release: 2021.4.6

ci: run apt update before installing dependencies
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-05-12 14:13:16 +02:00 · 2021-05-12 13:44:15 +02:00 · 2021-05-12 13:36:19 +02:00 · 2021-04-29 23:03:09 +02:00 · 2021-04-29 15:27:41 +02:00 · 2021-04-29 15:18:28 +02:00
223 changed files with 8457 additions and 7071 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.4.1-rc1
+current_version = 2021.4.6
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -18,11 +18,11 @@ jobs:
      - name: Building Docker Image
        run: docker build
          --no-cache
-          -t beryju/authentik:2021.4.1-rc1
+          -t beryju/authentik:2021.4.6
          -t beryju/authentik:latest
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik:2021.4.1-rc1
+        run: docker push beryju/authentik:2021.4.6
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/authentik:latest
  build-proxy:
@ -48,11 +48,11 @@ jobs:
          cd outpost/
          docker build \
          --no-cache \
-          -t beryju/authentik-proxy:2021.4.1-rc1 \
+          -t beryju/authentik-proxy:2021.4.6 \
          -t beryju/authentik-proxy:latest \
          -f proxy.Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-proxy:2021.4.1-rc1
+        run: docker push beryju/authentik-proxy:2021.4.6
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/authentik-proxy:latest
  build-static:
@ -72,11 +72,11 @@ jobs:
          cd web/
          docker build \
          --no-cache \
-          -t beryju/authentik-static:2021.4.1-rc1 \
+          -t beryju/authentik-static:2021.4.6 \
          -t beryju/authentik-static:latest \
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-static:2021.4.1-rc1
+        run: docker push beryju/authentik-static:2021.4.6
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/authentik-static:latest
  test-release:
@ -110,5 +110,5 @@ jobs:
          SENTRY_PROJECT: authentik
          SENTRY_URL: https://sentry.beryju.org
        with:
-          tagName: 2021.4.1-rc1
+          tagName: 2021.4.6
          environment: beryjuorg-prod
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -116,17 +116,18 @@
        },
        "boto3": {
            "hashes": [
-                "sha256:e86c15049dc07cb67e8b466795f004f1f23c1acf078d47283cd5e4a692a5aa37"
+                "sha256:1e55df93aa47a84e2a12a639c7f145e16e6e9ef959542d69d5526d50d2e92692",
+                "sha256:eab42daaaf68cdad5b112d31dcb0684162098f6558ba7b64156be44f993525fa"
            ],
            "index": "pypi",
-            "version": "==1.17.48"
+            "version": "==1.17.54"
        },
        "botocore": {
            "hashes": [
-                "sha256:99c4f96bffae406f6dec1fa94e0886993e5bcd8657604d950abb43a49121fa7c",
-                "sha256:af27a8133f5b8f6a55738ccd5efd35689f1822cfd447625a839ef7a991eab64f"
+                "sha256:20a864fc6570ba11d52532c72c3ccabab5c71a9b4a9418601a313d56f1d2ce5b",
+                "sha256:37ec76ea2df8609540ba6cb0fe360ae1c589d2e1ee91eb642fd767823f3fcedd"
            ],
-            "version": "==1.20.48"
+            "version": "==1.20.54"
        },
        "cachetools": {
            "hashes": [
@ -436,10 +437,10 @@
        },
        "google-auth": {
            "hashes": [
-                "sha256:186fe2564634d67fbbb64f3daf8bc8c9cecbb2a7f535ed1a8a71795e50db8d87",
-                "sha256:70b39558712826e41f65e5f05a8d879361deaf84df8883e5dd0ec3d0da6ab66e"
+                "sha256:010f011c4e27d3d5eb01106fba6aac39d164842dfcd8709955c4638f5b11ccf8",
+                "sha256:f30a672a64d91cc2e3137765d088c5deec26416246f7a9e956eaf69a8d7ed49c"
            ],
-            "version": "==1.28.1"
+            "version": "==1.29.0"
        },
        "gunicorn": {
            "hashes": [
@ -1105,10 +1106,10 @@
        },
        "s3transfer": {
            "hashes": [
-                "sha256:5d48b1fd2232141a9d5fb279709117aaba506cacea7f86f11bc392f06bfa8fc2",
-                "sha256:c5dadf598762899d8cfaecf68eba649cd25b0ce93b6c954b156aaa3eed160547"
+                "sha256:af1af6384bd7fb8208b06480f9be73d0295d965c4c073a5c95ea5b6661dccc18",
+                "sha256:f3dfd791cad2799403e3c8051810a7ca6ee1d2e630e5d2a8f9649d892bdb3db6"
            ],
-            "version": "==0.3.6"
+            "version": "==0.4.0"
        },
        "sentry-sdk": {
            "hashes": [
@ -1373,59 +1374,59 @@
        },
        "zope.interface": {
            "hashes": [
-                "sha256:02d3535aa18e34ce97c58d241120b7554f7d1cf4f8002fc9675cc7e7745d20e8",
-                "sha256:0378a42ec284b65706d9ef867600a4a31701a0d6773434e6537cfc744e3343f4",
-                "sha256:07d289358a8c565ea09e426590dd1179f93cf5ac3dd17d43fcc4fc63c1a9d275",
-                "sha256:0e6cdbdd94ae94d1433ab51f46a76df0f2cd041747c31baec1c1ffa4e76bd0c1",
-                "sha256:11354fb8b8bdc5cdd66358ed4f1f0ce739d78ff6d215d33b8f3ae282258c0f11",
-                "sha256:12588a46ae0a99f172c4524cbbc3bb870f32e0f8405e9fa11a5ef3fa3a808ad7",
-                "sha256:16caa44a06f6b0b2f7626ced4b193c1ae5d09c1b49c9b4962c93ae8aa2134f55",
-                "sha256:18c478b89b6505756f007dcf76a67224a23dcf0f365427742ed0c0473099caa4",
-                "sha256:221b41442cf4428fcda7fc958c9721c916709e2a3a9f584edd70f1493a09a762",
-                "sha256:26109c50ccbcc10f651f76277cfc05fba8418a907daccc300c9247f24b3158a2",
-                "sha256:28d8157f8c77662a1e0796a7d3cfa8910289131d4b4dd4e10b2686ab1309b67b",
-                "sha256:2c51689b7b40c7d9c7e8a678350e73dc647945a13b4e416e7a02bbf0c37bdb01",
-                "sha256:2ec58e1e1691dde4fbbd97f8610de0f8f1b1a38593653f7d3b8e931b9cd6d67f",
-                "sha256:416feb6500f7b6fc00d32271f6b8495e67188cb5eb51fc8e289b81fdf465a9cb",
-                "sha256:520352b18adea5478bbf387e9c77910a914985671fe36bc5ef19fdcb67a854bc",
-                "sha256:527415b5ca201b4add44026f70278fbc0b942cf0801a26ca5527cb0389b6151e",
-                "sha256:54243053316b5eec92affe43bbace7c8cd946bc0974a4aa39ff1371df0677b22",
-                "sha256:61b8454190b9cc87279232b6de28dee0bad040df879064bb2f0e505cda907918",
-                "sha256:672668729edcba0f2ee522ab177fcad91c81cfce991c24d8767765e2637d3515",
-                "sha256:67aa26097e194947d29f2b5a123830e03da1519bcce10cac034a51fcdb99c34f",
-                "sha256:6e7305e42b5f54e5ccf51820de46f0a7c951ba7cb9e3f519e908545b0f5628d0",
-                "sha256:7234ac6782ca43617de803735949f79b894f0c5d353fbc001d745503c69e6d1d",
-                "sha256:7426bea25bdf92f00fa52c7b30fcd2a2f71c21cf007178971b1f248b6c2d3145",
-                "sha256:74b331c5d5efdddf5bbd9e1f7d8cb91a0d6b9c4ba45ca3e9003047a84dca1a3b",
-                "sha256:79b6db1a18253db86e9bf1e99fa829d60fd3fc7ac04f4451c44e4bdcf6756a42",
-                "sha256:7d79cd354ae0a033ac7b86a2889c9e8bb0bb48243a6ed27fc5064ce49b842ada",
-                "sha256:823d1b4a6a028b8327e64865e2c81a8959ae9f4e7c9c8e0eec814f4f9b36b362",
-                "sha256:8715717a5861932b7fe7f3cbd498c82ff4132763e2fea182cc95e53850394ec1",
-                "sha256:89a6091f2d07936c8a96ce56f2000ecbef20fb420a94845e7d53913c558a6378",
-                "sha256:8af4b3116e4a37059bc8c7fe36d4a73d7c1d8802a1d8b6e549f1380d13a40160",
-                "sha256:8b4b0034e6c7f30133fa64a1cc276f8f1a155ef9529e7eb93a3c1728b40c0f5c",
-                "sha256:92195df3913c1de80062635bf64cd7bd0d0934a7fa1689b6d287d1cbbd16922c",
-                "sha256:96c2e68385f3848d58f19b2975a675532abdb65c8fa5f04d94b95b27b6b1ffa7",
-                "sha256:9c7044dbbf8c58420a9ef4ed6901f5a8b7698d90cd984d7f57a18c78474686f6",
-                "sha256:a1937efed7e3fe0ee74630e1960df887d8aa83c571e1cf4db9d15b9c181d457d",
-                "sha256:a38c10423a475a1658e2cb8f52cf84ec20a4c0adff724dd43a6b45183f499bc1",
-                "sha256:a413c424199bcbab71bf5fa7538246f27177fbd6dd74b2d9c5f34878658807f8",
-                "sha256:b18a855f8504743e0a2d8b75d008c7720d44e4c76687e13f959e35d9a13eb397",
-                "sha256:b4d59ab3608538e550a72cea13d3c209dd72b6e19e832688da7884081c01594e",
-                "sha256:b51d3f1cd87f488455f43046d72003689024b0fa9b2d53635db7523033b19996",
-                "sha256:c02105deda867d09cdd5088d08708f06d75759df6f83d8f7007b06f422908a30",
-                "sha256:c7b6032dc4490b0dcaf078f09f5b382dc35493cb7f473840368bf0de3196c2b6",
-                "sha256:c95b355dba2aaf5177dff943b25ded0529a7feb80021d5fdb114a99f0a1ef508",
-                "sha256:c980ae87863d76b1ea9a073d6d95554b4135032d34bc541be50c07d4a085821b",
-                "sha256:d12895cd083e35e9e032eb4b57645b91116f8979527381a8d864d1f6b8cb4a2e",
-                "sha256:d3cd9bad547a8e5fbe712a1dc1413aff1b917e8d39a2cd1389a6f933b7a21460",
-                "sha256:e8809b01f27f679e3023b9e2013051e0a3f17abff4228cb5197663afd8a0f2c7",
-                "sha256:f3c37b0dc1898e305aad4f7a1d75f6da83036588c28a9ce0afc681ff5245a601",
-                "sha256:f966765f54b536e791541458de84a737a6adba8467190f17a8fe7f85354ba908",
-                "sha256:fa939c2e2468142c9773443d4038e7c915b0cc1b670d3c9192bdc503f7ea73e9",
-                "sha256:fcc5c1f95102989d2e116ffc8467963554ce89f30a65a3ea86a4d06849c498d8"
+                "sha256:08f9636e99a9d5410181ba0729e0408d3d8748026ea938f3b970a0249daa8192",
+                "sha256:0b465ae0962d49c68aa9733ba92a001b2a0933c317780435f00be7ecb959c702",
+                "sha256:0cba8477e300d64a11a9789ed40ee8932b59f9ee05f85276dbb4b59acee5dd09",
+                "sha256:0cee5187b60ed26d56eb2960136288ce91bcf61e2a9405660d271d1f122a69a4",
+                "sha256:0ea1d73b7c9dcbc5080bb8aaffb776f1c68e807767069b9ccdd06f27a161914a",
+                "sha256:0f91b5b948686659a8e28b728ff5e74b1be6bf40cb04704453617e5f1e945ef3",
+                "sha256:15e7d1f7a6ee16572e21e3576d2012b2778cbacf75eb4b7400be37455f5ca8bf",
+                "sha256:17776ecd3a1fdd2b2cd5373e5ef8b307162f581c693575ec62e7c5399d80794c",
+                "sha256:194d0bcb1374ac3e1e023961610dc8f2c78a0f5f634d0c737691e215569e640d",
+                "sha256:1c0e316c9add0db48a5b703833881351444398b04111188069a26a61cfb4df78",
+                "sha256:205e40ccde0f37496904572035deea747390a8b7dc65146d30b96e2dd1359a83",
+                "sha256:273f158fabc5ea33cbc936da0ab3d4ba80ede5351babc4f577d768e057651531",
+                "sha256:2876246527c91e101184f63ccd1d716ec9c46519cc5f3d5375a3351c46467c46",
+                "sha256:2c98384b254b37ce50eddd55db8d381a5c53b4c10ee66e1e7fe749824f894021",
+                "sha256:2e5a26f16503be6c826abca904e45f1a44ff275fdb7e9d1b75c10671c26f8b94",
+                "sha256:334701327f37c47fa628fc8b8d28c7d7730ce7daaf4bda1efb741679c2b087fc",
+                "sha256:3748fac0d0f6a304e674955ab1365d515993b3a0a865e16a11ec9d86fb307f63",
+                "sha256:3c02411a3b62668200910090a0dff17c0b25aaa36145082a5a6adf08fa281e54",
+                "sha256:3dd4952748521205697bc2802e4afac5ed4b02909bb799ba1fe239f77fd4e117",
+                "sha256:3f24df7124c323fceb53ff6168da70dbfbae1442b4f3da439cd441681f54fe25",
+                "sha256:469e2407e0fe9880ac690a3666f03eb4c3c444411a5a5fddfdabc5d184a79f05",
+                "sha256:4de4bc9b6d35c5af65b454d3e9bc98c50eb3960d5a3762c9438df57427134b8e",
+                "sha256:5208ebd5152e040640518a77827bdfcc73773a15a33d6644015b763b9c9febc1",
+                "sha256:52de7fc6c21b419078008f697fd4103dbc763288b1406b4562554bd47514c004",
+                "sha256:5bb3489b4558e49ad2c5118137cfeaf59434f9737fa9c5deefc72d22c23822e2",
+                "sha256:5dba5f530fec3f0988d83b78cc591b58c0b6eb8431a85edd1569a0539a8a5a0e",
+                "sha256:5dd9ca406499444f4c8299f803d4a14edf7890ecc595c8b1c7115c2342cadc5f",
+                "sha256:5f931a1c21dfa7a9c573ec1f50a31135ccce84e32507c54e1ea404894c5eb96f",
+                "sha256:63b82bb63de7c821428d513607e84c6d97d58afd1fe2eb645030bdc185440120",
+                "sha256:66c0061c91b3b9cf542131148ef7ecbecb2690d48d1612ec386de9d36766058f",
+                "sha256:6f0c02cbb9691b7c91d5009108f975f8ffeab5dff8f26d62e21c493060eff2a1",
+                "sha256:71aace0c42d53abe6fc7f726c5d3b60d90f3c5c055a447950ad6ea9cec2e37d9",
+                "sha256:7d97a4306898b05404a0dcdc32d9709b7d8832c0c542b861d9a826301719794e",
+                "sha256:7df1e1c05304f26faa49fa752a8c690126cf98b40b91d54e6e9cc3b7d6ffe8b7",
+                "sha256:8270252effc60b9642b423189a2fe90eb6b59e87cbee54549db3f5562ff8d1b8",
+                "sha256:867a5ad16892bf20e6c4ea2aab1971f45645ff3102ad29bd84c86027fa99997b",
+                "sha256:877473e675fdcc113c138813a5dd440da0769a2d81f4d86614e5d62b69497155",
+                "sha256:8892f89999ffd992208754851e5a052f6b5db70a1e3f7d54b17c5211e37a98c7",
+                "sha256:9a9845c4c6bb56e508651f005c4aeb0404e518c6f000d5a1123ab077ab769f5c",
+                "sha256:a1e6e96217a0f72e2b8629e271e1b280c6fa3fe6e59fa8f6701bec14e3354325",
+                "sha256:a8156e6a7f5e2a0ff0c5b21d6bcb45145efece1909efcbbbf48c56f8da68221d",
+                "sha256:a9506a7e80bcf6eacfff7f804c0ad5350c8c95b9010e4356a4b36f5322f09abb",
+                "sha256:af310ec8335016b5e52cae60cda4a4f2a60a788cbb949a4fbea13d441aa5a09e",
+                "sha256:b0297b1e05fd128d26cc2460c810d42e205d16d76799526dfa8c8ccd50e74959",
+                "sha256:bf68f4b2b6683e52bec69273562df15af352e5ed25d1b6641e7efddc5951d1a7",
+                "sha256:d0c1bc2fa9a7285719e5678584f6b92572a5b639d0e471bb8d4b650a1a910920",
+                "sha256:d4d9d6c1a455d4babd320203b918ccc7fcbefe308615c521062bc2ba1aa4d26e",
+                "sha256:db1fa631737dab9fa0b37f3979d8d2631e348c3b4e8325d6873c2541d0ae5a48",
+                "sha256:dd93ea5c0c7f3e25335ab7d22a507b1dc43976e1345508f845efc573d3d779d8",
+                "sha256:f44e517131a98f7a76696a7b21b164bcb85291cee106a23beccce454e1f433a4",
+                "sha256:f7ee479e96f7ee350db1cf24afa5685a5899e2b34992fb99e1f7c1b0b758d263"
            ],
-            "version": "==5.3.0"
+            "version": "==5.4.0"
        }
    },
    "develop": {
@ -1438,10 +1439,10 @@
        },
        "astroid": {
            "hashes": [
-                "sha256:6b0ed1af831570e500e2437625979eaa3b36011f66ddfc4ce930128610258ca9",
-                "sha256:cd80bf957c49765dce6d92c43163ff9d2abc43132ce64d4b1b47717c6d2522df"
+                "sha256:ad63b8552c70939568966811a088ef0bc880f99a24a00834abd0e3681b514f91",
+                "sha256:bea3f32799fbb8581f58431c12591bc20ce11cbc90ad82e2ea5717d94f2080d5"
            ],
-            "version": "==2.5.2"
+            "version": "==2.5.3"
        },
        "attrs": {
            "hashes": [
@ -1661,11 +1662,11 @@
        },
        "pylint-django": {
            "hashes": [
-                "sha256:355dddb25ef07dbdb77a818b0860ada722aab654c24da34aab916ec26d6390ba",
-                "sha256:f8d77f7da47a7019cda5cb669c214f03033208f9e945094661299d2637c0da06"
+                "sha256:a5a4515209a6237d1d390a4a307d53f53baaf4f058ecf4bb556c775d208f6b0d",
+                "sha256:dc5ed27bb7662d73444ccd15a0b3964ed6ced6cc2712b85db616102062d2ec35"
            ],
            "index": "pypi",
-            "version": "==2.4.2"
+            "version": "==2.4.3"
        },
        "pylint-plugin-utils": {
            "hashes": [
@ -1691,11 +1692,11 @@
        },
        "pytest-django": {
            "hashes": [
-                "sha256:10e384e6b8912ded92db64c58be8139d9ae23fb8361e5fc139d8e4f8fc601bc2",
-                "sha256:26f02c16d36fd4c8672390deebe3413678d89f30720c16efb8b2a6bf63b9041f"
+                "sha256:80f8875226ec4dc0b205f0578072034563879d98d9b1bec143a80b9045716cb0",
+                "sha256:a51150d8962200250e850c6adcab670779b9c2aa07271471059d1fb92a843fa9"
            ],
            "index": "pypi",
-            "version": "==4.1.0"
+            "version": "==4.2.0"
        },
        "pyyaml": {
            "hashes": [
@ -1816,38 +1817,38 @@
        },
        "typed-ast": {
            "hashes": [
-                "sha256:07d49388d5bf7e863f7fa2f124b1b1d89d8aa0e2f7812faff0a5658c01c59aa1",
-                "sha256:14bf1522cdee369e8f5581238edac09150c765ec1cb33615855889cf33dcb92d",
-                "sha256:240296b27397e4e37874abb1df2a608a92df85cf3e2a04d0d4d61055c8305ba6",
-                "sha256:36d829b31ab67d6fcb30e185ec996e1f72b892255a745d3a82138c97d21ed1cd",
-                "sha256:37f48d46d733d57cc70fd5f30572d11ab8ed92da6e6b28e024e4a3edfb456e37",
-                "sha256:4c790331247081ea7c632a76d5b2a265e6d325ecd3179d06e9cf8d46d90dd151",
-                "sha256:5dcfc2e264bd8a1db8b11a892bd1647154ce03eeba94b461effe68790d8b8e07",
-                "sha256:7147e2a76c75f0f64c4319886e7639e490fee87c9d25cb1d4faef1d8cf83a440",
-                "sha256:7703620125e4fb79b64aa52427ec192822e9f45d37d4b6625ab37ef403e1df70",
-                "sha256:8368f83e93c7156ccd40e49a783a6a6850ca25b556c0fa0240ed0f659d2fe496",
-                "sha256:84aa6223d71012c68d577c83f4e7db50d11d6b1399a9c779046d75e24bed74ea",
-                "sha256:85f95aa97a35bdb2f2f7d10ec5bbdac0aeb9dafdaf88e17492da0504de2e6400",
-                "sha256:8db0e856712f79c45956da0c9a40ca4246abc3485ae0d7ecc86a20f5e4c09abc",
-                "sha256:9044ef2df88d7f33692ae3f18d3be63dec69c4fb1b5a4a9ac950f9b4ba571606",
-                "sha256:963c80b583b0661918718b095e02303d8078950b26cc00b5e5ea9ababe0de1fc",
-                "sha256:987f15737aba2ab5f3928c617ccf1ce412e2e321c77ab16ca5a293e7bbffd581",
-                "sha256:9ec45db0c766f196ae629e509f059ff05fc3148f9ffd28f3cfe75d4afb485412",
-                "sha256:9fc0b3cb5d1720e7141d103cf4819aea239f7d136acf9ee4a69b047b7986175a",
-                "sha256:a2c927c49f2029291fbabd673d51a2180038f8cd5a5b2f290f78c4516be48be2",
-                "sha256:a38878a223bdd37c9709d07cd357bb79f4c760b29210e14ad0fb395294583787",
-                "sha256:b4fcdcfa302538f70929eb7b392f536a237cbe2ed9cba88e3bf5027b39f5f77f",
-                "sha256:c0c74e5579af4b977c8b932f40a5464764b2f86681327410aa028a22d2f54937",
-                "sha256:c1c876fd795b36126f773db9cbb393f19808edd2637e00fd6caba0e25f2c7b64",
-                "sha256:c9aadc4924d4b5799112837b226160428524a9a45f830e0d0f184b19e4090487",
-                "sha256:cc7b98bf58167b7f2db91a4327da24fb93368838eb84a44c472283778fc2446b",
-                "sha256:cf54cfa843f297991b7388c281cb3855d911137223c6b6d2dd82a47ae5125a41",
-                "sha256:d003156bb6a59cda9050e983441b7fa2487f7800d76bdc065566b7d728b4581a",
-                "sha256:d175297e9533d8d37437abc14e8a83cbc68af93cc9c1c59c2c292ec59a0697a3",
-                "sha256:d746a437cdbca200622385305aedd9aef68e8a645e385cc483bdc5e488f07166",
-                "sha256:e683e409e5c45d5c9082dc1daf13f6374300806240719f95dc783d1fc942af10"
+                "sha256:01ae5f73431d21eead5015997ab41afa53aa1fbe252f9da060be5dad2c730ace",
+                "sha256:067a74454df670dcaa4e59349a2e5c81e567d8d65458d480a5b3dfecec08c5ff",
+                "sha256:0fb71b8c643187d7492c1f8352f2c15b4c4af3f6338f21681d3681b3dc31a266",
+                "sha256:1b3ead4a96c9101bef08f9f7d1217c096f31667617b58de957f690c92378b528",
+                "sha256:2068531575a125b87a41802130fa7e29f26c09a2833fea68d9a40cf33902eba6",
+                "sha256:209596a4ec71d990d71d5e0d312ac935d86930e6eecff6ccc7007fe54d703808",
+                "sha256:2c726c276d09fc5c414693a2de063f521052d9ea7c240ce553316f70656c84d4",
+                "sha256:398e44cd480f4d2b7ee8d98385ca104e35c81525dd98c519acff1b79bdaac363",
+                "sha256:52b1eb8c83f178ab787f3a4283f68258525f8d70f778a2f6dd54d3b5e5fb4341",
+                "sha256:5feca99c17af94057417d744607b82dd0a664fd5e4ca98061480fd8b14b18d04",
+                "sha256:7538e495704e2ccda9b234b82423a4038f324f3a10c43bc088a1636180f11a41",
+                "sha256:760ad187b1041a154f0e4d0f6aae3e40fdb51d6de16e5c99aedadd9246450e9e",
+                "sha256:777a26c84bea6cd934422ac2e3b78863a37017618b6e5c08f92ef69853e765d3",
+                "sha256:95431a26309a21874005845c21118c83991c63ea800dd44843e42a916aec5899",
+                "sha256:9ad2c92ec681e02baf81fdfa056fe0d818645efa9af1f1cd5fd6f1bd2bdfd805",
+                "sha256:9c6d1a54552b5330bc657b7ef0eae25d00ba7ffe85d9ea8ae6540d2197a3788c",
+                "sha256:aee0c1256be6c07bd3e1263ff920c325b59849dc95392a05f258bb9b259cf39c",
+                "sha256:af3d4a73793725138d6b334d9d247ce7e5f084d96284ed23f22ee626a7b88e39",
+                "sha256:b36b4f3920103a25e1d5d024d155c504080959582b928e91cb608a65c3a49e1a",
+                "sha256:b9574c6f03f685070d859e75c7f9eeca02d6933273b5e69572e5ff9d5e3931c3",
+                "sha256:bff6ad71c81b3bba8fa35f0f1921fb24ff4476235a6e94a26ada2e54370e6da7",
+                "sha256:c190f0899e9f9f8b6b7863debfb739abcb21a5c054f911ca3596d12b8a4c4c7f",
+                "sha256:c907f561b1e83e93fad565bac5ba9c22d96a54e7ea0267c708bffe863cbe4075",
+                "sha256:cae53c389825d3b46fb37538441f75d6aecc4174f615d048321b716df2757fb0",
+                "sha256:dd4a21253f42b8d2b48410cb31fe501d32f8b9fbeb1f55063ad102fe9c425e40",
+                "sha256:dde816ca9dac1d9c01dd504ea5967821606f02e510438120091b84e852367428",
+                "sha256:f2362f3cb0f3172c42938946dbc5b7843c2a28aec307c49100c8b38764eb6927",
+                "sha256:f328adcfebed9f11301eaedfa48e15bdece9b519fb27e6a8c01aa52a17ec31b3",
+                "sha256:f8afcf15cc511ada719a88e013cec87c11aff7b91f019295eb4530f96fe5ef2f",
+                "sha256:fb1bbeac803adea29cedd70781399c99138358c26d05fcbd23c13016b7f5ec65"
            ],
-            "version": "==1.4.2"
+            "version": "==1.4.3"
        },
        "typing-extensions": {
            "hashes": [
--- a/README.md
+++ b/README.md
@ -4,13 +4,13 @@

 ---

-[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=flat-square)](https://discord.gg/KPnmtNWy)
-[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/1?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
-[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/1?compact_message&style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
-[![Code Coverage](https://img.shields.io/codecov/c/gh/beryju/authentik?style=flat-square)](https://codecov.io/gh/BeryJu/authentik)
+[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=flat-square)](https://discord.gg/jg33eMhnj6)
+[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/6?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
+[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/6?compact_message&style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
+[![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=flat-square)](https://codecov.io/gh/goauthentik/authentik)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=flat-square)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=flat-square)
-![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/BeryJu/authentik?style=flat-square)
+![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/goauthentik/authentik?style=flat-square)

 ## What is authentik?

@ -31,7 +31,7 @@ Light | Dark

 ## Development

-See [Development Documentation](https://goauthentik.io/docs/development/local-dev-environment)
+See [Development Documentation](https://goauthentik.io/developer-docs/)

 ## Security

--- a/authentik/init.py
+++ b/authentik/init.py
@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.4.1-rc1"
+__version__ = "2021.4.6"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@ -6,7 +6,7 @@ from drf_yasg.utils import swagger_auto_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
 from rest_framework.mixins import ListModelMixin
-from rest_framework.permissions import IsAdminUser
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet
@ -50,7 +50,9 @@ class VersionSerializer(PassiveSerializer):
 class VersionViewSet(ListModelMixin, GenericViewSet):
    """Get running and latest version."""

-    permission_classes = [IsAdminUser]
+    permission_classes = [IsAuthenticated]
+    pagination_class = None
+    filter_backends = []

    def get_queryset(self):  # pragma: no cover
        return None
--- a/authentik/admin/settings.py
+++ b/authentik/admin/settings.py
@ -4,7 +4,7 @@ from celery.schedules import crontab
 CELERY_BEAT_SCHEDULE = {
    "admin_latest_version": {
        "task": "authentik.admin.tasks.update_latest_version",
-        "schedule": crontab(minute=0),  # Run every hour
+        "schedule": crontab(minute="*/60"),  # Run every hour
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -23,7 +23,9 @@ URL_FINDER = URLValidator.regex.pattern[1:]
 def update_latest_version(self: MonitoredTask):
    """Update latest version info"""
    try:
-        response = get("https://api.github.com/repos/beryju/authentik/releases/latest")
+        response = get(
+            "https://api.github.com/repos/goauthentik/authentik/releases/latest"
+        )
        response.raise_for_status()
        data = response.json()
        tag_name = data.get("tag_name")
--- a/authentik/api/auth.py
+++ b/authentik/api/auth.py
@ -1,61 +1,65 @@
 """API Authentication"""
-from base64 import b64decode
+from base64 import b64decode, b64encode
 from binascii import Error
 from typing import Any, Optional, Union

 from rest_framework.authentication import BaseAuthentication, get_authorization_header
+from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
 from structlog.stdlib import get_logger

 from authentik.core.models import Token, TokenIntents, User

 LOGGER = get_logger()
-X_AUTHENTIK_PREVENT_BASIC_HEADER = "HTTP_X_AUTHENTIK_PREVENT_BASIC"


+# pylint: disable=too-many-return-statements
 def token_from_header(raw_header: bytes) -> Optional[Token]:
-    """raw_header in the Format of `Basic dGVzdDp0ZXN0`"""
+    """raw_header in the Format of `Bearer dGVzdDp0ZXN0`"""
    auth_credentials = raw_header.decode()
-    # Accept headers with Type format and without
-    if " " in auth_credentials:
-        auth_type, auth_credentials = auth_credentials.split()
-        if auth_type.lower() != "basic":
-            LOGGER.debug(
-                "Unsupported authentication type, denying", type=auth_type.lower()
-            )
-            return None
-    try:
-        auth_credentials = b64decode(auth_credentials.encode()).decode()
-    except (UnicodeDecodeError, Error):
+    if auth_credentials == "":
        return None
-    # Accept credentials with username and without
-    if ":" in auth_credentials:
-        _, password = auth_credentials.split(":")
-    else:
-        password = auth_credentials
+    # Legacy, accept basic auth thats fully encoded (2021.3 outposts)
+    if " " not in auth_credentials:
+        try:
+            plain = b64decode(auth_credentials.encode()).decode()
+            auth_type, body = plain.split()
+            auth_credentials = f"{auth_type} {b64encode(body.encode()).decode()}"
+        except (UnicodeDecodeError, Error):
+            raise AuthenticationFailed("Malformed header")
+    auth_type, auth_credentials = auth_credentials.split()
+    if auth_type.lower() not in ["basic", "bearer"]:
+        LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
+        raise AuthenticationFailed("Unsupported authentication type")
+    password = auth_credentials
+    if auth_type.lower() == "basic":
+        try:
+            auth_credentials = b64decode(auth_credentials.encode()).decode()
+        except (UnicodeDecodeError, Error):
+            raise AuthenticationFailed("Malformed header")
+        # Accept credentials with username and without
+        if ":" in auth_credentials:
+            _, password = auth_credentials.split(":")
+        else:
+            password = auth_credentials
    if password == "":  # nosec
-        return None
+        raise AuthenticationFailed("Malformed header")
    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
    if not tokens.exists():
-        LOGGER.debug("Token not found")
-        return None
+        raise AuthenticationFailed("Token invalid/expired")
    return tokens.first()


 class AuthentikTokenAuthentication(BaseAuthentication):
-    """Token-based authentication using HTTP Basic authentication"""
+    """Token-based authentication using HTTP Bearer authentication"""

    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
-        """Token-based authentication using HTTP Basic authentication"""
+        """Token-based authentication using HTTP Bearer authentication"""
        auth = get_authorization_header(request)

        token = token_from_header(auth)
+        # None is only returned when the header isn't set.
        if not token:
            return None

        return (token.user, None)
-
-    def authenticate_header(self, request: Request) -> str:
-        if X_AUTHENTIK_PREVENT_BASIC_HEADER in request._request.META:
-            return ""
-        return 'Basic realm="authentik"'
--- a/authentik/api/templates/api/swagger.html
+++ b/authentik/api/templates/api/swagger.html
@ -11,6 +11,29 @@ authentik API Browser
 {% endblock %}

 {% block body %}
+<script>
+function getCookie(name) {
+    let cookieValue = "";
+    if (document.cookie && document.cookie !== "") {
+        const cookies = document.cookie.split(";");
+        for (let i = 0; i < cookies.length; i++) {
+            const cookie = cookies[i].trim();
+            // Does this cookie string begin with the name we want?
+            if (cookie.substring(0, name.length + 1) === name + "=") {
+                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+                break;
+            }
+        }
+    }
+    return cookieValue;
+}
+window.addEventListener('DOMContentLoaded', (event) => {
+    const rapidocEl = document.querySelector('rapi-doc');
+    rapidocEl.addEventListener('before-try', (e) => {
+        e.detail.request.headers.append('X-CSRFToken', getCookie("authentik_csrf"));
+    });
+});
+</script>
 <rapi-doc
    spec-url="{{ path }}"
    heading-text="authentik"
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@ -3,6 +3,7 @@ from base64 import b64encode

 from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user
+from rest_framework.exceptions import AuthenticationFailed

 from authentik.api.auth import token_from_header
 from authentik.core.models import Token, TokenIntents
@ -11,7 +12,7 @@ from authentik.core.models import Token, TokenIntents
 class TestAPIAuth(TestCase):
    """Test API Authentication"""

-    def test_valid(self):
+    def test_valid_basic(self):
        """Test valid token"""
        token = Token.objects.create(
            intent=TokenIntents.INTENT_API, user=get_anonymous_user()
@ -19,19 +20,30 @@ class TestAPIAuth(TestCase):
        auth = b64encode(f":{token.key}".encode()).decode()
        self.assertEqual(token_from_header(f"Basic {auth}".encode()), token)

+    def test_valid_bearer(self):
+        """Test valid token"""
+        token = Token.objects.create(
+            intent=TokenIntents.INTENT_API, user=get_anonymous_user()
+        )
+        self.assertEqual(token_from_header(f"Bearer {token.key}".encode()), token)
+
    def test_invalid_type(self):
        """Test invalid type"""
-        self.assertIsNone(token_from_header("foo bar".encode()))
+        with self.assertRaises(AuthenticationFailed):
+            token_from_header("foo bar".encode())

    def test_invalid_decode(self):
        """Test invalid bas64"""
-        self.assertIsNone(token_from_header("Basic bar".encode()))
+        with self.assertRaises(AuthenticationFailed):
+            token_from_header("Basic bar".encode())

    def test_invalid_empty_password(self):
        """Test invalid with empty password"""
-        self.assertIsNone(token_from_header("Basic :".encode()))
+        with self.assertRaises(AuthenticationFailed):
+            token_from_header("Basic :".encode())

    def test_invalid_no_token(self):
        """Test invalid with no token"""
-        auth = b64encode(":abc".encode()).decode()
-        self.assertIsNone(token_from_header(f"Basic :{auth}".encode()))
+        with self.assertRaises(AuthenticationFailed):
+            auth = b64encode(":abc".encode()).decode()
+            self.assertIsNone(token_from_header(f"Basic :{auth}".encode()))
--- a/authentik/api/v2/urls.py
+++ b/authentik/api/v2/urls.py
@ -113,6 +113,7 @@ router.register("core/user_consent", UserConsentViewSet)
 router.register("core/tokens", TokenViewSet)

 router.register("outposts/outposts", OutpostViewSet)
+router.register("outposts/instances", OutpostViewSet)
 router.register("outposts/service_connections/all", ServiceConnectionViewSet)
 router.register("outposts/service_connections/docker", DockerServiceConnectionViewSet)
 router.register(
@ -195,7 +196,8 @@ info = openapi.Info(
    default_version="v2beta",
    contact=openapi.Contact(email="hello@beryju.org"),
    license=openapi.License(
-        name="GNU GPLv3", url="https://github.com/BeryJu/authentik/blob/master/LICENSE"
+        name="GNU GPLv3",
+        url="https://github.com/goauthentik/authentik/blob/master/LICENSE",
    ),
 )
 SchemaView = get_schema_view(info, public=True, permission_classes=(AllowAny,))
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -91,6 +91,15 @@ class ApplicationViewSet(ModelViewSet):
                applications.append(application)
        return applications

+    @swagger_auto_schema(
+        manual_parameters=[
+            openapi.Parameter(
+                name="superuser_full_list",
+                in_=openapi.IN_QUERY,
+                type=openapi.TYPE_BOOLEAN,
+            )
+        ]
+    )
    def list(self, request: Request) -> Response:
        """Custom list method that checks Policy based access instead of guardian"""
        queryset = self._filter_queryset_for_list(self.get_queryset())
@ -98,6 +107,13 @@ class ApplicationViewSet(ModelViewSet):

        should_cache = request.GET.get("search", "") == ""

+        superuser_full_list = (
+            str(request.GET.get("superuser_full_list", "false")).lower() == "true"
+        )
+        if superuser_full_list and request.user.is_superuser:
+            serializer = self.get_serializer(queryset, many=True)
+            return self.get_paginated_response(serializer.data)
+
        allowed_applications = []
        if not should_cache:
            allowed_applications = self._get_allowed_applications(queryset)
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -1,13 +1,17 @@
 """Groups API Viewset"""
+from rest_framework.fields import JSONField
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

+from authentik.core.api.utils import is_dict
 from authentik.core.models import Group


 class GroupSerializer(ModelSerializer):
    """Group Serializer"""

+    attributes = JSONField(validators=[is_dict], required=False)
+
    class Meta:

        model = Group
--- a/authentik/core/api/propertymappings.py
+++ b/authentik/core/api/propertymappings.py
@ -1,6 +1,7 @@
 """PropertyMapping API Views"""
 from json import dumps

+from drf_yasg import openapi
 from drf_yasg.utils import swagger_auto_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
@ -91,7 +92,9 @@ class PropertyMappingViewSet(
                {
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
-                    "component": subclass.component,
+                    # pyright: reportGeneralTypeIssues=false
+                    "component": subclass().component,
+                    "model_name": subclass._meta.model_name,
                }
            )
        return Response(TypeCreateSerializer(data, many=True).data)
@ -100,6 +103,13 @@ class PropertyMappingViewSet(
    @swagger_auto_schema(
        request_body=PolicyTestSerializer(),
        responses={200: PropertyMappingTestResultSerializer, 400: "Invalid parameters"},
+        manual_parameters=[
+            openapi.Parameter(
+                name="format_result",
+                in_=openapi.IN_QUERY,
+                type=openapi.TYPE_BOOLEAN,
+            )
+        ],
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
    # pylint: disable=unused-argument, invalid-name
@ -110,6 +120,8 @@ class PropertyMappingViewSet(
        if not test_params.is_valid():
            return Response(test_params.errors, status=400)

+        format_result = str(request.GET.get("format_result", "false")).lower() == "true"
+
        # User permission check, only allow mapping testing for users that are readable
        users = get_objects_for_user(request.user, "authentik_core.view_user").filter(
            pk=test_params.validated_data["user"].pk
@ -124,7 +136,9 @@ class PropertyMappingViewSet(
                self.request,
                **test_params.validated_data.get("context", {}),
            )
-            response_data["result"] = dumps(result)
+            response_data["result"] = dumps(
+                result, indent=(4 if format_result else None)
+            )
        except Exception as exc:  # pylint: disable=broad-except
            response_data["result"] = str(exc)
            response_data["successful"] = False
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -78,6 +78,7 @@ class ProviderViewSet(
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": subclass().component,
+                    "model_name": subclass._meta.model_name,
                }
            )
        data.append(
@ -85,6 +86,7 @@ class ProviderViewSet(
                "name": _("SAML Provider from Metadata"),
                "description": _("Create a SAML Provider by importing its Metadata."),
                "component": "ak-provider-saml-import-form",
+                "model_name": "",
            }
        )
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -81,6 +81,7 @@ class SourceViewSet(
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": component,
+                    "model_name": subclass._meta.model_name,
                }
            )
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -11,7 +11,7 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.api.decorators import permission_required
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import PassiveSerializer
-from authentik.core.models import Token
+from authentik.core.models import Token, TokenIntents
 from authentik.events.models import Event, EventAction
 from authentik.managed.api import ManagedSerializer

@ -64,7 +64,7 @@ class TokenViewSet(ModelViewSet):
    ordering = ["expires"]

    def perform_create(self, serializer: TokenSerializer):
-        serializer.save(user=self.request.user)
+        serializer.save(user=self.request.user, intent=TokenIntents.INTENT_API)

    @permission_required("authentik_core.view_token_key")
    @swagger_auto_schema(
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -1,10 +1,11 @@
 """User API Views"""
+from django.http.response import Http404
 from django.urls import reverse_lazy
 from django.utils.http import urlencode
 from drf_yasg.utils import swagger_auto_schema, swagger_serializer_method
 from guardian.utils import get_anonymous_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, SerializerMethodField
+from rest_framework.fields import CharField, JSONField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import BooleanField, ModelSerializer
@ -12,13 +13,14 @@ from rest_framework.viewsets import ModelViewSet

 from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
 from authentik.api.decorators import permission_required
-from authentik.core.api.utils import LinkSerializer, PassiveSerializer
+from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import (
    SESSION_IMPERSONATE_ORIGINAL_USER,
    SESSION_IMPERSONATE_USER,
 )
 from authentik.core.models import Token, TokenIntents, User
 from authentik.events.models import EventAction
+from authentik.flows.models import Flow, FlowDesignation


 class UserSerializer(ModelSerializer):
@ -26,6 +28,7 @@ class UserSerializer(ModelSerializer):

    is_superuser = BooleanField(read_only=True)
    avatar = CharField(read_only=True)
+    attributes = JSONField(validators=[is_dict], required=False)

    class Meta:

@ -120,12 +123,16 @@ class UserViewSet(ModelViewSet):

    @permission_required("authentik_core.reset_user_password")
    @swagger_auto_schema(
-        responses={"200": LinkSerializer(many=False)},
+        responses={"200": LinkSerializer(many=False), "404": "No recovery flow found."},
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name, unused-argument
    def recovery(self, request: Request, pk: int) -> Response:
        """Create a temporary link that a user can use to recover their accounts"""
+        # Check that there is a recovery flow, if not return an error
+        flow = Flow.with_policy(request, designation=FlowDesignation.RECOVERY)
+        if not flow:
+            raise Http404
        user: User = self.get_object()
        token, __ = Token.objects.get_or_create(
            identifier=f"{user.uid}-password-reset",
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -1,7 +1,20 @@
 """API Utilities"""
+from typing import Any
+
 from django.db.models import Model
 from rest_framework.fields import CharField, IntegerField
-from rest_framework.serializers import Serializer, SerializerMethodField
+from rest_framework.serializers import (
+    Serializer,
+    SerializerMethodField,
+    ValidationError,
+)
+
+
+def is_dict(value: Any):
+    """Ensure a value is a dictionary, useful for JSONFields"""
+    if isinstance(value, dict):
+        return
+    raise ValidationError("Value must be a dictionary.")


 class PassiveSerializer(Serializer):
@ -35,6 +48,7 @@ class TypeCreateSerializer(PassiveSerializer):
    name = CharField(required=True)
    description = CharField(required=True)
    component = CharField(required=True)
+    model_name = CharField(required=True)


 class CacheSerializer(PassiveSerializer):
--- a/authentik/core/channels.py
+++ b/authentik/core/channels.py
@ -1,6 +1,7 @@
 """Channels base classes"""
 from channels.exceptions import DenyConnection
 from channels.generic.websocket import JsonWebsocketConsumer
+from rest_framework.exceptions import AuthenticationFailed
 from structlog.stdlib import get_logger

 from authentik.api.auth import token_from_header
@ -22,9 +23,13 @@ class AuthJsonConsumer(JsonWebsocketConsumer):

        raw_header = headers[b"authorization"]

-        token = token_from_header(raw_header)
-        if not token:
-            LOGGER.warning("Failed to authenticate")
+        try:
+            token = token_from_header(raw_header)
+            # token is only None when no header was given, in which case we deny too
+            if not token:
+                raise DenyConnection()
+        except AuthenticationFailed as exc:
+            LOGGER.warning("Failed to authenticate", exc=exc)
            raise DenyConnection()

        self.user = token.user
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -10,9 +10,15 @@
        <title>{% block title %}{% trans title|default:config.authentik.branding.title %}{% endblock %}</title>
        <link rel="icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}?v={{ ak_version }}">
        <link rel="shortcut icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}?v={{ ak_version }}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/empty-state.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/spinner.css' %}?v={{ ak_version }}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}?v={{ ak_version }}">
+        {% block head_before %}
+        {% endblock %}
        <script src="{% static 'dist/poly.js' %}?v={{ ak_version }}" type="module"></script>
+        <script>window["polymerSkipLoadingFontRoboto"] = true;</script>
        {% block head %}
        {% endblock %}
    </head>
--- a/authentik/core/templates/error/generic.html
+++ b/authentik/core/templates/error/generic.html
@ -12,7 +12,7 @@
 {% endblock %}

 {% block body %}
-<section class="pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+<section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
    <div class="pf-c-empty-state">
        <div class="pf-c-empty-state__content">
            <i class="fas fa-exclamation-circle pf-c-empty-state__icon" aria-hidden="true"></i>
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -10,7 +10,7 @@
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-interface-admin>
-    <section class="pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
        <div class="pf-c-empty-state" style="height: 100vh;">
            <div class="pf-c-empty-state__content">
                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@ -3,6 +3,10 @@
 {% load static %}
 {% load i18n %}

+{% block head_before %}
+<script>ShadyDOM = { force: !navigator.webdriver };</script>
+{% endblock %}
+
 {% block head %}
 <script src="{% static 'dist/FlowInterface.js' %}?v={{ ak_version }}" type="module"></script>
 {% endblock %}
@ -10,7 +14,7 @@
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-flow-executor>
-    <section class="pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
+    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
        <div class="pf-c-empty-state" style="height: 100vh;">
            <div class="pf-c-empty-state__content">
                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
--- a/authentik/core/tests/test_api_utils.py
+++ b/authentik/core/tests/test_api_utils.py
@ -0,0 +1,15 @@
+"""Test API Utils"""
+from rest_framework.exceptions import ValidationError
+from rest_framework.test import APITestCase
+
+from authentik.core.api.utils import is_dict
+
+
+class TestAPIUtils(APITestCase):
+    """Test API Utils"""
+
+    def test_is_dict(self):
+        """Test is_dict"""
+        self.assertIsNone(is_dict({}))
+        with self.assertRaises(ValidationError):
+            is_dict("foo")
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@ -2,7 +2,7 @@
 from django.urls.base import reverse
 from rest_framework.test import APITestCase

-from authentik.core.models import Token, User
+from authentik.core.models import Token, TokenIntents, User


 class TestTokenAPI(APITestCase):
@ -19,4 +19,6 @@ class TestTokenAPI(APITestCase):
            reverse("authentik_api:token-list"), {"identifier": "test-token"}
        )
        self.assertEqual(response.status_code, 201)
-        self.assertEqual(Token.objects.get(identifier="test-token").user, self.user)
+        token = Token.objects.get(identifier="test-token")
+        self.assertEqual(token.user, self.user)
+        self.assertEqual(token.intent, TokenIntents.INTENT_API)
--- a/authentik/events/api/event.py
+++ b/authentik/events/api/event.py
@ -153,10 +153,6 @@ class EventViewSet(ReadOnlyModelViewSet):
        data = []
        for value, name in EventAction.choices:
            data.append(
-                {
-                    "name": name,
-                    "description": "",
-                    "component": value,
-                }
+                {"name": name, "description": "", "component": value, "model_name": ""}
            )
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@ -4,6 +4,7 @@ from typing import Iterable
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
+from rest_framework.fields import BooleanField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, SerializerMethodField
@ -19,6 +20,12 @@ from authentik.lib.utils.reflection import all_subclasses
 LOGGER = get_logger()


+class StageUserSettingSerializer(UserSettingSerializer):
+    """User settings but can include a configure flow"""
+
+    configure_flow = BooleanField(required=False)
+
+
 class StageSerializer(ModelSerializer, MetaNameSerializer):
    """Stage Serializer"""

@ -73,12 +80,13 @@ class StageViewSet(
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": subclass().component,
+                    "model_name": subclass._meta.model_name,
                }
            )
        data = sorted(data, key=lambda x: x["name"])
        return Response(TypeCreateSerializer(data, many=True).data)

-    @swagger_auto_schema(responses={200: UserSettingSerializer(many=True)})
+    @swagger_auto_schema(responses={200: StageUserSettingSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def user_settings(self, request: Request) -> Response:
        """Get all stages the user can configure"""
@ -89,6 +97,10 @@ class StageViewSet(
            if not user_settings:
                continue
            user_settings.initial_data["object_uid"] = str(stage.pk)
+            if hasattr(stage, "configure_flow"):
+                user_settings.initial_data["configure_flow"] = bool(
+                    stage.configure_flow
+                )
            if not user_settings.is_valid():
                LOGGER.warning(user_settings.errors)
            matching_stages.append(user_settings.initial_data)
--- a/authentik/flows/transfer/importer.py
+++ b/authentik/flows/transfer/importer.py
@ -160,7 +160,7 @@ class FlowImporter:
            try:
                model: SerializerModel = apps.get_model(model_app_label, model_name)
            except LookupError:
-                self.logger.error(
+                self.logger.warning(
                    "app or model does not exist", app=model_app_label, model=model_name
                )
                return False
@ -168,7 +168,7 @@ class FlowImporter:
            try:
                serializer = self._validate_single(entry)
            except EntryInvalidError as exc:
-                self.logger.error("entry not valid", entry=entry, error=exc)
+                self.logger.warning("entry not valid", entry=entry, error=exc)
                return False

            model = serializer.save()
--- a/authentik/flows/views.py
+++ b/authentik/flows/views.py
@ -14,6 +14,7 @@ from drf_yasg import openapi
 from drf_yasg.utils import no_body, swagger_auto_schema
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
+from sentry_sdk import capture_exception
 from structlog.stdlib import BoundLogger, get_logger

 from authentik.core.models import USER_ATTRIBUTE_DEBUG
@ -127,6 +128,7 @@ class FlowExecutorView(APIView):
    @swagger_auto_schema(
        responses={
            200: Challenge(),
+            404: "No Token found",  # This error can be raised by the email stage
        },
        request_body=no_body,
        manual_parameters=[
@ -151,7 +153,8 @@ class FlowExecutorView(APIView):
            stage_response = self.current_stage_view.get(request, *args, **kwargs)
            return to_stage_response(request, stage_response)
        except Exception as exc:  # pylint: disable=broad-except
-            self._logger.exception(exc)
+            capture_exception(exc)
+            self._logger.warning(exc)
            return to_stage_response(request, FlowErrorResponse(request, exc))

    @swagger_auto_schema(
@ -179,7 +182,8 @@ class FlowExecutorView(APIView):
            stage_response = self.current_stage_view.post(request, *args, **kwargs)
            return to_stage_response(request, stage_response)
        except Exception as exc:  # pylint: disable=broad-except
-            self._logger.exception(exc)
+            capture_exception(exc)
+            self._logger.warning(exc)
            return to_stage_response(request, FlowErrorResponse(request, exc))

    def _initiate_plan(self) -> FlowPlan:
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -5,21 +5,39 @@ from aioredis.errors import ConnectionClosedError, ReplyError
 from billiard.exceptions import WorkerLostError
 from botocore.client import ClientError
 from celery.exceptions import CeleryError
+from channels.middleware import BaseMiddleware
 from channels_redis.core import ChannelFull
-from django.core.exceptions import DisallowedHost, ValidationError
+from django.core.exceptions import SuspiciousOperation, ValidationError
 from django.db import InternalError, OperationalError, ProgrammingError
+from django.http.response import Http404
 from django_redis.exceptions import ConnectionInterrupted
 from docker.errors import DockerException
 from ldap3.core.exceptions import LDAPException
 from redis.exceptions import ConnectionError as RedisConnectionError
 from redis.exceptions import RedisError, ResponseError
 from rest_framework.exceptions import APIException
+from sentry_sdk import Hub
+from sentry_sdk.tracing import Transaction
 from structlog.stdlib import get_logger
 from websockets.exceptions import WebSocketException

+from authentik.lib.utils.reflection import class_to_path
+
 LOGGER = get_logger()


+class SentryWSMiddleware(BaseMiddleware):
+    """Sentry Websocket middleweare to set the transaction name based on
+    consumer class path"""
+
+    async def __call__(self, scope, receive, send):
+        transaction: Optional[Transaction] = Hub.current.scope.transaction
+        class_path = class_to_path(self.inner.consumer_class)
+        if transaction:
+            transaction.name = class_path
+        return await self.inner(scope, receive, send)
+
+
 class SentryIgnoredException(Exception):
    """Base Class for all errors that are suppressed, and not sent to sentry."""

@ -36,7 +54,7 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        OperationalError,
        InternalError,
        ProgrammingError,
-        DisallowedHost,
+        SuspiciousOperation,
        ValidationError,
        # Redis errors
        RedisConnectionError,
@ -61,6 +79,8 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        LDAPException,
        # Docker errors
        DockerException,
+        # End-user errors
+        Http404,
    )
    if "exc_info" in hint:
        _, exc_value, _ = hint["exc_info"]
--- a/authentik/outposts/api/outpost_service_connections.py
+++ b/authentik/outposts/api/outpost_service_connections.py
@ -82,6 +82,7 @@ class ServiceConnectionViewSet(
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": subclass().component,
+                    "model_name": subclass._meta.model_name,
                }
            )
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@ -8,14 +8,14 @@ from rest_framework.serializers import JSONField, ModelSerializer
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.providers import ProviderSerializer
-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer, is_dict
 from authentik.outposts.models import Outpost, default_outpost_config


 class OutpostSerializer(ModelSerializer):
    """Outpost Serializer"""

-    _config = JSONField()
+    _config = JSONField(validators=[is_dict])
    providers_obj = ProviderSerializer(source="providers", many=True, read_only=True)

    class Meta:
--- a/authentik/outposts/apps.py
+++ b/authentik/outposts/apps.py
@ -1,17 +1,8 @@
 """authentik outposts app config"""
 from importlib import import_module
-from os import R_OK, access
-from os.path import expanduser
-from pathlib import Path
-from socket import gethostname
-from urllib.parse import urlparse

-import yaml
 from django.apps import AppConfig
 from django.db import ProgrammingError
-from docker.constants import DEFAULT_UNIX_SOCKET
-from kubernetes.config.incluster_config import SERVICE_TOKEN_FILENAME
-from kubernetes.config.kube_config import KUBE_CONFIG_DEFAULT_LOCATION
 from structlog.stdlib import get_logger

 LOGGER = get_logger()
@ -27,49 +18,8 @@ class AuthentikOutpostConfig(AppConfig):
    def ready(self):
        import_module("authentik.outposts.signals")
        try:
-            AuthentikOutpostConfig.init_local_connection()
+            from authentik.outposts.tasks import outpost_local_connection
+
+            outpost_local_connection.delay()
        except ProgrammingError:
            pass
-
-    @staticmethod
-    def init_local_connection():
-        """Check if local kubernetes or docker connections should be created"""
-        from authentik.outposts.models import (
-            DockerServiceConnection,
-            KubernetesServiceConnection,
-        )
-
-        # Explicitly check against token filename, as thats
-        # only present when the integration is enabled
-        if Path(SERVICE_TOKEN_FILENAME).exists():
-            LOGGER.debug("Detected in-cluster Kubernetes Config")
-            if not KubernetesServiceConnection.objects.filter(local=True).exists():
-                LOGGER.debug("Created Service Connection for in-cluster")
-                KubernetesServiceConnection.objects.create(
-                    name="Local Kubernetes Cluster", local=True, kubeconfig={}
-                )
-        # For development, check for the existence of a kubeconfig file
-        kubeconfig_path = expanduser(KUBE_CONFIG_DEFAULT_LOCATION)
-        if Path(kubeconfig_path).exists():
-            LOGGER.debug("Detected kubeconfig")
-            kubeconfig_local_name = f"k8s-{gethostname()}"
-            if not KubernetesServiceConnection.objects.filter(
-                name=kubeconfig_local_name
-            ).exists():
-                LOGGER.debug("Creating kubeconfig Service Connection")
-                with open(kubeconfig_path, "r") as _kubeconfig:
-                    KubernetesServiceConnection.objects.create(
-                        name=kubeconfig_local_name,
-                        kubeconfig=yaml.safe_load(_kubeconfig),
-                    )
-        unix_socket_path = urlparse(DEFAULT_UNIX_SOCKET).path
-        socket = Path(unix_socket_path)
-        if socket.exists() and access(socket, R_OK):
-            LOGGER.debug("Detected local docker socket")
-            if len(DockerServiceConnection.objects.filter(local=True)) == 0:
-                LOGGER.debug("Created Service Connection for docker")
-                DockerServiceConnection.objects.create(
-                    name="Local Docker connection",
-                    local=True,
-                    url=unix_socket_path,
-                )
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@ -134,7 +134,8 @@ class DockerController(BaseController):
    def down(self):
        try:
            container, _ = self._get_container()
-            container.kill()
+            if container.status == "running":
+                container.kill()
            container.remove()
        except DockerException as exc:
            raise ControllerException from exc
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -201,7 +201,7 @@ class DockerServiceConnection(OutpostServiceConnection):
                )
            client.containers.list()
        except DockerException as exc:
-            LOGGER.error(exc)
+            LOGGER.warning(exc)
            raise ServiceConnectionInvalid from exc
        return client

@ -356,7 +356,7 @@ class Outpost(models.Model):
            intent=TokenIntents.INTENT_API,
            description=f"Autogenerated by authentik for Outpost {self.name}",
            expiring=False,
-            managed="goauthentik.io/outpost",
+            managed=f"goauthentik.io/outpost/{self.token_identifier}",
        )

    def get_required_objects(self) -> Iterable[models.Model]:
--- a/authentik/outposts/settings.py
+++ b/authentik/outposts/settings.py
@ -9,7 +9,7 @@ CELERY_BEAT_SCHEDULE = {
    },
    "outposts_service_connection_check": {
        "task": "authentik.outposts.tasks.outpost_service_connection_monitor",
-        "schedule": crontab(minute=0, hour="*"),
+        "schedule": crontab(minute="*/60"),
        "options": {"queue": "authentik_scheduled"},
    },
    "outpost_token_ensurer": {
@ -17,4 +17,9 @@ CELERY_BEAT_SCHEDULE = {
        "schedule": crontab(minute="*/5"),
        "options": {"queue": "authentik_scheduled"},
    },
+    "outpost_local_connection": {
+        "task": "authentik.outposts.tasks.outpost_local_connection",
+        "schedule": crontab(minute="*/60"),
+        "options": {"queue": "authentik_scheduled"},
+    },
 }
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -1,11 +1,20 @@
 """outpost tasks"""
+from os import R_OK, access
+from os.path import expanduser
+from pathlib import Path
+from socket import gethostname
 from typing import Any
+from urllib.parse import urlparse

+import yaml
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.core.cache import cache
 from django.db.models.base import Model
 from django.utils.text import slugify
+from docker.constants import DEFAULT_UNIX_SOCKET
+from kubernetes.config.incluster_config import SERVICE_TOKEN_FILENAME
+from kubernetes.config.kube_config import KUBE_CONFIG_DEFAULT_LOCATION
 from structlog.stdlib import get_logger

 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
@ -67,6 +76,8 @@ def outpost_controller(self: MonitoredTask, outpost_pk: str):
    outpost: Outpost = Outpost.objects.get(pk=outpost_pk)
    self.set_uid(slugify(outpost.name))
    try:
+        if not outpost.service_connection:
+            return
        if outpost.type == OutpostType.PROXY:
            service_connection = outpost.service_connection
            if isinstance(service_connection, DockerServiceConnection):
@ -183,3 +194,42 @@ def _outpost_single_update(outpost: Outpost, layer=None):
    for state in OutpostState.for_outpost(outpost):
        LOGGER.debug("sending update", channel=state.uid, outpost=outpost)
        async_to_sync(layer.send)(state.uid, {"type": "event.update"})
+
+
+@CELERY_APP.task()
+def outpost_local_connection():
+    """Checks the local environment and create Service connections."""
+    # Explicitly check against token filename, as thats
+    # only present when the integration is enabled
+    if Path(SERVICE_TOKEN_FILENAME).exists():
+        LOGGER.debug("Detected in-cluster Kubernetes Config")
+        if not KubernetesServiceConnection.objects.filter(local=True).exists():
+            LOGGER.debug("Created Service Connection for in-cluster")
+            KubernetesServiceConnection.objects.create(
+                name="Local Kubernetes Cluster", local=True, kubeconfig={}
+            )
+    # For development, check for the existence of a kubeconfig file
+    kubeconfig_path = expanduser(KUBE_CONFIG_DEFAULT_LOCATION)
+    if Path(kubeconfig_path).exists():
+        LOGGER.debug("Detected kubeconfig")
+        kubeconfig_local_name = f"k8s-{gethostname()}"
+        if not KubernetesServiceConnection.objects.filter(
+            name=kubeconfig_local_name
+        ).exists():
+            LOGGER.debug("Creating kubeconfig Service Connection")
+            with open(kubeconfig_path, "r") as _kubeconfig:
+                KubernetesServiceConnection.objects.create(
+                    name=kubeconfig_local_name,
+                    kubeconfig=yaml.safe_load(_kubeconfig),
+                )
+    unix_socket_path = urlparse(DEFAULT_UNIX_SOCKET).path
+    socket = Path(unix_socket_path)
+    if socket.exists() and access(socket, R_OK):
+        LOGGER.debug("Detected local docker socket")
+        if len(DockerServiceConnection.objects.filter(local=True)) == 0:
+            LOGGER.debug("Created Service Connection for docker")
+            DockerServiceConnection.objects.create(
+                name="Local Docker connection",
+                local=True,
+                url=unix_socket_path,
+            )
--- a/authentik/policies/api/exec.py
+++ b/authentik/policies/api/exec.py
@ -2,7 +2,7 @@
 from rest_framework.fields import BooleanField, CharField, JSONField, ListField
 from rest_framework.relations import PrimaryKeyRelatedField

-from authentik.core.api.utils import PassiveSerializer
+from authentik.core.api.utils import PassiveSerializer, is_dict
 from authentik.core.models import User


@ -10,7 +10,7 @@ class PolicyTestSerializer(PassiveSerializer):
    """Test policy execution for a user with context"""

    user = PrimaryKeyRelatedField(queryset=User.objects.all())
-    context = JSONField(required=False)
+    context = JSONField(required=False, validators=[is_dict])


 class PolicyTestResultSerializer(PassiveSerializer):
--- a/authentik/policies/api/policies.py
+++ b/authentik/policies/api/policies.py
@ -108,6 +108,7 @@ class PolicyViewSet(
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": subclass().component,
+                    "model_name": subclass._meta.model_name,
                }
            )
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/providers/oauth2/tests/test_views_authorize.py
+++ b/authentik/providers/oauth2/tests/test_views_authorize.py
@ -1,13 +1,23 @@
 """Test authorize view"""
 from django.test import RequestFactory, TestCase
+from django.urls import reverse
+from django.utils.encoding import force_str

+from authentik.core.models import Application, User
+from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import Flow
 from authentik.providers.oauth2.errors import (
    AuthorizeError,
    ClientIdError,
    RedirectUriError,
 )
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.generators import generate_client_id
+from authentik.providers.oauth2.models import (
+    AuthorizationCode,
+    GrantTypes,
+    OAuth2Provider,
+    RefreshToken,
+)
 from authentik.providers.oauth2.views.authorize import OAuthAuthorizationParams


@ -32,15 +42,194 @@ class TestViewsAuthorize(TestCase):
            )
            OAuthAuthorizationParams.from_request(request)

-    def test_missing_redirect_uri(self):
-        """test missing redirect URI"""
+    def test_request(self):
+        """test request param"""
        OAuth2Provider.objects.create(
            name="test",
            client_id="test",
            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://local.invalid",
+        )
+        with self.assertRaises(AuthorizeError):
+            request = self.factory.get(
+                "/",
+                data={
+                    "response_type": "code",
+                    "client_id": "test",
+                    "redirect_uri": "http://local.invalid",
+                    "request": "foo",
+                },
+            )
+            OAuthAuthorizationParams.from_request(request)
+
+    def test_redirect_uri(self):
+        """test missing/invalid redirect URI"""
+        OAuth2Provider.objects.create(
+            name="test",
+            client_id="test",
+            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://local.invalid",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get(
                "/", data={"response_type": "code", "client_id": "test"}
            )
            OAuthAuthorizationParams.from_request(request)
+        with self.assertRaises(RedirectUriError):
+            request = self.factory.get(
+                "/",
+                data={
+                    "response_type": "code",
+                    "client_id": "test",
+                    "redirect_uri": "http://localhost",
+                },
+            )
+            OAuthAuthorizationParams.from_request(request)
+
+    def test_response_type(self):
+        """test response_type"""
+        OAuth2Provider.objects.create(
+            name="test",
+            client_id="test",
+            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://local.invalid",
+        )
+        request = self.factory.get(
+            "/",
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "redirect_uri": "http://local.invalid",
+            },
+        )
+        self.assertEqual(
+            OAuthAuthorizationParams.from_request(request).grant_type,
+            GrantTypes.AUTHORIZATION_CODE,
+        )
+        request = self.factory.get(
+            "/",
+            data={
+                "response_type": "id_token",
+                "client_id": "test",
+                "redirect_uri": "http://local.invalid",
+                "scope": "openid",
+                "state": "foo",
+            },
+        )
+        self.assertEqual(
+            OAuthAuthorizationParams.from_request(request).grant_type,
+            GrantTypes.IMPLICIT,
+        )
+        # Implicit without openid scope
+        with self.assertRaises(AuthorizeError):
+            request = self.factory.get(
+                "/",
+                data={
+                    "response_type": "id_token",
+                    "client_id": "test",
+                    "redirect_uri": "http://local.invalid",
+                    "state": "foo",
+                },
+            )
+            self.assertEqual(
+                OAuthAuthorizationParams.from_request(request).grant_type,
+                GrantTypes.IMPLICIT,
+            )
+        request = self.factory.get(
+            "/",
+            data={
+                "response_type": "code token",
+                "client_id": "test",
+                "redirect_uri": "http://local.invalid",
+                "scope": "openid",
+                "state": "foo",
+            },
+        )
+        self.assertEqual(
+            OAuthAuthorizationParams.from_request(request).grant_type, GrantTypes.HYBRID
+        )
+        with self.assertRaises(AuthorizeError):
+            request = self.factory.get(
+                "/",
+                data={
+                    "response_type": "invalid",
+                    "client_id": "test",
+                    "redirect_uri": "http://local.invalid",
+                },
+            )
+            OAuthAuthorizationParams.from_request(request)
+
+    def test_full_code(self):
+        """Test full authorization"""
+        flow = Flow.objects.create(slug="empty")
+        provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="foo://localhost",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_client_id()
+        user = User.objects.get(username="akadmin")
+        self.client.force_login(user)
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "code",
+                "client_id": "test",
+                "state": state,
+                "redirect_uri": "foo://localhost",
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            force_str(response.content),
+            {
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": f"foo://localhost?code={code.code}&state={state}",
+            },
+        )
+
+    def test_full_implicit(self):
+        """Test full authorization"""
+        flow = Flow.objects.create(slug="empty")
+        provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id="test",
+            authorization_flow=flow,
+            redirect_uris="http://localhost",
+        )
+        Application.objects.create(name="app", slug="app", provider=provider)
+        state = generate_client_id()
+        user = User.objects.get(username="akadmin")
+        self.client.force_login(user)
+        # Step 1, initiate params and get redirect to flow
+        self.client.get(
+            reverse("authentik_providers_oauth2:authorize"),
+            data={
+                "response_type": "id_token",
+                "client_id": "test",
+                "state": state,
+                "scope": "openid",
+                "redirect_uri": "http://localhost",
+            },
+        )
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+        )
+        token: RefreshToken = RefreshToken.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            force_str(response.content),
+            {
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": (
+                    f"http://localhost#access_token={token.access_token}"
+                    f"&id_token={provider.encode(token.id_token.to_dict())}&token_type=bearer"
+                    f"&expires_in=600&state={state}"
+                ),
+            },
+        )
--- a/authentik/providers/oauth2/tests/test_views_token.py
+++ b/authentik/providers/oauth2/tests/test_views_token.py
@ -0,0 +1,222 @@
+"""Test token view"""
+from base64 import b64encode
+
+from django.test import RequestFactory, TestCase
+from django.urls import reverse
+from django.utils.encoding import force_str
+
+from authentik.core.models import User
+from authentik.flows.models import Flow
+from authentik.providers.oauth2.constants import (
+    GRANT_TYPE_AUTHORIZATION_CODE,
+    GRANT_TYPE_REFRESH_TOKEN,
+)
+from authentik.providers.oauth2.generators import (
+    generate_client_id,
+    generate_client_secret,
+)
+from authentik.providers.oauth2.models import (
+    AuthorizationCode,
+    OAuth2Provider,
+    RefreshToken,
+)
+from authentik.providers.oauth2.views.token import TokenParams
+
+
+class TestViewsToken(TestCase):
+    """Test token view"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.factory = RequestFactory()
+
+    def test_request_auth_code(self):
+        """test request param"""
+        provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id=generate_client_id(),
+            client_secret=generate_client_secret(),
+            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://local.invalid",
+        )
+        header = b64encode(
+            f"{provider.client_id}:{provider.client_secret}".encode()
+        ).decode()
+        user = User.objects.get(username="akadmin")
+        code = AuthorizationCode.objects.create(
+            code="foobar", provider=provider, user=user
+        )
+        request = self.factory.post(
+            "/",
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                "redirect_uri": "http://local.invalid",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        params = TokenParams.from_request(request)
+        self.assertEqual(params.provider, provider)
+
+    def test_request_refresh_token(self):
+        """test request param"""
+        provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id=generate_client_id(),
+            client_secret=generate_client_secret(),
+            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://local.invalid",
+        )
+        header = b64encode(
+            f"{provider.client_id}:{provider.client_secret}".encode()
+        ).decode()
+        user = User.objects.get(username="akadmin")
+        token: RefreshToken = RefreshToken.objects.create(
+            provider=provider,
+            user=user,
+            refresh_token=generate_client_id(),
+        )
+        request = self.factory.post(
+            "/",
+            data={
+                "grant_type": GRANT_TYPE_REFRESH_TOKEN,
+                "refresh_token": token.refresh_token,
+                "redirect_uri": "http://local.invalid",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        params = TokenParams.from_request(request)
+        self.assertEqual(params.provider, provider)
+
+    def test_auth_code_view(self):
+        """test request param"""
+        provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id=generate_client_id(),
+            client_secret=generate_client_secret(),
+            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://local.invalid",
+        )
+        header = b64encode(
+            f"{provider.client_id}:{provider.client_secret}".encode()
+        ).decode()
+        user = User.objects.get(username="akadmin")
+        code = AuthorizationCode.objects.create(
+            code="foobar", provider=provider, user=user
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
+                "code": code.code,
+                "redirect_uri": "http://local.invalid",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+        )
+        new_token: RefreshToken = RefreshToken.objects.filter(user=user).first()
+        self.assertJSONEqual(
+            force_str(response.content),
+            {
+                "access_token": new_token.access_token,
+                "refresh_token": new_token.refresh_token,
+                "token_type": "bearer",
+                "expires_in": 600,
+                "id_token": provider.encode(
+                    new_token.id_token.to_dict(),
+                ),
+            },
+        )
+
+    def test_refresh_token_view(self):
+        """test request param"""
+        provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id=generate_client_id(),
+            client_secret=generate_client_secret(),
+            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://local.invalid",
+        )
+        header = b64encode(
+            f"{provider.client_id}:{provider.client_secret}".encode()
+        ).decode()
+        user = User.objects.get(username="akadmin")
+        token: RefreshToken = RefreshToken.objects.create(
+            provider=provider,
+            user=user,
+            refresh_token=generate_client_id(),
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_REFRESH_TOKEN,
+                "refresh_token": token.refresh_token,
+                "redirect_uri": "http://local.invalid",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+            HTTP_ORIGIN="http://local.invalid",
+        )
+        new_token: RefreshToken = (
+            RefreshToken.objects.filter(user=user).exclude(pk=token.pk).first()
+        )
+        self.assertEqual(response["Access-Control-Allow-Credentials"], "true")
+        self.assertEqual(
+            response["Access-Control-Allow-Origin"], "http://local.invalid"
+        )
+        self.assertJSONEqual(
+            force_str(response.content),
+            {
+                "access_token": new_token.access_token,
+                "refresh_token": new_token.refresh_token,
+                "token_type": "bearer",
+                "expires_in": 600,
+                "id_token": provider.encode(
+                    new_token.id_token.to_dict(),
+                ),
+            },
+        )
+
+    def test_refresh_token_view_invalid_origin(self):
+        """test request param"""
+        provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id=generate_client_id(),
+            client_secret=generate_client_secret(),
+            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://local.invalid",
+        )
+        header = b64encode(
+            f"{provider.client_id}:{provider.client_secret}".encode()
+        ).decode()
+        user = User.objects.get(username="akadmin")
+        token: RefreshToken = RefreshToken.objects.create(
+            provider=provider,
+            user=user,
+            refresh_token=generate_client_id(),
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            data={
+                "grant_type": GRANT_TYPE_REFRESH_TOKEN,
+                "refresh_token": token.refresh_token,
+                "redirect_uri": "http://local.invalid",
+            },
+            HTTP_AUTHORIZATION=f"Basic {header}",
+            HTTP_ORIGIN="http://another.invalid",
+        )
+        new_token: RefreshToken = (
+            RefreshToken.objects.filter(user=user).exclude(pk=token.pk).first()
+        )
+        self.assertNotIn("Access-Control-Allow-Credentials", response)
+        self.assertNotIn("Access-Control-Allow-Origin", response)
+        self.assertJSONEqual(
+            force_str(response.content),
+            {
+                "access_token": new_token.access_token,
+                "refresh_token": new_token.refresh_token,
+                "token_type": "bearer",
+                "expires_in": 600,
+                "id_token": provider.encode(
+                    new_token.id_token.to_dict(),
+                ),
+            },
+        )
--- a/authentik/providers/oauth2/utils.py
+++ b/authentik/providers/oauth2/utils.py
@ -2,9 +2,11 @@
 import re
 from base64 import b64decode
 from binascii import Error
-from typing import Optional
+from typing import Any, Optional
+from urllib.parse import urlparse

 from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.http.response import HttpResponseRedirect
 from django.utils.cache import patch_vary_headers
 from structlog.stdlib import get_logger

@ -25,15 +27,34 @@ class TokenResponse(JsonResponse):
        self["Pragma"] = "no-cache"


-def cors_allow_any(request, response):
-    """
-    Add headers to permit CORS requests from any origin, with or without credentials,
-    with any headers.
-    """
+def cors_allow(request: HttpRequest, response: HttpResponse, *allowed_origins: str):
+    """Add headers to permit CORS requests from allowed_origins, with or without credentials,
+    with any headers."""
    origin = request.META.get("HTTP_ORIGIN")
    if not origin:
        return response

+    # OPTIONS requests don't have an authorization header -> hence
+    # we can't extract the provider this request is for
+    # so for options requests we allow the calling origin without checking
+    allowed = request.method == "OPTIONS"
+    received_origin = urlparse(origin)
+    for allowed_origin in allowed_origins:
+        url = urlparse(allowed_origin)
+        if (
+            received_origin.scheme == url.scheme
+            and received_origin.hostname == url.hostname
+            and received_origin.port == url.port
+        ):
+            allowed = True
+    if not allowed:
+        LOGGER.warning(
+            "CORS: Origin is not an allowed origin",
+            requested=origin,
+            allowed=allowed_origins,
+        )
+        return response
+
    # From the CORS spec: The string "*" cannot be used for a resource that supports credentials.
    response["Access-Control-Allow-Origin"] = origin
    patch_vary_headers(response, ["Origin"])
@ -141,3 +162,18 @@ def protected_resource_view(scopes: list[str]):
        return view_wrapper

    return wrapper
+
+
+class HttpResponseRedirectScheme(HttpResponseRedirect):
+    """HTTP Response to redirect, can be to a non-http scheme"""
+
+    def __init__(
+        self,
+        redirect_to: str,
+        *args: Any,
+        allowed_schemes: Optional[list[str]] = None,
+        **kwargs: Any,
+    ) -> None:
+        self.allowed_schemes = allowed_schemes or ["http", "https", "ftp"]
+        # pyright: reportGeneralTypeIssues=false
+        super().__init__(redirect_to, *args, **kwargs)
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -2,12 +2,12 @@
 from dataclasses import dataclass, field
 from datetime import timedelta
 from typing import Optional
-from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
+from urllib.parse import parse_qs, urlencode, urlparse, urlsplit, urlunsplit
 from uuid import uuid4

 from django.http import HttpRequest, HttpResponse
-from django.http.response import Http404, HttpResponseRedirect
-from django.shortcuts import get_object_or_404, redirect
+from django.http.response import Http404, HttpResponseBadRequest, HttpResponseRedirect
+from django.shortcuts import get_object_or_404
 from django.utils import timezone
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
@ -46,6 +46,7 @@ from authentik.providers.oauth2.models import (
    OAuth2Provider,
    ResponseTypes,
 )
+from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
 from authentik.providers.oauth2.views.userinfo import UserInfoView
 from authentik.stages.consent.models import ConsentMode, ConsentStage
 from authentik.stages.consent.stage import (
@ -233,9 +234,17 @@ class OAuthFulfillmentStage(StageView):
    params: OAuthAuthorizationParams
    provider: OAuth2Provider

+    def redirect(self, uri: str) -> HttpResponse:
+        """Redirect using HttpResponseRedirectScheme, compatible with non-http schemes"""
+        parsed = urlparse(uri)
+        return HttpResponseRedirectScheme(uri, allowed_schemes=[parsed.scheme])
+
    # pylint: disable=unused-argument
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """final Stage of an OAuth2 Flow"""
+        if PLAN_CONTEXT_PARAMS not in self.executor.plan.context:
+            LOGGER.warning("Got to fulfillment stage with no pending context")
+            return HttpResponseBadRequest()
        self.params: OAuthAuthorizationParams = self.executor.plan.context.pop(
            PLAN_CONTEXT_PARAMS
        )
@ -258,7 +267,7 @@ class OAuthFulfillmentStage(StageView):
                flow=self.executor.plan.flow_pk,
                scopes=", ".join(self.params.scope),
            ).from_http(self.request)
-            return redirect(self.create_response_uri())
+            return self.redirect(self.create_response_uri())
        except (ClientIdError, RedirectUriError) as error:
            error.to_event(application=application).from_http(request)
            self.executor.stage_invalid()
@ -267,7 +276,7 @@ class OAuthFulfillmentStage(StageView):
        except AuthorizeError as error:
            error.to_event(application=application).from_http(request)
            self.executor.stage_invalid()
-            return redirect(error.create_uri())
+            return self.redirect(error.create_uri())

    def create_response_uri(self) -> str:
        """Create a final Response URI the user is redirected to."""
@ -301,7 +310,7 @@ class OAuthFulfillmentStage(StageView):
                return urlunsplit(uri)
            raise OAuth2Error()
        except OAuth2Error as error:
-            LOGGER.exception("Error when trying to create response uri", error=error)
+            LOGGER.warning("Error when trying to create response uri", error=error)
            raise AuthorizeError(
                self.params.redirect_uri,
                "server_error",
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@ -19,7 +19,7 @@ from authentik.providers.oauth2.models import (
    ResponseTypes,
    ScopeMapping,
 )
-from authentik.providers.oauth2.utils import cors_allow_any
+from authentik.providers.oauth2.utils import cors_allow

 LOGGER = get_logger()

@ -30,6 +30,8 @@ PLAN_CONTEXT_SCOPES = "scopes"
 class ProviderInfoView(View):
    """OpenID-compliant Provider Info"""

+    provider: OAuth2Provider
+
    def get_info(self, provider: OAuth2Provider) -> dict[str, Any]:
        """Get dictionary for OpenID Connect information"""
        scopes = list(
@ -95,19 +97,20 @@ class ProviderInfoView(View):
        }

    # pylint: disable=unused-argument
-    def get(
-        self, request: HttpRequest, application_slug: str, *args, **kwargs
-    ) -> HttpResponse:
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """OpenID-compliant Provider Info"""
+        return JsonResponse(
+            self.get_info(self.provider), json_dumps_params={"indent": 2}
+        )

+    def dispatch(
+        self, request: HttpRequest, application_slug: str, *args: Any, **kwargs: Any
+    ) -> HttpResponse:
+        # Since this view only supports get, we can statically set the CORS headers
        application = get_object_or_404(Application, slug=application_slug)
-        provider: OAuth2Provider = get_object_or_404(
+        self.provider: OAuth2Provider = get_object_or_404(
            OAuth2Provider, pk=application.provider_id
        )
-        return JsonResponse(self.get_info(provider), json_dumps_params={"indent": 2})
-
-    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
-        # Since this view only supports get, we can statically set the CORS headers
        response = super().dispatch(request, *args, **kwargs)
-        cors_allow_any(request, response)
+        cors_allow(request, response, *self.provider.redirect_uris.split("\n"))
        return response
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -19,7 +19,11 @@ from authentik.providers.oauth2.models import (
    OAuth2Provider,
    RefreshToken,
 )
-from authentik.providers.oauth2.utils import TokenResponse, extract_client_auth
+from authentik.providers.oauth2.utils import (
+    TokenResponse,
+    cors_allow,
+    extract_client_auth,
+)

 LOGGER = get_logger()

@ -154,7 +158,18 @@ class TokenParams:
 class TokenView(View):
    """Generate tokens for clients"""

-    params: TokenParams
+    params: Optional[TokenParams] = None
+
+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        response = super().dispatch(request, *args, **kwargs)
+        allowed_origins = []
+        if self.params:
+            allowed_origins = self.params.provider.redirect_uris.split("\n")
+        cors_allow(self.request, response, *allowed_origins)
+        return response
+
+    def options(self, request: HttpRequest) -> HttpResponse:
+        return TokenResponse({})

    def post(self, request: HttpRequest) -> HttpResponse:
        """Generate tokens for clients"""
@ -198,7 +213,7 @@ class TokenView(View):
        response_dict = {
            "access_token": refresh_token.access_token,
            "refresh_token": refresh_token.refresh_token,
-            "token_type": "Bearer",
+            "token_type": "bearer",
            "expires_in": timedelta_from_string(
                self.params.provider.token_validity
            ).seconds,
--- a/authentik/providers/oauth2/views/userinfo.py
+++ b/authentik/providers/oauth2/views/userinfo.py
@ -1,7 +1,8 @@
 """authentik OAuth2 OpenID Userinfo views"""
-from typing import Any
+from typing import Any, Optional

 from django.http import HttpRequest, HttpResponse
+from django.http.response import HttpResponseBadRequest
 from django.utils.translation import gettext_lazy as _
 from django.views import View
 from structlog.stdlib import get_logger
@ -13,7 +14,7 @@ from authentik.providers.oauth2.constants import (
    SCOPE_GITHUB_USER_READ,
 )
 from authentik.providers.oauth2.models import RefreshToken, ScopeMapping
-from authentik.providers.oauth2.utils import TokenResponse, cors_allow_any
+from authentik.providers.oauth2.utils import TokenResponse, cors_allow

 LOGGER = get_logger()

@ -22,6 +23,8 @@ class UserInfoView(View):
    """Create a dictionary with all the requested claims about the End-User.
    See: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse"""

+    token: Optional[RefreshToken]
+
    def get_scope_descriptions(self, scopes: list[str]) -> list[dict[str, str]]:
        """Get a list of all Scopes's descriptions"""
        scope_descriptions = []
@ -79,16 +82,25 @@ class UserInfoView(View):
            final_claims.update(value)
        return final_claims

+    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        self.token = kwargs.get("token", None)
+        response = super().dispatch(request, *args, **kwargs)
+        allowed_origins = []
+        if self.token:
+            allowed_origins = self.token.provider.redirect_uris.split("\n")
+        cors_allow(self.request, response, *allowed_origins)
+        return response
+
    def options(self, request: HttpRequest) -> HttpResponse:
-        return cors_allow_any(self.request, TokenResponse({}))
+        return TokenResponse({})

    def get(self, request: HttpRequest, **kwargs) -> HttpResponse:
        """Handle GET Requests for UserInfo"""
-        token: RefreshToken = kwargs["token"]
-        claims = self.get_claims(token)
-        claims["sub"] = token.id_token.sub
+        if not self.token:
+            return HttpResponseBadRequest()
+        claims = self.get_claims(self.token)
+        claims["sub"] = self.token.id_token.sub
        response = TokenResponse(claims)
-        cors_allow_any(self.request, response)
        return response

    def post(self, request: HttpRequest, **kwargs) -> HttpResponse:
--- a/authentik/providers/proxy/managed.py
+++ b/authentik/providers/proxy/managed.py
@ -21,7 +21,7 @@ class ProxyScopeMappingManager(ObjectManager):
            EnsureExists(
                ScopeMapping,
                "goauthentik.io/providers/proxy/scope-proxy",
-                name="authentik default OAuth Mapping: proxy outpost",
+                name="authentik default OAuth Mapping: Proxy outpost",
                scope_name=SCOPE_AK_PROXY,
                expression=SCOPE_AK_PROXY_EXPRESSION,
            ),
--- a/authentik/root/messages/storage.py
+++ b/authentik/root/messages/storage.py
@ -1,13 +1,12 @@
 """Channels Messages storage"""
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
-from django.contrib.messages.storage.base import Message
-from django.contrib.messages.storage.fallback import FallbackStorage
+from django.contrib.messages.storage.base import BaseStorage, Message
 from django.core.cache import cache
 from django.http.request import HttpRequest


-class ChannelsStorage(FallbackStorage):
+class ChannelsStorage(BaseStorage):
    """Send contrib.messages over websocket"""

    def __init__(self, request: HttpRequest) -> None:
@ -15,6 +14,9 @@ class ChannelsStorage(FallbackStorage):
        super().__init__(request)
        self.channel = get_channel_layer()

+    def _get(self):
+        return [], True
+
    def _store(self, messages: list[Message], response, *args, **kwargs):
        prefix = f"user_{self.request.session.session_key}_messages_"
        keys = cache.keys(f"{prefix}*")
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -143,7 +143,7 @@ SWAGGER_SETTINGS = {
        "authentik.api.pagination_schema.PaginationInspector",
    ],
    "SECURITY_DEFINITIONS": {
-        "token": {"type": "apiKey", "name": "Authorization", "in": "header"}
+        "Bearer": {"type": "apiKey", "name": "Authorization", "in": "header"}
    },
 }

@ -254,8 +254,8 @@ EMAIL_HOST = CONFIG.y("email.host")
 EMAIL_PORT = int(CONFIG.y("email.port"))
 EMAIL_HOST_USER = CONFIG.y("email.username")
 EMAIL_HOST_PASSWORD = CONFIG.y("email.password")
-EMAIL_USE_TLS = CONFIG.y("email.use_tls")
-EMAIL_USE_SSL = CONFIG.y("email.use_ssl")
+EMAIL_USE_TLS = CONFIG.y_bool("email.use_tls", True)
+EMAIL_USE_SSL = CONFIG.y_bool("email.use_ssl", False)
 EMAIL_TIMEOUT = int(CONFIG.y("email.timeout"))
 DEFAULT_FROM_EMAIL = CONFIG.y("email.from")
 SERVER_EMAIL = DEFAULT_FROM_EMAIL
@ -337,7 +337,8 @@ if CONFIG.y("postgresql.s3_backup"):

 # Sentry integration
 _ERROR_REPORTING = CONFIG.y_bool("error_reporting.enabled", False)
-if not DEBUG and _ERROR_REPORTING:
+if _ERROR_REPORTING:
+    # pylint: disable=abstract-class-instantiated
    sentry_init(
        dsn="https://a579bb09306d4f8b8d8847c052d3a1d3@sentry.beryju.org/8",
        integrations=[
--- a/authentik/root/websocket.py
+++ b/authentik/root/websocket.py
@ -2,10 +2,13 @@
 from channels.auth import AuthMiddlewareStack
 from django.urls import path

+from authentik.lib.sentry import SentryWSMiddleware
 from authentik.outposts.channels import OutpostConsumer
 from authentik.root.messages.consumer import MessageConsumer

 websocket_urlpatterns = [
-    path("ws/outpost/<uuid:pk>/", OutpostConsumer.as_asgi()),
-    path("ws/client/", AuthMiddlewareStack(MessageConsumer.as_asgi())),
+    path("ws/outpost/<uuid:pk>/", SentryWSMiddleware(OutpostConsumer.as_asgi())),
+    path(
+        "ws/client/", AuthMiddlewareStack(SentryWSMiddleware(MessageConsumer.as_asgi()))
+    ),
 ]
--- a/authentik/sources/ldap/settings.py
+++ b/authentik/sources/ldap/settings.py
@ -8,7 +8,7 @@ AUTHENTICATION_BACKENDS = [
 CELERY_BEAT_SCHEDULE = {
    "sources_ldap_sync": {
        "task": "authentik.sources.ldap.tasks.ldap_sync_all",
-        "schedule": crontab(minute=0),  # Run every hour
+        "schedule": crontab(minute="*/60"),  # Run every hour
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/sources/ldap/sync/groups.py
+++ b/authentik/sources/ldap/sync/groups.py
@ -1,9 +1,11 @@
 """Sync LDAP Users and groups into authentik"""
 import ldap3
 import ldap3.core.exceptions
+from django.core.exceptions import FieldError
 from django.db.utils import IntegrityError

 from authentik.core.models import Group
+from authentik.events.models import Event, EventAction
 from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer


@ -47,14 +49,17 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                        "defaults": defaults,
                    }
                )
-            except IntegrityError as exc:
-                self._logger.warning("Failed to create group", exc=exc)
-                self._logger.warning(
-                    (
-                        "To merge new group with existing group, set the group's "
+            except (IntegrityError, FieldError) as exc:
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message=(
+                        f"Failed to create group: {str(exc)} "
+                        "To merge new group with existing group, set the groups's "
                        f"Attribute '{LDAP_UNIQUENESS}' to '{uniq}'"
-                    )
-                )
+                    ),
+                    source=self._source,
+                    dn=group_dn,
+                ).save()
            else:
                self._logger.debug("Synced group", group=ak_group.name, created=created)
                group_count += 1
--- a/authentik/sources/ldap/sync/users.py
+++ b/authentik/sources/ldap/sync/users.py
@ -3,6 +3,7 @@ from datetime import datetime

 import ldap3
 import ldap3.core.exceptions
+from django.core.exceptions import FieldError
 from django.db.utils import IntegrityError
 from pytz import UTC

@ -48,7 +49,7 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                        "defaults": defaults,
                    }
                )
-            except IntegrityError as exc:
+            except (IntegrityError, FieldError) as exc:
                Event.new(
                    EventAction.CONFIGURATION_ERROR,
                    message=(
--- a/authentik/sources/oauth/api/source.py
+++ b/authentik/sources/oauth/api/source.py
@ -5,6 +5,7 @@ from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, CharField, SerializerMethodField
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import ValidationError
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.sources import SourceSerializer
@ -47,6 +48,20 @@ class OAuthSourceSerializer(SourceSerializer):
        """Get source's type configuration"""
        return SourceTypeSerializer(instace.type).data

+    def validate(self, attrs: dict) -> dict:
+        provider_type = MANAGER.find_type(attrs.get("provider_type", ""))
+        for url in [
+            "authorization_url",
+            "access_token_url",
+            "profile_url",
+        ]:
+            if getattr(provider_type, url, None) is None:
+                if url not in attrs:
+                    raise ValidationError(
+                        f"{url} is required for provider {provider_type.name}"
+                    )
+        return attrs
+
    class Meta:
        model = OAuthSource
        fields = SourceSerializer.Meta.fields + [
--- a/authentik/sources/oauth/clients/base.py
+++ b/authentik/sources/oauth/clients/base.py
@ -9,6 +9,7 @@ from requests.models import Response
 from structlog.stdlib import get_logger

 from authentik import __version__
+from authentik.events.models import Event, EventAction
 from authentik.sources.oauth.models import OAuthSource

 LOGGER = get_logger()
@ -39,8 +40,11 @@ class BaseOAuthClient:

    def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
        "Fetch user profile information."
+        profile_url = self.source.type.profile_url or ""
+        if self.source.type.urls_customizable and self.source.profile_url:
+            profile_url = self.source.profile_url
        try:
-            response = self.do_request("get", self.source.profile_url, token=token)
+            response = self.do_request("get", profile_url, token=token)
            response.raise_for_status()
        except RequestException as exc:
            LOGGER.warning("Unable to fetch user profile", exc=exc)
@ -59,7 +63,16 @@ class BaseOAuthClient:
        args.update(additional)
        params = urlencode(args)
        LOGGER.info("redirect args", **args)
-        return f"{self.source.authorization_url}?{params}"
+        authorization_url = self.source.type.authorization_url or ""
+        if self.source.type.urls_customizable and self.source.authorization_url:
+            authorization_url = self.source.authorization_url
+        if authorization_url == "":
+            Event.new(
+                EventAction.CONFIGURATION_ERROR,
+                source=self.source,
+                message="Source has an empty authorization URL.",
+            ).save()
+        return f"{authorization_url}?{params}"

    def parse_raw_token(self, raw_token: str) -> dict[str, Any]:
        "Parse token and secret from raw token response."
--- a/authentik/sources/oauth/clients/oauth1.py
+++ b/authentik/sources/oauth/clients/oauth1.py
@ -28,9 +28,12 @@ class OAuthClient(BaseOAuthClient):
        if raw_token is not None and verifier is not None:
            token = self.parse_raw_token(raw_token)
            try:
+                access_token_url = self.source.type.access_token_url or ""
+                if self.source.type.urls_customizable and self.source.access_token_url:
+                    access_token_url = self.source.access_token_url
                response = self.do_request(
                    "post",
-                    self.source.access_token_url,
+                    access_token_url,
                    token=token,
                    headers=self._default_headers,
                    oauth_verifier=verifier,
@ -48,9 +51,12 @@ class OAuthClient(BaseOAuthClient):
        "Fetch the OAuth request token. Only required for OAuth 1.0."
        callback = self.request.build_absolute_uri(self.callback)
        try:
+            request_token_url = self.source.type.request_token_url or ""
+            if self.source.type.urls_customizable and self.source.request_token_url:
+                request_token_url = self.source.request_token_url
            response = self.do_request(
                "post",
-                self.source.request_token_url,
+                request_token_url,
                headers=self._default_headers,
                oauth_callback=callback,
            )
--- a/authentik/sources/oauth/clients/oauth2.py
+++ b/authentik/sources/oauth/clients/oauth2.py
@ -56,9 +56,12 @@ class OAuth2Client(BaseOAuthClient):
            LOGGER.warning("No code returned by the source")
            return None
        try:
+            access_token_url = self.source.type.access_token_url or ""
+            if self.source.type.urls_customizable and self.source.access_token_url:
+                access_token_url = self.source.access_token_url
            response = self.session.request(
                "post",
-                self.source.access_token_url,
+                access_token_url,
                data=args,
                headers=self._default_headers,
            )
--- a/authentik/sources/oauth/migrations/0003_auto_20210416_0726.py
+++ b/authentik/sources/oauth/migrations/0003_auto_20210416_0726.py
@ -0,0 +1,43 @@
+# Generated by Django 3.2 on 2021-04-16 07:26
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_oauth", "0002_auto_20200520_1108"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="oauthsource",
+            name="access_token_url",
+            field=models.CharField(
+                blank=True,
+                help_text="URL used by authentik to retrive tokens.",
+                max_length=255,
+                verbose_name="Access Token URL",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="oauthsource",
+            name="authorization_url",
+            field=models.CharField(
+                blank=True,
+                help_text="URL the user is redirect to to conest the flow.",
+                max_length=255,
+                verbose_name="Authorization URL",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="oauthsource",
+            name="profile_url",
+            field=models.CharField(
+                blank=True,
+                help_text="URL used by authentik to get user information.",
+                max_length=255,
+                verbose_name="Profile URL",
+            ),
+        ),
+    ]
--- a/authentik/sources/oauth/migrations/0004_auto_20210417_1900.py
+++ b/authentik/sources/oauth/migrations/0004_auto_20210417_1900.py
@ -0,0 +1,79 @@
+# Generated by Django 3.2 on 2021-04-17 19:00
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def update_empty_urls(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    OAuthSource = apps.get_model("authentik_sources_oauth", "oauthsource")
+
+    db_alias = schema_editor.connection.alias
+
+    for source in OAuthSource.objects.using(db_alias).all():
+        changed = False
+        if source.access_token_url == "":
+            source.access_token_url = None
+            changed = True
+        if source.authorization_url == "":
+            source.authorization_url = None
+            changed = True
+        if source.profile_url == "":
+            source.profile_url = None
+            changed = True
+        if source.request_token_url == "":
+            source.request_token_url = None
+            changed = True
+
+        if changed:
+            source.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_sources_oauth", "0003_auto_20210416_0726"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="oauthsource",
+            name="access_token_url",
+            field=models.CharField(
+                help_text="URL used by authentik to retrive tokens.",
+                max_length=255,
+                null=True,
+                verbose_name="Access Token URL",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="oauthsource",
+            name="authorization_url",
+            field=models.CharField(
+                help_text="URL the user is redirect to to conest the flow.",
+                max_length=255,
+                null=True,
+                verbose_name="Authorization URL",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="oauthsource",
+            name="profile_url",
+            field=models.CharField(
+                help_text="URL used by authentik to get user information.",
+                max_length=255,
+                null=True,
+                verbose_name="Profile URL",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="oauthsource",
+            name="request_token_url",
+            field=models.CharField(
+                help_text="URL used to request the initial token. This URL is only required for OAuth 1.",
+                max_length=255,
+                null=True,
+                verbose_name="Request Token URL",
+            ),
+        ),
+        migrations.RunPython(update_empty_urls),
+    ]
--- a/authentik/sources/oauth/models.py
+++ b/authentik/sources/oauth/models.py
@ -19,7 +19,7 @@ class OAuthSource(Source):

    provider_type = models.CharField(max_length=255)
    request_token_url = models.CharField(
-        blank=True,
+        null=True,
        max_length=255,
        verbose_name=_("Request Token URL"),
        help_text=_(
@ -28,16 +28,19 @@ class OAuthSource(Source):
    )
    authorization_url = models.CharField(
        max_length=255,
+        null=True,
        verbose_name=_("Authorization URL"),
        help_text=_("URL the user is redirect to to conest the flow."),
    )
    access_token_url = models.CharField(
        max_length=255,
+        null=True,
        verbose_name=_("Access Token URL"),
        help_text=_("URL used by authentik to retrive tokens."),
    )
    profile_url = models.CharField(
        max_length=255,
+        null=True,
        verbose_name=_("Profile URL"),
        help_text=_("URL used by authentik to get user information."),
    )
@ -49,7 +52,7 @@ class OAuthSource(Source):
        """Return the provider instance for this source"""
        from authentik.sources.oauth.types.manager import MANAGER

-        return MANAGER.find_type(self)
+        return MANAGER.find_type(self.provider_type)

    @property
    def component(self) -> str:
@ -160,6 +163,16 @@ class OpenIDOAuthSource(OAuthSource):
        verbose_name_plural = _("OpenID OAuth Sources")


+class PlexOAuthSource(OAuthSource):
+    """Login using plex.tv."""
+
+    class Meta:
+
+        abstract = True
+        verbose_name = _("Plex OAuth Source")
+        verbose_name_plural = _("Plex OAuth Sources")
+
+
 class UserOAuthSourceConnection(UserSourceConnection):
    """Authorized remote OAuth provider."""

--- a/authentik/sources/oauth/settings.py
+++ b/authentik/sources/oauth/settings.py
@ -9,4 +9,5 @@ AUTHENTIK_SOURCES_OAUTH_TYPES = [
    "authentik.sources.oauth.types.twitter",
    "authentik.sources.oauth.types.azure_ad",
    "authentik.sources.oauth.types.oidc",
+    "authentik.sources.oauth.types.plex",
 ]
--- a/authentik/sources/oauth/tests/test_views.py
+++ b/authentik/sources/oauth/tests/test_views.py
@ -2,6 +2,7 @@
 from django.test import TestCase
 from django.urls import reverse

+from authentik.sources.oauth.api.source import OAuthSourceSerializer
 from authentik.sources.oauth.models import OAuthSource


@ -18,6 +19,31 @@ class TestOAuthSource(TestCase):
            consumer_key="",
        )

+    def test_api_validate(self):
+        """Test API validation"""
+        self.assertTrue(
+            OAuthSourceSerializer(
+                data={
+                    "name": "foo",
+                    "slug": "bar",
+                    "provider_type": "google",
+                    "consumer_key": "foo",
+                    "consumer_secret": "foo",
+                }
+            ).is_valid()
+        )
+        self.assertFalse(
+            OAuthSourceSerializer(
+                data={
+                    "name": "foo",
+                    "slug": "bar",
+                    "provider_type": "openid-connect",
+                    "consumer_key": "foo",
+                    "consumer_secret": "foo",
+                }
+            ).is_valid()
+        )
+
    def test_source_redirect(self):
        """test redirect view"""
        self.client.get(
--- a/authentik/sources/oauth/types/azure_ad.py
+++ b/authentik/sources/oauth/types/azure_ad.py
@ -1,5 +1,5 @@
 """AzureAD OAuth2 Views"""
-from typing import Any
+from typing import Any, Optional
 from uuid import UUID

 from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
@ -10,8 +10,11 @@ from authentik.sources.oauth.views.callback import OAuthCallback
 class AzureADOAuthCallback(OAuthCallback):
    """AzureAD OAuth2 Callback"""

-    def get_user_id(self, source: OAuthSource, info: dict[str, Any]) -> str:
-        return str(UUID(info.get("objectId")).int)
+    def get_user_id(self, source: OAuthSource, info: dict[str, Any]) -> Optional[str]:
+        try:
+            return str(UUID(info.get("objectId")).int)
+        except TypeError:
+            return None

    def get_user_enroll_context(
        self,
--- a/authentik/sources/oauth/types/manager.py
+++ b/authentik/sources/oauth/types/manager.py
@ -1,6 +1,6 @@
 """Source type manager"""
 from enum import Enum
-from typing import TYPE_CHECKING, Callable, Optional
+from typing import Callable, Optional

 from structlog.stdlib import get_logger

@ -9,9 +9,6 @@ from authentik.sources.oauth.views.redirect import OAuthRedirect

 LOGGER = get_logger()

-if TYPE_CHECKING:
-    from authentik.sources.oauth.models import OAuthSource
-

 class RequestKind(Enum):
    """Enum of OAuth Request types"""
@ -58,24 +55,24 @@ class SourceTypeManager:
        """Get list of tuples of all registered names"""
        return [(x.slug, x.name) for x in self.__sources]

-    def find_type(self, source: "OAuthSource") -> SourceType:
+    def find_type(self, type_name: str) -> SourceType:
        """Find type based on source"""
        found_type = None
        for src_type in self.__sources:
-            if src_type.slug == source.provider_type:
+            if src_type.slug == type_name:
                return src_type
        if not found_type:
            found_type = SourceType()
            LOGGER.warning(
                "no matching type found, using default",
-                wanted=source.provider_type,
-                have=[x.name for x in self.__sources],
+                wanted=type_name,
+                have=[x.slug for x in self.__sources],
            )
        return found_type

-    def find(self, source: "OAuthSource", kind: RequestKind) -> Callable:
+    def find(self, type_name: str, kind: RequestKind) -> Callable:
        """Find fitting Source Type"""
-        found_type = self.find_type(source)
+        found_type = self.find_type(type_name)
        if kind == RequestKind.CALLBACK:
            return found_type.callback_view
        if kind == RequestKind.REDIRECT:
--- a/authentik/sources/oauth/types/plex.py
+++ b/authentik/sources/oauth/types/plex.py
@ -0,0 +1,134 @@
+"""Plex OAuth Views"""
+from typing import Any, Optional
+from urllib.parse import urlencode
+
+from django.http.response import Http404
+from requests import post
+from requests.api import get
+from requests.exceptions import RequestException
+from structlog.stdlib import get_logger
+
+from authentik import __version__
+from authentik.sources.oauth.clients.oauth2 import OAuth2Client
+from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
+from authentik.sources.oauth.types.manager import MANAGER, SourceType
+from authentik.sources.oauth.views.callback import OAuthCallback
+from authentik.sources.oauth.views.redirect import OAuthRedirect
+
+LOGGER = get_logger()
+SESSION_ID_KEY = "PLEX_ID"
+SESSION_CODE_KEY = "PLEX_CODE"
+DEFAULT_PAYLOAD = {
+    "X-Plex-Product": "authentik",
+    "X-Plex-Version": __version__,
+    "X-Plex-Device-Vendor": "BeryJu.org",
+}
+
+
+class PlexRedirect(OAuthRedirect):
+    """Plex Auth redirect, get a pin then redirect to a URL to claim it"""
+
+    headers = {}
+
+    def get_pin(self, **data) -> dict:
+        """Get plex pin that the user will claim
+        https://forums.plex.tv/t/authenticating-with-plex/609370"""
+        return post(
+            "https://plex.tv/api/v2/pins.json?strong=true",
+            data=data,
+            headers=self.headers,
+        ).json()
+
+    def get_redirect_url(self, **kwargs) -> str:
+        slug = kwargs.get("source_slug", "")
+        self.headers = {"Origin": self.request.build_absolute_uri("/")}
+        try:
+            source: OAuthSource = OAuthSource.objects.get(slug=slug)
+        except OAuthSource.DoesNotExist:
+            raise Http404(f"Unknown OAuth source '{slug}'.")
+        else:
+            payload = DEFAULT_PAYLOAD.copy()
+            payload["X-Plex-Client-Identifier"] = source.consumer_key
+            # Get a pin first
+            pin = self.get_pin(**payload)
+            LOGGER.debug("Got pin", **pin)
+            self.request.session[SESSION_ID_KEY] = pin["id"]
+            self.request.session[SESSION_CODE_KEY] = pin["code"]
+            qs = {
+                "clientID": source.consumer_key,
+                "code": pin["code"],
+                "forwardUrl": self.request.build_absolute_uri(
+                    self.get_callback_url(source)
+                ),
+            }
+            return f"https://app.plex.tv/auth#!?{urlencode(qs)}"
+
+
+class PlexOAuthClient(OAuth2Client):
+    """Retrive the plex token after authentication, then ask the plex API about user info"""
+
+    def check_application_state(self) -> bool:
+        return SESSION_ID_KEY in self.request.session
+
+    def get_access_token(self, **request_kwargs) -> Optional[dict[str, Any]]:
+        payload = dict(DEFAULT_PAYLOAD)
+        payload["X-Plex-Client-Identifier"] = self.source.consumer_key
+        payload["Accept"] = "application/json"
+        response = get(
+            f"https://plex.tv/api/v2/pins/{self.request.session[SESSION_ID_KEY]}",
+            headers=payload,
+        )
+        response.raise_for_status()
+        token = response.json()["authToken"]
+        return {"plex_token": token}
+
+    def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
+        "Fetch user profile information."
+        qs = {"X-Plex-Token": token["plex_token"]}
+        try:
+            response = self.do_request(
+                "get", f"https://plex.tv/users/account.json?{urlencode(qs)}"
+            )
+            response.raise_for_status()
+        except RequestException as exc:
+            LOGGER.warning("Unable to fetch user profile", exc=exc)
+            return None
+        else:
+            return response.json().get("user", {})
+
+
+class PlexOAuth2Callback(OAuthCallback):
+    """Plex OAuth2 Callback"""
+
+    client_class = PlexOAuthClient
+
+    def get_user_id(
+        self, source: UserOAuthSourceConnection, info: dict[str, Any]
+    ) -> Optional[str]:
+        return info.get("uuid")
+
+    def get_user_enroll_context(
+        self,
+        source: OAuthSource,
+        access: UserOAuthSourceConnection,
+        info: dict[str, Any],
+    ) -> dict[str, Any]:
+        return {
+            "username": info.get("username"),
+            "email": info.get("email"),
+            "name": info.get("title"),
+        }
+
+
+@MANAGER.type()
+class PlexType(SourceType):
+    """Plex Type definition"""
+
+    redirect_view = PlexRedirect
+    callback_view = PlexOAuth2Callback
+    name = "Plex"
+    slug = "plex"
+
+    authorization_url = ""
+    access_token_url = ""  # nosec
+    profile_url = ""
--- a/authentik/sources/oauth/views/base.py
+++ b/authentik/sources/oauth/views/base.py
@ -2,12 +2,15 @@
 from typing import Optional, Type

 from django.http.request import HttpRequest
+from structlog.stdlib import get_logger

 from authentik.sources.oauth.clients.base import BaseOAuthClient
 from authentik.sources.oauth.clients.oauth1 import OAuthClient
 from authentik.sources.oauth.clients.oauth2 import OAuth2Client
 from authentik.sources.oauth.models import OAuthSource

+LOGGER = get_logger()
+

 # pylint: disable=too-few-public-methods
 class OAuthClientMixin:
@ -22,6 +25,9 @@ class OAuthClientMixin:
        if self.client_class is not None:
            # pylint: disable=not-callable
            return self.client_class(source, self.request, **kwargs)
-        if source.request_token_url:
-            return OAuthClient(source, self.request, **kwargs)
-        return OAuth2Client(source, self.request, **kwargs)
+        if source.type.request_token_url or source.request_token_url:
+            client = OAuthClient(source, self.request, **kwargs)
+        else:
+            client = OAuth2Client(source, self.request, **kwargs)
+        LOGGER.debug("Using client for oauth request", client=client)
+        return client
--- a/authentik/sources/oauth/views/callback.py
+++ b/authentik/sources/oauth/views/callback.py
@ -209,9 +209,9 @@ class OAuthCallback(OAuthClientMixin, View):
        )
        return redirect(
            reverse(
-                "authentik_sources_oauth:oauth-client-user",
-                kwargs={"source_slug": self.source.slug},
+                "authentik_core:if-admin",
            )
+            + f"#/user;page-{self.source.slug}"
        )

    def handle_enroll(
--- a/authentik/sources/oauth/views/dispatcher.py
+++ b/authentik/sources/oauth/views/dispatcher.py
@ -21,6 +21,6 @@ class DispatcherView(View):
        if not slug:
            raise Http404
        source = get_object_or_404(OAuthSource, slug=slug)
-        view = MANAGER.find(source, kind=RequestKind(self.kind))
+        view = MANAGER.find(source.provider_type, kind=RequestKind(self.kind))
        LOGGER.debug("dispatching OAuth2 request to", view=view, kind=self.kind)
        return view.as_view()(*args, **kwargs)
--- a/authentik/sources/saml/processors/response.py
+++ b/authentik/sources/saml/processors/response.py
@ -39,13 +39,13 @@ from authentik.sources.saml.processors.constants import (
 from authentik.sources.saml.processors.request import SESSION_REQUEST_ID
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
+from authentik.stages.user_login.stage import DEFAULT_BACKEND

 LOGGER = get_logger()
 if TYPE_CHECKING:
    from xml.etree.ElementTree import Element  # nosec

 CACHE_SEEN_REQUEST_ID = "authentik_saml_seen_ids_%s"
-DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"


 class ResponseProcessor:
--- a/authentik/stages/email/api.py
+++ b/authentik/stages/email/api.py
@ -52,7 +52,6 @@ class EmailStageViewSet(ModelViewSet):
    queryset = EmailStage.objects.all()
    serializer_class = EmailStageSerializer

-    # TODO: Validate connection settings when use_global_settings is unchecked
    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def templates(self, request: Request) -> Response:
@ -64,6 +63,7 @@ class EmailStageViewSet(ModelViewSet):
                    "name": value,
                    "description": label,
                    "component": "",
+                    "model_name": "",
                }
            )
        return Response(TypeCreateSerializer(choices, many=True).data)
--- a/authentik/stages/email/tasks.py
+++ b/authentik/stages/email/tasks.py
@ -68,7 +68,7 @@ def send_mail(
                messages=["Successfully sent Mail."],
            )
        )
-    except (SMTPException, ConnectionError) as exc:
+    except (SMTPException, ConnectionError, ValueError) as exc:
        LOGGER.debug("Error sending email, retrying...", exc=exc)
        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
        raise exc
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@ -1,5 +1,6 @@
 """Identification stage logic"""
 from dataclasses import asdict
+from time import sleep
 from typing import Optional

 from django.db.models import Q
@ -46,6 +47,7 @@ class IdentificationChallengeResponse(ChallengeResponse):
        """Validate that user exists"""
        pre_user = self.stage.get_user(value)
        if not pre_user:
+            sleep(0.150)
            LOGGER.debug("invalid_login", identifier=value)
            raise ValidationError("Failed to authenticate.")
        self.pre_user = pre_user
@ -68,7 +70,7 @@ class IdentificationStageView(ChallengeStageView):
            else:
                model_field += "__exact"
            query |= Q(**{model_field: uid_value})
-        users = User.objects.filter(query)
+        users = User.objects.filter(query, is_active=True)
        if users.exists():
            LOGGER.debug("Found user", user=users.first(), query=query)
            return users.first()
--- a/authentik/stages/invitation/api.py
+++ b/authentik/stages/invitation/api.py
@ -1,7 +1,10 @@
 """Invitation Stage API Views"""
+from rest_framework.fields import JSONField
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

+from authentik.core.api.users import UserSerializer
+from authentik.core.api.utils import is_dict
 from authentik.flows.api.stages import StageSerializer
 from authentik.stages.invitation.models import Invitation, InvitationStage

@ -27,6 +30,9 @@ class InvitationStageViewSet(ModelViewSet):
 class InvitationSerializer(ModelSerializer):
    """Invitation Serializer"""

+    created_by = UserSerializer(read_only=True)
+    fixed_data = JSONField(validators=[is_dict], required=False)
+
    class Meta:

        model = Invitation
@ -36,7 +42,6 @@ class InvitationSerializer(ModelSerializer):
            "fixed_data",
            "created_by",
        ]
-        depth = 2


 class InvitationViewSet(ModelViewSet):
--- a/authentik/stages/invitation/stage.py
+++ b/authentik/stages/invitation/stage.py
@ -1,8 +1,11 @@
 """invitation stage logic"""
+from typing import Optional
+
 from django.http import HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404

 from authentik.flows.stage import StageView
+from authentik.flows.views import SESSION_KEY_GET
 from authentik.stages.invitation.models import Invitation, InvitationStage
 from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
@ -14,16 +17,26 @@ INVITATION_IN_EFFECT = "invitation_in_effect"
 class InvitationStageView(StageView):
    """Finalise Authentication flow by logging the user in"""

+    def get_token(self) -> Optional[str]:
+        """Get token from saved get-arguments or prompt_data"""
+        if INVITATION_TOKEN_KEY in self.request.session.get(SESSION_KEY_GET, {}):
+            return self.request.session[SESSION_KEY_GET][INVITATION_TOKEN_KEY]
+        if INVITATION_TOKEN_KEY in self.executor.plan.context.get(
+            PLAN_CONTEXT_PROMPT, {}
+        ):
+            return self.executor.plan.context[PLAN_CONTEXT_PROMPT][INVITATION_TOKEN_KEY]
+        return None
+
    def get(self, request: HttpRequest) -> HttpResponse:
        """Apply data to the current flow based on a URL"""
        stage: InvitationStage = self.executor.current_stage
-        if INVITATION_TOKEN_KEY not in request.GET:
+        token = self.get_token()
+        if not token:
            # No Invitation was given, raise error or continue
            if stage.continue_flow_without_invitation:
                return self.executor.stage_ok()
            return self.executor.stage_invalid()

-        token = request.GET[INVITATION_TOKEN_KEY]
        invite: Invitation = get_object_or_404(Invitation, pk=token)
        self.executor.plan.context[PLAN_CONTEXT_PROMPT] = invite.fixed_data
        self.executor.plan.context[INVITATION_IN_EFFECT] = True
--- a/authentik/stages/invitation/tests.py
+++ b/authentik/stages/invitation/tests.py
@ -4,6 +4,7 @@ from unittest.mock import MagicMock, patch
 from django.test import Client, TestCase
 from django.urls import reverse
 from django.utils.encoding import force_str
+from django.utils.http import urlencode
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.test import APITestCase

@ -94,15 +95,11 @@ class TestUserLoginStage(TestCase):
        self.stage.continue_flow_without_invitation = False
        self.stage.save()

-    def test_with_invitation(self):
+    def test_with_invitation_get(self):
        """Test with invitation, check data in session"""
        plan = FlowPlan(
            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
        )
-        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-        plan.context[
-            PLAN_CONTEXT_AUTHENTICATION_BACKEND
-        ] = "django.contrib.auth.backends.ModelBackend"
        session = self.client.session
        session[SESSION_KEY_PLAN] = plan
        session.save()
@ -116,9 +113,39 @@ class TestUserLoginStage(TestCase):
            base_url = reverse(
                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
            )
-            response = self.client.get(
-                base_url + f"?{INVITATION_TOKEN_KEY}={invite.pk.hex}"
+            args = urlencode({INVITATION_TOKEN_KEY: invite.pk.hex})
+            response = self.client.get(base_url + f"?query={args}")
+
+        session = self.client.session
+        plan: FlowPlan = session[SESSION_KEY_PLAN]
+        self.assertEqual(plan.context[PLAN_CONTEXT_PROMPT], data)
+
+        self.assertEqual(response.status_code, 200)
+        self.assertJSONEqual(
+            force_str(response.content),
+            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
+        )
+
+    def test_with_invitation_prompt_data(self):
+        """Test with invitation, check data in session"""
+        data = {"foo": "bar"}
+        invite = Invitation.objects.create(
+            created_by=get_anonymous_user(), fixed_data=data
+        )
+
+        plan = FlowPlan(
+            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
+        )
+        plan.context[PLAN_CONTEXT_PROMPT] = {INVITATION_TOKEN_KEY: invite.pk.hex}
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        with patch("authentik.flows.views.FlowExecutorView.cancel", MagicMock()):
+            base_url = reverse(
+                "authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}
            )
+            response = self.client.get(base_url)

        session = self.client.session
        plan: FlowPlan = session[SESSION_KEY_PLAN]
@ -142,7 +169,9 @@ class TestInvitationsAPI(APITestCase):
    def test_invite_create(self):
        """Test Invitations creation endpoint"""
        response = self.client.post(
-            reverse("authentik_api:invitation-list"), {"identifier": "test-token"}
+            reverse("authentik_api:invitation-list"),
+            {"identifier": "test-token", "fixed_data": {}},
+            format="json",
        )
        self.assertEqual(response.status_code, 201)
        self.assertEqual(Invitation.objects.first().created_by, self.user)
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@ -11,6 +11,7 @@ from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND

 LOGGER = get_logger()
+DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"


 class UserLoginStageView(StageView):
@ -23,12 +24,9 @@ class UserLoginStageView(StageView):
            messages.error(request, message)
            LOGGER.debug(message)
            return self.executor.stage_invalid()
-        if PLAN_CONTEXT_AUTHENTICATION_BACKEND not in self.executor.plan.context:
-            message = _("Pending user has no backend.")
-            messages.error(request, message)
-            LOGGER.debug(message)
-            return self.executor.stage_invalid()
-        backend = self.executor.plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND]
+        backend = self.executor.plan.context.get(
+            PLAN_CONTEXT_AUTHENTICATION_BACKEND, DEFAULT_BACKEND
+        )
        login(
            self.request,
            self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
--- a/authentik/stages/user_login/tests.py
+++ b/authentik/stages/user_login/tests.py
@ -1,4 +1,5 @@
 """login tests"""
+from time import sleep
 from unittest.mock import patch

 from django.test import Client, TestCase
@ -12,7 +13,6 @@ from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.tests.test_views import TO_STAGE_RESPONSE_MOCK
 from authentik.flows.views import SESSION_KEY_PLAN
-from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.user_login.models import UserLoginStage


@ -38,9 +38,6 @@ class TestUserLoginStage(TestCase):
            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
        )
        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-        plan.context[
-            PLAN_CONTEXT_AUTHENTICATION_BACKEND
-        ] = "django.contrib.auth.backends.ModelBackend"
        session = self.client.session
        session[SESSION_KEY_PLAN] = plan
        session.save()
@ -55,6 +52,31 @@ class TestUserLoginStage(TestCase):
            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
        )

+    def test_expiry(self):
+        """Test with expiry"""
+        self.stage.session_duration = "seconds=2"
+        self.stage.save()
+        plan = FlowPlan(
+            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
+        )
+        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertJSONEqual(
+            force_str(response.content),
+            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
+        )
+        self.assertNotEqual(list(self.client.session.keys()), [])
+        sleep(3)
+        self.client.session.clear_expired()
+        self.assertEqual(list(self.client.session.keys()), [])
+
    @patch(
        "authentik.flows.views.to_stage_response",
        TO_STAGE_RESPONSE_MOCK,
@ -82,32 +104,3 @@ class TestUserLoginStage(TestCase):
                "type": ChallengeTypes.NATIVE.value,
            },
        )
-
-    @patch(
-        "authentik.flows.views.to_stage_response",
-        TO_STAGE_RESPONSE_MOCK,
-    )
-    def test_without_backend(self):
-        """Test a plan with pending user, without backend, resulting in a denied"""
-        plan = FlowPlan(
-            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
-        )
-        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
-        session = self.client.session
-        session[SESSION_KEY_PLAN] = plan
-        session.save()
-
-        response = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
-        )
-
-        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(
-            force_str(response.content),
-            {
-                "component": "ak-stage-access-denied",
-                "error_message": None,
-                "title": "",
-                "type": ChallengeTypes.NATIVE.value,
-            },
-        )
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@ -34,6 +34,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
+                sudo apt update
                sudo apt install -y libxmlsec1-dev pkg-config
                sudo pip install -U wheel pipenv
                pipenv install --dev
@ -50,6 +51,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
+                sudo apt update
                sudo apt install -y libxmlsec1-dev pkg-config
                sudo pip install -U wheel pipenv
                pipenv install --dev
@ -66,6 +68,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
+                sudo apt update
                sudo apt install -y libxmlsec1-dev pkg-config
                sudo pip install -U wheel pipenv
                pipenv install --dev
@ -82,6 +85,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
+                sudo apt update
                sudo apt install -y libxmlsec1-dev pkg-config
                sudo pip install -U wheel pipenv
                pipenv install --dev
@ -104,6 +108,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
+                sudo apt update
                sudo apt install -y libxmlsec1-dev pkg-config
                sudo pip install -U wheel pipenv
                pipenv install --dev
@ -128,6 +133,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
+                sudo apt update
                sudo apt install -y libxmlsec1-dev pkg-config
                sudo pip install -U wheel pipenv
                pipenv install --dev
@ -157,6 +163,7 @@ stages:
                # Copy current, latest config to local
                cp authentik/lib/default.yml local.env.yml
                git checkout $(git describe --abbrev=0 --match 'version/*')
+                sudo apt update
                sudo apt install -y libxmlsec1-dev pkg-config
                sudo pip install -U wheel pipenv
                pipenv install --dev
@ -194,6 +201,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
+                sudo apt update
                sudo apt install -y libxmlsec1-dev pkg-config
                sudo pip install -U wheel pipenv
                pipenv install --dev
@ -229,6 +237,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
+                sudo apt update
                sudo apt install -y libxmlsec1-dev pkg-config
                sudo pip install -U wheel pipenv
                pipenv install --dev
@ -271,6 +280,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
+                sudo apt update
                sudo apt install -y libxmlsec1-dev pkg-config
                sudo pip install -U wheel pipenv
                pipenv install --dev --python python3.9
@ -348,6 +358,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
+                sudo apt update
                sudo apt install -y libxmlsec1-dev pkg-config
                sudo pip install -U wheel pipenv
                pipenv install --dev
@ -369,8 +380,6 @@ stages:
                coverage-unittest/unittest.xml
              mergeTestResults: true
          - task: CmdLine@2
-            env:
-              CODECOV_TOKEN: $(CODECOV_TOKEN)
            inputs:
              script: bash <(curl -s https://codecov.io/bash)
  - stage: Build
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -4,6 +4,7 @@ version: '3.2'
 services:
  postgresql:
    image: postgres:12
+    restart: unless-stopped
    volumes:
      - database:/var/lib/postgresql/data
    networks:
@ -19,7 +20,8 @@ services:
    networks:
      - internal
  server:
-    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.1-rc1}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.6}
+    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
@ -33,8 +35,6 @@ services:
      - ./media:/media
      - ./custom-templates:/templates
      - geoip:/geoip
-    ports:
-      - 8000
    networks:
      - internal
    labels:
@ -48,7 +48,8 @@ services:
    env_file:
      - .env
  worker:
-    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.1-rc1}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.6}
+    restart: unless-stopped
    command: worker
    networks:
      - internal
@ -67,7 +68,8 @@ services:
    env_file:
      - .env
  static:
-    image: ${AUTHENTIK_IMAGE_STATIC:-beryju/authentik-static}:${AUTHENTIK_TAG:-2021.4.1-rc1}
+    image: ${AUTHENTIK_IMAGE_STATIC:-beryju/authentik-static}:${AUTHENTIK_TAG:-2021.4.6}
+    restart: unless-stopped
    networks:
      - internal
    labels:
@ -76,13 +78,14 @@ services:
      traefik.http.routers.static-router.rule: PathPrefix(`/static`, `/if`, `/media`, `/robots.txt`, `/favicon.ico`)
      traefik.http.routers.static-router.tls: 'true'
      traefik.http.routers.static-router.service: static-service
-      traefik.http.services.static-service.loadbalancer.healthcheck.path: /-/health/ready/
+      traefik.http.services.static-service.loadbalancer.healthcheck.path: /
      traefik.http.services.static-service.loadbalancer.healthcheck.interval: 30s
      traefik.http.services.static-service.loadbalancer.server.port: '80'
    volumes:
      - ./media:/usr/share/nginx/html/media
  traefik:
    image: traefik:2.3
+    restart: unless-stopped
    command:
      - "--log.format=json"
      - "--api.insecure=true"
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@ -3,9 +3,9 @@ description: authentik is an open-source Identity Provider focused on flexibilit
 name: authentik
 home: https://goauthentik.io
 sources:
-  - https://github.com/BeryJu/authentik
-version: "2021.4.1-rc1"
-icon: https://raw.githubusercontent.com/BeryJu/authentik/master/web/icons/icon.svg
+  - https://github.com/goauthentik/authentik
+version: "2021.4.6"
+icon: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.svg
 dependencies:
  - name: postgresql
    version: 9.4.1
--- a/helm/README.md
+++ b/helm/README.md
@ -4,12 +4,12 @@
 |-----------------------------------|-------------------------|-------------|
 | image.name                        | beryju/authentik        | Image used to run the authentik server and worker |
 | image.name_static                 | beryju/authentik-static | Image used to run the authentik static server (CSS and JS Files) |
-| image.tag                         | 2021.4.1-rc1                | Image tag |
+| image.tag                         | 2021.4.6                | Image tag |
 | image.pullPolicy                  | IfNotPresent            | Image Pull Policy used for all deployments |
 | serverReplicas                    | 1                       | Replicas for the Server deployment |
 | workerReplicas                    | 1                       | Replicas for the Worker deployment |
 | kubernetesIntegration             | true                    | Enable/disable the Kubernetes integration for authentik. This will create a service account for authentik to create and update outposts in authentik |
-| config.secretKey                  |                         | Secret key used to sign session cookies, generate with `pwgen 50 1` for example. |
+| config.secretKey                  |                         | Secret key used to sign session cookies, generate with `pwgen 50 1` or `openssl rand -base64 36` for example. |
 | config.errorReporting.enabled     | false                   | Enable/disable error reporting |
 | config.errorReporting.environment | customer                | Environment sent with the error reporting |
 | config.errorReporting.sendPii     | false                   | Whether to send Personally-identifiable data with the error reporting |
@ -22,6 +22,11 @@
 | config.email.use_ssl              | false                   | Enable SSL |
 | config.email.timeout              | 10                      | SMTP Timeout |
 | config.email.from                 | authentik@localhost     | Email address authentik will send from, should have a correct @domain |
+| pvc.mode                          | ReadWriteMany           | Mode that the PVCs are created in (uploads and GeoIP, if enabled) |
+| pvc.uploadsSize                   | 5Gi                     | Size for the uploads PVC |
+| pvc.uploadsStorageClass           | null                    | Storage class for the uploads PVC (default: use default storage class) |
+| pvc.geoIpSize                     | 1Gi                     | Size for the GeoIP PVC |
+| pvc.geoIpStorageClass             | null                    | Storage class for the GeoIP PVC (default: use default storage class) |
 | geoip.enabled                     | false                   | Optionally enable GeoIP |
 | geoip.accountId                   |                         | GeoIP MaxMind Account ID |
 | geoip.licenseKey                  |                         | GeoIP MaxMind License key |
--- a/helm/templates/geoip-pvc.yaml
+++ b/helm/templates/geoip-pvc.yaml
@ -10,8 +10,9 @@ metadata:
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
  accessModes:
-  - ReadWriteMany
+  - {{ .Values.pvc.mode }}
+  storageClassName: {{ .Values.pvc.geoIpStorageClass }}
  resources:
    requests:
-      storage: 1Gi
+      storage: {{ .Values.pvc.geoIpSize }}
 {{- end }}
--- a/helm/templates/pvc.yaml
+++ b/helm/templates/pvc.yaml
@ -9,7 +9,8 @@ metadata:
    app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
  accessModes:
-  - ReadWriteMany
+  - {{ .Values.pvc.mode }}
+  storageClassName: {{ .Values.pvc.uploadsStorageClass }}
  resources:
    requests:
-      storage: 5Gi
+      storage: {{ .Values.pvc.uploadsSize }}
--- a/helm/templates/web-deployment.yaml
+++ b/helm/templates/web-deployment.yaml
@ -43,29 +43,6 @@ spec:
                  values:
                  - web
              topologyKey: "kubernetes.io/hostname"
-      initContainers:
-        - name: authentik-database-migrations
-          image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
-          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
-          args: [migrate]
-          envFrom:
-            - configMapRef:
-                name: {{ include "authentik.fullname" . }}-config
-              prefix: AUTHENTIK_
-            - secretRef:
-                name: {{ include "authentik.fullname" . }}-secret-key
-              prefix: AUTHENTIK_
-          env:
-            - name: AUTHENTIK_REDIS__PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Release.Name }}-redis"
-                  key: redis-password
-            - name: AUTHENTIK_POSTGRESQL__PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: "{{ .Release.Name }}-postgresql"
-                  key: postgresql-password
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
--- a/helm/values.yaml
+++ b/helm/values.yaml
@ -5,7 +5,7 @@ image:
  name: beryju/authentik
  name_static: beryju/authentik-static
  name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
-  tag: 2021.4.1-rc1
+  tag: 2021.4.6
  pullPolicy: IfNotPresent

 serverReplicas: 1
@ -15,7 +15,14 @@ workerReplicas: 1
 kubernetesIntegration: true

 monitoring:
-  enabled: true
+  enabled: false
+
+pvc:
+  mode: ReadWriteMany
+  uploadsSize: 5Gi
+  uploadsStorageClass: null
+  geoIpSize: 1Gi
+  geoIpStorageClass: null

 config:
  # Optionally specify fixed secret_key, otherwise generated automatically
--- a/lifecycle/bootstrap.sh
+++ b/lifecycle/bootstrap.sh
@ -2,13 +2,13 @@
 python -m lifecycle.wait_for_db
 printf '{"event": "Bootstrap completed", "level": "info", "logger": "bootstrap", "command": "%s"}\n' "$@" > /dev/stderr
 if [[ "$1" == "server" ]]; then
+    python -m lifecycle.migrate
    gunicorn -c /lifecycle/gunicorn.conf.py authentik.root.asgi:application
 elif [[ "$1" == "worker" ]]; then
    celery -A authentik.root.celery worker --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events
 elif [[ "$1" == "migrate" ]]; then
-    # Run system migrations first, run normal migrations after
+    printf "DEPERECATED: database migrations are now executed automatically on startup."
    python -m lifecycle.migrate
-    python -m manage migrate
 elif [[ "$1" == "backup" ]]; then
    python -m manage dbbackup --clean
 elif [[ "$1" == "restore" ]]; then
--- a/lifecycle/migrate.py
+++ b/lifecycle/migrate.py
@ -1,5 +1,6 @@
 #!/usr/bin/env python
 """System Migration handler"""
+import os
 from importlib.util import module_from_spec, spec_from_file_location
 from inspect import getmembers, isclass
 from pathlib import Path
@ -11,6 +12,7 @@ from structlog.stdlib import get_logger
 from authentik.lib.config import CONFIG

 LOGGER = get_logger()
+ADV_LOCK_UID = 1000


 class BaseMigration:
@ -40,18 +42,36 @@ if __name__ == "__main__":
        host=CONFIG.y("postgresql.host"),
    )
    curr = conn.cursor()
+    # lock an advisory lock to prevent multiple instances from migrating at once
+    LOGGER.info("waiting to acquire database lock")
+    curr.execute("SELECT pg_advisory_lock(%s)", (ADV_LOCK_UID,))
+    try:
+        for migration in (
+            Path(__file__).parent.absolute().glob("system_migrations/*.py")
+        ):
+            spec = spec_from_file_location("lifecycle.system_migrations", migration)
+            mod = module_from_spec(spec)
+            # pyright: reportGeneralTypeIssues=false
+            spec.loader.exec_module(mod)

-    for migration in Path(__file__).parent.absolute().glob("system_migrations/*.py"):
-        spec = spec_from_file_location("lifecycle.system_migrations", migration)
-        mod = module_from_spec(spec)
-        # pyright: reportGeneralTypeIssues=false
-        spec.loader.exec_module(mod)
-
-        for name, sub in getmembers(mod, isclass):
-            if name != "Migration":
-                continue
-            migration = sub(curr, conn)
-            if migration.needs_migration():
-                LOGGER.info("Migration needs to be applied", migration=sub)
-                migration.run()
-                LOGGER.info("Migration finished applying", migration=sub)
+            for name, sub in getmembers(mod, isclass):
+                if name != "Migration":
+                    continue
+                migration = sub(curr, conn)
+                if migration.needs_migration():
+                    LOGGER.info("Migration needs to be applied", migration=sub)
+                    migration.run()
+                    LOGGER.info("Migration finished applying", migration=sub)
+        LOGGER.info("applying django migrations")
+        os.environ.setdefault("DJANGO_SETTINGS_MODULE", "authentik.root.settings")
+        try:
+            from django.core.management import execute_from_command_line
+        except ImportError as exc:
+            raise ImportError(
+                "Couldn't import Django. Are you sure it's installed and "
+                "available on your PYTHONPATH environment variable? Did you "
+                "forget to activate a virtual environment?"
+            ) from exc
+        execute_from_command_line(["", "migrate"])
+    finally:
+        curr.execute("SELECT pg_advisory_unlock(%s)", (ADV_LOCK_UID,))
--- a/outpost/README.md
+++ b/outpost/README.md
@ -1,6 +1,6 @@
 # authentik outpost

-[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/3?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=3)
+[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/3?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=8)
 ![Docker pulls (proxy)](https://img.shields.io/docker/pulls/beryju/authentik-proxy.svg?style=flat-square)

 Reverse Proxy based on [oauth2_proxy](https://github.com/oauth2-proxy/oauth2-proxy), completely managed and monitored by authentik.
--- a/outpost/azure-pipelines.yml
+++ b/outpost/azure-pipelines.yml
@ -18,15 +18,12 @@ stages:
        steps:
          - task: GoTool@0
            inputs:
-              version: '1.15'
+              version: '1.16.3'
          - task: CmdLine@2
            inputs:
              script: |
-                sudo apt install gnupg ca-certificates
-                sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 379CE192D401AB61
-                echo "deb https://dl.bintray.com/go-swagger/goswagger-debian ubuntu main" | sudo tee /etc/apt/sources.list.d/goswagger.list
-                sudo apt update
-                sudo apt install swagger
+                sudo wget -O /usr/local/bin/swagger https://github.com/go-swagger/go-swagger/releases/latest/download/swagger_linux_amd64
+                sudo chmod +x /usr/local/bin/swagger
                mkdir -p $(go env GOPATH)
                swagger generate client -f ../swagger.yaml -A authentik -t pkg/
              workingDirectory: 'outpost/'
@ -43,11 +40,7 @@ stages:
        steps:
          - task: GoTool@0
            inputs:
-              version: '1.15'
-          - task: Go@0
-            inputs:
-              command: 'get'
-              arguments: '-u golang.org/x/lint/golint'
+              version: '1.16.3'
          - task: DownloadPipelineArtifact@2
            inputs:
              buildType: 'current'
@ -56,7 +49,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
-                $(go list -f {{.Target}} golang.org/x/lint/golint) ./...
+                docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.39.0 golangci-lint run -v --timeout 200s
              workingDirectory: 'outpost/'
  - stage: proxy_build_go
    jobs:
@ -66,7 +59,7 @@ stages:
        steps:
          - task: GoTool@0
            inputs:
-              version: '1.15'
+              version: '1.16.3'
          - task: DownloadPipelineArtifact@2
            inputs:
              buildType: 'current'
@ -85,7 +78,7 @@ stages:
        steps:
          - task: GoTool@0
            inputs:
-              version: '1.15'
+              version: '1.16.3'
          - task: DownloadPipelineArtifact@2
            inputs:
              buildType: 'current'
--- a/outpost/cmd/proxy/server.go
+++ b/outpost/cmd/proxy/server.go
@ -52,13 +52,14 @@ func main() {

 	ac.Server = proxy.NewServer(ac)

-	ac.Start()
+	err = ac.Start()
+	if err != nil {
+		log.WithError(err).Panic("Failed to run server")
+	}

 	for {
-		select {
-		case <-interrupt:
-			ac.Shutdown()
-			os.Exit(0)
-		}
+		<-interrupt
+		ac.Shutdown()
+		os.Exit(0)
 	}
 }
--- a/outpost/go.mod
+++ b/outpost/go.mod
@ -6,13 +6,14 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/getsentry/sentry-go v0.10.0
+	github.com/go-openapi/analysis v0.20.1 // indirect
 	github.com/go-openapi/errors v0.20.0
-	github.com/go-openapi/runtime v0.19.27
+	github.com/go-openapi/runtime v0.19.28
 	github.com/go-openapi/strfmt v0.20.1
 	github.com/go-openapi/swag v0.19.15
 	github.com/go-openapi/validate v0.20.2
 	github.com/go-redis/redis/v7 v7.4.0 // indirect
-	github.com/golang/protobuf v1.4.3 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/gorilla/websocket v1.4.2
 	github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a
 	github.com/justinas/alice v1.2.0
@ -20,9 +21,9 @@ require (
 	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/oauth2-proxy/oauth2-proxy v0.0.0-20200831161845-e4e5580852dc
-	github.com/pelletier/go-toml v1.8.1 // indirect
+	github.com/pelletier/go-toml v1.9.0 // indirect
 	github.com/pkg/errors v0.9.1
-	github.com/pquerna/cachecontrol v0.0.0-20200921180117-858c6e7e6b7e // indirect
+	github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac // indirect
 	github.com/recws-org/recws v1.3.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/afero v1.6.0 // indirect
@ -30,9 +31,10 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.7.1 // indirect
-	golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392 // indirect
-	golang.org/x/net v0.0.0-20210331060903-cb1fcc7394e5 // indirect
-	golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58 // indirect
+	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 // indirect
+	golang.org/x/net v0.0.0-20210415231046-e915ea6b2b7d // indirect
+	golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558 // indirect
+	golang.org/x/sys v0.0.0-20210415045647-66c3f260301c // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
--- a/outpost/go.sum
+++ b/outpost/go.sum
@ -154,8 +154,9 @@ github.com/go-openapi/analysis v0.19.4/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9sn
 github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU=
 github.com/go-openapi/analysis v0.19.10/go.mod h1:qmhS3VNFxBlquFJ0RGoDtylO9y4pgTAUNE9AEEMdlJQ=
 github.com/go-openapi/analysis v0.19.16/go.mod h1:GLInF007N83Ad3m8a/CbQ5TPzdnGT7workfHwuVjNVk=
-github.com/go-openapi/analysis v0.20.0 h1:UN09o0kNhleunxW7LR+KnltD0YrJ8FF03pSqvAN3Vro=
 github.com/go-openapi/analysis v0.20.0/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og=
+github.com/go-openapi/analysis v0.20.1 h1:zdVbw8yoD4SWZeq+cWdGgquaB0W4VrsJvDJHJND/Ktc=
+github.com/go-openapi/analysis v0.20.1/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og=
 github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
 github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0=
 github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94=
@ -195,8 +196,8 @@ github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29g
 github.com/go-openapi/runtime v0.19.15/go.mod h1:dhGWCTKRXlAfGnQG0ONViOZpjfg0m2gUt9nTQPQZuoo=
 github.com/go-openapi/runtime v0.19.16/go.mod h1:5P9104EJgYcizotuXhEuUrzVc+j1RiSjahULvYmlv98=
 github.com/go-openapi/runtime v0.19.24/go.mod h1:Lm9YGCeecBnUUkFTxPC4s1+lwrkJ0pthx8YvyjCfkgk=
-github.com/go-openapi/runtime v0.19.27 h1:4zrQCJoP7rqNCUaApDv1MdPkaa5TuPfO05Lq5WLhX9I=
-github.com/go-openapi/runtime v0.19.27/go.mod h1:BvrQtn6iVb2QmiVXRsFAm6ZCAZBpbVKFfN6QWCp582M=
+github.com/go-openapi/runtime v0.19.28 h1:9lYu6axek8LJrVkMVViVirRcpoaCxXX7+sSvmizGVnA=
+github.com/go-openapi/runtime v0.19.28/go.mod h1:BvrQtn6iVb2QmiVXRsFAm6ZCAZBpbVKFfN6QWCp582M=
 github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
 github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
 github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=
@ -300,8 +301,9 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
-github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/gomodule/redigo v1.7.1-0.20190322064113-39e2c31b7ca3/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4=
 github.com/gomodule/redigo v1.7.1-0.20190724094224-574c33c3df38/go.mod h1:B4C85qUVwatsJoIUNIfCRsp7qO0iAmpGFZ4EELWSbC4=
@ -316,8 +318,9 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
@ -503,8 +506,8 @@ github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtP
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
-github.com/pelletier/go-toml v1.8.1 h1:1Nf83orprkJyknT6h7zbuEGUEjcyVlCxSUGTENmNCRM=
-github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
+github.com/pelletier/go-toml v1.9.0 h1:NOd0BRdOKpPf0SxkL3HxSQOG7rNh+4kl6PHcBPFs7Q0=
+github.com/pelletier/go-toml v1.9.0/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI=
 github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pingcap/errors v0.11.4 h1:lFuQV/oaUMGcD2tqt+01ROSmJs75VG1ToEOkZIZ4nE4=
@ -518,8 +521,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
-github.com/pquerna/cachecontrol v0.0.0-20200921180117-858c6e7e6b7e h1:BLqxdwZ6j771IpSCRx7s/GJjXHUE00Hmu7/YegCGdzA=
-github.com/pquerna/cachecontrol v0.0.0-20200921180117-858c6e7e6b7e/go.mod h1:hoLfEwdY11HjRfKFH6KqnPsfxlo3BP6bJehpDv8t6sQ=
+github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac h1:jWKYCNlX4J5s8M0nHYkh7Y7c9gRVDEb3mq51j5J0F5M=
+github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac/go.mod h1:hoLfEwdY11HjRfKFH6KqnPsfxlo3BP6bJehpDv8t6sQ=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
@ -662,8 +665,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191227163750-53104e6ec876/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392 h1:xYJJ3S178yv++9zXV/hnr29plCAGO9vAFG9dorqaFQc=
-golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
+golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -738,15 +741,16 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210331060903-cb1fcc7394e5 h1:zuP3axpB9rV3xH0EA7n3/gCrNPZm2SRl0l4mVH2BRj4=
-golang.org/x/net v0.0.0-20210331060903-cb1fcc7394e5/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210415231046-e915ea6b2b7d h1:BgJvlyh+UqCUaPlscHJ+PN8GcpfrFdr7NHjd1JL0+Gs=
+golang.org/x/net v0.0.0-20210415231046-e915ea6b2b7d/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58 h1:Mj83v+wSRNEar42a/MQgxk9X42TdEmrOl9i+y8WbxLo=
-golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558 h1:D7nTwh4J0i+5mW4Zjzn5omvlr6YBcWywE6KOcatyNxY=
+golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -806,9 +810,9 @@ golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44 h1:Bli41pIlzTzf3KEY06n+xnzK/BESIg2ze4Pgfh/aI8c=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
+golang.org/x/sys v0.0.0-20210415045647-66c3f260301c h1:6L+uOeS3OQt/f4eFHXZcTxeZrGCuz+CLElgEBjbcTA4=
+golang.org/x/sys v0.0.0-20210415045647-66c3f260301c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -816,8 +820,9 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.5 h1:i6eZZ+zk0SOf0xgBpEpPD18qWcJda6q1sxt3S0kzyUQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -957,8 +962,10 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
-google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/outpost/pkg/ak/api.go
+++ b/outpost/pkg/ak/api.go
@ -4,6 +4,7 @@ import (
 	"fmt"
 	"math/rand"
 	"net/url"
+	"os"
 	"time"

 	"github.com/go-openapi/runtime"
@ -30,8 +31,7 @@ type APIController struct {

 	Server Outpost

-	lastBundleHash string
-	logger         *log.Entry
+	logger *log.Entry

 	reloadOffset time.Duration

@ -39,12 +39,12 @@ type APIController struct {
 }

 // NewAPIController initialise new API Controller instance from URL and API token
-func NewAPIController(pbURL url.URL, token string) *APIController {
-	transport := httptransport.New(pbURL.Host, client.DefaultBasePath, []string{pbURL.Scheme})
+func NewAPIController(akURL url.URL, token string) *APIController {
+	transport := httptransport.New(akURL.Host, client.DefaultBasePath, []string{akURL.Scheme})
 	transport.Transport = SetUserAgent(getTLSTransport(), fmt.Sprintf("authentik-proxy@%s", pkg.VERSION))

 	// create the transport
-	auth := httptransport.BasicAuth("", token)
+	auth := httptransport.BearerToken(token)

 	// create the API client, with the transport
 	apiClient := client.New(transport, strfmt.Default)
@ -53,10 +53,11 @@ func NewAPIController(pbURL url.URL, token string) *APIController {

 	// Because we don't know the outpost UUID, we simply do a list and pick the first
 	// The service account this token belongs to should only have access to a single outpost
-	outposts, err := apiClient.Outposts.OutpostsOutpostsList(outposts.NewOutpostsOutpostsListParams(), auth)
+	outposts, err := apiClient.Outposts.OutpostsInstancesList(outposts.NewOutpostsInstancesListParams(), auth)

 	if err != nil {
-		log.WithError(err).Panic("Failed to fetch configuration")
+		log.WithError(err).Error("Failed to fetch configuration")
+		os.Exit(1)
 	}
 	outpost := outposts.Payload.Results[0]
 	doGlobalSetup(outpost.Config.(map[string]interface{}))
@ -69,18 +70,12 @@ func NewAPIController(pbURL url.URL, token string) *APIController {
 		logger: log,

 		reloadOffset: time.Duration(rand.Intn(10)) * time.Second,
-
-		lastBundleHash: "",
 	}
 	ac.logger.Debugf("HA Reload offset: %s", ac.reloadOffset)
-	ac.initWS(pbURL, outpost.Pk)
+	ac.initWS(akURL, outpost.Pk)
 	return ac
 }

-func (a *APIController) GetLastBundleHash() string {
-	return a.lastBundleHash
-}
-
 // Start Starts all handlers, non-blocking
 func (a *APIController) Start() error {
 	err := a.Server.Refresh()
@ -96,7 +91,10 @@ func (a *APIController) Start() error {
 		a.startWSHealth()
 	}()
 	go func() {
-		a.Server.Start()
+		err := a.Server.Start()
+		if err != nil {
+			panic(err)
+		}
 	}()
 	return nil
 }
--- a/outpost/pkg/ak/api_update.go
+++ b/outpost/pkg/ak/api_update.go
@ -1,10 +1,6 @@
 package ak

 import (
-	"crypto/sha512"
-	"encoding/hex"
-	"encoding/json"
-
 	"goauthentik.io/outpost/pkg/client/outposts"
 	"goauthentik.io/outpost/pkg/models"
 )
@ -15,16 +11,5 @@ func (a *APIController) Update() ([]*models.ProxyOutpostConfig, error) {
 		a.logger.WithError(err).Error("Failed to fetch providers")
 		return nil, err
 	}
-	// Check provider hash to see if anything is changed
-	hasher := sha512.New()
-	out, err := json.Marshal(providers.Payload.Results)
-	if err != nil {
-		return nil, nil
-	}
-	hash := hex.EncodeToString(hasher.Sum(out))
-	if hash == a.lastBundleHash {
-		return nil, nil
-	}
-	a.lastBundleHash = hash
 	return providers.Payload.Results, nil
 }
--- a/outpost/pkg/ak/api_ws.go
+++ b/outpost/pkg/ak/api_ws.go
@ -2,7 +2,6 @@ package ak

 import (
 	"crypto/tls"
-	"encoding/base64"
 	"fmt"
 	"net/http"
 	"net/url"
@ -16,11 +15,11 @@ import (
 	"goauthentik.io/outpost/pkg"
 )

-func (ac *APIController) initWS(pbURL url.URL, outpostUUID strfmt.UUID) {
+func (ac *APIController) initWS(akURL url.URL, outpostUUID strfmt.UUID) {
 	pathTemplate := "%s://%s/ws/outpost/%s/"
-	scheme := strings.ReplaceAll(pbURL.Scheme, "http", "ws")
+	scheme := strings.ReplaceAll(akURL.Scheme, "http", "ws")

-	authHeader := base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("Basic :%s", ac.token)))
+	authHeader := fmt.Sprintf("Bearer %s", ac.token)

 	header := http.Header{
 		"Authorization": []string{authHeader},
@ -38,7 +37,7 @@ func (ac *APIController) initWS(pbURL url.URL, outpostUUID strfmt.UUID) {
 			InsecureSkipVerify: strings.ToLower(value) == "true",
 		},
 	}
-	ws.Dial(fmt.Sprintf(pathTemplate, scheme, pbURL.Host, outpostUUID.String()), header)
+	ws.Dial(fmt.Sprintf(pathTemplate, scheme, akURL.Host, outpostUUID.String()), header)

 	ac.logger.WithField("logger", "authentik.outpost.ak-ws").WithField("outpost", outpostUUID.String()).Debug("connecting to authentik")

@ -65,7 +64,6 @@ func (ac *APIController) Shutdown() {
 		ac.logger.Println("write close:", err)
 		return
 	}
-	return
 }

 func (ac *APIController) startWSHandler() {
@ -93,7 +91,8 @@ func (ac *APIController) startWSHandler() {
 }

 func (ac *APIController) startWSHealth() {
-	for ; true; <-time.Tick(time.Second * 10) {
+	ticker := time.NewTicker(time.Second * 10)
+	for ; true; <-ticker.C {
 		if !ac.wsConn.IsConnected() {
 			continue
 		}
--- a/outpost/pkg/proxy/api_bundle.go
+++ b/outpost/pkg/proxy/api_bundle.go
@ -38,7 +38,11 @@ func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *opti
 		return nil
 	}
 	providerOpts := &options.Options{}
-	copier.Copy(&providerOpts, getCommonOptions())
+	err = copier.Copy(&providerOpts, getCommonOptions())
+	if err != nil {
+		log.WithError(err).Warning("Failed to copy options, skipping provider")
+		return nil
+	}
 	providerOpts.ClientID = provider.ClientID
 	providerOpts.ClientSecret = provider.ClientSecret

@ -62,7 +66,7 @@ func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *opti
 			ID:                    "default",
 			URI:                   *provider.InternalHost,
 			Path:                  "/",
-			InsecureSkipTLSVerify: *&provider.InternalHostSslValidation,
+			InsecureSkipTLSVerify: provider.InternalHostSslValidation,
 		},
 	}

@ -85,7 +89,7 @@ func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *opti
 			return providerOpts
 		}

-		x509cert, err := tls.X509KeyPair([]byte(*&cert.Payload.Data), []byte(key.Payload.Data))
+		x509cert, err := tls.X509KeyPair([]byte(cert.Payload.Data), []byte(key.Payload.Data))
 		if err != nil {
 			pb.log.WithField("provider", provider.ClientID).WithError(err).Warning("Failed to parse certificate")
 			return providerOpts
@ -135,7 +139,7 @@ func (pb *providerBundle) Build(provider *models.ProxyOutpostConfig) {
 		os.Exit(1)
 	}

-	if *&provider.BasicAuthEnabled {
+	if provider.BasicAuthEnabled {
 		oauthproxy.SetBasicAuth = true
 		oauthproxy.BasicAuthUserAttribute = provider.BasicAuthUserAttribute
 		oauthproxy.BasicAuthPasswordAttribute = provider.BasicAuthPasswordAttribute
--- a/outpost/pkg/proxy/middleware.go
+++ b/outpost/pkg/proxy/middleware.go
@ -107,7 +107,7 @@ func (h loggingHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	duration := float64(time.Since(t)) / float64(time.Millisecond)
 	h.logger.WithFields(log.Fields{
 		"host":              req.RemoteAddr,
-		"vhost":             req.Host,
+		"vhost":             getHost(req),
 		"request_protocol":  req.Proto,
 		"runtime":           fmt.Sprintf("%0.3f", duration),
 		"method":            req.Method,
--- a/outpost/pkg/proxy/oauth.go
+++ b/outpost/pkg/proxy/oauth.go
@ -161,7 +161,7 @@ func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request) {
 		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
 		return
 	}
-	redirectURI := p.GetRedirectURI(req.Host)
+	redirectURI := p.GetRedirectURI(getHost(req))
 	http.Redirect(rw, req, p.provider.GetLoginURL(redirectURI, fmt.Sprintf("%v:%v", nonce, redirect)), http.StatusFound)
 }

@ -184,7 +184,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 		return
 	}

-	session, err := p.redeemCode(req.Context(), req.Host, req.Form.Get("code"))
+	session, err := p.redeemCode(req.Context(), getHost(req), req.Form.Get("code"))
 	if err != nil {
 		p.logger.Errorf("Error redeeming code during OAuth2 callback: %v", err)
 		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", "Internal Error")
--- a/Show More
+++ b/Show More