc62a644c12",
+                "sha256:6c0c021f35b421ebf5976abf2daacc47e235f8b6082d3396a2fe3ccd537ab173",
+                "sha256:73bc2d3f2444bcfeac67dd130ff2ea598ea5f20b40e36d19821b4df8c9c5037b",
+                "sha256:74d6c7e80609c0f4c2434b97b80c7f8fdfaa072ca4baab7e239a15d6d70ed73a",
+                "sha256:7be0eec337359c155df191d6ae00a5e8bbb63933883f4f5dffc439dac5348c3f",
+                "sha256:94ae132f0e40fe48f310bba63f477f14a43116f05ddb69d6fa31e93f05848ae2",
+                "sha256:bb5829d027ff82aa872d76158919045a7c1e91fbf241aec32cb07956e9ebd3c9",
+                "sha256:ca238ceb7ba0bdf6ce88c1b74a87bffcee5afbfa1e41e173b1ceb095b39add46",
+                "sha256:ca28641954f767f9822c24e927ad894d45d5a1e501767599647259cbf030b903",
+                "sha256:e0344c14c9cb89e76eb6a060e67980c9e35b3f36691e15e1b7a9e58a0a6c6dc3",
+                "sha256:ebc15b1c22e55c4d5566e3ca4db8689470a0ca2babef8e3a9ee057a8b82ce4b1",
+                "sha256:ec63da4e7e4a5f924b90af42eddf20b698a70e58d86a72d943857c4c6045b3ee"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==36.0.0"
+            "version": "==36.0.1"
         },
         "dacite": {
             "hashes": [
@@ -410,11 +409,11 @@
         },
         "deepmerge": {
             "hashes": [
-                "sha256:87166dbe9ba1a3348a45c9d4ada6778f518d41afc0b85aa017ea3041facc3f9c",
-                "sha256:f6fd7f1293c535fb599e197e750dbe8674503c5d2a89759b3c72a3c46746d4fd"
+                "sha256:4b44779ed3d2fb791bb181fc2683423496fea428abb7af37feb23286de7f0a1a",
+                "sha256:f851fff957697cb8f4580b465acf5c2d35841695306ff0abb9cb9c273ad76112"
             ],
             "index": "pypi",
-            "version": "==0.3.0"
+            "version": "==1.0.1"
         },
         "defusedxml": {
             "hashes": [
@@ -470,11 +469,11 @@
         },
         "django-prometheus": {
             "hashes": [
-                "sha256:c338d6efde1ca336e90c540b5e87afe9287d7bcc82d651a778f302b0be17a933",
-                "sha256:dd3f8da1399140fbef5c00d1526a23d1ade286b144281c325f8e409a781643f2"
+                "sha256:240378a1307c408bd5fc85614a3a57f1ce633d4a222c9e291e2bbf325173b801",
+                "sha256:e6616770d8820b8834762764bf1b76ec08e1b98e72a6f359d488a2e15fe3537c"
             ],
             "index": "pypi",
-            "version": "==2.1.0"
+            "version": "==2.2.0"
         },
         "django-redis": {
             "hashes": [
@@ -494,11 +493,11 @@
         },
         "djangorestframework": {
             "hashes": [
-                "sha256:48e64f08244fa0df9e2b8fbd405edec263d8e1251112a06d0073b546b7c86b9c",
-                "sha256:8b987d5683f5b3553dd946d4972048d3117fc526cb0bc01a3f021e81af53f39e"
+                "sha256:0c33407ce23acc68eca2a6e46424b008c9c02eceb8cf18581921d0092bc1f2ee",
+                "sha256:24c4bf58ed7e85d1fe4ba250ab2da926d263cd57d64b03e8dcef0ac683f8b1aa"
             ],
             "index": "pypi",
-            "version": "==3.13.0"
+            "version": "==3.13.1"
         },
         "djangorestframework-guardian": {
             "hashes": [
@@ -781,11 +780,11 @@
         },
         "jsonschema": {
             "hashes": [
-                "sha256:2a0f162822a64d95287990481b45d82f096e99721c86534f48201b64ebca6e8c",
-                "sha256:390713469ae64b8a58698bb3cbc3859abe6925b565a973f87323ef21b09a27a8"
+                "sha256:0070ca8dd5bf47941d1e9d8bc115a3654b1138cfb8aff44f3e3527276107314f",
+                "sha256:91ffbad994d766041c6003d5f8f475cceb890c30084bd0e64847ccb1c10e48bb"
             ],
             "markers": "python_version >= '3.7'",
-            "version": "==4.2.1"
+            "version": "==4.3.1"
         },
         "kombu": {
             "hashes": [
@@ -1329,11 +1328,11 @@
         },
         "setuptools": {
             "hashes": [
-                "sha256:22c7348c6d2976a52632c67f7ab0cdf40147db7789f9aed18734643fe9cf3373",
-                "sha256:4ce92f1e1f8f01233ee9952c04f6b81d1e02939d6e1b488428154974a4d0783e"
+                "sha256:5ec2bbb534ed160b261acbbdd1b463eb3cf52a8d223d96a8ab9981f63798e85c",
+                "sha256:75fd345a47ce3d79595b27bf57e6f49c2ca7904f3c7ce75f8a87012046c86b0b"
             ],
-            "markers": "python_version >= '3.6'",
-            "version": "==59.6.0"
+            "markers": "python_version >= '3.7'",
+            "version": "==60.0.0"
         },
         "six": {
             "hashes": [
@@ -1353,11 +1352,11 @@
         },
         "structlog": {
             "hashes": [
-                "sha256:305a66201f9605a2e8a2595271a446f258175901c09c01e4c2c2a8ac5b68edf1",
-                "sha256:6ed8fadb27cf8362be0e606f5e79ccdd3b1e879aac65f9dc0ac3033fd013a7be"
+                "sha256:68c4c29c003714fe86834f347cb107452847ba52414390a7ee583472bde00fc9",
+                "sha256:fd7922e195262b337da85c2a91c84be94ccab1f8fd1957bd6986f6904e3761c8"
             ],
             "index": "pypi",
-            "version": "==21.4.0"
+            "version": "==21.5.0"
         },
         "swagger-spec-validator": {
             "hashes": [
@@ -1455,9 +1454,7 @@
             "version": "==4.1.1"
         },
         "urllib3": {
-            "extras": [
-                "secure"
-            ],
+            "extras": [],
             "hashes": [
                 "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece",
                 "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"
@@ -1942,30 +1939,29 @@
         },
         "cryptography": {
             "hashes": [
-                "sha256:2049f8b87f449fc6190350de443ee0c1dd631f2ce4fa99efad2984de81031681",
-                "sha256:231c4a69b11f6af79c1495a0e5a85909686ea8db946935224b7825cfb53827ed",
-                "sha256:24469d9d33217ffd0ce4582dfcf2a76671af115663a95328f63c99ec7ece61a4",
-                "sha256:2deab5ec05d83ddcf9b0916319674d3dae88b0e7ee18f8962642d3cde0496568",
-                "sha256:494106e9cd945c2cadfce5374fa44c94cfadf01d4566a3b13bb487d2e6c7959e",
-                "sha256:4c702855cd3174666ef0d2d13dcc879090aa9c6c38f5578896407a7028f75b9f",
-                "sha256:52f769ecb4ef39865719aedc67b4b7eae167bafa48dbc2a26dd36fa56460507f",
-                "sha256:5c49c9e8fb26a567a2b3fa0343c89f5d325447956cc2fc7231c943b29a973712",
-                "sha256:684993ff6f67000a56454b41bdc7e015429732d65a52d06385b6e9de6181c71e",
-                "sha256:6fbbbb8aab4053fa018984bb0e95a16faeb051dd8cca15add2a27e267ba02b58",
-                "sha256:8982c19bb90a4fa2aad3d635c6d71814e38b643649b4000a8419f8691f20ac44",
-                "sha256:9511416e85e449fe1de73f7f99b21b3aa04fba4c4d335d30c486ba3756e3a2a6",
-                "sha256:97199a13b772e74cdcdb03760c32109c808aff7cd49c29e9cf4b7754bb725d1d",
-                "sha256:a776bae1629c8d7198396fd93ec0265f8dd2341c553dc32b976168aaf0e6a636",
-                "sha256:aa94d617a4cd4cdf4af9b5af65100c036bce22280ebb15d8b5262e8273ebc6ba",
-                "sha256:b17d83b3d1610e571fedac21b2eb36b816654d6f7496004d6a0d32f99d1d8120",
-                "sha256:d73e3a96c38173e0aa5646c31bf8473bc3564837977dd480f5cbeacf1d7ef3a3",
-                "sha256:d91bc9f535599bed58f6d2e21a2724cb0c3895bf41c6403fe881391d29096f1d",
-                "sha256:ef216d13ac8d24d9cd851776662f75f8d29c9f2d05cdcc2d34a18d32463a9b0b",
-                "sha256:f6a5a85beb33e57998dc605b9dbe7deaa806385fdf5c4810fb849fcd04640c81",
-                "sha256:f92556f94e476c1b616e6daec5f7ddded2c082efa7cee7f31c7aeda615906ed8"
+                "sha256:0a817b961b46894c5ca8a66b599c745b9a3d9f822725221f0e0fe49dc043a3a3",
+                "sha256:2d87cdcb378d3cfed944dac30596da1968f88fb96d7fc34fdae30a99054b2e31",
+                "sha256:30ee1eb3ebe1644d1c3f183d115a8c04e4e603ed6ce8e394ed39eea4a98469ac",
+                "sha256:391432971a66cfaf94b21c24ab465a4cc3e8bf4a939c1ca5c3e3a6e0abebdbcf",
+                "sha256:39bdf8e70eee6b1c7b289ec6e5d84d49a6bfa11f8b8646b5b3dfe41219153316",
+                "sha256:4caa4b893d8fad33cf1964d3e51842cd78ba87401ab1d2e44556826df849a8ca",
+                "sha256:53e5c1dc3d7a953de055d77bef2ff607ceef7a2aac0353b5d630ab67f7423638",
+                "sha256:596f3cd67e1b950bc372c33f1a28a0692080625592ea6392987dba7f09f17a94",
+                "sha256:5d59a9d55027a8b88fd9fd2826c4392bd487d74bf628bb9d39beecc62a644c12",
+                "sha256:6c0c021f35b421ebf5976abf2daacc47e235f8b6082d3396a2fe3ccd537ab173",
+                "sha256:73bc2d3f2444bcfeac67dd130ff2ea598ea5f20b40e36d19821b4df8c9c5037b",
+                "sha256:74d6c7e80609c0f4c2434b97b80c7f8fdfaa072ca4baab7e239a15d6d70ed73a",
+                "sha256:7be0eec337359c155df191d6ae00a5e8bbb63933883f4f5dffc439dac5348c3f",
+                "sha256:94ae132f0e40fe48f310bba63f477f14a43116f05ddb69d6fa31e93f05848ae2",
+                "sha256:bb5829d027ff82aa872d76158919045a7c1e91fbf241aec32cb07956e9ebd3c9",
+                "sha256:ca238ceb7ba0bdf6ce88c1b74a87bffcee5afbfa1e41e173b1ceb095b39add46",
+                "sha256:ca28641954f767f9822c24e927ad894d45d5a1e501767599647259cbf030b903",
+                "sha256:e0344c14c9cb89e76eb6a060e67980c9e35b3f36691e15e1b7a9e58a0a6c6dc3",
+                "sha256:ebc15b1c22e55c4d5566e3ca4db8689470a0ca2babef8e3a9ee057a8b82ce4b1",
+                "sha256:ec63da4e7e4a5f924b90af42eddf20b698a70e58d86a72d943857c4c6045b3ee"
             ],
             "markers": "python_version >= '3.6'",
-            "version": "==36.0.0"
+            "version": "==36.0.1"
         },
         "gitdb": {
             "hashes": [
@@ -2000,11 +1996,11 @@
         },
         "importlib-metadata": {
             "hashes": [
-                "sha256:53ccfd5c134223e497627b9815d5030edf77d2ed573922f7a0b8f8bb81a1c100",
-                "sha256:75bdec14c397f528724c1bfd9709d660b33a4d2e77387a3358f20b848bb5e5fb"
+                "sha256:92a8b58ce734b2a4494878e0ecf7d79ccd7a128b5fc6014c401e0b61f006f0f6",
+                "sha256:b7cf7d3fef75f1e4c80a96ca660efbd51473d7e8f39b5ab9210febc7809012a4"
             ],
             "index": "pypi",
-            "version": "==4.8.2"
+            "version": "==4.10.0"
         },
         "iniconfig": {
             "hashes": [
@@ -2018,36 +2014,51 @@
                 "sha256:6f62d78e2f89b4500b080fe3a81690850cd254227f27f75c3a0c491a1f351ba7",
                 "sha256:e8443a5e7a020e9d7f97f1d7d9cd17c88bcb3bc7e218bf9cf5095fe550be2951"
             ],
-            "markers": "python_version < '4' and python_full_version >= '3.6.1'",
+            "markers": "python_version < '4.0' and python_full_version >= '3.6.1'",
             "version": "==5.10.1"
         },
         "lazy-object-proxy": {
             "hashes": [
-                "sha256:17e0967ba374fc24141738c69736da90e94419338fd4c7c7bef01ee26b339653",
-                "sha256:1fee665d2638491f4d6e55bd483e15ef21f6c8c2095f235fef72601021e64f61",
-                "sha256:22ddd618cefe54305df49e4c069fa65715be4ad0e78e8d252a33debf00f6ede2",
-                "sha256:24a5045889cc2729033b3e604d496c2b6f588c754f7a62027ad4437a7ecc4837",
-                "sha256:410283732af311b51b837894fa2f24f2c0039aa7f220135192b38fcc42bd43d3",
-                "sha256:4732c765372bd78a2d6b2150a6e99d00a78ec963375f236979c0626b97ed8e43",
-                "sha256:489000d368377571c6f982fba6497f2aa13c6d1facc40660963da62f5c379726",
-                "sha256:4f60460e9f1eb632584c9685bccea152f4ac2130e299784dbaf9fae9f49891b3",
-                "sha256:5743a5ab42ae40caa8421b320ebf3a998f89c85cdc8376d6b2e00bd12bd1b587",
-                "sha256:85fb7608121fd5621cc4377a8961d0b32ccf84a7285b4f1d21988b2eae2868e8",
-                "sha256:9698110e36e2df951c7c36b6729e96429c9c32b3331989ef19976592c5f3c77a",
-                "sha256:9d397bf41caad3f489e10774667310d73cb9c4258e9aed94b9ec734b34b495fd",
-                "sha256:b579f8acbf2bdd9ea200b1d5dea36abd93cabf56cf626ab9c744a432e15c815f",
-                "sha256:b865b01a2e7f96db0c5d12cfea590f98d8c5ba64ad222300d93ce6ff9138bcad",
-                "sha256:bf34e368e8dd976423396555078def5cfc3039ebc6fc06d1ae2c5a65eebbcde4",
-                "sha256:c6938967f8528b3668622a9ed3b31d145fab161a32f5891ea7b84f6b790be05b",
-                "sha256:d1c2676e3d840852a2de7c7d5d76407c772927addff8d742b9808fe0afccebdf",
-                "sha256:d7124f52f3bd259f510651450e18e0fd081ed82f3c08541dffc7b94b883aa981",
-                "sha256:d900d949b707778696fdf01036f58c9876a0d8bfe116e8d220cfd4b15f14e741",
-                "sha256:ebfd274dcd5133e0afae738e6d9da4323c3eb021b3e13052d8cbd0e457b1256e",
-                "sha256:ed361bb83436f117f9917d282a456f9e5009ea12fd6de8742d1a4752c3017e93",
-                "sha256:f5144c75445ae3ca2057faac03fda5a902eff196702b0a24daf1d6ce0650514b"
+                "sha256:043651b6cb706eee4f91854da4a089816a6606c1428fd391573ef8cb642ae4f7",
+                "sha256:07fa44286cda977bd4803b656ffc1c9b7e3bc7dff7d34263446aec8f8c96f88a",
+                "sha256:12f3bb77efe1367b2515f8cb4790a11cffae889148ad33adad07b9b55e0ab22c",
+                "sha256:2052837718516a94940867e16b1bb10edb069ab475c3ad84fd1e1a6dd2c0fcfc",
+                "sha256:2130db8ed69a48a3440103d4a520b89d8a9405f1b06e2cc81640509e8bf6548f",
+                "sha256:39b0e26725c5023757fc1ab2a89ef9d7ab23b84f9251e28f9cc114d5b59c1b09",
+                "sha256:46ff647e76f106bb444b4533bb4153c7370cdf52efc62ccfc1a28bdb3cc95442",
+                "sha256:4dca6244e4121c74cc20542c2ca39e5c4a5027c81d112bfb893cf0790f96f57e",
+                "sha256:553b0f0d8dbf21890dd66edd771f9b1b5f51bd912fa5f26de4449bfc5af5e029",
+                "sha256:677ea950bef409b47e51e733283544ac3d660b709cfce7b187f5ace137960d61",
+                "sha256:6a24357267aa976abab660b1d47a34aaf07259a0c3859a34e536f1ee6e76b5bb",
+                "sha256:6a6e94c7b02641d1311228a102607ecd576f70734dc3d5e22610111aeacba8a0",
+                "sha256:6aff3fe5de0831867092e017cf67e2750c6a1c7d88d84d2481bd84a2e019ec35",
+                "sha256:6ecbb350991d6434e1388bee761ece3260e5228952b1f0c46ffc800eb313ff42",
+                "sha256:7096a5e0c1115ec82641afbdd70451a144558ea5cf564a896294e346eb611be1",
+                "sha256:70ed0c2b380eb6248abdef3cd425fc52f0abd92d2b07ce26359fcbc399f636ad",
+                "sha256:8561da8b3dd22d696244d6d0d5330618c993a215070f473b699e00cf1f3f6443",
+                "sha256:85b232e791f2229a4f55840ed54706110c80c0a210d076eee093f2b2e33e1bfd",
+                "sha256:898322f8d078f2654d275124a8dd19b079080ae977033b713f677afcfc88e2b9",
+                "sha256:8f3953eb575b45480db6568306893f0bd9d8dfeeebd46812aa09ca9579595148",
+                "sha256:91ba172fc5b03978764d1df5144b4ba4ab13290d7bab7a50f12d8117f8630c38",
+                "sha256:9d166602b525bf54ac994cf833c385bfcc341b364e3ee71e3bf5a1336e677b55",
+                "sha256:a57d51ed2997e97f3b8e3500c984db50a554bb5db56c50b5dab1b41339b37e36",
+                "sha256:b9e89b87c707dd769c4ea91f7a31538888aad05c116a59820f28d59b3ebfe25a",
+                "sha256:bb8c5fd1684d60a9902c60ebe276da1f2281a318ca16c1d0a96db28f62e9166b",
+                "sha256:c19814163728941bb871240d45c4c30d33b8a2e85972c44d4e63dd7107faba44",
+                "sha256:c4ce15276a1a14549d7e81c243b887293904ad2d94ad767f42df91e75fd7b5b6",
+                "sha256:c7a683c37a8a24f6428c28c561c80d5f4fd316ddcf0c7cab999b15ab3f5c5c69",
+                "sha256:d609c75b986def706743cdebe5e47553f4a5a1da9c5ff66d76013ef396b5a8a4",
+                "sha256:d66906d5785da8e0be7360912e99c9188b70f52c422f9fc18223347235691a84",
+                "sha256:dd7ed7429dbb6c494aa9bc4e09d94b778a3579be699f9d67da7e6804c422d3de",
+                "sha256:df2631f9d67259dc9620d831384ed7732a198eb434eadf69aea95ad18c587a28",
+                "sha256:e368b7f7eac182a59ff1f81d5f3802161932a41dc1b1cc45c1f757dc876b5d2c",
+                "sha256:e40f2013d96d30217a51eeb1db28c9ac41e9d0ee915ef9d00da639c5b63f01a1",
+                "sha256:f769457a639403073968d118bc70110e7dce294688009f5c24ab78800ae56dc8",
+                "sha256:fccdf7c2c5821a8cbd0a9440a456f5050492f2270bd54e94360cac663398739b",
+                "sha256:fd45683c3caddf83abbb1249b653a266e7069a09f486daa8863fb0e7496a9fdb"
             ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
-            "version": "==1.6.0"
+            "markers": "python_version >= '3.6'",
+            "version": "==1.7.1"
         },
         "mccabe": {
             "hashes": [
@@ -2332,11 +2343,11 @@
         },
         "setuptools": {
             "hashes": [
-                "sha256:22c7348c6d2976a52632c67f7ab0cdf40147db7789f9aed18734643fe9cf3373",
-                "sha256:4ce92f1e1f8f01233ee9952c04f6b81d1e02939d6e1b488428154974a4d0783e"
+                "sha256:5ec2bbb534ed160b261acbbdd1b463eb3cf52a8d223d96a8ab9981f63798e85c",
+                "sha256:75fd345a47ce3d79595b27bf57e6f49c2ca7904f3c7ce75f8a87012046c86b0b"
             ],
-            "markers": "python_version >= '3.6'",
-            "version": "==59.6.0"
+            "markers": "python_version >= '3.7'",
+            "version": "==60.0.0"
         },
         "six": {
             "hashes": [
@@ -2418,9 +2429,7 @@
             "version": "==4.0.1"
         },
         "urllib3": {
-            "extras": [
-                "secure"
-            ],
+            "extras": [],
             "hashes": [
                 "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece",
                 "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"

authentik/__init__.py

@@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.12.2"
+__version__ = "2021.12.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"

authentik/core/models.py

@@ -270,8 +270,8 @@ class Application(PolicyBindingModel):
         """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
         if self.meta_launch_url:
             return self.meta_launch_url
-        if self.provider:
-            return self.get_provider().launch_url
+        if provider := self.get_provider():
+            return provider.launch_url
         return None
 
     def get_provider(self) -> Optional[Provider]:

authentik/lib/default.yml

@@ -64,7 +64,7 @@ outposts:
   # %(type)s: Outpost type; proxy, ldap, etc
   # %(version)s: Current version; 2021.4.1
   # %(build_hash)s: Build hash if you're running a beta version
-  container_image_base: goauthentik.io/%(type)s:%(version)s
+  container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
 
 cookie_domain: null
 disable_update_check: false

authentik/lib/sentry.py

@@ -108,6 +108,9 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
             "multiprocessing",
             "django_redis",
             "django.security.DisallowedHost",
+            "django_redis.cache",
+            "celery.backends.redis",
+            "celery.worker",
         ]:
             return None
     LOGGER.debug("sending event to sentry", exc=exc_value, source_logger=event.get("logger", None))

authentik/outposts/api/outposts.py

@@ -116,6 +116,7 @@ class OutpostFilter(FilterSet):
             "providers": ["isnull"],
             "name": ["iexact", "icontains"],
             "service_connection__name": ["iexact", "icontains"],
+            "managed": ["iexact", "icontains"],
         }
 
 

authentik/outposts/controllers/docker.py

@@ -169,7 +169,7 @@ class DockerController(BaseController):
             # Check if the container is out of date, delete it and retry
             if len(container.image.tags) > 0:
                 should_image = self.try_pull_image()
-                if should_image not in container.image.tags:
+                if should_image not in container.image.tags:  # pragma: no cover
                     self.logger.info(
                         "Container has mismatched image, re-creating...",
                         has=container.image.tags,

authentik/outposts/models.py

@@ -481,6 +481,8 @@ class OutpostState:
     def for_outpost(outpost: Outpost) -> list["OutpostState"]:
         """Get all states for an outpost"""
         keys = cache.keys(f"{outpost.state_cache_prefix}_*")
+        if not keys:
+            return []
         states = []
         for key in keys:
             instance_uid = key.replace(f"{outpost.state_cache_prefix}_", "")

authentik/providers/proxy/controllers/k8s/ingress.py

@@ -89,6 +89,7 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
             # goes to the same pod
             "nginx.ingress.kubernetes.io/affinity": "cookie",
             "traefik.ingress.kubernetes.io/affinity": "true",
+            # Buffer sizes for large headers with JWTs
             "nginx.ingress.kubernetes.io/proxy-buffers-number": "4",
             "nginx.ingress.kubernetes.io/proxy-buffer-size": "16k",
         }

authentik/providers/proxy/controllers/k8s/traefik.py

@@ -96,6 +96,16 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
         super().reconcile(current, reference)
         if current.spec.forwardAuth.address != reference.spec.forwardAuth.address:
             raise NeedsUpdate()
+        if (
+            current.spec.forwardAuth.authResponseHeadersRegex
+            != reference.spec.forwardAuth.authResponseHeadersRegex
+        ):
+            raise NeedsUpdate()
+        # Ensure all of our headers are set, others can be added by the user.
+        if not set(current.spec.forwardAuth.authResponseHeaders).issubset(
+            reference.spec.forwardAuth.authResponseHeaders
+        ):
+            raise NeedsUpdate()
 
     def get_reference_object(self) -> TraefikMiddleware:
         """Get deployment object for outpost"""
@@ -110,8 +120,27 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
             spec=TraefikMiddlewareSpec(
                 forwardAuth=TraefikMiddlewareSpecForwardAuth(
                     address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
-                    authResponseHeaders=[],
-                    authResponseHeadersRegex="^.*$",
+                    authResponseHeaders=[
+                        # Legacy headers, remove after 2022.1
+                        "X-Auth-Username",
+                        "X-Auth-Groups",
+                        "X-Forwarded-Email",
+                        "X-Forwarded-Preferred-Username",
+                        "X-Forwarded-User",
+                        # New headers, unique prefix
+                        "X-authentik-username",
+                        "X-authentik-groups",
+                        "X-authentik-email",
+                        "X-authentik-name",
+                        "X-authentik-uid",
+                        "X-authentik-jwt",
+                        "X-authentik-meta-jwks",
+                        "X-authentik-meta-outpost",
+                        "X-authentik-meta-provider",
+                        "X-authentik-meta-app",
+                        "X-authentik-meta-version",
+                    ],
+                    authResponseHeadersRegex="",
                     trustForwardHeader=True,
                 )
             ),

authentik/root/settings.py

@@ -67,7 +67,7 @@ SECRET_KEY = CONFIG.y("secret_key")
 INTERNAL_IPS = ["127.0.0.1"]
 ALLOWED_HOSTS = ["*"]
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
-
+SECURE_CROSS_ORIGIN_OPENER_POLICY = None
 LOGIN_URL = "authentik_flows:default-authentication"
 
 # Custom user model
@@ -220,15 +220,16 @@ REDIS_CELERY_TLS_REQUIREMENTS = ""
 if CONFIG.y_bool("redis.tls", False):
     REDIS_PROTOCOL_PREFIX = "rediss://"
     REDIS_CELERY_TLS_REQUIREMENTS = f"?ssl_cert_reqs={CONFIG.y('redis.tls_reqs')}"
+_redis_url = (
+    f"{REDIS_PROTOCOL_PREFIX}:"
+    f"{quote(CONFIG.y('redis.password'))}@{quote(CONFIG.y('redis.host'))}:"
+    f"{int(CONFIG.y('redis.port'))}"
+)
 
 CACHES = {
     "default": {
         "BACKEND": "django_redis.cache.RedisCache",
-        "LOCATION": (
-            f"{REDIS_PROTOCOL_PREFIX}:"
-            f"{quote(CONFIG.y('redis.password'))}@{quote(CONFIG.y('redis.host'))}:"
-            f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.cache_db')}"
-        ),
+        "LOCATION": f"{_redis_url}/{CONFIG.y('redis.cache_db')}",
         "TIMEOUT": int(CONFIG.y("redis.cache_timeout", 300)),
         "OPTIONS": {"CLIENT_CLASS": "django_redis.client.DefaultClient"},
     }
@@ -287,11 +288,7 @@ CHANNEL_LAYERS = {
     "default": {
         "BACKEND": "channels_redis.core.RedisChannelLayer",
         "CONFIG": {
-            "hosts": [
-                f"{REDIS_PROTOCOL_PREFIX}:"
-                f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
-                f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.ws_db')}"
-            ],
+            "hosts": [f"{_redis_url}/{CONFIG.y('redis.ws_db')}"],
         },
     },
 }
@@ -367,16 +364,10 @@ CELERY_BEAT_SCHEDULE = {
 CELERY_TASK_CREATE_MISSING_QUEUES = True
 CELERY_TASK_DEFAULT_QUEUE = "authentik"
 CELERY_BROKER_URL = (
-    f"{REDIS_PROTOCOL_PREFIX}:"
-    f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
-    f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.message_queue_db')}"
-    f"{REDIS_CELERY_TLS_REQUIREMENTS}"
+    f"{_redis_url}/{CONFIG.y('redis.message_queue_db')}{REDIS_CELERY_TLS_REQUIREMENTS}"
 )
 CELERY_RESULT_BACKEND = (
-    f"{REDIS_PROTOCOL_PREFIX}:"
-    f"{CONFIG.y('redis.password')}@{CONFIG.y('redis.host')}:"
-    f"{int(CONFIG.y('redis.port'))}/{CONFIG.y('redis.message_queue_db')}"
-    f"{REDIS_CELERY_TLS_REQUIREMENTS}"
+    f"{_redis_url}/{CONFIG.y('redis.message_queue_db')}{REDIS_CELERY_TLS_REQUIREMENTS}"
 )
 
 # Database backup
@@ -470,6 +461,11 @@ TEST = False
 TEST_RUNNER = "authentik.root.test_runner.PytestTestRunner"
 # We can't check TEST here as its set later by the test runner
 LOG_LEVEL = CONFIG.y("log_level").upper() if "TF_BUILD" not in os.environ else "DEBUG"
+# We could add a custom level to stdlib logging and structlog, but it's not easy or clean
+# https://stackoverflow.com/questions/54505487/custom-log-level-not-working-with-structlog
+# Additionally, the entire code uses debug as highest level so that would have to be re-written too
+if LOG_LEVEL == "TRACE":
+    LOG_LEVEL = "DEBUG"
 
 structlog.configure_once(
     processors=[

cmd/ldap/server.go

@@ -21,6 +21,12 @@ Required environment variables:
 
 func main() {
 	log.SetLevel(log.DebugLevel)
+	log.SetFormatter(&log.JSONFormatter{
+		FieldMap: log.FieldMap{
+			log.FieldKeyMsg:  "event",
+			log.FieldKeyTime: "timestamp",
+		},
+	})
 	akURL, found := os.LookupEnv("AUTHENTIK_HOST")
 	if !found {
 		fmt.Println("env AUTHENTIK_HOST not set!")

cmd/proxy/server.go

@@ -26,6 +26,12 @@ Optionally, you can set these:
 
 func main() {
 	log.SetLevel(log.DebugLevel)
+	log.SetFormatter(&log.JSONFormatter{
+		FieldMap: log.FieldMap{
+			log.FieldKeyMsg:  "event",
+			log.FieldKeyTime: "timestamp",
+		},
+	})
 	akURL, found := os.LookupEnv("AUTHENTIK_HOST")
 	if !found {
 		fmt.Println("env AUTHENTIK_HOST not set!")

cmd/server/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"net/http"
 	"net/url"
 	"time"
 
@@ -20,7 +21,12 @@ var running = true
 
 func main() {
 	log.SetLevel(log.DebugLevel)
-	log.SetFormatter(&log.JSONFormatter{})
+	log.SetFormatter(&log.JSONFormatter{
+		FieldMap: log.FieldMap{
+			log.FieldKeyMsg:  "event",
+			log.FieldKeyTime: "timestamp",
+		},
+	})
 	l := log.WithField("logger", "authentik.root")
 	config.DefaultConfig()
 	err := config.LoadConfig("./authentik/lib/default.yml")
@@ -41,9 +47,12 @@ func main() {
 		err := sentry.Init(sentry.ClientOptions{
 			Dsn:              config.G.ErrorReporting.DSN,
 			AttachStacktrace: true,
-			TracesSampleRate: 0.6,
+			TracesSampleRate: config.G.ErrorReporting.SampleRate,
 			Release:          fmt.Sprintf("authentik@%s", constants.VERSION),
 			Environment:      config.G.ErrorReporting.Environment,
+			IgnoreErrors: []string{
+				http.ErrAbortHandler.Error(),
+			},
 		})
 		if err != nil {
 			l.WithError(err).Warning("failed to init sentry")
@@ -69,9 +78,9 @@ func main() {
 
 		<-ex
 		running = false
-		l.WithField("logger", "authentik").Info("shutting down gunicorn")
+		l.Info("shutting down gunicorn")
 		go g.Kill()
-		l.WithField("logger", "authentik").Info("shutting down webserver")
+		l.Info("shutting down webserver")
 		go ws.Shutdown()
 	}
 }
@@ -89,8 +98,9 @@ func attemptStartBackend(g *gounicorn.GoUnicorn) {
 func attemptProxyStart(ws *web.WebServer, u *url.URL) {
 	maxTries := 100
 	attempt := 0
+	l := log.WithField("logger", "authentik.server")
 	for {
-		log.WithField("logger", "authentik").Debug("attempting to init outpost")
+		l.Debug("attempting to init outpost")
 		ac := ak.NewAPIController(*u, config.G.SecretKey)
 		if ac == nil {
 			attempt += 1
@@ -103,10 +113,10 @@ func attemptProxyStart(ws *web.WebServer, u *url.URL) {
 		srv := proxyv2.NewProxyServer(ac, 0)
 		ws.ProxyServer = srv
 		ac.Server = srv
-		log.WithField("logger", "authentik").Debug("attempting to start outpost")
+		l.Debug("attempting to start outpost")
 		err := ac.StartBackgorundTasks()
 		if err != nil {
-			log.WithField("logger", "authentik").WithError(err).Warning("outpost failed to start")
+			l.WithError(err).Warning("outpost failed to start")
 			attempt += 1
 			time.Sleep(15 * time.Second)
 			if attempt > maxTries {

docker-compose.yml

@@ -17,7 +17,7 @@ services:
     image: redis:alpine
     restart: unless-stopped
   server:
-    image: ${AUTHENTIK_IMAGE:-goauthentik.io/server}:${AUTHENTIK_TAG:-2021.12.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.12.3}
     restart: unless-stopped
     command: server
     environment:
@@ -38,7 +38,7 @@ services:
       - "0.0.0.0:9000:9000"
       - "0.0.0.0:9443:9443"
   worker:
-    image: ${AUTHENTIK_IMAGE:-goauthentik.io/server}:${AUTHENTIK_TAG:-2021.12.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.12.3}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac // indirect
 	github.com/prometheus/client_golang v1.11.0
 	github.com/sirupsen/logrus v1.8.1
-	goauthentik.io/api v0.2021121.1
+	goauthentik.io/api v0.2021122.2
 	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 // indirect
 	golang.org/x/net v0.0.0-20210510120150-4163338589ed // indirect
 	golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558

go.sum

@@ -558,8 +558,8 @@ go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-goauthentik.io/api v0.2021121.1 h1:e8JIkquWxtKJAmIPgDXmx7GAdhqr9mWQ6uZwkosJsfk=
-goauthentik.io/api v0.2021121.1/go.mod h1:02nnD4FRd8lu8A1+ZuzqownBgvAhdCKzqkKX8v7JMTE=
+goauthentik.io/api v0.2021122.2 h1:3kvyBS7F+uxJ38qrUoWB0Rpidmnw/MHei1NNQ34daAU=
+goauthentik.io/api v0.2021122.2/go.mod h1:02nnD4FRd8lu8A1+ZuzqownBgvAhdCKzqkKX8v7JMTE=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=

internal/config/config.go

@@ -2,6 +2,7 @@ package config
 
 import (
 	"io/ioutil"
+	"strings"
 
 	env "github.com/Netflix/go-env"
 	"github.com/imdario/mergo"
@@ -24,8 +25,9 @@ func DefaultConfig() {
 		},
 		LogLevel: "info",
 		ErrorReporting: ErrorReportingConfig{
-			Enabled: false,
-			DSN:     "https://a579bb09306d4f8b8d8847c052d3a1d3@sentry.beryju.org/8",
+			Enabled:    false,
+			DSN:        "https://a579bb09306d4f8b8d8847c052d3a1d3@sentry.beryju.org/8",
+			SampleRate: 1,
 		},
 	}
 }
@@ -61,7 +63,7 @@ func FromEnv() error {
 }
 
 func ConfigureLogger() {
-	switch G.LogLevel {
+	switch strings.ToLower(G.LogLevel) {
 	case "trace":
 		log.SetLevel(log.TraceLevel)
 	case "debug":
@@ -76,14 +78,14 @@ func ConfigureLogger() {
 		log.SetLevel(log.DebugLevel)
 	}
 
+	fm := log.FieldMap{
+		log.FieldKeyMsg:  "event",
+		log.FieldKeyTime: "timestamp",
+	}
+
 	if G.Debug {
-		log.SetFormatter(&log.TextFormatter{})
+		log.SetFormatter(&log.TextFormatter{FieldMap: fm})
 	} else {
-		log.SetFormatter(&log.JSONFormatter{
-			FieldMap: log.FieldMap{
-				log.FieldKeyMsg:  "event",
-				log.FieldKeyTime: "timestamp",
-			},
-		})
+		log.SetFormatter(&log.JSONFormatter{FieldMap: fm})
 	}
 }

internal/config/struct.go

@@ -42,4 +42,5 @@ type ErrorReportingConfig struct {
 	Environment string `yaml:"environment" env:"AUTHENTIK_ERROR_REPORTING__ENVIRONMENT"`
 	SendPII     bool   `yaml:"send_pii" env:"AUTHENTIK_ERROR_REPORTING__SEND_PII"`
 	DSN         string
+	SampleRate  float64 `yaml:"sample_rate" env:"AUTHENTIK_ERROR_REPORTING__SAMPLE_RATE"`
 }

internal/constants/constants.go

@@ -17,4 +17,4 @@ func OutpostUserAgent() string {
 	return fmt.Sprintf("authentik-outpost@%s (build=%s)", VERSION, BUILD())
 }
 
-const VERSION = "2021.12.2"
+const VERSION = "2021.12.3"

internal/outpost/ak/api.go

@@ -81,7 +81,8 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 	}
 	log.Debug("Fetched global configuration")
 
-	doGlobalSetup(outpost, akConfig)
+	// doGlobalSetup is called by the OnRefresh handler, which ticks on start
+	// doGlobalSetup(outpost, akConfig)
 
 	ac := &APIController{
 		Client:       apiClient,
@@ -106,7 +107,11 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 
 // Start Starts all handlers, non-blocking
 func (a *APIController) Start() error {
-	err := a.StartBackgorundTasks()
+	err := a.Server.Refresh()
+	if err != nil {
+		return err
+	}
+	err = a.StartBackgorundTasks()
 	if err != nil {
 		return err
 	}
@@ -146,6 +151,7 @@ func (a *APIController) OnRefresh() error {
 	a.Outpost = outposts.Results[0]
 
 	a.logger.WithField("name", a.Outpost.Name).Debug("Fetched outpost configuration")
+	doGlobalSetup(a.Outpost, a.GlobalConfig)
 	return a.Server.Refresh()
 }
 

internal/outpost/ak/api_ws.go

@@ -195,6 +195,7 @@ func (ac *APIController) startIntervalUpdater() {
 	logger := ac.logger.WithField("loop", "interval-updater")
 	ticker := time.NewTicker(5 * time.Minute)
 	for ; true; <-ticker.C {
+		logger.Debug("Running interval update")
 		err := ac.OnRefresh()
 		if err != nil {
 			logger.WithError(err).Debug("Failed to update")

internal/outpost/ak/global.go

@@ -13,38 +13,41 @@ import (
 )
 
 func doGlobalSetup(outpost api.Outpost, globalConfig api.Config) {
-	log.SetFormatter(&log.JSONFormatter{
-		FieldMap: log.FieldMap{
-			log.FieldKeyMsg:  "event",
-			log.FieldKeyTime: "timestamp",
-		},
-	})
-	switch outpost.Config[ConfigLogLevel].(string) {
-	case "trace":
-		log.SetLevel(log.TraceLevel)
-	case "debug":
-		log.SetLevel(log.DebugLevel)
-	case "info":
-		log.SetLevel(log.InfoLevel)
-	case "warning":
-		log.SetLevel(log.WarnLevel)
-	case "error":
-		log.SetLevel(log.ErrorLevel)
-	default:
-		log.SetLevel(log.DebugLevel)
+	l := log.WithField("logger", "authentik.outpost")
+	m := outpost.Managed.Get()
+	if m == nil || *m == "" {
+		switch outpost.Config[ConfigLogLevel].(string) {
+		case "trace":
+			log.SetLevel(log.TraceLevel)
+		case "debug":
+			log.SetLevel(log.DebugLevel)
+		case "info":
+			log.SetLevel(log.InfoLevel)
+		case "warning":
+			log.SetLevel(log.WarnLevel)
+		case "error":
+			log.SetLevel(log.ErrorLevel)
+		default:
+			log.SetLevel(log.DebugLevel)
+		}
+	} else {
+		l.Debug("Managed outpost, not setting global log level")
 	}
-	log.WithField("logger", "authentik.outpost").WithField("hash", constants.BUILD()).WithField("version", constants.VERSION).Info("Starting authentik outpost")
+	l.WithField("hash", constants.BUILD()).WithField("version", constants.VERSION).Info("Starting authentik outpost")
 
 	if globalConfig.ErrorReporting.Enabled {
 		dsn := "https://a579bb09306d4f8b8d8847c052d3a1d3@sentry.beryju.org/8"
-		log.WithField("env", globalConfig.ErrorReporting.Environment).Debug("Error reporting enabled")
+		l.WithField("env", globalConfig.ErrorReporting.Environment).Debug("Error reporting enabled")
 		err := sentry.Init(sentry.ClientOptions{
 			Dsn:              dsn,
 			Environment:      globalConfig.ErrorReporting.Environment,
 			TracesSampleRate: float64(globalConfig.ErrorReporting.TracesSampleRate),
+			IgnoreErrors: []string{
+				http.ErrAbortHandler.Error(),
+			},
 		})
 		if err != nil {
-			log.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialise sentry")
+			l.WithField("env", globalConfig.ErrorReporting.Environment).WithError(err).Warning("Failed to initialise sentry")
 		}
 	}
 }

internal/outpost/ldap/ldap.go

@@ -57,7 +57,7 @@ func (ls *LDAPServer) StartLDAPServer() error {
 	proxyListener := &proxyproto.Listener{Listener: ln}
 	defer proxyListener.Close()
 
-	ls.log.WithField("listen", listen).Info("Starting ldap server")
+	ls.log.WithField("listen", listen).Info("Starting LDAP server")
 	err = ls.s.Serve(proxyListener)
 	if err != nil {
 		return err

internal/outpost/ldap/ldap_tls.go

@@ -45,7 +45,7 @@ func (ls *LDAPServer) StartLDAPTLSServer() error {
 
 	tln := tls.NewListener(proxyListener, tlsConfig)
 
-	ls.log.WithField("listen", listen).Info("Starting ldap tls server")
+	ls.log.WithField("listen", listen).Info("Starting LDAP SSL server")
 	err = ls.s.Serve(tln)
 	if err != nil {
 		return err

internal/outpost/proxyv2/application/application.go

@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"encoding/gob"
 	"fmt"
+	"html/template"
 	"net/http"
 	"net/url"
 	"regexp"
@@ -24,6 +25,7 @@ import (
 	"goauthentik.io/internal/outpost/proxyv2/constants"
 	"goauthentik.io/internal/outpost/proxyv2/hs256"
 	"goauthentik.io/internal/outpost/proxyv2/metrics"
+	"goauthentik.io/internal/outpost/proxyv2/templates"
 	"goauthentik.io/internal/utils/web"
 	"golang.org/x/oauth2"
 )
@@ -44,6 +46,8 @@ type Application struct {
 
 	log *log.Entry
 	mux *mux.Router
+
+	errorTemplates *template.Template
 }
 
 func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore, ak *ak.APIController) (*Application, error) {
@@ -79,15 +83,16 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 	}
 	mux := mux.NewRouter()
 	a := &Application{
-		Host:          externalHost.Host,
-		log:           log.WithField("logger", "authentik.outpost.proxy.bundle").WithField("provider", p.Name),
-		outpostName:   ak.Outpost.Name,
-		endpint:       endpoint,
-		oauthConfig:   oauth2Config,
-		tokenVerifier: verifier,
-		proxyConfig:   p,
-		httpClient:    c,
-		mux:           mux,
+		Host:           externalHost.Host,
+		log:            log.WithField("logger", "authentik.outpost.proxy.bundle").WithField("provider", p.Name),
+		outpostName:    ak.Outpost.Name,
+		endpint:        endpoint,
+		oauthConfig:    oauth2Config,
+		tokenVerifier:  verifier,
+		proxyConfig:    p,
+		httpClient:     c,
+		mux:            mux,
+		errorTemplates: templates.GetTemplates(),
 	}
 	a.sessions = a.getStore(p)
 	mux.Use(web.NewLoggingHandler(muxLogger, func(l *log.Entry, r *http.Request) *log.Entry {
@@ -178,22 +183,6 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 	return a, nil
 }
 
-func (a *Application) IsAllowlisted(r *http.Request) bool {
-	for _, u := range a.UnauthenticatedRegex {
-		var testString string
-		if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
-			testString = r.URL.Path
-		} else {
-			testString = r.URL.String()
-		}
-		a.log.WithField("regex", u.String()).WithField("url", testString).Trace("Matching URL against allow list")
-		if u.MatchString(testString) {
-			return true
-		}
-	}
-	return false
-}
-
 func (a *Application) Mode() api.ProxyMode {
 	return *a.proxyConfig.Mode
 }

internal/outpost/proxyv2/application/error.go

@@ -2,33 +2,38 @@ package application
 
 import (
 	"fmt"
-	"html/template"
 	"net/http"
 
 	log "github.com/sirupsen/logrus"
 )
 
-// NewProxyErrorHandler creates a ProxyErrorHandler using the template given.
-func (a *Application) newProxyErrorHandler(errorTemplate *template.Template) func(http.ResponseWriter, *http.Request, error) {
-	return func(rw http.ResponseWriter, req *http.Request, proxyErr error) {
-		claims, _ := a.getClaims(req)
-		log.WithError(proxyErr).Warning("Error proxying to upstream server")
-		rw.WriteHeader(http.StatusBadGateway)
-		data := struct {
-			Title       string
-			Message     string
-			ProxyPrefix string
-		}{
-			Title:       "Bad Gateway",
-			Message:     "Error proxying to upstream server",
-			ProxyPrefix: "/akprox",
-		}
-		if claims != nil {
-			data.Message = fmt.Sprintf("Error proxying to upstream server: %s", proxyErr.Error())
-		}
-		err := errorTemplate.Execute(rw, data)
-		if err != nil {
-			http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
-		}
+type ErrorPageData struct {
+	Title       string
+	Message     string
+	ProxyPrefix string
+}
+
+func (a *Application) ErrorPage(rw http.ResponseWriter, r *http.Request, err string) {
+	claims, _ := a.getClaims(r)
+	data := ErrorPageData{
+		Title:       "Bad Gateway",
+		Message:     "Error proxying to upstream server",
+		ProxyPrefix: "/akprox",
+	}
+	if claims != nil && len(err) > 0 {
+		data.Message = err
+	}
+	er := a.errorTemplates.Execute(rw, data)
+	if er != nil {
+		http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
+	}
+}
+
+// NewProxyErrorHandler creates a ProxyErrorHandler using the template given.
+func (a *Application) newProxyErrorHandler() func(http.ResponseWriter, *http.Request, error) {
+	return func(rw http.ResponseWriter, req *http.Request, proxyErr error) {
+		log.WithError(proxyErr).Warning("Error proxying to upstream server")
+		rw.WriteHeader(http.StatusBadGateway)
+		a.ErrorPage(rw, req, fmt.Sprintf("Error proxying to upstream server: %s", proxyErr.Error()))
 	}
 }

internal/outpost/proxyv2/application/mode_common.go

@@ -4,8 +4,10 @@ import (
 	"encoding/base64"
 	"fmt"
 	"net/http"
+	"net/url"
 	"strings"
 
+	"goauthentik.io/api"
 	"goauthentik.io/internal/constants"
 )
 
@@ -62,3 +64,43 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
 		}
 	}
 }
+
+func (a *Application) getTraefikForwardUrl(r *http.Request) *url.URL {
+	u, err := url.Parse(fmt.Sprintf(
+		"%s://%s%s",
+		r.Header.Get("X-Forwarded-Proto"),
+		r.Header.Get("X-Forwarded-Host"),
+		r.Header.Get("X-Forwarded-Uri"),
+	))
+	if err != nil {
+		a.log.WithError(err).Warning("Failed to parse URL from traefik")
+		return r.URL
+	}
+	return u
+}
+
+func (a *Application) IsAllowlisted(r *http.Request) bool {
+	url := r.URL
+	// In Forward auth mode, we can't directly match against the requested URL
+	// Since that would be /akprox/auth/...
+	if a.Mode() == api.PROXYMODE_FORWARD_SINGLE || a.Mode() == api.PROXYMODE_FORWARD_DOMAIN {
+		// For traefik, we can get the Upstream URL from headers
+		// For nginx we can attempt to as well, but it's not guaranteed to work.
+		if strings.HasPrefix(r.URL.Path, "/akprox/auth") {
+			url = a.getTraefikForwardUrl(r)
+		}
+	}
+	for _, u := range a.UnauthenticatedRegex {
+		var testString string
+		if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
+			testString = url.Path
+		} else {
+			testString = url.String()
+		}
+		a.log.WithField("regex", u.String()).WithField("url", testString).Trace("Matching URL against allow list")
+		if u.MatchString(testString) {
+			return true
+		}
+	}
+	return false
+}

internal/outpost/proxyv2/application/mode_forward.go

@@ -48,16 +48,20 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
 	// to the application
 	// see https://doc.traefik.io/traefik/middlewares/forwardauth/
 	// X-Forwarded-Uri is only the path, so we need to build the entire URL
-	s.Values[constants.SessionRedirect] = fmt.Sprintf(
-		"%s://%s%s",
-		r.Header.Get("X-Forwarded-Proto"),
-		r.Header.Get("X-Forwarded-Host"),
-		r.Header.Get("X-Forwarded-Uri"),
-	)
+	s.Values[constants.SessionRedirect] = a.getTraefikForwardUrl(r).String()
+	if r.Header.Get("X-Forwarded-Uri") == "/akprox/start" {
+		a.log.Info("Detected potential redirect loop")
+		if val, ok := s.Values[constants.SessionLoopDetection]; !ok {
+			s.Values[constants.SessionLoopDetection] = 1
+		} else {
+			s.Values[constants.SessionLoopDetection] = val.(int) + 1
+		}
+	}
 	err = s.Save(r, rw)
 	if err != nil {
 		a.log.WithError(err).Warning("failed to save session before redirect")
 	}
+
 	proto := r.Header.Get("X-Forwarded-Proto")
 	if proto != "" {
 		proto = proto + ":"

internal/outpost/proxyv2/application/mode_proxy.go

@@ -10,9 +10,9 @@ import (
 
 	"github.com/getsentry/sentry-go"
 	"github.com/prometheus/client_golang/prometheus"
+	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/proxyv2/metrics"
-	"goauthentik.io/internal/outpost/proxyv2/templates"
 	"goauthentik.io/internal/utils/web"
 )
 
@@ -31,7 +31,7 @@ func (a *Application) configureProxy() error {
 	rp := &httputil.ReverseProxy{Director: a.proxyModifyRequest(u)}
 	rsp := sentry.StartSpan(context.TODO(), "authentik.outposts.proxy.application_transport")
 	rp.Transport = ak.NewTracingTransport(rsp.Context(), a.getUpstreamTransport())
-	rp.ErrorHandler = a.newProxyErrorHandler(templates.GetTemplates())
+	rp.ErrorHandler = a.newProxyErrorHandler()
 	rp.ModifyResponse = a.proxyModifyResponse
 	a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		claims, err := a.getClaims(r)
@@ -45,6 +45,13 @@ func (a *Application) configureProxy() error {
 		}
 		before := time.Now()
 		rp.ServeHTTP(rw, r)
+		defer func() {
+			err := recover()
+			if err == nil || err == http.ErrAbortHandler {
+				return
+			}
+			log.WithError(err.(error)).Error("recover in reverse proxy")
+		}()
 		after := time.Since(before)
 
 		user := ""

internal/outpost/proxyv2/application/oauth.go

@@ -3,6 +3,7 @@ package application
 import (
 	"encoding/base64"
 	"net/http"
+	"time"
 
 	"github.com/gorilla/securecookie"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
@@ -16,6 +17,13 @@ func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		a.log.WithError(err).Warning("failed to save session")
 	}
+	if loop, ok := s.Values[constants.SessionLoopDetection]; ok {
+		if loop.(int) > 10 {
+			rw.WriteHeader(http.StatusBadRequest)
+			a.ErrorPage(rw, r, "Detected redirect loop, make sure /akprox is accessible without authentication.")
+			return
+		}
+	}
 	http.Redirect(rw, r, a.oauthConfig.AuthCodeURL(state), http.StatusFound)
 }
 
@@ -42,7 +50,7 @@ func (a *Application) handleCallback(rw http.ResponseWriter, r *http.Request) {
 		}
 		return
 	}
-	s.Options.MaxAge = claims.Exp / 1000
+	s.Options.MaxAge = int(time.Until(time.Unix(int64(claims.Exp), 0)).Seconds())
 	s.Values[constants.SessionClaims] = &claims
 	err = s.Save(r, rw)
 	if err != nil {

internal/outpost/proxyv2/application/session.go

@@ -23,7 +23,9 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store {
 		if p.TokenValidity.IsSet() {
 			t := p.TokenValidity.Get()
 			// Add one to the validity to ensure we don't have a session with indefinite length
-			rs.Options.MaxAge = int(*t) + 1
+			rs.SetMaxAge(int(*t) + 1)
+		} else {
+			rs.SetMaxAge(0)
 		}
 		rs.Options.Domain = *p.CookieDomain
 		a.log.Info("using redis session backend")
@@ -31,7 +33,6 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store {
 	} else {
 		dir := os.TempDir()
 		cs := sessions.NewFilesystemStore(dir, []byte(*p.CookieSecret))
-		cs.Options.Domain = *p.CookieDomain
 		// https://github.com/markbates/goth/commit/7276be0fdf719ddff753f3574ef0f967e4a5a5f7
 		// set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:
 		// securecookie: the value is too long
@@ -42,8 +43,11 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store {
 		if p.TokenValidity.IsSet() {
 			t := p.TokenValidity.Get()
 			// Add one to the validity to ensure we don't have a session with indefinite length
-			cs.Options.MaxAge = int(*t) + 1
+			cs.MaxAge(int(*t) + 1)
+		} else {
+			cs.MaxAge(0)
 		}
+		cs.Options.Domain = *p.CookieDomain
 		a.log.WithField("dir", dir).Info("using filesystem session backend")
 		store = cs
 	}

internal/outpost/proxyv2/constants/constants.go

@@ -6,3 +6,4 @@ const SessionOAuthState = "oauth_state"
 const SessionClaims = "claims"
 
 const SessionRedirect = "redirect"
+const SessionLoopDetection = "loop_detection"

internal/outpost/proxyv2/handlers.go

@@ -48,6 +48,10 @@ func (ps *ProxyServer) Handle(rw http.ResponseWriter, r *http.Request) {
 		ps.HandleStatic(rw, r)
 		return
 	}
+	if strings.HasPrefix(r.URL.Path, "/akprox/ping") {
+		ps.HandlePing(rw, r)
+		return
+	}
 	host := web.GetHost(r)
 	a, ok := ps.apps[host]
 	if !ok {

internal/outpost/proxyv2/proxyv2.go

@@ -66,6 +66,7 @@ func NewProxyServer(ac *ak.APIController, portOffset int) *ProxyServer {
 		defaultCert: defaultCert,
 	}
 	globalMux.PathPrefix("/akprox/static").HandlerFunc(s.HandleStatic)
+	globalMux.Path("/akprox/ping").HandlerFunc(s.HandlePing)
 	rootMux.PathPrefix("/").HandlerFunc(s.Handle)
 	return s
 }

internal/outpost/proxyv2/templates/templates.go

@@ -10,7 +10,7 @@ import (
 var ErrorTemplate string
 
 func GetTemplates() *template.Template {
-	t, err := template.New("foo").Parse(ErrorTemplate)
+	t, err := template.New("authentik.outpost.proxy.errors").Parse(ErrorTemplate)
 	if err != nil {
 		log.Fatalf("failed parsing template %s", err)
 	}

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2021.12.2
+  version: 2021.12.3
   description: Making authentication simple.
   contact:
     email: hello@beryju.org
@@ -5723,6 +5723,14 @@ paths:
       operationId: outposts_instances_list
       description: Outpost Viewset
       parameters:
+      - in: query
+        name: managed__icontains
+        schema:
+          type: string
+      - in: query
+        name: managed__iexact
+        schema:
+          type: string
       - in: query
         name: name__icontains
         schema:
@@ -5931,6 +5939,14 @@ paths:
       operationId: outposts_instances_health_list
       description: Get outposts current health
       parameters:
+      - in: query
+        name: managed__icontains
+        schema:
+          type: string
+      - in: query
+        name: managed__iexact
+        schema:
+          type: string
       - in: query
         name: name__icontains
         schema:

web/package-lock.json

@@ -15,7 +15,7 @@
                 "@babel/preset-env": "^7.16.5",
                 "@babel/preset-typescript": "^7.16.5",
                 "@fortawesome/fontawesome-free": "^5.15.4",
-                "@goauthentik/api": "^2021.12.1-1639840580",
+                "@goauthentik/api": "^2021.12.2-1639916912",
                 "@jackfranklin/rollup-plugin-markdown": "^0.3.0",
                 "@lingui/cli": "^3.13.0",
                 "@lingui/core": "^3.13.0",
@@ -36,16 +36,16 @@
                 "@types/chart.js": "^2.9.34",
                 "@types/codemirror": "5.60.5",
                 "@types/grecaptcha": "^3.0.3",
-                "@typescript-eslint/eslint-plugin": "^5.7.0",
-                "@typescript-eslint/parser": "^5.7.0",
+                "@typescript-eslint/eslint-plugin": "^5.8.0",
+                "@typescript-eslint/parser": "^5.8.0",
                 "@webcomponents/webcomponentsjs": "^2.6.0",
                 "babel-plugin-macros": "^3.1.0",
                 "base64-js": "^1.5.1",
                 "chart.js": "^3.6.2",
                 "chartjs-adapter-moment": "^1.0.0",
-                "codemirror": "^5.64.0",
+                "codemirror": "^5.65.0",
                 "construct-style-sheets-polyfill": "^3.0.5",
-                "eslint": "^8.4.1",
+                "eslint": "^8.5.0",
                 "eslint-config-google": "^0.14.0",
                 "eslint-plugin-custom-elements": "0.0.4",
                 "eslint-plugin-lit": "^1.6.1",
@@ -1723,9 +1723,9 @@
             }
         },
         "node_modules/@goauthentik/api": {
-            "version": "2021.12.1-1639840580",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.12.1-1639840580.tgz",
-            "integrity": "sha512-6fWh4w1k2zmtN17FKKTBbN5LUY9U4KqUy0AdhYXAJCpnuKvPPgtQWLUWVLGT2M633slFWsxMcPYZOj1vKZdWFg=="
+            "version": "2021.12.2-1639916912",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.12.2-1639916912.tgz",
+            "integrity": "sha512-yNDcPNABLI9OgiRfdnTCaXjRq/hgii8M5EeBsTm0XVKNYFN2ofwZsVNJfHYiuy9cqW3UdX+063WGmpkJSMS3zQ=="
         },
         "node_modules/@humanwhocodes/config-array": {
             "version": "0.9.2",
@@ -2796,12 +2796,12 @@
             "integrity": "sha512-7tFImggNeNBVMsn0vLrpn1H1uPrUBdnARPTpZoitY37ZrdJREzf7I16tMrlK3hen349gr1NYh8CmZQa7CTG6Aw=="
         },
         "node_modules/@typescript-eslint/eslint-plugin": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.7.0.tgz",
-            "integrity": "sha512-8RTGBpNn5a9M628wBPrCbJ+v3YTEOE2qeZb7TDkGKTDXSj36KGRg92SpFFaR/0S3rSXQxM0Og/kV9EyadsYSBg==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.8.0.tgz",
+            "integrity": "sha512-spu1UW7QuBn0nJ6+psnfCc3iVoQAifjKORgBngKOmC8U/1tbe2YJMzYQqDGYB4JCss7L8+RM2kKLb1B1Aw9BNA==",
             "dependencies": {
-                "@typescript-eslint/experimental-utils": "5.7.0",
-                "@typescript-eslint/scope-manager": "5.7.0",
+                "@typescript-eslint/experimental-utils": "5.8.0",
+                "@typescript-eslint/scope-manager": "5.8.0",
                 "debug": "^4.3.2",
                 "functional-red-black-tree": "^1.0.1",
                 "ignore": "^5.1.8",
@@ -2849,14 +2849,14 @@
             }
         },
         "node_modules/@typescript-eslint/experimental-utils": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/experimental-utils/-/experimental-utils-5.7.0.tgz",
-            "integrity": "sha512-u57eZ5FbEpzN5kSjmVrSesovWslH2ZyNPnaXQMXWgH57d5+EVHEt76W75vVuI9qKZ5BMDKNfRN+pxcPEjQjb2A==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/experimental-utils/-/experimental-utils-5.8.0.tgz",
+            "integrity": "sha512-KN5FvNH71bhZ8fKtL+lhW7bjm7cxs1nt+hrDZWIqb6ViCffQcWyLunGrgvISgkRojIDcXIsH+xlFfI4RCDA0xA==",
             "dependencies": {
                 "@types/json-schema": "^7.0.9",
-                "@typescript-eslint/scope-manager": "5.7.0",
-                "@typescript-eslint/types": "5.7.0",
-                "@typescript-eslint/typescript-estree": "5.7.0",
+                "@typescript-eslint/scope-manager": "5.8.0",
+                "@typescript-eslint/types": "5.8.0",
+                "@typescript-eslint/typescript-estree": "5.8.0",
                 "eslint-scope": "^5.1.1",
                 "eslint-utils": "^3.0.0"
             },
@@ -2868,17 +2868,17 @@
                 "url": "https://opencollective.com/typescript-eslint"
             },
             "peerDependencies": {
-                "eslint": "*"
+                "eslint": "^6.0.0 || ^7.0.0 || ^8.0.0"
             }
         },
         "node_modules/@typescript-eslint/parser": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.7.0.tgz",
-            "integrity": "sha512-m/gWCCcS4jXw6vkrPQ1BjZ1vomP01PArgzvauBqzsoZ3urLbsRChexB8/YV8z9HwE3qlJM35FxfKZ1nfP/4x8g==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.8.0.tgz",
+            "integrity": "sha512-Gleacp/ZhRtJRYs5/T8KQR3pAQjQI89Dn/k+OzyCKOsLiZH2/Vh60cFBTnFsHNI6WAD+lNUo/xGZ4NeA5u0Ipw==",
             "dependencies": {
-                "@typescript-eslint/scope-manager": "5.7.0",
-                "@typescript-eslint/types": "5.7.0",
-                "@typescript-eslint/typescript-estree": "5.7.0",
+                "@typescript-eslint/scope-manager": "5.8.0",
+                "@typescript-eslint/types": "5.8.0",
+                "@typescript-eslint/typescript-estree": "5.8.0",
                 "debug": "^4.3.2"
             },
             "engines": {
@@ -2898,12 +2898,12 @@
             }
         },
         "node_modules/@typescript-eslint/scope-manager": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.7.0.tgz",
-            "integrity": "sha512-7mxR520DGq5F7sSSgM0HSSMJ+TFUymOeFRMfUfGFAVBv8BR+Jv1vHgAouYUvWRZeszVBJlLcc9fDdktxb5kmxA==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.8.0.tgz",
+            "integrity": "sha512-x82CYJsLOjPCDuFFEbS6e7K1QEWj7u5Wk1alw8A+gnJiYwNnDJk0ib6PCegbaPMjrfBvFKa7SxE3EOnnIQz2Gg==",
             "dependencies": {
-                "@typescript-eslint/types": "5.7.0",
-                "@typescript-eslint/visitor-keys": "5.7.0"
+                "@typescript-eslint/types": "5.8.0",
+                "@typescript-eslint/visitor-keys": "5.8.0"
             },
             "engines": {
                 "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -2914,9 +2914,9 @@
             }
         },
         "node_modules/@typescript-eslint/types": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.7.0.tgz",
-            "integrity": "sha512-5AeYIF5p2kAneIpnLFve8g50VyAjq7udM7ApZZ9JYjdPjkz0LvODfuSHIDUVnIuUoxafoWzpFyU7Sqbxgi79mA==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.8.0.tgz",
+            "integrity": "sha512-LdCYOqeqZWqCMOmwFnum6YfW9F3nKuxJiR84CdIRN5nfHJ7gyvGpXWqL/AaW0k3Po0+wm93ARAsOdzlZDPCcXg==",
             "engines": {
                 "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
             },
@@ -2926,12 +2926,12 @@
             }
         },
         "node_modules/@typescript-eslint/typescript-estree": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.7.0.tgz",
-            "integrity": "sha512-aO1Ql+izMrTnPj5aFFlEJkpD4jRqC4Gwhygu2oHK2wfVQpmOPbyDSveJ+r/NQo+PWV43M6uEAeLVbTi09dFLhg==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.8.0.tgz",
+            "integrity": "sha512-srfeZ3URdEcUsSLbkOFqS7WoxOqn8JNil2NSLO9O+I2/Uyc85+UlfpEvQHIpj5dVts7KKOZnftoJD/Fdv0L7nQ==",
             "dependencies": {
-                "@typescript-eslint/types": "5.7.0",
-                "@typescript-eslint/visitor-keys": "5.7.0",
+                "@typescript-eslint/types": "5.8.0",
+                "@typescript-eslint/visitor-keys": "5.8.0",
                 "debug": "^4.3.2",
                 "globby": "^11.0.4",
                 "is-glob": "^4.0.3",
@@ -2966,11 +2966,11 @@
             }
         },
         "node_modules/@typescript-eslint/visitor-keys": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.7.0.tgz",
-            "integrity": "sha512-hdohahZ4lTFcglZSJ3DGdzxQHBSxsLVqHzkiOmKi7xVAWC4y2c1bIMKmPJSrA4aOEoRUPOKQ87Y/taC7yVHpFg==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.8.0.tgz",
+            "integrity": "sha512-+HDIGOEMnqbxdAHegxvnOqESUH6RWFRR2b8qxP1W9CZnnYh4Usz6MBL+2KMAgPk/P0o9c1HqnYtwzVH6GTIqug==",
             "dependencies": {
-                "@typescript-eslint/types": "5.7.0",
+                "@typescript-eslint/types": "5.8.0",
                 "eslint-visitor-keys": "^3.0.0"
             },
             "engines": {
@@ -3699,9 +3699,9 @@
             }
         },
         "node_modules/codemirror": {
-            "version": "5.64.0",
-            "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.64.0.tgz",
-            "integrity": "sha512-fqr6CtDQdJ6iNMbD8NX2gH2G876nNDk+TO1rrYkgWnqQdO3O1Xa9tK6q+psqhJJgE5SpbaDcgdfLmukoUVE8pg=="
+            "version": "5.65.0",
+            "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.65.0.tgz",
+            "integrity": "sha512-gWEnHKEcz1Hyz7fsQWpK7P0sPI2/kSkRX2tc7DFA6TmZuDN75x/1ejnH/Pn8adYKrLEA1V2ww6L00GudHZbSKw=="
         },
         "node_modules/collection-visit": {
             "version": "1.0.0",
@@ -4053,9 +4053,9 @@
             }
         },
         "node_modules/eslint": {
-            "version": "8.4.1",
-            "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.4.1.tgz",
-            "integrity": "sha512-TxU/p7LB1KxQ6+7aztTnO7K0i+h0tDi81YRY9VzB6Id71kNz+fFYnf5HD5UOQmxkzcoa0TlVZf9dpMtUv0GpWg==",
+            "version": "8.5.0",
+            "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.5.0.tgz",
+            "integrity": "sha512-tVGSkgNbOfiHyVte8bCM8OmX+xG9PzVG/B4UCF60zx7j61WIVY/AqJECDgpLD4DbbESD0e174gOg3ZlrX15GDg==",
             "dependencies": {
                 "@eslint/eslintrc": "^1.0.5",
                 "@humanwhocodes/config-array": "^0.9.2",
@@ -9925,9 +9925,9 @@
             "integrity": "sha512-eYm8vijH/hpzr/6/1CJ/V/Eb1xQFW2nnUKArb3z+yUWv7HTwj6M7SP957oMjfZjAHU6qpoNc2wQvIxBLWYa/Jg=="
         },
         "@goauthentik/api": {
-            "version": "2021.12.1-1639840580",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.12.1-1639840580.tgz",
-            "integrity": "sha512-6fWh4w1k2zmtN17FKKTBbN5LUY9U4KqUy0AdhYXAJCpnuKvPPgtQWLUWVLGT2M633slFWsxMcPYZOj1vKZdWFg=="
+            "version": "2021.12.2-1639916912",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2021.12.2-1639916912.tgz",
+            "integrity": "sha512-yNDcPNABLI9OgiRfdnTCaXjRq/hgii8M5EeBsTm0XVKNYFN2ofwZsVNJfHYiuy9cqW3UdX+063WGmpkJSMS3zQ=="
         },
         "@humanwhocodes/config-array": {
             "version": "0.9.2",
@@ -10820,12 +10820,12 @@
             "integrity": "sha512-7tFImggNeNBVMsn0vLrpn1H1uPrUBdnARPTpZoitY37ZrdJREzf7I16tMrlK3hen349gr1NYh8CmZQa7CTG6Aw=="
         },
         "@typescript-eslint/eslint-plugin": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.7.0.tgz",
-            "integrity": "sha512-8RTGBpNn5a9M628wBPrCbJ+v3YTEOE2qeZb7TDkGKTDXSj36KGRg92SpFFaR/0S3rSXQxM0Og/kV9EyadsYSBg==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-5.8.0.tgz",
+            "integrity": "sha512-spu1UW7QuBn0nJ6+psnfCc3iVoQAifjKORgBngKOmC8U/1tbe2YJMzYQqDGYB4JCss7L8+RM2kKLb1B1Aw9BNA==",
             "requires": {
-                "@typescript-eslint/experimental-utils": "5.7.0",
-                "@typescript-eslint/scope-manager": "5.7.0",
+                "@typescript-eslint/experimental-utils": "5.8.0",
+                "@typescript-eslint/scope-manager": "5.8.0",
                 "debug": "^4.3.2",
                 "functional-red-black-tree": "^1.0.1",
                 "ignore": "^5.1.8",
@@ -10850,50 +10850,50 @@
             }
         },
         "@typescript-eslint/experimental-utils": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/experimental-utils/-/experimental-utils-5.7.0.tgz",
-            "integrity": "sha512-u57eZ5FbEpzN5kSjmVrSesovWslH2ZyNPnaXQMXWgH57d5+EVHEt76W75vVuI9qKZ5BMDKNfRN+pxcPEjQjb2A==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/experimental-utils/-/experimental-utils-5.8.0.tgz",
+            "integrity": "sha512-KN5FvNH71bhZ8fKtL+lhW7bjm7cxs1nt+hrDZWIqb6ViCffQcWyLunGrgvISgkRojIDcXIsH+xlFfI4RCDA0xA==",
             "requires": {
                 "@types/json-schema": "^7.0.9",
-                "@typescript-eslint/scope-manager": "5.7.0",
-                "@typescript-eslint/types": "5.7.0",
-                "@typescript-eslint/typescript-estree": "5.7.0",
+                "@typescript-eslint/scope-manager": "5.8.0",
+                "@typescript-eslint/types": "5.8.0",
+                "@typescript-eslint/typescript-estree": "5.8.0",
                 "eslint-scope": "^5.1.1",
                 "eslint-utils": "^3.0.0"
             }
         },
         "@typescript-eslint/parser": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.7.0.tgz",
-            "integrity": "sha512-m/gWCCcS4jXw6vkrPQ1BjZ1vomP01PArgzvauBqzsoZ3urLbsRChexB8/YV8z9HwE3qlJM35FxfKZ1nfP/4x8g==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-5.8.0.tgz",
+            "integrity": "sha512-Gleacp/ZhRtJRYs5/T8KQR3pAQjQI89Dn/k+OzyCKOsLiZH2/Vh60cFBTnFsHNI6WAD+lNUo/xGZ4NeA5u0Ipw==",
             "requires": {
-                "@typescript-eslint/scope-manager": "5.7.0",
-                "@typescript-eslint/types": "5.7.0",
-                "@typescript-eslint/typescript-estree": "5.7.0",
+                "@typescript-eslint/scope-manager": "5.8.0",
+                "@typescript-eslint/types": "5.8.0",
+                "@typescript-eslint/typescript-estree": "5.8.0",
                 "debug": "^4.3.2"
             }
         },
         "@typescript-eslint/scope-manager": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.7.0.tgz",
-            "integrity": "sha512-7mxR520DGq5F7sSSgM0HSSMJ+TFUymOeFRMfUfGFAVBv8BR+Jv1vHgAouYUvWRZeszVBJlLcc9fDdktxb5kmxA==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-5.8.0.tgz",
+            "integrity": "sha512-x82CYJsLOjPCDuFFEbS6e7K1QEWj7u5Wk1alw8A+gnJiYwNnDJk0ib6PCegbaPMjrfBvFKa7SxE3EOnnIQz2Gg==",
             "requires": {
-                "@typescript-eslint/types": "5.7.0",
-                "@typescript-eslint/visitor-keys": "5.7.0"
+                "@typescript-eslint/types": "5.8.0",
+                "@typescript-eslint/visitor-keys": "5.8.0"
             }
         },
         "@typescript-eslint/types": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.7.0.tgz",
-            "integrity": "sha512-5AeYIF5p2kAneIpnLFve8g50VyAjq7udM7ApZZ9JYjdPjkz0LvODfuSHIDUVnIuUoxafoWzpFyU7Sqbxgi79mA=="
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-5.8.0.tgz",
+            "integrity": "sha512-LdCYOqeqZWqCMOmwFnum6YfW9F3nKuxJiR84CdIRN5nfHJ7gyvGpXWqL/AaW0k3Po0+wm93ARAsOdzlZDPCcXg=="
         },
         "@typescript-eslint/typescript-estree": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.7.0.tgz",
-            "integrity": "sha512-aO1Ql+izMrTnPj5aFFlEJkpD4jRqC4Gwhygu2oHK2wfVQpmOPbyDSveJ+r/NQo+PWV43M6uEAeLVbTi09dFLhg==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-5.8.0.tgz",
+            "integrity": "sha512-srfeZ3URdEcUsSLbkOFqS7WoxOqn8JNil2NSLO9O+I2/Uyc85+UlfpEvQHIpj5dVts7KKOZnftoJD/Fdv0L7nQ==",
             "requires": {
-                "@typescript-eslint/types": "5.7.0",
-                "@typescript-eslint/visitor-keys": "5.7.0",
+                "@typescript-eslint/types": "5.8.0",
+                "@typescript-eslint/visitor-keys": "5.8.0",
                 "debug": "^4.3.2",
                 "globby": "^11.0.4",
                 "is-glob": "^4.0.3",
@@ -10912,11 +10912,11 @@
             }
         },
         "@typescript-eslint/visitor-keys": {
-            "version": "5.7.0",
-            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.7.0.tgz",
-            "integrity": "sha512-hdohahZ4lTFcglZSJ3DGdzxQHBSxsLVqHzkiOmKi7xVAWC4y2c1bIMKmPJSrA4aOEoRUPOKQ87Y/taC7yVHpFg==",
+            "version": "5.8.0",
+            "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-5.8.0.tgz",
+            "integrity": "sha512-+HDIGOEMnqbxdAHegxvnOqESUH6RWFRR2b8qxP1W9CZnnYh4Usz6MBL+2KMAgPk/P0o9c1HqnYtwzVH6GTIqug==",
             "requires": {
-                "@typescript-eslint/types": "5.7.0",
+                "@typescript-eslint/types": "5.8.0",
                 "eslint-visitor-keys": "^3.0.0"
             },
             "dependencies": {
@@ -11430,9 +11430,9 @@
             "integrity": "sha1-2jCcwmPfFZlMaIypAheco8fNfH4="
         },
         "codemirror": {
-            "version": "5.64.0",
-            "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.64.0.tgz",
-            "integrity": "sha512-fqr6CtDQdJ6iNMbD8NX2gH2G876nNDk+TO1rrYkgWnqQdO3O1Xa9tK6q+psqhJJgE5SpbaDcgdfLmukoUVE8pg=="
+            "version": "5.65.0",
+            "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.65.0.tgz",
+            "integrity": "sha512-gWEnHKEcz1Hyz7fsQWpK7P0sPI2/kSkRX2tc7DFA6TmZuDN75x/1ejnH/Pn8adYKrLEA1V2ww6L00GudHZbSKw=="
         },
         "collection-visit": {
             "version": "1.0.0",
@@ -11696,9 +11696,9 @@
             "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ="
         },
         "eslint": {
-            "version": "8.4.1",
-            "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.4.1.tgz",
-            "integrity": "sha512-TxU/p7LB1KxQ6+7aztTnO7K0i+h0tDi81YRY9VzB6Id71kNz+fFYnf5HD5UOQmxkzcoa0TlVZf9dpMtUv0GpWg==",
+            "version": "8.5.0",
+            "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.5.0.tgz",
+            "integrity": "sha512-tVGSkgNbOfiHyVte8bCM8OmX+xG9PzVG/B4UCF60zx7j61WIVY/AqJECDgpLD4DbbESD0e174gOg3ZlrX15GDg==",
             "requires": {
                 "@eslint/eslintrc": "^1.0.5",
                 "@humanwhocodes/config-array": "^0.9.2",

web/package.json

@@ -51,7 +51,7 @@
         "@babel/preset-env": "^7.16.5",
         "@babel/preset-typescript": "^7.16.5",
         "@fortawesome/fontawesome-free": "^5.15.4",
-        "@goauthentik/api": "^2021.12.1-1639840580",
+        "@goauthentik/api": "^2021.12.2-1639916912",
         "@jackfranklin/rollup-plugin-markdown": "^0.3.0",
         "@lingui/cli": "^3.13.0",
         "@lingui/core": "^3.13.0",
@@ -72,16 +72,16 @@
         "@types/chart.js": "^2.9.34",
         "@types/codemirror": "5.60.5",
         "@types/grecaptcha": "^3.0.3",
-        "@typescript-eslint/eslint-plugin": "^5.7.0",
-        "@typescript-eslint/parser": "^5.7.0",
+        "@typescript-eslint/eslint-plugin": "^5.8.0",
+        "@typescript-eslint/parser": "^5.8.0",
         "@webcomponents/webcomponentsjs": "^2.6.0",
         "babel-plugin-macros": "^3.1.0",
         "base64-js": "^1.5.1",
         "chart.js": "^3.6.2",
         "chartjs-adapter-moment": "^1.0.0",
-        "codemirror": "^5.64.0",
+        "codemirror": "^5.65.0",
         "construct-style-sheets-polyfill": "^3.0.5",
-        "eslint": "^8.4.1",
+        "eslint": "^8.5.0",
         "eslint-config-google": "^0.14.0",
         "eslint-plugin-custom-elements": "0.0.4",
         "eslint-plugin-lit": "^1.6.1",

web/src/api/Plex.ts

@@ -1,3 +1,4 @@
+import { SentryIgnoredError } from "../common/errors";
 import { VERSION } from "../constants";
 
 export interface PlexPinResponse {
@@ -73,7 +74,7 @@ export class PlexAPIClient {
             headers: headers,
         });
         if (pinResponse.status > 200) {
-            throw new Error("Invalid response code")
+            throw new SentryIgnoredError("Invalid response code")
         }
         const pin: PlexPinResponse = await pinResponse.json();
         console.debug(`authentik/plex: polling Pin`);

web/src/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2021.12.2";
+export const VERSION = "2021.12.3";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/elements/messages/MessageContainer.ts

@@ -4,6 +4,7 @@ import { customElement, property } from "lit/decorators.js";
 import PFAlertGroup from "@patternfly/patternfly/components/AlertGroup/alert-group.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
+import { SentryIgnoredError } from "../../common/errors";
 import { WSMessage } from "../../common/ws";
 import { EVENT_WS_MESSAGE, WS_MSG_TYPE_MESSAGE } from "../../constants";
 import "./Message";
@@ -12,7 +13,7 @@ import { APIMessage } from "./Message";
 export function showMessage(message: APIMessage, unique = false): void {
     const container = document.querySelector<MessageContainer>("ak-message-container");
     if (!container) {
-        throw new Error("failed to find message container");
+        throw new SentryIgnoredError("failed to find message container");
     }
     container.addMessage(message, unique);
     container.requestUpdate();

web/src/locales/en.po

@@ -2520,6 +2520,10 @@ msgstr "Keypair which is used to sign outgoing requests. Leave empty to disable
 msgid "Kubeconfig"
 msgstr "Kubeconfig"
 
+#: src/pages/outposts/OutpostListPage.ts
+msgid "LDAP"
+msgstr "LDAP"
+
 #: src/pages/outposts/OutpostForm.ts
 msgid "LDAP (Technical preview)"
 msgstr "LDAP (Technical preview)"
@@ -3199,6 +3203,10 @@ msgstr "OAuth Authorization Codes"
 msgid "OAuth Refresh Codes"
 msgstr "OAuth Refresh Codes"
 
+#: src/pages/admin-overview/cards/SystemStatusCard.ts
+msgid "OK"
+msgstr "OK"
+
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 msgid "Object"
@@ -3642,6 +3650,7 @@ msgid "Providers"
 msgstr "Providers"
 
 #: src/pages/outposts/OutpostForm.ts
+#: src/pages/outposts/OutpostListPage.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts
 msgid "Proxy"
@@ -5201,6 +5210,7 @@ msgstr "Twilio Auth Token"
 
 #: src/pages/flows/BoundStagesList.ts
 #: src/pages/outposts/OutpostForm.ts
+#: src/pages/outposts/OutpostListPage.ts
 #: src/pages/outposts/ServiceConnectionListPage.ts
 #: src/pages/policies/PolicyListPage.ts
 #: src/pages/property-mappings/PropertyMappingListPage.ts

web/src/locales/fr_FR.po

@@ -2500,6 +2500,10 @@ msgstr "Paire de clés utilisée pour signer le requêtes sortantes. Laisser vid
 msgid "Kubeconfig"
 msgstr "Kubeconfig"
 
+#: src/pages/outposts/OutpostListPage.ts
+msgid "LDAP"
+msgstr ""
+
 #: src/pages/outposts/OutpostForm.ts
 msgid "LDAP (Technical preview)"
 msgstr "LDAP (aperçu technique)"
@@ -3175,6 +3179,10 @@ msgstr "Code d'autorisation OAuth"
 msgid "OAuth Refresh Codes"
 msgstr "Code de rafraîchissement OAuth"
 
+#: src/pages/admin-overview/cards/SystemStatusCard.ts
+msgid "OK"
+msgstr ""
+
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 msgid "Object"
@@ -3610,6 +3618,7 @@ msgid "Providers"
 msgstr "Fournisseurs"
 
 #: src/pages/outposts/OutpostForm.ts
+#: src/pages/outposts/OutpostListPage.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts
 msgid "Proxy"
@@ -5142,6 +5151,7 @@ msgstr ""
 
 #: src/pages/flows/BoundStagesList.ts
 #: src/pages/outposts/OutpostForm.ts
+#: src/pages/outposts/OutpostListPage.ts
 #: src/pages/outposts/ServiceConnectionListPage.ts
 #: src/pages/policies/PolicyListPage.ts
 #: src/pages/property-mappings/PropertyMappingListPage.ts

web/src/locales/pseudo-LOCALE.po

@@ -2510,6 +2510,10 @@ msgstr ""
 msgid "Kubeconfig"
 msgstr ""
 
+#: src/pages/outposts/OutpostListPage.ts
+msgid "LDAP"
+msgstr ""
+
 #: src/pages/outposts/OutpostForm.ts
 msgid "LDAP (Technical preview)"
 msgstr ""
@@ -3189,6 +3193,10 @@ msgstr ""
 msgid "OAuth Refresh Codes"
 msgstr ""
 
+#: src/pages/admin-overview/cards/SystemStatusCard.ts
+msgid "OK"
+msgstr ""
+
 #: src/pages/events/EventInfo.ts
 #: src/pages/events/EventInfo.ts
 msgid "Object"
@@ -3632,6 +3640,7 @@ msgid "Providers"
 msgstr ""
 
 #: src/pages/outposts/OutpostForm.ts
+#: src/pages/outposts/OutpostListPage.ts
 #: src/pages/providers/proxy/ProxyProviderForm.ts
 #: src/pages/providers/proxy/ProxyProviderViewPage.ts
 msgid "Proxy"
@@ -5181,6 +5190,7 @@ msgstr ""
 
 #: src/pages/flows/BoundStagesList.ts
 #: src/pages/outposts/OutpostForm.ts
+#: src/pages/outposts/OutpostListPage.ts
 #: src/pages/outposts/ServiceConnectionListPage.ts
 #: src/pages/policies/PolicyListPage.ts
 #: src/pages/property-mappings/PropertyMappingListPage.ts

web/src/pages/admin-overview/cards/SystemStatusCard.ts

@@ -3,7 +3,7 @@ import { t } from "@lingui/macro";
 import { TemplateResult, html } from "lit";
 import { customElement } from "lit/decorators.js";
 
-import { AdminApi, System } from "@goauthentik/api";
+import { AdminApi, OutpostsApi, System } from "@goauthentik/api";
 
 import { DEFAULT_CONFIG } from "../../../api/Config";
 import { AdminStatus, AdminStatusCard } from "./AdminStatusCard";
@@ -12,11 +12,34 @@ import { AdminStatus, AdminStatusCard } from "./AdminStatusCard";
 export class SystemStatusCard extends AdminStatusCard<System> {
     now?: Date;
 
-    header = "OK";
+    header = t`OK`;
 
-    getPrimaryValue(): Promise<System> {
+    async getPrimaryValue(): Promise<System> {
         this.now = new Date();
-        return new AdminApi(DEFAULT_CONFIG).adminSystemRetrieve();
+        let status = await new AdminApi(DEFAULT_CONFIG).adminSystemRetrieve();
+        if (status.embeddedOutpostHost === "") {
+            // First install, ensure the embedded outpost host is set
+            await this.setOutpostHost();
+            status = await new AdminApi(DEFAULT_CONFIG).adminSystemRetrieve();
+        }
+        return status;
+    }
+
+    // Called on fresh installations and whenever the embedded outpost is deleted
+    // automatically send the login URL when the user first visits the admin dashboard.
+    async setOutpostHost(): Promise<void> {
+        const outposts = await new OutpostsApi(DEFAULT_CONFIG).outpostsInstancesList({
+            managedIexact: "goauthentik.io/outposts/embedded",
+        });
+        if (outposts.results.length < 1) {
+            return;
+        }
+        const outpost = outposts.results[0];
+        outpost.config["authentik_host"] = window.location.origin;
+        await new OutpostsApi(DEFAULT_CONFIG).outpostsInstancesUpdate({
+            uuid: outpost.pk,
+            outpostRequest: outpost,
+        });
     }
 
     getStatus(value: System): Promise<AdminStatus> {

web/src/pages/flows/FlowImportForm.ts

@@ -6,6 +6,7 @@ import { customElement } from "lit/decorators.js";
 import { Flow, FlowsApi } from "@goauthentik/api";
 
 import { DEFAULT_CONFIG } from "../../api/Config";
+import { SentryIgnoredError } from "../../common/errors";
 import { Form } from "../../elements/forms/Form";
 import "../../elements/forms/HorizontalFormElement";
 
@@ -19,7 +20,7 @@ export class FlowImportForm extends Form<Flow> {
     send = (data: Flow): Promise<void> => {
         const file = this.getFormFile();
         if (!file) {
-            throw new Error("No form data");
+            throw new SentryIgnoredError("No form data");
         }
         return new FlowsApi(DEFAULT_CONFIG).flowsInstancesImportFlowCreate({
             file: file,

web/src/pages/outposts/OutpostHealth.ts

@@ -1,6 +1,6 @@
 import { t } from "@lingui/macro";
 
-import { CSSResult, LitElement, TemplateResult, html } from "lit";
+import { CSSResult, LitElement, TemplateResult, css, html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 
 import AKGlobal from "../../authentik.css";
@@ -17,7 +17,15 @@ export class OutpostHealthElement extends LitElement {
     outpostHealth?: OutpostHealth;
 
     static get styles(): CSSResult[] {
-        return [PFBase, AKGlobal];
+        return [
+            PFBase,
+            AKGlobal,
+            css`
+                li {
+                    margin: 5px 0;
+                }
+            `,
+        ];
     }
 
     render(): TemplateResult {
@@ -25,12 +33,12 @@ export class OutpostHealthElement extends LitElement {
             return html`<ak-spinner></ak-spinner>`;
         }
         return html` <ul>
-            <li role="cell">
+            <li>
                 <ak-label color=${PFColor.Green}>
                     ${t`Last seen: ${this.outpostHealth.lastSeen?.toLocaleTimeString()}`}
                 </ak-label>
             </li>
-            <li role="cell">
+            <li>
                 ${this.outpostHealth.versionOutdated
                     ? html`<ak-label color=${PFColor.Red}
                           >${t`${this.outpostHealth.version}, should be ${this.outpostHealth.versionShould}`}

web/src/pages/outposts/OutpostListPage.ts

@@ -8,7 +8,7 @@ import { until } from "lit/directives/until.js";
 
 import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
 
-import { Outpost, OutpostsApi } from "@goauthentik/api";
+import { Outpost, OutpostTypeEnum, OutpostsApi } from "@goauthentik/api";
 
 import { AKResponse } from "../../api/Client";
 import { DEFAULT_CONFIG } from "../../api/Config";
@@ -24,6 +24,16 @@ import "./OutpostForm";
 import "./OutpostHealth";
 import "./OutpostHealthSimple";
 
+export function TypeToLabel(type?: OutpostTypeEnum): string {
+    if (!type) return "";
+    switch (type) {
+        case OutpostTypeEnum.Proxy:
+            return t`Proxy`;
+        case OutpostTypeEnum.Ldap:
+            return t`LDAP`;
+    }
+}
+
 @customElement("ak-outpost-list")
 export class OutpostListPage extends TablePage<Outpost> {
     expandable = true;
@@ -51,6 +61,7 @@ export class OutpostListPage extends TablePage<Outpost> {
     columns(): TableColumn[] {
         return [
             new TableColumn(t`Name`, "name"),
+            new TableColumn(t`Type`, "type"),
             new TableColumn(t`Providers`),
             new TableColumn(t`Integration`, "service_connection__name"),
             new TableColumn(t`Health and Version`),
@@ -79,6 +90,7 @@ export class OutpostListPage extends TablePage<Outpost> {
                     : html`<i class="pf-icon pf-icon-ok"></i>
                           <small> ${t`Logging in via ${item.config.authentik_host}.`} </small>`}
             </div>`,
+            html`${TypeToLabel(item.type)}`,
             html`<ul>
                 ${item.providersObj?.map((p) => {
                     return html`<li>

web/src/pages/providers/saml/SAMLProviderImportForm.ts

@@ -12,6 +12,7 @@ import {
 } from "@goauthentik/api";
 
 import { DEFAULT_CONFIG } from "../../../api/Config";
+import { SentryIgnoredError } from "../../../common/errors";
 import { Form } from "../../../elements/forms/Form";
 import "../../../elements/forms/HorizontalFormElement";
 
@@ -25,7 +26,7 @@ export class SAMLProviderImportForm extends Form<SAMLProvider> {
     send = (data: SAMLProvider): Promise<void> => {
         const file = this.getFormFile();
         if (!file) {
-            throw new Error("No form data");
+            throw new SentryIgnoredError("No form data");
         }
         return new ProvidersApi(DEFAULT_CONFIG).providersSamlImportMetadataCreate({
             file: file,

web/src/pages/sources/ldap/LDAPSourceForm.ts

@@ -160,11 +160,8 @@ export class LDAPSourceForm extends ModelForm<LDAPSource, string> {
                                     })
                                     .then((keys) => {
                                         return keys.results.map((key) => {
-                                            let selected =
+                                            const selected =
                                                 this.instance?.peerCertificate === key.pk;
-                                            if (keys.results.length === 1) {
-                                                selected = true;
-                                            }
                                             return html`<option
                                                 value=${ifDefined(key.pk)}
                                                 ?selected=${selected}

web/src/utils.ts

@@ -2,6 +2,7 @@ import { t } from "@lingui/macro";
 
 import { TemplateResult, html } from "lit";
 
+import { SentryIgnoredError } from "./common/errors";
 import "./elements/EmptyState";
 
 export function getCookie(name: string): string {
@@ -73,7 +74,7 @@ export function first<T>(...args: Array<T | undefined | null>): T {
             return element;
         }
     }
-    throw new Error(`No compatible arg given: ${args}`);
+    throw new SentryIgnoredError(`No compatible arg given: ${args}`);
 }
 
 export function hexEncode(buf: Uint8Array): string {

website/developer-docs/setup/frontend-only-dev-environment.md

@@ -17,9 +17,9 @@ If you want to only make changes on the UI, you don't need a backend running fro
 3. Add the following entry to your `.env` file:
 
     ```
-    AUTHENTIK_IMAGE=goauthentik.io/dev-server
+    AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
     AUTHENTIK_TAG=gh-next
-    AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=goauthentik.io/dev-%(type)s:gh-next
+    AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-next
     AUTHENTIK_LOG_LEVEL=debug
     ```
 

website/docs/installation/beta.mdx

@@ -17,9 +17,9 @@ import TabItem from '@theme/TabItem';
 Add the following block to your `.env` file:
 
 ```shell
-AUTHENTIK_IMAGE=goauthentik.io/dev-server
+AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
 AUTHENTIK_TAG=gh-next
-AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=goauthentik.io/dev-%(type)s:gh-next
+AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-next
 ```
 
 Afterwards, run the upgrade commands from the latest releasae notes.
@@ -30,9 +30,9 @@ Add the following block to your `values.yml` file:
 ```yaml
 authentik:
   outposts:
-    container_image_base: goauthentik.io/dev-%(type)s:gh-%(build_hash)s
+    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
 image:
-  repository: goauthentik.io/dev-server
+  repository: ghcr.io/goauthentik/dev-server
   tag: gh-next
   # pullPolicy: Always to ensure you always get the latest version
   pullPolicy: Always

website/docs/installation/configuration.md

@@ -62,6 +62,9 @@ Secret key used for cookie signing and unique user IDs, don't change this after
 ### AUTHENTIK_LOG_LEVEL
 
 Log level for the server and worker containers. Possible values: debug, info, warning, error
+
+Starting with 2021.12.3, you can also set the log level to *trace*. This has no affect on the core authentik server, but shows additional messages for the embedded outpost.
+
 Defaults to `info`.
 
 ### AUTHENTIK_COOKIE_DOMAIN
@@ -133,7 +136,7 @@ Disable the inbuilt update-checker. Defaults to `false`.
    - `%(version)s`: Current version; 2021.4.1
    - `%(build_hash)s`: Build hash if you're running a beta version
 
-  Placeholder for outpost docker images. Default: `goauthentik.io/%(type)s:%(version)s`.
+  Placeholder for outpost docker images. Default: `ghcr.io/goauthentik/%(type)s:%(version)s`.
 
 ### AUTHENTIK_AVATARS
 

website/docs/installation/docker-compose.md

@@ -14,7 +14,7 @@ This installation method is for test-setups and small-scale productive setups.
 
 Download the latest `docker-compose.yml` from [here](https://goauthentik.io/docker-compose.yml). Place it in a directory of your choice.
 
-To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.12.2 >> .env`
+To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.12.3 >> .env`
 
 If this is a fresh authentik install run the following commands to generate a password:
 

website/docs/outposts/index.md

@@ -26,6 +26,7 @@ Outposts fetch their configuration from authentik. Below are all the options you
 
 ```yaml
 # Log level that the outpost will set
+# Allowed levels: trace, debug, info, warning, error
 log_level: debug
 ########################################
 # The settings below are only relevant when using a managed outpost

website/docs/outposts/manual-deploy-docker-compose.md

@@ -13,7 +13,7 @@ version: "3.5"
 
 services:
   authentik_proxy:
-    image: goauthentik.io/proxy:2021.12.2
+    image: goauthentik.io/proxy:2021.12.3
     # Optionally specify which networks the container should be
     # might be needed to reach the core authentik server
     # networks:
@@ -40,7 +40,7 @@ version: "3.5"
 
 services:
   authentik_ldap:
-    image: goauthentik.io/ldap:2021.12.2
+    image: goauthentik.io/ldap:2021.12.3
     # Optionally specify which networks the container should be
     # might be needed to reach the core authentik server
     # networks:

website/docs/outposts/manual-deploy-kubernetes.md

@@ -14,7 +14,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.12.2
+    app.kubernetes.io/version: 2021.12.3
   name: authentik-outpost-api
 stringData:
   authentik_host: "__AUTHENTIK_URL__"
@@ -29,7 +29,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.12.2
+    app.kubernetes.io/version: 2021.12.3
   name: authentik-outpost
 spec:
   ports:
@@ -54,7 +54,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.12.2
+    app.kubernetes.io/version: 2021.12.3
   name: authentik-outpost
 spec:
   selector:
@@ -62,14 +62,14 @@ spec:
       app.kubernetes.io/instance: __OUTPOST_NAME__
       app.kubernetes.io/managed-by: goauthentik.io
       app.kubernetes.io/name: authentik-proxy
-      app.kubernetes.io/version: 2021.12.2
+      app.kubernetes.io/version: 2021.12.3
   template:
     metadata:
       labels:
         app.kubernetes.io/instance: __OUTPOST_NAME__
         app.kubernetes.io/managed-by: goauthentik.io
         app.kubernetes.io/name: authentik-proxy
-        app.kubernetes.io/version: 2021.12.2
+        app.kubernetes.io/version: 2021.12.3
     spec:
       containers:
         - env:
@@ -88,7 +88,7 @@ spec:
               secretKeyRef:
                 key: authentik_host_insecure
                 name: authentik-outpost-api
-        image: goauthentik.io/proxy:2021.12.2
+        image: goauthentik.io/proxy:2021.12.3
         name: proxy
         ports:
           - containerPort: 9000
@@ -110,7 +110,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.12.2
+    app.kubernetes.io/version: 2021.12.3
   name: authentik-outpost
 spec:
   rules:

website/docs/providers/proxy/_traefik_compose.md

@@ -34,7 +34,7 @@ services:
       # `authentik-proxy` refers to the service name in the compose file.
       traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
       traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
-      traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^.*$$
+      traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^(Auth|Remote|X).*$$
     restart: unless-stopped
 
   whoami:

website/docs/providers/proxy/_traefik_ingress.md

@@ -9,7 +9,7 @@ spec:
   forwardAuth:
     address: http://outpost.company:9000/akprox/auth/traefik
     trustForwardHeader: true
-    authResponseHeadersRegex: ^.*$
+    authResponseHeadersRegex: ^(Auth|Remote|X).*$
 ```
 
 Add the following settings to your IngressRoute

website/docs/providers/proxy/_traefik_standalone.md

@@ -5,7 +5,7 @@ http:
       forwardAuth:
         address: http://outpost.company:9000/akprox/auth/traefik
         trustForwardHeader: true
-        authResponseHeadersRegex: ^.*$
+        authResponseHeadersRegex: ^(Auth|Remote|X).*$
   routers:
     default-router:
       rule: "Host(`app.company`)"

website/docs/releases/v2021.10.md

@@ -233,6 +233,6 @@ Update your values to use the new images:
 
 ```yaml
 image:
-  repository: goauthentik.io/server
+  repository: ghcr.io/goauthentik/server
   tag: 2021.10.1
 ```

website/docs/releases/v2021.12.md

@@ -177,6 +177,28 @@ This release does not have any headline features, and mostly fixes bugs.
 - web/admin: fix background colour for application sidebar
 - web/elements: fix border between search buttons
 
+## Fixed in 2021.12.3
+
+- *: revert to using GHCR directly
+- core: fix error when getting launch URL for application with non-existent Provider
+- internal: fix sentry sample rate not applying to proxy
+- internal: rework global logging settings, embedded outpost no longer overwrites core
+- outpost: re-run globalSetup when updating config, allowing for live log level changes
+- outposts: handle/ignore http Abort handler
+- outposts/ldap: fix log formatter and level not being set correctly
+- outposts/proxy: add initial redirect-loop prevention
+- outposts/proxy: fix allowlist for forward_auth and traefik
+- outposts/proxy: fix ping URI not being routed
+- outposts/proxy: fix session not expiring correctly due to miscalculation
+- root: allow trace log level to work for core/embedded
+- root: don't set secure cross opener policy
+- root: drop redis cache sentry errors
+- root: fix inconsistent URL quoting of redis URLs
+- web/admin: add outpost type to list
+- web/admin: auto set the embedded outpost's authentik_host on first view
+- web/admin: don't auto-select certificate for LDAP source verification
+- web/admin: fix border for outpost health status
+
 ## Upgrading
 
 This release does not introduce any new requirements.
@@ -191,6 +213,6 @@ Update your values to use the new images:
 
 ```yaml
 image:
-  repository: goauthentik.io/server
+  repository: ghcr.io/goauthentik/server
   tag: 2021.12.1-rc1
 ```

website/docs/releases/v2021.8.md

@@ -151,6 +151,6 @@ Update your values to use the new images:
 
 ```yaml
 image:
-  repository: goauthentik.io/server
+  repository: ghcr.io/goauthentik/server
   tag: 2021.8.5
 ```

website/docs/releases/v2021.9.md

@@ -206,6 +206,6 @@ Update your values to use the new images:
 
 ```yaml
 image:
-  repository: goauthentik.io/server
+  repository: ghcr.io/goauthentik/server
   tag: 2021.9.1
 ```

website/integrations/services/gitea/index.md

@@ -62,6 +62,21 @@ Change the following fields
 - Icon URL: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.png
 - OpenID Connect Auto Discovery URL: https://authentik.company/application/o/gitea-slug/.well-known/openid-configuration
 
+
 ![](./gitea1.png)
 
-`Add Authentication Source` and you should be done. Your Gitea login page should now have a `Sign in With` followed by the authentik logo which you can click on to sign-in to Gitea with Authentik creds.
+`Add Authentication Source` 
+
+Next you should edit your Gitea's 'app.ini' to make Gitea request the proper OIDC Scope from Authentik. (It'll by default only ask for the 'openid' scope which doesn't provide us with the relevant information.)
+
+
+In your Gitea instance, navigate to your app.ini and make the following changes
+
+- If it doesn't exist yet, create a `[oauth2_client]` section
+- Set `OPENID_CONNECT_SCOPES` to `email profile` 
+
+
+Restart Gitea and you should be done!
+
+
+