release: 2021.4.4

providers/oauth2: add proper support for non-http schemes as redirect URIs
closes #772 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-04-24 21:03:29 +02:00 · 2021-04-23 16:34:52 +02:00 · 2021-04-23 14:27:23 +02:00 · 2021-04-23 14:07:44 +02:00 · 2021-04-23 10:08:19 +02:00 · 2021-04-22 23:50:37 +02:00
164 changed files with 7249 additions and 6354 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.4.2
+current_version = 2021.4.4
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -18,11 +18,11 @@ jobs:
      - name: Building Docker Image
        run: docker build
          --no-cache
-          -t beryju/authentik:2021.4.2
+          -t beryju/authentik:2021.4.4
          -t beryju/authentik:latest
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik:2021.4.2
+        run: docker push beryju/authentik:2021.4.4
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/authentik:latest
  build-proxy:
@ -48,11 +48,11 @@ jobs:
          cd outpost/
          docker build \
          --no-cache \
-          -t beryju/authentik-proxy:2021.4.2 \
+          -t beryju/authentik-proxy:2021.4.4 \
          -t beryju/authentik-proxy:latest \
          -f proxy.Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-proxy:2021.4.2
+        run: docker push beryju/authentik-proxy:2021.4.4
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/authentik-proxy:latest
  build-static:
@ -72,11 +72,11 @@ jobs:
          cd web/
          docker build \
          --no-cache \
-          -t beryju/authentik-static:2021.4.2 \
+          -t beryju/authentik-static:2021.4.4 \
          -t beryju/authentik-static:latest \
          -f Dockerfile .
      - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-static:2021.4.2
+        run: docker push beryju/authentik-static:2021.4.4
      - name: Push Docker Container to Registry (latest)
        run: docker push beryju/authentik-static:latest
  test-release:
@ -110,5 +110,5 @@ jobs:
          SENTRY_PROJECT: authentik
          SENTRY_URL: https://sentry.beryju.org
        with:
-          tagName: 2021.4.2
+          tagName: 2021.4.4
          environment: beryjuorg-prod
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -116,18 +116,18 @@
        },
        "boto3": {
            "hashes": [
-                "sha256:73bcd04f6f919e7f8acc27c9d83dab5aee22225fe624c028b2e1c7feaf771098",
+                "sha256:1e55df93aa47a84e2a12a639c7f145e16e6e9ef959542d69d5526d50d2e92692",
-                "sha256:c45e7d3aef8965ae1b42c9855c31ded19fbb38cfad0a34cc37dc880ded3672c2"
+                "sha256:eab42daaaf68cdad5b112d31dcb0684162098f6558ba7b64156be44f993525fa"
            ],
            "index": "pypi",
-            "version": "==1.17.51"
+            "version": "==1.17.54"
        },
        "botocore": {
            "hashes": [
-                "sha256:ae45ea7451513373666b7571064c173d649e61fd3e8f413f0e1f1f9db26b3513",
+                "sha256:20a864fc6570ba11d52532c72c3ccabab5c71a9b4a9418601a313d56f1d2ce5b",
-                "sha256:c853d6c2321e2f2328282c7d49d7b1a06201826ba0e7049c6975ab5f22927ea8"
+                "sha256:37ec76ea2df8609540ba6cb0fe360ae1c589d2e1ee91eb642fd767823f3fcedd"
            ],
-            "version": "==1.20.51"
+            "version": "==1.20.54"
        },
        "cachetools": {
            "hashes": [
@ -437,10 +437,10 @@
        },
        "google-auth": {
            "hashes": [
-                "sha256:186fe2564634d67fbbb64f3daf8bc8c9cecbb2a7f535ed1a8a71795e50db8d87",
+                "sha256:010f011c4e27d3d5eb01106fba6aac39d164842dfcd8709955c4638f5b11ccf8",
-                "sha256:70b39558712826e41f65e5f05a8d879361deaf84df8883e5dd0ec3d0da6ab66e"
+                "sha256:f30a672a64d91cc2e3137765d088c5deec26416246f7a9e956eaf69a8d7ed49c"
            ],
-            "version": "==1.28.1"
+            "version": "==1.29.0"
        },
        "gunicorn": {
            "hashes": [
@ -1106,10 +1106,10 @@
        },
        "s3transfer": {
            "hashes": [
-                "sha256:35627b86af8ff97e7ac27975fe0a98a312814b46c6333d8a6b889627bcd80994",
+                "sha256:af1af6384bd7fb8208b06480f9be73d0295d965c4c073a5c95ea5b6661dccc18",
-                "sha256:efa5bd92a897b6a8d5c1383828dca3d52d0790e0756d49740563a3fb6ed03246"
+                "sha256:f3dfd791cad2799403e3c8051810a7ca6ee1d2e630e5d2a8f9649d892bdb3db6"
            ],
-            "version": "==0.3.7"
+            "version": "==0.4.0"
        },
        "sentry-sdk": {
            "hashes": [
@ -1374,59 +1374,59 @@
        },
        "zope.interface": {
            "hashes": [
-                "sha256:02d3535aa18e34ce97c58d241120b7554f7d1cf4f8002fc9675cc7e7745d20e8",
+                "sha256:08f9636e99a9d5410181ba0729e0408d3d8748026ea938f3b970a0249daa8192",
-                "sha256:0378a42ec284b65706d9ef867600a4a31701a0d6773434e6537cfc744e3343f4",
+                "sha256:0b465ae0962d49c68aa9733ba92a001b2a0933c317780435f00be7ecb959c702",
-                "sha256:07d289358a8c565ea09e426590dd1179f93cf5ac3dd17d43fcc4fc63c1a9d275",
+                "sha256:0cba8477e300d64a11a9789ed40ee8932b59f9ee05f85276dbb4b59acee5dd09",
-                "sha256:0e6cdbdd94ae94d1433ab51f46a76df0f2cd041747c31baec1c1ffa4e76bd0c1",
+                "sha256:0cee5187b60ed26d56eb2960136288ce91bcf61e2a9405660d271d1f122a69a4",
-                "sha256:11354fb8b8bdc5cdd66358ed4f1f0ce739d78ff6d215d33b8f3ae282258c0f11",
+                "sha256:0ea1d73b7c9dcbc5080bb8aaffb776f1c68e807767069b9ccdd06f27a161914a",
-                "sha256:12588a46ae0a99f172c4524cbbc3bb870f32e0f8405e9fa11a5ef3fa3a808ad7",
+                "sha256:0f91b5b948686659a8e28b728ff5e74b1be6bf40cb04704453617e5f1e945ef3",
-                "sha256:16caa44a06f6b0b2f7626ced4b193c1ae5d09c1b49c9b4962c93ae8aa2134f55",
+                "sha256:15e7d1f7a6ee16572e21e3576d2012b2778cbacf75eb4b7400be37455f5ca8bf",
-                "sha256:18c478b89b6505756f007dcf76a67224a23dcf0f365427742ed0c0473099caa4",
+                "sha256:17776ecd3a1fdd2b2cd5373e5ef8b307162f581c693575ec62e7c5399d80794c",
-                "sha256:221b41442cf4428fcda7fc958c9721c916709e2a3a9f584edd70f1493a09a762",
+                "sha256:194d0bcb1374ac3e1e023961610dc8f2c78a0f5f634d0c737691e215569e640d",
-                "sha256:26109c50ccbcc10f651f76277cfc05fba8418a907daccc300c9247f24b3158a2",
+                "sha256:1c0e316c9add0db48a5b703833881351444398b04111188069a26a61cfb4df78",
-                "sha256:28d8157f8c77662a1e0796a7d3cfa8910289131d4b4dd4e10b2686ab1309b67b",
+                "sha256:205e40ccde0f37496904572035deea747390a8b7dc65146d30b96e2dd1359a83",
-                "sha256:2c51689b7b40c7d9c7e8a678350e73dc647945a13b4e416e7a02bbf0c37bdb01",
+                "sha256:273f158fabc5ea33cbc936da0ab3d4ba80ede5351babc4f577d768e057651531",
-                "sha256:2ec58e1e1691dde4fbbd97f8610de0f8f1b1a38593653f7d3b8e931b9cd6d67f",
+                "sha256:2876246527c91e101184f63ccd1d716ec9c46519cc5f3d5375a3351c46467c46",
-                "sha256:416feb6500f7b6fc00d32271f6b8495e67188cb5eb51fc8e289b81fdf465a9cb",
+                "sha256:2c98384b254b37ce50eddd55db8d381a5c53b4c10ee66e1e7fe749824f894021",
-                "sha256:520352b18adea5478bbf387e9c77910a914985671fe36bc5ef19fdcb67a854bc",
+                "sha256:2e5a26f16503be6c826abca904e45f1a44ff275fdb7e9d1b75c10671c26f8b94",
-                "sha256:527415b5ca201b4add44026f70278fbc0b942cf0801a26ca5527cb0389b6151e",
+                "sha256:334701327f37c47fa628fc8b8d28c7d7730ce7daaf4bda1efb741679c2b087fc",
-                "sha256:54243053316b5eec92affe43bbace7c8cd946bc0974a4aa39ff1371df0677b22",
+                "sha256:3748fac0d0f6a304e674955ab1365d515993b3a0a865e16a11ec9d86fb307f63",
-                "sha256:61b8454190b9cc87279232b6de28dee0bad040df879064bb2f0e505cda907918",
+                "sha256:3c02411a3b62668200910090a0dff17c0b25aaa36145082a5a6adf08fa281e54",
-                "sha256:672668729edcba0f2ee522ab177fcad91c81cfce991c24d8767765e2637d3515",
+                "sha256:3dd4952748521205697bc2802e4afac5ed4b02909bb799ba1fe239f77fd4e117",
-                "sha256:67aa26097e194947d29f2b5a123830e03da1519bcce10cac034a51fcdb99c34f",
+                "sha256:3f24df7124c323fceb53ff6168da70dbfbae1442b4f3da439cd441681f54fe25",
-                "sha256:6e7305e42b5f54e5ccf51820de46f0a7c951ba7cb9e3f519e908545b0f5628d0",
+                "sha256:469e2407e0fe9880ac690a3666f03eb4c3c444411a5a5fddfdabc5d184a79f05",
-                "sha256:7234ac6782ca43617de803735949f79b894f0c5d353fbc001d745503c69e6d1d",
+                "sha256:4de4bc9b6d35c5af65b454d3e9bc98c50eb3960d5a3762c9438df57427134b8e",
-                "sha256:7426bea25bdf92f00fa52c7b30fcd2a2f71c21cf007178971b1f248b6c2d3145",
+                "sha256:5208ebd5152e040640518a77827bdfcc73773a15a33d6644015b763b9c9febc1",
-                "sha256:74b331c5d5efdddf5bbd9e1f7d8cb91a0d6b9c4ba45ca3e9003047a84dca1a3b",
+                "sha256:52de7fc6c21b419078008f697fd4103dbc763288b1406b4562554bd47514c004",
-                "sha256:79b6db1a18253db86e9bf1e99fa829d60fd3fc7ac04f4451c44e4bdcf6756a42",
+                "sha256:5bb3489b4558e49ad2c5118137cfeaf59434f9737fa9c5deefc72d22c23822e2",
-                "sha256:7d79cd354ae0a033ac7b86a2889c9e8bb0bb48243a6ed27fc5064ce49b842ada",
+                "sha256:5dba5f530fec3f0988d83b78cc591b58c0b6eb8431a85edd1569a0539a8a5a0e",
-                "sha256:823d1b4a6a028b8327e64865e2c81a8959ae9f4e7c9c8e0eec814f4f9b36b362",
+                "sha256:5dd9ca406499444f4c8299f803d4a14edf7890ecc595c8b1c7115c2342cadc5f",
-                "sha256:8715717a5861932b7fe7f3cbd498c82ff4132763e2fea182cc95e53850394ec1",
+                "sha256:5f931a1c21dfa7a9c573ec1f50a31135ccce84e32507c54e1ea404894c5eb96f",
-                "sha256:89a6091f2d07936c8a96ce56f2000ecbef20fb420a94845e7d53913c558a6378",
+                "sha256:63b82bb63de7c821428d513607e84c6d97d58afd1fe2eb645030bdc185440120",
-                "sha256:8af4b3116e4a37059bc8c7fe36d4a73d7c1d8802a1d8b6e549f1380d13a40160",
+                "sha256:66c0061c91b3b9cf542131148ef7ecbecb2690d48d1612ec386de9d36766058f",
-                "sha256:8b4b0034e6c7f30133fa64a1cc276f8f1a155ef9529e7eb93a3c1728b40c0f5c",
+                "sha256:6f0c02cbb9691b7c91d5009108f975f8ffeab5dff8f26d62e21c493060eff2a1",
-                "sha256:92195df3913c1de80062635bf64cd7bd0d0934a7fa1689b6d287d1cbbd16922c",
+                "sha256:71aace0c42d53abe6fc7f726c5d3b60d90f3c5c055a447950ad6ea9cec2e37d9",
-                "sha256:96c2e68385f3848d58f19b2975a675532abdb65c8fa5f04d94b95b27b6b1ffa7",
+                "sha256:7d97a4306898b05404a0dcdc32d9709b7d8832c0c542b861d9a826301719794e",
-                "sha256:9c7044dbbf8c58420a9ef4ed6901f5a8b7698d90cd984d7f57a18c78474686f6",
+                "sha256:7df1e1c05304f26faa49fa752a8c690126cf98b40b91d54e6e9cc3b7d6ffe8b7",
-                "sha256:a1937efed7e3fe0ee74630e1960df887d8aa83c571e1cf4db9d15b9c181d457d",
+                "sha256:8270252effc60b9642b423189a2fe90eb6b59e87cbee54549db3f5562ff8d1b8",
-                "sha256:a38c10423a475a1658e2cb8f52cf84ec20a4c0adff724dd43a6b45183f499bc1",
+                "sha256:867a5ad16892bf20e6c4ea2aab1971f45645ff3102ad29bd84c86027fa99997b",
-                "sha256:a413c424199bcbab71bf5fa7538246f27177fbd6dd74b2d9c5f34878658807f8",
+                "sha256:877473e675fdcc113c138813a5dd440da0769a2d81f4d86614e5d62b69497155",
-                "sha256:b18a855f8504743e0a2d8b75d008c7720d44e4c76687e13f959e35d9a13eb397",
+                "sha256:8892f89999ffd992208754851e5a052f6b5db70a1e3f7d54b17c5211e37a98c7",
-                "sha256:b4d59ab3608538e550a72cea13d3c209dd72b6e19e832688da7884081c01594e",
+                "sha256:9a9845c4c6bb56e508651f005c4aeb0404e518c6f000d5a1123ab077ab769f5c",
-                "sha256:b51d3f1cd87f488455f43046d72003689024b0fa9b2d53635db7523033b19996",
+                "sha256:a1e6e96217a0f72e2b8629e271e1b280c6fa3fe6e59fa8f6701bec14e3354325",
-                "sha256:c02105deda867d09cdd5088d08708f06d75759df6f83d8f7007b06f422908a30",
+                "sha256:a8156e6a7f5e2a0ff0c5b21d6bcb45145efece1909efcbbbf48c56f8da68221d",
-                "sha256:c7b6032dc4490b0dcaf078f09f5b382dc35493cb7f473840368bf0de3196c2b6",
+                "sha256:a9506a7e80bcf6eacfff7f804c0ad5350c8c95b9010e4356a4b36f5322f09abb",
-                "sha256:c95b355dba2aaf5177dff943b25ded0529a7feb80021d5fdb114a99f0a1ef508",
+                "sha256:af310ec8335016b5e52cae60cda4a4f2a60a788cbb949a4fbea13d441aa5a09e",
-                "sha256:c980ae87863d76b1ea9a073d6d95554b4135032d34bc541be50c07d4a085821b",
+                "sha256:b0297b1e05fd128d26cc2460c810d42e205d16d76799526dfa8c8ccd50e74959",
-                "sha256:d12895cd083e35e9e032eb4b57645b91116f8979527381a8d864d1f6b8cb4a2e",
+                "sha256:bf68f4b2b6683e52bec69273562df15af352e5ed25d1b6641e7efddc5951d1a7",
-                "sha256:d3cd9bad547a8e5fbe712a1dc1413aff1b917e8d39a2cd1389a6f933b7a21460",
+                "sha256:d0c1bc2fa9a7285719e5678584f6b92572a5b639d0e471bb8d4b650a1a910920",
-                "sha256:e8809b01f27f679e3023b9e2013051e0a3f17abff4228cb5197663afd8a0f2c7",
+                "sha256:d4d9d6c1a455d4babd320203b918ccc7fcbefe308615c521062bc2ba1aa4d26e",
-                "sha256:f3c37b0dc1898e305aad4f7a1d75f6da83036588c28a9ce0afc681ff5245a601",
+                "sha256:db1fa631737dab9fa0b37f3979d8d2631e348c3b4e8325d6873c2541d0ae5a48",
-                "sha256:f966765f54b536e791541458de84a737a6adba8467190f17a8fe7f85354ba908",
+                "sha256:dd93ea5c0c7f3e25335ab7d22a507b1dc43976e1345508f845efc573d3d779d8",
-                "sha256:fa939c2e2468142c9773443d4038e7c915b0cc1b670d3c9192bdc503f7ea73e9",
+                "sha256:f44e517131a98f7a76696a7b21b164bcb85291cee106a23beccce454e1f433a4",
-                "sha256:fcc5c1f95102989d2e116ffc8467963554ce89f30a65a3ea86a4d06849c498d8"
+                "sha256:f7ee479e96f7ee350db1cf24afa5685a5899e2b34992fb99e1f7c1b0b758d263"
            ],
-            "version": "==5.3.0"
+            "version": "==5.4.0"
        }
    },
    "develop": {
--- a/README.md
+++ b/README.md
@ -4,13 +4,13 @@
 ---
-[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=flat-square)](https://discord.gg/KPnmtNWy)
+[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=flat-square)](https://discord.gg/jg33eMhnj6)
-[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/1?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
+[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/6?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
-[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/1?compact_message&style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
+[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/6?compact_message&style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
-[![Code Coverage](https://img.shields.io/codecov/c/gh/beryju/authentik?style=flat-square)](https://codecov.io/gh/BeryJu/authentik)
+[![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=flat-square)](https://codecov.io/gh/goauthentik/authentik)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=flat-square)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=flat-square)
-![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/BeryJu/authentik?style=flat-square)
+![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/goauthentik/authentik?style=flat-square)
 ## What is authentik?
@ -31,7 +31,7 @@ Light | Dark
 ## Development
-See [Development Documentation](https://goauthentik.io/docs/development/local-dev-environment)
+See [Development Documentation](https://goauthentik.io/developer-docs/)
 ## Security
--- a/authentik/init.py
+++ b/authentik/init.py
@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.4.2"
+__version__ = "2021.4.4"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/settings.py
+++ b/authentik/admin/settings.py
@ -4,7 +4,7 @@ from celery.schedules import crontab
 CELERY_BEAT_SCHEDULE = {
    "admin_latest_version": {
        "task": "authentik.admin.tasks.update_latest_version",
-        "schedule": crontab(minute=0),  # Run every hour
+        "schedule": crontab(minute="*/60"),  # Run every hour
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -23,7 +23,9 @@ URL_FINDER = URLValidator.regex.pattern[1:]
 def update_latest_version(self: MonitoredTask):
    """Update latest version info"""
    try:
-        response = get("https://api.github.com/repos/beryju/authentik/releases/latest")
+        response = get(
            "https://api.github.com/repos/goauthentik/authentik/releases/latest"
        )
        response.raise_for_status()
        data = response.json()
        tag_name = data.get("tag_name")
--- a/authentik/api/auth.py
+++ b/authentik/api/auth.py
@ -4,6 +4,7 @@ from binascii import Error
 from typing import Any, Optional, Union
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
@ -14,7 +15,7 @@ LOGGER = get_logger()
 # pylint: disable=too-many-return-statements
 def token_from_header(raw_header: bytes) -> Optional[Token]:
-    """raw_header in the Format of `Basic dGVzdDp0ZXN0`"""
+    """raw_header in the Format of `Bearer dGVzdDp0ZXN0`"""
    auth_credentials = raw_header.decode()
    if auth_credentials == "":
        return None
@ -25,28 +26,27 @@ def token_from_header(raw_header: bytes) -> Optional[Token]:
            auth_type, body = plain.split()
            auth_credentials = f"{auth_type} {b64encode(body.encode()).decode()}"
        except (UnicodeDecodeError, Error):
-            return None
+            raise AuthenticationFailed("Malformed header")
    auth_type, auth_credentials = auth_credentials.split()
    if auth_type.lower() not in ["basic", "bearer"]:
        LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
-        return None
+        raise AuthenticationFailed("Unsupported authentication type")
    password = auth_credentials
    if auth_type.lower() == "basic":
        try:
            auth_credentials = b64decode(auth_credentials.encode()).decode()
        except (UnicodeDecodeError, Error):
-            return None
+            raise AuthenticationFailed("Malformed header")
        # Accept credentials with username and without
        if ":" in auth_credentials:
            _, password = auth_credentials.split(":")
        else:
            password = auth_credentials
    if password == "":  # nosec
-        return None
+        raise AuthenticationFailed("Malformed header")
    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
    if not tokens.exists():
-        LOGGER.debug("Token not found")
+        raise AuthenticationFailed("Token invalid/expired")
        return None
    return tokens.first()
@ -58,10 +58,8 @@ class AuthentikTokenAuthentication(BaseAuthentication):
        auth = get_authorization_header(request)
        token = token_from_header(auth)
        # None is only returned when the header isn't set.
        if not token:
            return None
        return (token.user, None)
    def authenticate_header(self, request: Request) -> str:
        return "Bearer"
--- a/authentik/api/templates/api/swagger.html
+++ b/authentik/api/templates/api/swagger.html
@ -11,6 +11,29 @@ authentik API Browser
 {% endblock %}
 {% block body %}
 <script>
 function getCookie(name) {
    let cookieValue = "";
    if (document.cookie && document.cookie !== "") {
        const cookies = document.cookie.split(";");
        for (let i = 0; i < cookies.length; i++) {
            const cookie = cookies[i].trim();
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) === name + "=") {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
 }
 window.addEventListener('DOMContentLoaded', (event) => {
    const rapidocEl = document.querySelector('rapi-doc');
    rapidocEl.addEventListener('before-try', (e) => {
        e.detail.request.headers.append('X-CSRFToken', getCookie("authentik_csrf"));
    });
 });
 </script>
 <rapi-doc
    spec-url="{{ path }}"
    heading-text="authentik"
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@ -3,6 +3,7 @@ from base64 import b64encode
 from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.exceptions import AuthenticationFailed
 from authentik.api.auth import token_from_header
 from authentik.core.models import Token, TokenIntents
@ -28,17 +29,21 @@ class TestAPIAuth(TestCase):
    def test_invalid_type(self):
        """Test invalid type"""
-        self.assertIsNone(token_from_header("foo bar".encode()))
+        with self.assertRaises(AuthenticationFailed):
            token_from_header("foo bar".encode())
    def test_invalid_decode(self):
        """Test invalid bas64"""
-        self.assertIsNone(token_from_header("Basic bar".encode()))
+        with self.assertRaises(AuthenticationFailed):
            token_from_header("Basic bar".encode())
    def test_invalid_empty_password(self):
        """Test invalid with empty password"""
-        self.assertIsNone(token_from_header("Basic :".encode()))
+        with self.assertRaises(AuthenticationFailed):
            token_from_header("Basic :".encode())
    def test_invalid_no_token(self):
        """Test invalid with no token"""
-        auth = b64encode(":abc".encode()).decode()
+        with self.assertRaises(AuthenticationFailed):
-        self.assertIsNone(token_from_header(f"Basic :{auth}".encode()))
+            auth = b64encode(":abc".encode()).decode()
            self.assertIsNone(token_from_header(f"Basic :{auth}".encode()))
--- a/authentik/api/v2/urls.py
+++ b/authentik/api/v2/urls.py
@ -113,6 +113,7 @@ router.register("core/user_consent", UserConsentViewSet)
 router.register("core/tokens", TokenViewSet)
 router.register("outposts/outposts", OutpostViewSet)
 router.register("outposts/instances", OutpostViewSet)
 router.register("outposts/service_connections/all", ServiceConnectionViewSet)
 router.register("outposts/service_connections/docker", DockerServiceConnectionViewSet)
 router.register(
@ -195,7 +196,8 @@ info = openapi.Info(
    default_version="v2beta",
    contact=openapi.Contact(email="hello@beryju.org"),
    license=openapi.License(
-        name="GNU GPLv3", url="https://github.com/BeryJu/authentik/blob/master/LICENSE"
+        name="GNU GPLv3",
        url="https://github.com/goauthentik/authentik/blob/master/LICENSE",
    ),
 )
 SchemaView = get_schema_view(info, public=True, permission_classes=(AllowAny,))
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -91,6 +91,15 @@ class ApplicationViewSet(ModelViewSet):
                applications.append(application)
        return applications
    @swagger_auto_schema(
        manual_parameters=[
            openapi.Parameter(
                name="superuser_full_list",
                in_=openapi.IN_QUERY,
                type=openapi.TYPE_BOOLEAN,
            )
        ]
    )
    def list(self, request: Request) -> Response:
        """Custom list method that checks Policy based access instead of guardian"""
        queryset = self._filter_queryset_for_list(self.get_queryset())
@ -98,6 +107,13 @@ class ApplicationViewSet(ModelViewSet):
        should_cache = request.GET.get("search", "") == ""
        superuser_full_list = (
            str(request.GET.get("superuser_full_list", "false")).lower() == "true"
        )
        if superuser_full_list and request.user.is_superuser:
            serializer = self.get_serializer(queryset, many=True)
            return self.get_paginated_response(serializer.data)
        allowed_applications = []
        if not should_cache:
            allowed_applications = self._get_allowed_applications(queryset)
--- a/authentik/core/api/propertymappings.py
+++ b/authentik/core/api/propertymappings.py
@ -1,6 +1,7 @@
 """PropertyMapping API Views"""
 from json import dumps
 from drf_yasg import openapi
 from drf_yasg.utils import swagger_auto_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
@ -93,6 +94,7 @@ class PropertyMappingViewSet(
                    "description": subclass.__doc__,
                    # pyright: reportGeneralTypeIssues=false
                    "component": subclass().component,
                    "model_name": subclass._meta.model_name,
                }
            )
        return Response(TypeCreateSerializer(data, many=True).data)
@ -101,6 +103,13 @@ class PropertyMappingViewSet(
    @swagger_auto_schema(
        request_body=PolicyTestSerializer(),
        responses={200: PropertyMappingTestResultSerializer, 400: "Invalid parameters"},
        manual_parameters=[
            openapi.Parameter(
                name="format_result",
                in_=openapi.IN_QUERY,
                type=openapi.TYPE_BOOLEAN,
            )
        ],
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
    # pylint: disable=unused-argument, invalid-name
@ -111,6 +120,8 @@ class PropertyMappingViewSet(
        if not test_params.is_valid():
            return Response(test_params.errors, status=400)
        format_result = str(request.GET.get("format_result", "false")).lower() == "true"
        # User permission check, only allow mapping testing for users that are readable
        users = get_objects_for_user(request.user, "authentik_core.view_user").filter(
            pk=test_params.validated_data["user"].pk
@ -125,7 +136,9 @@ class PropertyMappingViewSet(
                self.request,
                **test_params.validated_data.get("context", {}),
            )
-            response_data["result"] = dumps(result)
+            response_data["result"] = dumps(
                result, indent=(4 if format_result else None)
            )
        except Exception as exc:  # pylint: disable=broad-except
            response_data["result"] = str(exc)
            response_data["successful"] = False
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -78,6 +78,7 @@ class ProviderViewSet(
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": subclass().component,
                    "model_name": subclass._meta.model_name,
                }
            )
        data.append(
@ -85,6 +86,7 @@ class ProviderViewSet(
                "name": _("SAML Provider from Metadata"),
                "description": _("Create a SAML Provider by importing its Metadata."),
                "component": "ak-provider-saml-import-form",
                "model_name": "",
            }
        )
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -81,6 +81,7 @@ class SourceViewSet(
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": component,
                    "model_name": subclass._meta.model_name,
                }
            )
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -11,7 +11,7 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.api.decorators import permission_required
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import PassiveSerializer
-from authentik.core.models import Token
+from authentik.core.models import Token, TokenIntents
 from authentik.events.models import Event, EventAction
 from authentik.managed.api import ManagedSerializer
@ -64,7 +64,7 @@ class TokenViewSet(ModelViewSet):
    ordering = ["expires"]
    def perform_create(self, serializer: TokenSerializer):
-        serializer.save(user=self.request.user)
+        serializer.save(user=self.request.user, intent=TokenIntents.INTENT_API)
    @permission_required("authentik_core.view_token_key")
    @swagger_auto_schema(
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -48,6 +48,7 @@ class TypeCreateSerializer(PassiveSerializer):
    name = CharField(required=True)
    description = CharField(required=True)
    component = CharField(required=True)
    model_name = CharField(required=True)
 class CacheSerializer(PassiveSerializer):
--- a/authentik/core/channels.py
+++ b/authentik/core/channels.py
@ -1,6 +1,7 @@
 """Channels base classes"""
 from channels.exceptions import DenyConnection
 from channels.generic.websocket import JsonWebsocketConsumer
 from rest_framework.exceptions import AuthenticationFailed
 from structlog.stdlib import get_logger
 from authentik.api.auth import token_from_header
@ -22,9 +23,13 @@ class AuthJsonConsumer(JsonWebsocketConsumer):
        raw_header = headers[b"authorization"]
-        token = token_from_header(raw_header)
+        try:
-        if not token:
+            token = token_from_header(raw_header)
-            LOGGER.warning("Failed to authenticate")
+            # token is only None when no header was given, in which case we deny too
            if not token:
                raise DenyConnection()
        except AuthenticationFailed as exc:
            LOGGER.warning("Failed to authenticate", exc=exc)
            raise DenyConnection()
        self.user = token.user
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@ -2,7 +2,7 @@
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
-from authentik.core.models import Token, User
+from authentik.core.models import Token, TokenIntents, User
 class TestTokenAPI(APITestCase):
@ -19,4 +19,6 @@ class TestTokenAPI(APITestCase):
            reverse("authentik_api:token-list"), {"identifier": "test-token"}
        )
        self.assertEqual(response.status_code, 201)
-        self.assertEqual(Token.objects.get(identifier="test-token").user, self.user)
+        token = Token.objects.get(identifier="test-token")
        self.assertEqual(token.user, self.user)
        self.assertEqual(token.intent, TokenIntents.INTENT_API)
--- a/authentik/events/api/event.py
+++ b/authentik/events/api/event.py
@ -153,10 +153,6 @@ class EventViewSet(ReadOnlyModelViewSet):
        data = []
        for value, name in EventAction.choices:
            data.append(
-                {
+                {"name": name, "description": "", "component": value, "model_name": ""}
                    "name": name,
                    "description": "",
                    "component": value,
                }
            )
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@ -80,6 +80,7 @@ class StageViewSet(
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": subclass().component,
                    "model_name": subclass._meta.model_name,
                }
            )
        data = sorted(data, key=lambda x: x["name"])
--- a/authentik/flows/views.py
+++ b/authentik/flows/views.py
@ -14,6 +14,7 @@ from drf_yasg import openapi
 from drf_yasg.utils import no_body, swagger_auto_schema
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
 from sentry_sdk import capture_exception
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.models import USER_ATTRIBUTE_DEBUG
@ -152,7 +153,8 @@ class FlowExecutorView(APIView):
            stage_response = self.current_stage_view.get(request, *args, **kwargs)
            return to_stage_response(request, stage_response)
        except Exception as exc:  # pylint: disable=broad-except
-            self._logger.exception(exc)
+            capture_exception(exc)
            self._logger.warning(exc)
            return to_stage_response(request, FlowErrorResponse(request, exc))
    @swagger_auto_schema(
@ -180,7 +182,8 @@ class FlowExecutorView(APIView):
            stage_response = self.current_stage_view.post(request, *args, **kwargs)
            return to_stage_response(request, stage_response)
        except Exception as exc:  # pylint: disable=broad-except
-            self._logger.exception(exc)
+            capture_exception(exc)
            self._logger.warning(exc)
            return to_stage_response(request, FlowErrorResponse(request, exc))
    def _initiate_plan(self) -> FlowPlan:
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -6,7 +6,7 @@ from billiard.exceptions import WorkerLostError
 from botocore.client import ClientError
 from celery.exceptions import CeleryError
 from channels_redis.core import ChannelFull
-from django.core.exceptions import DisallowedHost, ValidationError
+from django.core.exceptions import SuspiciousOperation, ValidationError
 from django.db import InternalError, OperationalError, ProgrammingError
 from django_redis.exceptions import ConnectionInterrupted
 from docker.errors import DockerException
@ -36,7 +36,7 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        OperationalError,
        InternalError,
        ProgrammingError,
-        DisallowedHost,
+        SuspiciousOperation,
        ValidationError,
        # Redis errors
        RedisConnectionError,
--- a/authentik/outposts/api/outpost_service_connections.py
+++ b/authentik/outposts/api/outpost_service_connections.py
@ -82,6 +82,7 @@ class ServiceConnectionViewSet(
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": subclass().component,
                    "model_name": subclass._meta.model_name,
                }
            )
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/outposts/apps.py
+++ b/authentik/outposts/apps.py
@ -1,17 +1,8 @@
 """authentik outposts app config"""
 from importlib import import_module
 from os import R_OK, access
 from os.path import expanduser
 from pathlib import Path
 from socket import gethostname
 from urllib.parse import urlparse
 import yaml
 from django.apps import AppConfig
 from django.db import ProgrammingError
 from docker.constants import DEFAULT_UNIX_SOCKET
 from kubernetes.config.incluster_config import SERVICE_TOKEN_FILENAME
 from kubernetes.config.kube_config import KUBE_CONFIG_DEFAULT_LOCATION
 from structlog.stdlib import get_logger
 LOGGER = get_logger()
@ -27,49 +18,8 @@ class AuthentikOutpostConfig(AppConfig):
    def ready(self):
        import_module("authentik.outposts.signals")
        try:
-            AuthentikOutpostConfig.init_local_connection()
+            from authentik.outposts.tasks import outpost_local_connection
            outpost_local_connection.delay()
        except ProgrammingError:
            pass
    @staticmethod
    def init_local_connection():
        """Check if local kubernetes or docker connections should be created"""
        from authentik.outposts.models import (
            DockerServiceConnection,
            KubernetesServiceConnection,
        )
        # Explicitly check against token filename, as thats
        # only present when the integration is enabled
        if Path(SERVICE_TOKEN_FILENAME).exists():
            LOGGER.debug("Detected in-cluster Kubernetes Config")
            if not KubernetesServiceConnection.objects.filter(local=True).exists():
                LOGGER.debug("Created Service Connection for in-cluster")
                KubernetesServiceConnection.objects.create(
                    name="Local Kubernetes Cluster", local=True, kubeconfig={}
                )
        # For development, check for the existence of a kubeconfig file
        kubeconfig_path = expanduser(KUBE_CONFIG_DEFAULT_LOCATION)
        if Path(kubeconfig_path).exists():
            LOGGER.debug("Detected kubeconfig")
            kubeconfig_local_name = f"k8s-{gethostname()}"
            if not KubernetesServiceConnection.objects.filter(
                name=kubeconfig_local_name
            ).exists():
                LOGGER.debug("Creating kubeconfig Service Connection")
                with open(kubeconfig_path, "r") as _kubeconfig:
                    KubernetesServiceConnection.objects.create(
                        name=kubeconfig_local_name,
                        kubeconfig=yaml.safe_load(_kubeconfig),
                    )
        unix_socket_path = urlparse(DEFAULT_UNIX_SOCKET).path
        socket = Path(unix_socket_path)
        if socket.exists() and access(socket, R_OK):
            LOGGER.debug("Detected local docker socket")
            if len(DockerServiceConnection.objects.filter(local=True)) == 0:
                LOGGER.debug("Created Service Connection for docker")
                DockerServiceConnection.objects.create(
                    name="Local Docker connection",
                    local=True,
                    url=unix_socket_path,
                )
--- a/authentik/outposts/settings.py
+++ b/authentik/outposts/settings.py
@ -9,7 +9,7 @@ CELERY_BEAT_SCHEDULE = {
    },
    "outposts_service_connection_check": {
        "task": "authentik.outposts.tasks.outpost_service_connection_monitor",
-        "schedule": crontab(minute=0, hour="*"),
+        "schedule": crontab(minute="*/60"),
        "options": {"queue": "authentik_scheduled"},
    },
    "outpost_token_ensurer": {
@ -17,4 +17,9 @@ CELERY_BEAT_SCHEDULE = {
        "schedule": crontab(minute="*/5"),
        "options": {"queue": "authentik_scheduled"},
    },
    "outpost_local_connection": {
        "task": "authentik.outposts.tasks.outpost_local_connection",
        "schedule": crontab(minute="*/60"),
        "options": {"queue": "authentik_scheduled"},
    },
 }
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -1,11 +1,20 @@
 """outpost tasks"""
 from os import R_OK, access
 from os.path import expanduser
 from pathlib import Path
 from socket import gethostname
 from typing import Any
 from urllib.parse import urlparse
 import yaml
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.core.cache import cache
 from django.db.models.base import Model
 from django.utils.text import slugify
 from docker.constants import DEFAULT_UNIX_SOCKET
 from kubernetes.config.incluster_config import SERVICE_TOKEN_FILENAME
 from kubernetes.config.kube_config import KUBE_CONFIG_DEFAULT_LOCATION
 from structlog.stdlib import get_logger
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
@ -67,6 +76,8 @@ def outpost_controller(self: MonitoredTask, outpost_pk: str):
    outpost: Outpost = Outpost.objects.get(pk=outpost_pk)
    self.set_uid(slugify(outpost.name))
    try:
        if not outpost.service_connection:
            return
        if outpost.type == OutpostType.PROXY:
            service_connection = outpost.service_connection
            if isinstance(service_connection, DockerServiceConnection):
@ -183,3 +194,42 @@ def _outpost_single_update(outpost: Outpost, layer=None):
    for state in OutpostState.for_outpost(outpost):
        LOGGER.debug("sending update", channel=state.uid, outpost=outpost)
        async_to_sync(layer.send)(state.uid, {"type": "event.update"})
@CELERY_APP.task()
 def outpost_local_connection():
    """Checks the local environment and create Service connections."""
    # Explicitly check against token filename, as thats
    # only present when the integration is enabled
    if Path(SERVICE_TOKEN_FILENAME).exists():
        LOGGER.debug("Detected in-cluster Kubernetes Config")
        if not KubernetesServiceConnection.objects.filter(local=True).exists():
            LOGGER.debug("Created Service Connection for in-cluster")
            KubernetesServiceConnection.objects.create(
                name="Local Kubernetes Cluster", local=True, kubeconfig={}
            )
    # For development, check for the existence of a kubeconfig file
    kubeconfig_path = expanduser(KUBE_CONFIG_DEFAULT_LOCATION)
    if Path(kubeconfig_path).exists():
        LOGGER.debug("Detected kubeconfig")
        kubeconfig_local_name = f"k8s-{gethostname()}"
        if not KubernetesServiceConnection.objects.filter(
            name=kubeconfig_local_name
        ).exists():
            LOGGER.debug("Creating kubeconfig Service Connection")
            with open(kubeconfig_path, "r") as _kubeconfig:
                KubernetesServiceConnection.objects.create(
                    name=kubeconfig_local_name,
                    kubeconfig=yaml.safe_load(_kubeconfig),
                )
    unix_socket_path = urlparse(DEFAULT_UNIX_SOCKET).path
    socket = Path(unix_socket_path)
    if socket.exists() and access(socket, R_OK):
        LOGGER.debug("Detected local docker socket")
        if len(DockerServiceConnection.objects.filter(local=True)) == 0:
            LOGGER.debug("Created Service Connection for docker")
            DockerServiceConnection.objects.create(
                name="Local Docker connection",
                local=True,
                url=unix_socket_path,
            )
--- a/authentik/policies/api/policies.py
+++ b/authentik/policies/api/policies.py
@ -108,6 +108,7 @@ class PolicyViewSet(
                    "name": subclass._meta.verbose_name,
                    "description": subclass.__doc__,
                    "component": subclass().component,
                    "model_name": subclass._meta.model_name,
                }
            )
        return Response(TypeCreateSerializer(data, many=True).data)
--- a/authentik/providers/oauth2/tests/test_views_authorize.py
+++ b/authentik/providers/oauth2/tests/test_views_authorize.py
@ -1,13 +1,23 @@
 """Test authorize view"""
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
 from django.utils.encoding import force_str
 from authentik.core.models import Application, User
 from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import Flow
 from authentik.providers.oauth2.errors import (
    AuthorizeError,
    ClientIdError,
    RedirectUriError,
 )
-from authentik.providers.oauth2.models import OAuth2Provider
+from authentik.providers.oauth2.generators import generate_client_id
 from authentik.providers.oauth2.models import (
    AuthorizationCode,
    GrantTypes,
    OAuth2Provider,
    RefreshToken,
 )
 from authentik.providers.oauth2.views.authorize import OAuthAuthorizationParams
@ -32,15 +42,194 @@ class TestViewsAuthorize(TestCase):
            )
            OAuthAuthorizationParams.from_request(request)
-    def test_missing_redirect_uri(self):
+    def test_request(self):
-        """test missing redirect URI"""
+        """test request param"""
        OAuth2Provider.objects.create(
            name="test",
            client_id="test",
            authorization_flow=Flow.objects.first(),
            redirect_uris="http://local.invalid",
        )
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
                "/",
                data={
                    "response_type": "code",
                    "client_id": "test",
                    "redirect_uri": "http://local.invalid",
                    "request": "foo",
                },
            )
            OAuthAuthorizationParams.from_request(request)
    def test_redirect_uri(self):
        """test missing/invalid redirect URI"""
        OAuth2Provider.objects.create(
            name="test",
            client_id="test",
            authorization_flow=Flow.objects.first(),
            redirect_uris="http://local.invalid",
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get(
                "/", data={"response_type": "code", "client_id": "test"}
            )
            OAuthAuthorizationParams.from_request(request)
        with self.assertRaises(RedirectUriError):
            request = self.factory.get(
                "/",
                data={
                    "response_type": "code",
                    "client_id": "test",
                    "redirect_uri": "http://localhost",
                },
            )
            OAuthAuthorizationParams.from_request(request)
    def test_response_type(self):
        """test response_type"""
        OAuth2Provider.objects.create(
            name="test",
            client_id="test",
            authorization_flow=Flow.objects.first(),
            redirect_uris="http://local.invalid",
        )
        request = self.factory.get(
            "/",
            data={
                "response_type": "code",
                "client_id": "test",
                "redirect_uri": "http://local.invalid",
            },
        )
        self.assertEqual(
            OAuthAuthorizationParams.from_request(request).grant_type,
            GrantTypes.AUTHORIZATION_CODE,
        )
        request = self.factory.get(
            "/",
            data={
                "response_type": "id_token",
                "client_id": "test",
                "redirect_uri": "http://local.invalid",
                "scope": "openid",
                "state": "foo",
            },
        )
        self.assertEqual(
            OAuthAuthorizationParams.from_request(request).grant_type,
            GrantTypes.IMPLICIT,
        )
        # Implicit without openid scope
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
                "/",
                data={
                    "response_type": "id_token",
                    "client_id": "test",
                    "redirect_uri": "http://local.invalid",
                    "state": "foo",
                },
            )
            self.assertEqual(
                OAuthAuthorizationParams.from_request(request).grant_type,
                GrantTypes.IMPLICIT,
            )
        request = self.factory.get(
            "/",
            data={
                "response_type": "code token",
                "client_id": "test",
                "redirect_uri": "http://local.invalid",
                "scope": "openid",
                "state": "foo",
            },
        )
        self.assertEqual(
            OAuthAuthorizationParams.from_request(request).grant_type, GrantTypes.HYBRID
        )
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
                "/",
                data={
                    "response_type": "invalid",
                    "client_id": "test",
                    "redirect_uri": "http://local.invalid",
                },
            )
            OAuthAuthorizationParams.from_request(request)
    def test_full_code(self):
        """Test full authorization"""
        flow = Flow.objects.create(slug="empty")
        provider = OAuth2Provider.objects.create(
            name="test",
            client_id="test",
            authorization_flow=flow,
            redirect_uris="foo://localhost",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
        state = generate_client_id()
        user = User.objects.get(username="akadmin")
        self.client.force_login(user)
        # Step 1, initiate params and get redirect to flow
        self.client.get(
            reverse("authentik_providers_oauth2:authorize"),
            data={
                "response_type": "code",
                "client_id": "test",
                "state": state,
                "redirect_uri": "foo://localhost",
            },
        )
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
        self.assertJSONEqual(
            force_str(response.content),
            {
                "type": ChallengeTypes.REDIRECT.value,
                "to": f"foo://localhost?code={code.code}&state={state}",
            },
        )
    def test_full_implicit(self):
        """Test full authorization"""
        flow = Flow.objects.create(slug="empty")
        provider = OAuth2Provider.objects.create(
            name="test",
            client_id="test",
            authorization_flow=flow,
            redirect_uris="http://localhost",
        )
        Application.objects.create(name="app", slug="app", provider=provider)
        state = generate_client_id()
        user = User.objects.get(username="akadmin")
        self.client.force_login(user)
        # Step 1, initiate params and get redirect to flow
        self.client.get(
            reverse("authentik_providers_oauth2:authorize"),
            data={
                "response_type": "id_token",
                "client_id": "test",
                "state": state,
                "scope": "openid",
                "redirect_uri": "http://localhost",
            },
        )
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        token: RefreshToken = RefreshToken.objects.filter(user=user).first()
        self.assertJSONEqual(
            force_str(response.content),
            {
                "type": ChallengeTypes.REDIRECT.value,
                "to": (
                    f"http://localhost#access_token={token.access_token}"
                    f"&id_token={provider.encode(token.id_token.to_dict())}&token_type=bearer"
                    f"&expires_in=600&state={state}"
                ),
            },
        )
--- a/authentik/providers/oauth2/tests/test_views_token.py
+++ b/authentik/providers/oauth2/tests/test_views_token.py
@ -0,0 +1,222 @@
 """Test token view"""
 from base64 import b64encode
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
 from django.utils.encoding import force_str
 from authentik.core.models import User
 from authentik.flows.models import Flow
 from authentik.providers.oauth2.constants import (
    GRANT_TYPE_AUTHORIZATION_CODE,
    GRANT_TYPE_REFRESH_TOKEN,
 )
 from authentik.providers.oauth2.generators import (
    generate_client_id,
    generate_client_secret,
 )
 from authentik.providers.oauth2.models import (
    AuthorizationCode,
    OAuth2Provider,
    RefreshToken,
 )
 from authentik.providers.oauth2.views.token import TokenParams
 class TestViewsToken(TestCase):
    """Test token view"""
    def setUp(self) -> None:
        super().setUp()
        self.factory = RequestFactory()
    def test_request_auth_code(self):
        """test request param"""
        provider = OAuth2Provider.objects.create(
            name="test",
            client_id=generate_client_id(),
            client_secret=generate_client_secret(),
            authorization_flow=Flow.objects.first(),
            redirect_uris="http://local.invalid",
        )
        header = b64encode(
            f"{provider.client_id}:{provider.client_secret}".encode()
        ).decode()
        user = User.objects.get(username="akadmin")
        code = AuthorizationCode.objects.create(
            code="foobar", provider=provider, user=user
        )
        request = self.factory.post(
            "/",
            data={
                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
                "code": code.code,
                "redirect_uri": "http://local.invalid",
            },
            HTTP_AUTHORIZATION=f"Basic {header}",
        )
        params = TokenParams.from_request(request)
        self.assertEqual(params.provider, provider)
    def test_request_refresh_token(self):
        """test request param"""
        provider = OAuth2Provider.objects.create(
            name="test",
            client_id=generate_client_id(),
            client_secret=generate_client_secret(),
            authorization_flow=Flow.objects.first(),
            redirect_uris="http://local.invalid",
        )
        header = b64encode(
            f"{provider.client_id}:{provider.client_secret}".encode()
        ).decode()
        user = User.objects.get(username="akadmin")
        token: RefreshToken = RefreshToken.objects.create(
            provider=provider,
            user=user,
            refresh_token=generate_client_id(),
        )
        request = self.factory.post(
            "/",
            data={
                "grant_type": GRANT_TYPE_REFRESH_TOKEN,
                "refresh_token": token.refresh_token,
                "redirect_uri": "http://local.invalid",
            },
            HTTP_AUTHORIZATION=f"Basic {header}",
        )
        params = TokenParams.from_request(request)
        self.assertEqual(params.provider, provider)
    def test_auth_code_view(self):
        """test request param"""
        provider = OAuth2Provider.objects.create(
            name="test",
            client_id=generate_client_id(),
            client_secret=generate_client_secret(),
            authorization_flow=Flow.objects.first(),
            redirect_uris="http://local.invalid",
        )
        header = b64encode(
            f"{provider.client_id}:{provider.client_secret}".encode()
        ).decode()
        user = User.objects.get(username="akadmin")
        code = AuthorizationCode.objects.create(
            code="foobar", provider=provider, user=user
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            data={
                "grant_type": GRANT_TYPE_AUTHORIZATION_CODE,
                "code": code.code,
                "redirect_uri": "http://local.invalid",
            },
            HTTP_AUTHORIZATION=f"Basic {header}",
        )
        new_token: RefreshToken = RefreshToken.objects.filter(user=user).first()
        self.assertJSONEqual(
            force_str(response.content),
            {
                "access_token": new_token.access_token,
                "refresh_token": new_token.refresh_token,
                "token_type": "bearer",
                "expires_in": 600,
                "id_token": provider.encode(
                    new_token.id_token.to_dict(),
                ),
            },
        )
    def test_refresh_token_view(self):
        """test request param"""
        provider = OAuth2Provider.objects.create(
            name="test",
            client_id=generate_client_id(),
            client_secret=generate_client_secret(),
            authorization_flow=Flow.objects.first(),
            redirect_uris="http://local.invalid",
        )
        header = b64encode(
            f"{provider.client_id}:{provider.client_secret}".encode()
        ).decode()
        user = User.objects.get(username="akadmin")
        token: RefreshToken = RefreshToken.objects.create(
            provider=provider,
            user=user,
            refresh_token=generate_client_id(),
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            data={
                "grant_type": GRANT_TYPE_REFRESH_TOKEN,
                "refresh_token": token.refresh_token,
                "redirect_uri": "http://local.invalid",
            },
            HTTP_AUTHORIZATION=f"Basic {header}",
            HTTP_ORIGIN="http://local.invalid",
        )
        new_token: RefreshToken = (
            RefreshToken.objects.filter(user=user).exclude(pk=token.pk).first()
        )
        self.assertEqual(response["Access-Control-Allow-Credentials"], "true")
        self.assertEqual(
            response["Access-Control-Allow-Origin"], "http://local.invalid"
        )
        self.assertJSONEqual(
            force_str(response.content),
            {
                "access_token": new_token.access_token,
                "refresh_token": new_token.refresh_token,
                "token_type": "bearer",
                "expires_in": 600,
                "id_token": provider.encode(
                    new_token.id_token.to_dict(),
                ),
            },
        )
    def test_refresh_token_view_invalid_origin(self):
        """test request param"""
        provider = OAuth2Provider.objects.create(
            name="test",
            client_id=generate_client_id(),
            client_secret=generate_client_secret(),
            authorization_flow=Flow.objects.first(),
            redirect_uris="http://local.invalid",
        )
        header = b64encode(
            f"{provider.client_id}:{provider.client_secret}".encode()
        ).decode()
        user = User.objects.get(username="akadmin")
        token: RefreshToken = RefreshToken.objects.create(
            provider=provider,
            user=user,
            refresh_token=generate_client_id(),
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            data={
                "grant_type": GRANT_TYPE_REFRESH_TOKEN,
                "refresh_token": token.refresh_token,
                "redirect_uri": "http://local.invalid",
            },
            HTTP_AUTHORIZATION=f"Basic {header}",
            HTTP_ORIGIN="http://another.invalid",
        )
        new_token: RefreshToken = (
            RefreshToken.objects.filter(user=user).exclude(pk=token.pk).first()
        )
        self.assertNotIn("Access-Control-Allow-Credentials", response)
        self.assertNotIn("Access-Control-Allow-Origin", response)
        self.assertJSONEqual(
            force_str(response.content),
            {
                "access_token": new_token.access_token,
                "refresh_token": new_token.refresh_token,
                "token_type": "bearer",
                "expires_in": 600,
                "id_token": provider.encode(
                    new_token.id_token.to_dict(),
                ),
            },
        )
--- a/authentik/providers/oauth2/utils.py
+++ b/authentik/providers/oauth2/utils.py
@ -2,9 +2,11 @@
 import re
 from base64 import b64decode
 from binascii import Error
-from typing import Optional
+from typing import Any, Optional
 from urllib.parse import urlparse
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.http.response import HttpResponseRedirect
 from django.utils.cache import patch_vary_headers
 from structlog.stdlib import get_logger
@ -25,15 +27,34 @@ class TokenResponse(JsonResponse):
        self["Pragma"] = "no-cache"
-def cors_allow_any(request, response):
+def cors_allow(request: HttpRequest, response: HttpResponse, *allowed_origins: str):
-    """
+    """Add headers to permit CORS requests from allowed_origins, with or without credentials,
-    Add headers to permit CORS requests from any origin, with or without credentials,
+    with any headers."""
    with any headers.
    """
    origin = request.META.get("HTTP_ORIGIN")
    if not origin:
        return response
    # OPTIONS requests don't have an authorization header -> hence
    # we can't extract the provider this request is for
    # so for options requests we allow the calling origin without checking
    allowed = request.method == "OPTIONS"
    received_origin = urlparse(origin)
    for allowed_origin in allowed_origins:
        url = urlparse(allowed_origin)
        if (
            received_origin.scheme == url.scheme
            and received_origin.hostname == url.hostname
            and received_origin.port == url.port
        ):
            allowed = True
    if not allowed:
        LOGGER.warning(
            "CORS: Origin is not an allowed origin",
            requested=origin,
            allowed=allowed_origins,
        )
        return response
    # From the CORS spec: The string "*" cannot be used for a resource that supports credentials.
    response["Access-Control-Allow-Origin"] = origin
    patch_vary_headers(response, ["Origin"])
@ -141,3 +162,18 @@ def protected_resource_view(scopes: list[str]):
        return view_wrapper
    return wrapper
 class HttpResponseRedirectScheme(HttpResponseRedirect):
    """HTTP Response to redirect, can be to a non-http scheme"""
    def __init__(
        self,
        redirect_to: str,
        *args: Any,
        allowed_schemes: Optional[list[str]] = None,
        **kwargs: Any,
    ) -> None:
        self.allowed_schemes = allowed_schemes or ["http", "https", "ftp"]
        # pyright: reportGeneralTypeIssues=false
        super().__init__(redirect_to, *args, **kwargs)
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -2,12 +2,12 @@
 from dataclasses import dataclass, field
 from datetime import timedelta
 from typing import Optional
-from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
+from urllib.parse import parse_qs, urlencode, urlparse, urlsplit, urlunsplit
 from uuid import uuid4
 from django.http import HttpRequest, HttpResponse
-from django.http.response import Http404, HttpResponseRedirect
+from django.http.response import Http404, HttpResponseBadRequest, HttpResponseRedirect
-from django.shortcuts import get_object_or_404, redirect
+from django.shortcuts import get_object_or_404
 from django.utils import timezone
 from django.utils.translation import gettext as _
 from structlog.stdlib import get_logger
@ -46,6 +46,7 @@ from authentik.providers.oauth2.models import (
    OAuth2Provider,
    ResponseTypes,
 )
 from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
 from authentik.providers.oauth2.views.userinfo import UserInfoView
 from authentik.stages.consent.models import ConsentMode, ConsentStage
 from authentik.stages.consent.stage import (
@ -233,9 +234,17 @@ class OAuthFulfillmentStage(StageView):
    params: OAuthAuthorizationParams
    provider: OAuth2Provider
    def redirect(self, uri: str) -> HttpResponse:
        """Redirect using HttpResponseRedirectScheme, compatible with non-http schemes"""
        parsed = urlparse(uri)
        return HttpResponseRedirectScheme(uri, allowed_schemes=[parsed.scheme])
    # pylint: disable=unused-argument
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """final Stage of an OAuth2 Flow"""
        if PLAN_CONTEXT_PARAMS not in self.executor.plan.context:
            LOGGER.warning("Got to fulfillment stage with no pending context")
            return HttpResponseBadRequest()
        self.params: OAuthAuthorizationParams = self.executor.plan.context.pop(
            PLAN_CONTEXT_PARAMS
        )
@ -258,7 +267,7 @@ class OAuthFulfillmentStage(StageView):
                flow=self.executor.plan.flow_pk,
                scopes=", ".join(self.params.scope),
            ).from_http(self.request)
-            return redirect(self.create_response_uri())
+            return self.redirect(self.create_response_uri())
        except (ClientIdError, RedirectUriError) as error:
            error.to_event(application=application).from_http(request)
            self.executor.stage_invalid()
@ -267,7 +276,7 @@ class OAuthFulfillmentStage(StageView):
        except AuthorizeError as error:
            error.to_event(application=application).from_http(request)
            self.executor.stage_invalid()
-            return redirect(error.create_uri())
+            return self.redirect(error.create_uri())
    def create_response_uri(self) -> str:
        """Create a final Response URI the user is redirected to."""
@ -301,7 +310,7 @@ class OAuthFulfillmentStage(StageView):
                return urlunsplit(uri)
            raise OAuth2Error()
        except OAuth2Error as error:
-            LOGGER.exception("Error when trying to create response uri", error=error)
+            LOGGER.warning("Error when trying to create response uri", error=error)
            raise AuthorizeError(
                self.params.redirect_uri,
                "server_error",
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@ -19,7 +19,7 @@ from authentik.providers.oauth2.models import (
    ResponseTypes,
    ScopeMapping,
 )
-from authentik.providers.oauth2.utils import cors_allow_any
+from authentik.providers.oauth2.utils import cors_allow
 LOGGER = get_logger()
@ -30,6 +30,8 @@ PLAN_CONTEXT_SCOPES = "scopes"
 class ProviderInfoView(View):
    """OpenID-compliant Provider Info"""
    provider: OAuth2Provider
    def get_info(self, provider: OAuth2Provider) -> dict[str, Any]:
        """Get dictionary for OpenID Connect information"""
        scopes = list(
@ -95,19 +97,20 @@ class ProviderInfoView(View):
        }
    # pylint: disable=unused-argument
-    def get(
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        self, request: HttpRequest, application_slug: str, *args, **kwargs
    ) -> HttpResponse:
        """OpenID-compliant Provider Info"""
        return JsonResponse(
            self.get_info(self.provider), json_dumps_params={"indent": 2}
        )
    def dispatch(
        self, request: HttpRequest, application_slug: str, *args: Any, **kwargs: Any
    ) -> HttpResponse:
        # Since this view only supports get, we can statically set the CORS headers
        application = get_object_or_404(Application, slug=application_slug)
-        provider: OAuth2Provider = get_object_or_404(
+        self.provider: OAuth2Provider = get_object_or_404(
            OAuth2Provider, pk=application.provider_id
        )
        return JsonResponse(self.get_info(provider), json_dumps_params={"indent": 2})
    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
        # Since this view only supports get, we can statically set the CORS headers
        response = super().dispatch(request, *args, **kwargs)
-        cors_allow_any(request, response)
+        cors_allow(request, response, *self.provider.redirect_uris.split("\n"))
        return response
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -19,7 +19,11 @@ from authentik.providers.oauth2.models import (
    OAuth2Provider,
    RefreshToken,
 )
-from authentik.providers.oauth2.utils import TokenResponse, extract_client_auth
+from authentik.providers.oauth2.utils import (
    TokenResponse,
    cors_allow,
    extract_client_auth,
 )
 LOGGER = get_logger()
@ -154,7 +158,18 @@ class TokenParams:
 class TokenView(View):
    """Generate tokens for clients"""
-    params: TokenParams
+    params: Optional[TokenParams] = None
    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
        response = super().dispatch(request, *args, **kwargs)
        allowed_origins = []
        if self.params:
            allowed_origins = self.params.provider.redirect_uris.split("\n")
        cors_allow(self.request, response, *allowed_origins)
        return response
    def options(self, request: HttpRequest) -> HttpResponse:
        return TokenResponse({})
    def post(self, request: HttpRequest) -> HttpResponse:
        """Generate tokens for clients"""
@ -198,7 +213,7 @@ class TokenView(View):
        response_dict = {
            "access_token": refresh_token.access_token,
            "refresh_token": refresh_token.refresh_token,
-            "token_type": "Bearer",
+            "token_type": "bearer",
            "expires_in": timedelta_from_string(
                self.params.provider.token_validity
            ).seconds,
--- a/authentik/providers/oauth2/views/userinfo.py
+++ b/authentik/providers/oauth2/views/userinfo.py
@ -1,7 +1,8 @@
 """authentik OAuth2 OpenID Userinfo views"""
-from typing import Any
+from typing import Any, Optional
 from django.http import HttpRequest, HttpResponse
 from django.http.response import HttpResponseBadRequest
 from django.utils.translation import gettext_lazy as _
 from django.views import View
 from structlog.stdlib import get_logger
@ -13,7 +14,7 @@ from authentik.providers.oauth2.constants import (
    SCOPE_GITHUB_USER_READ,
 )
 from authentik.providers.oauth2.models import RefreshToken, ScopeMapping
-from authentik.providers.oauth2.utils import TokenResponse, cors_allow_any
+from authentik.providers.oauth2.utils import TokenResponse, cors_allow
 LOGGER = get_logger()
@ -22,6 +23,8 @@ class UserInfoView(View):
    """Create a dictionary with all the requested claims about the End-User.
    See: http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse"""
    token: Optional[RefreshToken]
    def get_scope_descriptions(self, scopes: list[str]) -> list[dict[str, str]]:
        """Get a list of all Scopes's descriptions"""
        scope_descriptions = []
@ -79,16 +82,25 @@ class UserInfoView(View):
            final_claims.update(value)
        return final_claims
    def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
        self.token = kwargs.get("token", None)
        response = super().dispatch(request, *args, **kwargs)
        allowed_origins = []
        if self.token:
            allowed_origins = self.token.provider.redirect_uris.split("\n")
        cors_allow(self.request, response, *allowed_origins)
        return response
    def options(self, request: HttpRequest) -> HttpResponse:
-        return cors_allow_any(self.request, TokenResponse({}))
+        return TokenResponse({})
    def get(self, request: HttpRequest, **kwargs) -> HttpResponse:
        """Handle GET Requests for UserInfo"""
-        token: RefreshToken = kwargs["token"]
+        if not self.token:
-        claims = self.get_claims(token)
+            return HttpResponseBadRequest()
-        claims["sub"] = token.id_token.sub
+        claims = self.get_claims(self.token)
        claims["sub"] = self.token.id_token.sub
        response = TokenResponse(claims)
        cors_allow_any(self.request, response)
        return response
    def post(self, request: HttpRequest, **kwargs) -> HttpResponse:
--- a/authentik/providers/proxy/managed.py
+++ b/authentik/providers/proxy/managed.py
@ -21,7 +21,7 @@ class ProxyScopeMappingManager(ObjectManager):
            EnsureExists(
                ScopeMapping,
                "goauthentik.io/providers/proxy/scope-proxy",
-                name="authentik default OAuth Mapping: proxy outpost",
+                name="authentik default OAuth Mapping: Proxy outpost",
                scope_name=SCOPE_AK_PROXY,
                expression=SCOPE_AK_PROXY_EXPRESSION,
            ),
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -337,7 +337,7 @@ if CONFIG.y("postgresql.s3_backup"):
 # Sentry integration
 _ERROR_REPORTING = CONFIG.y_bool("error_reporting.enabled", False)
-if not DEBUG and _ERROR_REPORTING:
+if _ERROR_REPORTING:
    # pylint: disable=abstract-class-instantiated
    sentry_init(
        dsn="https://a579bb09306d4f8b8d8847c052d3a1d3@sentry.beryju.org/8",
--- a/authentik/sources/ldap/settings.py
+++ b/authentik/sources/ldap/settings.py
@ -8,7 +8,7 @@ AUTHENTICATION_BACKENDS = [
 CELERY_BEAT_SCHEDULE = {
    "sources_ldap_sync": {
        "task": "authentik.sources.ldap.tasks.ldap_sync_all",
-        "schedule": crontab(minute=0),  # Run every hour
+        "schedule": crontab(minute="*/60"),  # Run every hour
        "options": {"queue": "authentik_scheduled"},
    }
 }
--- a/authentik/sources/oauth/clients/base.py
+++ b/authentik/sources/oauth/clients/base.py
@ -9,6 +9,7 @@ from requests.models import Response
 from structlog.stdlib import get_logger
 from authentik import __version__
 from authentik.events.models import Event, EventAction
 from authentik.sources.oauth.models import OAuthSource
 LOGGER = get_logger()
@ -39,8 +40,11 @@ class BaseOAuthClient:
    def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
        "Fetch user profile information."
        profile_url = self.source.type.profile_url or ""
        if self.source.type.urls_customizable and self.source.profile_url:
            profile_url = self.source.profile_url
        try:
-            response = self.do_request("get", self.source.profile_url, token=token)
+            response = self.do_request("get", profile_url, token=token)
            response.raise_for_status()
        except RequestException as exc:
            LOGGER.warning("Unable to fetch user profile", exc=exc)
@ -59,7 +63,16 @@ class BaseOAuthClient:
        args.update(additional)
        params = urlencode(args)
        LOGGER.info("redirect args", **args)
-        return f"{self.source.authorization_url}?{params}"
+        authorization_url = self.source.type.authorization_url or ""
        if self.source.type.urls_customizable and self.source.authorization_url:
            authorization_url = self.source.authorization_url
        if authorization_url == "":
            Event.new(
                EventAction.CONFIGURATION_ERROR,
                source=self.source,
                message="Source has an empty authorization URL.",
            ).save()
        return f"{authorization_url}?{params}"
    def parse_raw_token(self, raw_token: str) -> dict[str, Any]:
        "Parse token and secret from raw token response."
--- a/authentik/sources/oauth/clients/oauth1.py
+++ b/authentik/sources/oauth/clients/oauth1.py
@ -28,9 +28,12 @@ class OAuthClient(BaseOAuthClient):
        if raw_token is not None and verifier is not None:
            token = self.parse_raw_token(raw_token)
            try:
                access_token_url = self.source.type.access_token_url or ""
                if self.source.type.urls_customizable and self.source.access_token_url:
                    access_token_url = self.source.access_token_url
                response = self.do_request(
                    "post",
-                    self.source.access_token_url,
+                    access_token_url,
                    token=token,
                    headers=self._default_headers,
                    oauth_verifier=verifier,
@ -48,9 +51,12 @@ class OAuthClient(BaseOAuthClient):
        "Fetch the OAuth request token. Only required for OAuth 1.0."
        callback = self.request.build_absolute_uri(self.callback)
        try:
            request_token_url = self.source.type.request_token_url or ""
            if self.source.type.urls_customizable and self.source.request_token_url:
                request_token_url = self.source.request_token_url
            response = self.do_request(
                "post",
-                self.source.request_token_url,
+                request_token_url,
                headers=self._default_headers,
                oauth_callback=callback,
            )
--- a/authentik/sources/oauth/clients/oauth2.py
+++ b/authentik/sources/oauth/clients/oauth2.py
@ -56,9 +56,12 @@ class OAuth2Client(BaseOAuthClient):
            LOGGER.warning("No code returned by the source")
            return None
        try:
            access_token_url = self.source.type.access_token_url or ""
            if self.source.type.urls_customizable and self.source.access_token_url:
                access_token_url = self.source.access_token_url
            response = self.session.request(
                "post",
-                self.source.access_token_url,
+                access_token_url,
                data=args,
                headers=self._default_headers,
            )
--- a/authentik/sources/oauth/migrations/0004_auto_20210417_1900.py
+++ b/authentik/sources/oauth/migrations/0004_auto_20210417_1900.py
@ -0,0 +1,79 @@
 # Generated by Django 3.2 on 2021-04-17 19:00
 from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def update_empty_urls(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    OAuthSource = apps.get_model("authentik_sources_oauth", "oauthsource")
    db_alias = schema_editor.connection.alias
    for source in OAuthSource.objects.using(db_alias).all():
        changed = False
        if source.access_token_url == "":
            source.access_token_url = None
            changed = True
        if source.authorization_url == "":
            source.authorization_url = None
            changed = True
        if source.profile_url == "":
            source.profile_url = None
            changed = True
        if source.request_token_url == "":
            source.request_token_url = None
            changed = True
        if changed:
            source.save()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_sources_oauth", "0003_auto_20210416_0726"),
    ]
    operations = [
        migrations.AlterField(
            model_name="oauthsource",
            name="access_token_url",
            field=models.CharField(
                help_text="URL used by authentik to retrive tokens.",
                max_length=255,
                null=True,
                verbose_name="Access Token URL",
            ),
        ),
        migrations.AlterField(
            model_name="oauthsource",
            name="authorization_url",
            field=models.CharField(
                help_text="URL the user is redirect to to conest the flow.",
                max_length=255,
                null=True,
                verbose_name="Authorization URL",
            ),
        ),
        migrations.AlterField(
            model_name="oauthsource",
            name="profile_url",
            field=models.CharField(
                help_text="URL used by authentik to get user information.",
                max_length=255,
                null=True,
                verbose_name="Profile URL",
            ),
        ),
        migrations.AlterField(
            model_name="oauthsource",
            name="request_token_url",
            field=models.CharField(
                help_text="URL used to request the initial token. This URL is only required for OAuth 1.",
                max_length=255,
                null=True,
                verbose_name="Request Token URL",
            ),
        ),
        migrations.RunPython(update_empty_urls),
    ]
--- a/authentik/sources/oauth/models.py
+++ b/authentik/sources/oauth/models.py
@ -19,7 +19,7 @@ class OAuthSource(Source):
    provider_type = models.CharField(max_length=255)
    request_token_url = models.CharField(
-        blank=True,
+        null=True,
        max_length=255,
        verbose_name=_("Request Token URL"),
        help_text=_(
@ -28,19 +28,19 @@ class OAuthSource(Source):
    )
    authorization_url = models.CharField(
        max_length=255,
-        blank=True,
+        null=True,
        verbose_name=_("Authorization URL"),
        help_text=_("URL the user is redirect to to conest the flow."),
    )
    access_token_url = models.CharField(
        max_length=255,
-        blank=True,
+        null=True,
        verbose_name=_("Access Token URL"),
        help_text=_("URL used by authentik to retrive tokens."),
    )
    profile_url = models.CharField(
        max_length=255,
-        blank=True,
+        null=True,
        verbose_name=_("Profile URL"),
        help_text=_("URL used by authentik to get user information."),
    )
@ -163,6 +163,16 @@ class OpenIDOAuthSource(OAuthSource):
        verbose_name_plural = _("OpenID OAuth Sources")
 class PlexOAuthSource(OAuthSource):
    """Login using plex.tv."""
    class Meta:
        abstract = True
        verbose_name = _("Plex OAuth Source")
        verbose_name_plural = _("Plex OAuth Sources")
 class UserOAuthSourceConnection(UserSourceConnection):
    """Authorized remote OAuth provider."""
--- a/authentik/sources/oauth/settings.py
+++ b/authentik/sources/oauth/settings.py
@ -9,4 +9,5 @@ AUTHENTIK_SOURCES_OAUTH_TYPES = [
    "authentik.sources.oauth.types.twitter",
    "authentik.sources.oauth.types.azure_ad",
    "authentik.sources.oauth.types.oidc",
    "authentik.sources.oauth.types.plex",
 ]
--- a/authentik/sources/oauth/types/azure_ad.py
+++ b/authentik/sources/oauth/types/azure_ad.py
@ -1,5 +1,5 @@
 """AzureAD OAuth2 Views"""
-from typing import Any
+from typing import Any, Optional
 from uuid import UUID
 from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
@ -10,8 +10,11 @@ from authentik.sources.oauth.views.callback import OAuthCallback
 class AzureADOAuthCallback(OAuthCallback):
    """AzureAD OAuth2 Callback"""
-    def get_user_id(self, source: OAuthSource, info: dict[str, Any]) -> str:
+    def get_user_id(self, source: OAuthSource, info: dict[str, Any]) -> Optional[str]:
-        return str(UUID(info.get("objectId")).int)
+        try:
            return str(UUID(info.get("objectId")).int)
        except TypeError:
            return None
    def get_user_enroll_context(
        self,
--- a/authentik/sources/oauth/types/plex.py
+++ b/authentik/sources/oauth/types/plex.py
@ -0,0 +1,134 @@
 """Plex OAuth Views"""
 from typing import Any, Optional
 from urllib.parse import urlencode
 from django.http.response import Http404
 from requests import post
 from requests.api import get
 from requests.exceptions import RequestException
 from structlog.stdlib import get_logger
 from authentik import __version__
 from authentik.sources.oauth.clients.oauth2 import OAuth2Client
 from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
 from authentik.sources.oauth.types.manager import MANAGER, SourceType
 from authentik.sources.oauth.views.callback import OAuthCallback
 from authentik.sources.oauth.views.redirect import OAuthRedirect
 LOGGER = get_logger()
 SESSION_ID_KEY = "PLEX_ID"
 SESSION_CODE_KEY = "PLEX_CODE"
 DEFAULT_PAYLOAD = {
    "X-Plex-Product": "authentik",
    "X-Plex-Version": __version__,
    "X-Plex-Device-Vendor": "BeryJu.org",
 }
 class PlexRedirect(OAuthRedirect):
    """Plex Auth redirect, get a pin then redirect to a URL to claim it"""
    headers = {}
    def get_pin(self, **data) -> dict:
        """Get plex pin that the user will claim
        https://forums.plex.tv/t/authenticating-with-plex/609370"""
        return post(
            "https://plex.tv/api/v2/pins.json?strong=true",
            data=data,
            headers=self.headers,
        ).json()
    def get_redirect_url(self, **kwargs) -> str:
        slug = kwargs.get("source_slug", "")
        self.headers = {"Origin": self.request.build_absolute_uri("/")}
        try:
            source: OAuthSource = OAuthSource.objects.get(slug=slug)
        except OAuthSource.DoesNotExist:
            raise Http404(f"Unknown OAuth source '{slug}'.")
        else:
            payload = DEFAULT_PAYLOAD.copy()
            payload["X-Plex-Client-Identifier"] = source.consumer_key
            # Get a pin first
            pin = self.get_pin(**payload)
            LOGGER.debug("Got pin", **pin)
            self.request.session[SESSION_ID_KEY] = pin["id"]
            self.request.session[SESSION_CODE_KEY] = pin["code"]
            qs = {
                "clientID": source.consumer_key,
                "code": pin["code"],
                "forwardUrl": self.request.build_absolute_uri(
                    self.get_callback_url(source)
                ),
            }
            return f"https://app.plex.tv/auth#!?{urlencode(qs)}"
 class PlexOAuthClient(OAuth2Client):
    """Retrive the plex token after authentication, then ask the plex API about user info"""
    def check_application_state(self) -> bool:
        return SESSION_ID_KEY in self.request.session
    def get_access_token(self, **request_kwargs) -> Optional[dict[str, Any]]:
        payload = dict(DEFAULT_PAYLOAD)
        payload["X-Plex-Client-Identifier"] = self.source.consumer_key
        payload["Accept"] = "application/json"
        response = get(
            f"https://plex.tv/api/v2/pins/{self.request.session[SESSION_ID_KEY]}",
            headers=payload,
        )
        response.raise_for_status()
        token = response.json()["authToken"]
        return {"plex_token": token}
    def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
        "Fetch user profile information."
        qs = {"X-Plex-Token": token["plex_token"]}
        try:
            response = self.do_request(
                "get", f"https://plex.tv/users/account.json?{urlencode(qs)}"
            )
            response.raise_for_status()
        except RequestException as exc:
            LOGGER.warning("Unable to fetch user profile", exc=exc)
            return None
        else:
            return response.json().get("user", {})
 class PlexOAuth2Callback(OAuthCallback):
    """Plex OAuth2 Callback"""
    client_class = PlexOAuthClient
    def get_user_id(
        self, source: UserOAuthSourceConnection, info: dict[str, Any]
    ) -> Optional[str]:
        return info.get("uuid")
    def get_user_enroll_context(
        self,
        source: OAuthSource,
        access: UserOAuthSourceConnection,
        info: dict[str, Any],
    ) -> dict[str, Any]:
        return {
            "username": info.get("username"),
            "email": info.get("email"),
            "name": info.get("title"),
        }
@MANAGER.type()
 class PlexType(SourceType):
    """Plex Type definition"""
    redirect_view = PlexRedirect
    callback_view = PlexOAuth2Callback
    name = "Plex"
    slug = "plex"
    authorization_url = ""
    access_token_url = ""  # nosec
    profile_url = ""
--- a/authentik/sources/oauth/views/base.py
+++ b/authentik/sources/oauth/views/base.py
@ -2,12 +2,15 @@
 from typing import Optional, Type
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
 from authentik.sources.oauth.clients.base import BaseOAuthClient
 from authentik.sources.oauth.clients.oauth1 import OAuthClient
 from authentik.sources.oauth.clients.oauth2 import OAuth2Client
 from authentik.sources.oauth.models import OAuthSource
 LOGGER = get_logger()
 # pylint: disable=too-few-public-methods
 class OAuthClientMixin:
@ -22,6 +25,9 @@ class OAuthClientMixin:
        if self.client_class is not None:
            # pylint: disable=not-callable
            return self.client_class(source, self.request, **kwargs)
-        if source.request_token_url:
+        if source.type.request_token_url or source.request_token_url:
-            return OAuthClient(source, self.request, **kwargs)
+            client = OAuthClient(source, self.request, **kwargs)
-        return OAuth2Client(source, self.request, **kwargs)
+        else:
            client = OAuth2Client(source, self.request, **kwargs)
        LOGGER.debug("Using client for oauth request", client=client)
        return client
--- a/authentik/sources/oauth/views/callback.py
+++ b/authentik/sources/oauth/views/callback.py
@ -209,9 +209,9 @@ class OAuthCallback(OAuthClientMixin, View):
        )
        return redirect(
            reverse(
-                "authentik_sources_oauth:oauth-client-user",
+                "authentik_core:if-admin",
                kwargs={"source_slug": self.source.slug},
            )
            + f"#/user;page-{self.source.slug}"
        )
    def handle_enroll(
--- a/authentik/sources/saml/processors/response.py
+++ b/authentik/sources/saml/processors/response.py
@ -39,13 +39,13 @@ from authentik.sources.saml.processors.constants import (
 from authentik.sources.saml.processors.request import SESSION_REQUEST_ID
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_login.stage import DEFAULT_BACKEND
 LOGGER = get_logger()
 if TYPE_CHECKING:
    from xml.etree.ElementTree import Element  # nosec
 CACHE_SEEN_REQUEST_ID = "authentik_saml_seen_ids_%s"
 DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"
 class ResponseProcessor:
--- a/authentik/stages/email/api.py
+++ b/authentik/stages/email/api.py
@ -63,6 +63,7 @@ class EmailStageViewSet(ModelViewSet):
                    "name": value,
                    "description": label,
                    "component": "",
                    "model_name": "",
                }
            )
        return Response(TypeCreateSerializer(choices, many=True).data)
--- a/authentik/stages/identification/stage.py
+++ b/authentik/stages/identification/stage.py
@ -1,5 +1,6 @@
 """Identification stage logic"""
 from dataclasses import asdict
 from time import sleep
 from typing import Optional
 from django.db.models import Q
@ -46,6 +47,7 @@ class IdentificationChallengeResponse(ChallengeResponse):
        """Validate that user exists"""
        pre_user = self.stage.get_user(value)
        if not pre_user:
            sleep(0.150)
            LOGGER.debug("invalid_login", identifier=value)
            raise ValidationError("Failed to authenticate.")
        self.pre_user = pre_user
@ -68,7 +70,7 @@ class IdentificationStageView(ChallengeStageView):
            else:
                model_field += "__exact"
            query |= Q(**{model_field: uid_value})
-        users = User.objects.filter(query)
+        users = User.objects.filter(query, is_active=True)
        if users.exists():
            LOGGER.debug("Found user", user=users.first(), query=query)
            return users.first()
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@ -11,6 +11,7 @@ from authentik.lib.utils.time import timedelta_from_string
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 LOGGER = get_logger()
 DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"
 class UserLoginStageView(StageView):
@ -23,12 +24,9 @@ class UserLoginStageView(StageView):
            messages.error(request, message)
            LOGGER.debug(message)
            return self.executor.stage_invalid()
-        if PLAN_CONTEXT_AUTHENTICATION_BACKEND not in self.executor.plan.context:
+        backend = self.executor.plan.context.get(
-            message = _("Pending user has no backend.")
+            PLAN_CONTEXT_AUTHENTICATION_BACKEND, DEFAULT_BACKEND
-            messages.error(request, message)
+        )
            LOGGER.debug(message)
            return self.executor.stage_invalid()
        backend = self.executor.plan.context[PLAN_CONTEXT_AUTHENTICATION_BACKEND]
        login(
            self.request,
            self.executor.plan.context[PLAN_CONTEXT_PENDING_USER],
--- a/authentik/stages/user_login/tests.py
+++ b/authentik/stages/user_login/tests.py
@ -12,7 +12,6 @@ from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlan
 from authentik.flows.tests.test_views import TO_STAGE_RESPONSE_MOCK
 from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.user_login.models import UserLoginStage
@ -38,9 +37,6 @@ class TestUserLoginStage(TestCase):
            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
        )
        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
        plan.context[
            PLAN_CONTEXT_AUTHENTICATION_BACKEND
        ] = "django.contrib.auth.backends.ModelBackend"
        session = self.client.session
        session[SESSION_KEY_PLAN] = plan
        session.save()
@ -82,32 +78,3 @@ class TestUserLoginStage(TestCase):
                "type": ChallengeTypes.NATIVE.value,
            },
        )
    @patch(
        "authentik.flows.views.to_stage_response",
        TO_STAGE_RESPONSE_MOCK,
    )
    def test_without_backend(self):
        """Test a plan with pending user, without backend, resulting in a denied"""
        plan = FlowPlan(
            flow_pk=self.flow.pk.hex, stages=[self.stage], markers=[StageMarker()]
        )
        plan.context[PLAN_CONTEXT_PENDING_USER] = self.user
        session = self.client.session
        session[SESSION_KEY_PLAN] = plan
        session.save()
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug})
        )
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(
            force_str(response.content),
            {
                "component": "ak-stage-access-denied",
                "error_message": None,
                "title": "",
                "type": ChallengeTypes.NATIVE.value,
            },
        )
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@ -369,8 +369,6 @@ stages:
                coverage-unittest/unittest.xml
              mergeTestResults: true
          - task: CmdLine@2
            env:
              CODECOV_TOKEN: $(CODECOV_TOKEN)
            inputs:
              script: bash <(curl -s https://codecov.io/bash)
  - stage: Build
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -20,7 +20,7 @@ services:
    networks:
      - internal
  server:
-    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.2}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.4}
    restart: unless-stopped
    command: server
    environment:
@ -48,7 +48,7 @@ services:
    env_file:
      - .env
  worker:
-    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.2}
+    image: ${AUTHENTIK_IMAGE:-beryju/authentik}:${AUTHENTIK_TAG:-2021.4.4}
    restart: unless-stopped
    command: worker
    networks:
@ -68,7 +68,7 @@ services:
    env_file:
      - .env
  static:
-    image: ${AUTHENTIK_IMAGE_STATIC:-beryju/authentik-static}:${AUTHENTIK_TAG:-2021.4.2}
+    image: ${AUTHENTIK_IMAGE_STATIC:-beryju/authentik-static}:${AUTHENTIK_TAG:-2021.4.4}
    restart: unless-stopped
    networks:
      - internal
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@ -3,9 +3,9 @@ description: authentik is an open-source Identity Provider focused on flexibilit
 name: authentik
 home: https://goauthentik.io
 sources:
-  - https://github.com/BeryJu/authentik
+  - https://github.com/goauthentik/authentik
-version: "2021.4.2"
+version: "2021.4.4"
-icon: https://raw.githubusercontent.com/BeryJu/authentik/master/web/icons/icon.svg
+icon: https://raw.githubusercontent.com/goauthentik/authentik/master/web/icons/icon.svg
 dependencies:
  - name: postgresql
    version: 9.4.1
--- a/helm/README.md
+++ b/helm/README.md
@ -4,12 +4,12 @@
 |-----------------------------------|-------------------------|-------------|
 | image.name                        | beryju/authentik        | Image used to run the authentik server and worker |
 | image.name_static                 | beryju/authentik-static | Image used to run the authentik static server (CSS and JS Files) |
-| image.tag                         | 2021.4.2                | Image tag |
+| image.tag                         | 2021.4.4                | Image tag |
 | image.pullPolicy                  | IfNotPresent            | Image Pull Policy used for all deployments |
 | serverReplicas                    | 1                       | Replicas for the Server deployment |
 | workerReplicas                    | 1                       | Replicas for the Worker deployment |
 | kubernetesIntegration             | true                    | Enable/disable the Kubernetes integration for authentik. This will create a service account for authentik to create and update outposts in authentik |
-| config.secretKey                  |                         | Secret key used to sign session cookies, generate with `pwgen 50 1` for example. |
+| config.secretKey                  |                         | Secret key used to sign session cookies, generate with `pwgen 50 1` or `openssl rand -base64 36` for example. |
 | config.errorReporting.enabled     | false                   | Enable/disable error reporting |
 | config.errorReporting.environment | customer                | Environment sent with the error reporting |
 | config.errorReporting.sendPii     | false                   | Whether to send Personally-identifiable data with the error reporting |
--- a/helm/templates/web-deployment.yaml
+++ b/helm/templates/web-deployment.yaml
@ -43,29 +43,6 @@ spec:
                  values:
                  - web
              topologyKey: "kubernetes.io/hostname"
      initContainers:
        - name: authentik-database-migrations
          image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
          args: [migrate]
          envFrom:
            - configMapRef:
                name: {{ include "authentik.fullname" . }}-config
              prefix: AUTHENTIK_
            - secretRef:
                name: {{ include "authentik.fullname" . }}-secret-key
              prefix: AUTHENTIK_
          env:
            - name: AUTHENTIK_REDIS__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ .Release.Name }}-redis"
                  key: redis-password
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: "{{ .Release.Name }}-postgresql"
                  key: postgresql-password
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.name }}:{{ .Values.image.tag }}"
--- a/helm/values.yaml
+++ b/helm/values.yaml
@ -5,7 +5,7 @@ image:
  name: beryju/authentik
  name_static: beryju/authentik-static
  name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
-  tag: 2021.4.2
+  tag: 2021.4.4
  pullPolicy: IfNotPresent
 serverReplicas: 1
--- a/lifecycle/bootstrap.sh
+++ b/lifecycle/bootstrap.sh
@ -2,13 +2,13 @@
 python -m lifecycle.wait_for_db
 printf '{"event": "Bootstrap completed", "level": "info", "logger": "bootstrap", "command": "%s"}\n' "$@" > /dev/stderr
 if [[ "$1" == "server" ]]; then
    python -m lifecycle.migrate
    gunicorn -c /lifecycle/gunicorn.conf.py authentik.root.asgi:application
 elif [[ "$1" == "worker" ]]; then
    celery -A authentik.root.celery worker --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events
 elif [[ "$1" == "migrate" ]]; then
-    # Run system migrations first, run normal migrations after
+    printf "DEPERECATED: database migrations are now executed automatically on startup."
    python -m lifecycle.migrate
    python -m manage migrate
 elif [[ "$1" == "backup" ]]; then
    python -m manage dbbackup --clean
 elif [[ "$1" == "restore" ]]; then
--- a/lifecycle/migrate.py
+++ b/lifecycle/migrate.py
@ -1,5 +1,6 @@
 #!/usr/bin/env python
 """System Migration handler"""
 import os
 from importlib.util import module_from_spec, spec_from_file_location
 from inspect import getmembers, isclass
 from pathlib import Path
@ -11,6 +12,7 @@ from structlog.stdlib import get_logger
 from authentik.lib.config import CONFIG
 LOGGER = get_logger()
 ADV_LOCK_UID = 1000
 class BaseMigration:
@ -40,18 +42,36 @@ if __name__ == "__main__":
        host=CONFIG.y("postgresql.host"),
    )
    curr = conn.cursor()
    # lock an advisory lock to prevent multiple instances from migrating at once
    LOGGER.info("waiting to acquire database lock")
    curr.execute("SELECT pg_advisory_lock(%s)", (ADV_LOCK_UID,))
    try:
        for migration in (
            Path(__file__).parent.absolute().glob("system_migrations/*.py")
        ):
            spec = spec_from_file_location("lifecycle.system_migrations", migration)
            mod = module_from_spec(spec)
            # pyright: reportGeneralTypeIssues=false
            spec.loader.exec_module(mod)
-    for migration in Path(__file__).parent.absolute().glob("system_migrations/*.py"):
+            for name, sub in getmembers(mod, isclass):
-        spec = spec_from_file_location("lifecycle.system_migrations", migration)
+                if name != "Migration":
-        mod = module_from_spec(spec)
+                    continue
-        # pyright: reportGeneralTypeIssues=false
+                migration = sub(curr, conn)
-        spec.loader.exec_module(mod)
+                if migration.needs_migration():
-
+                    LOGGER.info("Migration needs to be applied", migration=sub)
-        for name, sub in getmembers(mod, isclass):
+                    migration.run()
-            if name != "Migration":
+                    LOGGER.info("Migration finished applying", migration=sub)
-                continue
+        LOGGER.info("applying django migrations")
-            migration = sub(curr, conn)
+        os.environ.setdefault("DJANGO_SETTINGS_MODULE", "authentik.root.settings")
-            if migration.needs_migration():
+        try:
-                LOGGER.info("Migration needs to be applied", migration=sub)
+            from django.core.management import execute_from_command_line
-                migration.run()
+        except ImportError as exc:
-                LOGGER.info("Migration finished applying", migration=sub)
+            raise ImportError(
                "Couldn't import Django. Are you sure it's installed and "
                "available on your PYTHONPATH environment variable? Did you "
                "forget to activate a virtual environment?"
            ) from exc
        execute_from_command_line(["", "migrate"])
    finally:
        curr.execute("SELECT pg_advisory_unlock(%s)", (ADV_LOCK_UID,))
--- a/outpost/README.md
+++ b/outpost/README.md
@ -1,6 +1,6 @@
 # authentik outpost
-[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/3?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=3)
+[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/3?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=8)
 ![Docker pulls (proxy)](https://img.shields.io/docker/pulls/beryju/authentik-proxy.svg?style=flat-square)
 Reverse Proxy based on [oauth2_proxy](https://github.com/oauth2-proxy/oauth2-proxy), completely managed and monitored by authentik.
--- a/outpost/azure-pipelines.yml
+++ b/outpost/azure-pipelines.yml
@ -41,10 +41,6 @@ stages:
          - task: GoTool@0
            inputs:
              version: '1.16.3'
          - task: Go@0
            inputs:
              command: 'get'
              arguments: '-u golang.org/x/lint/golint'
          - task: DownloadPipelineArtifact@2
            inputs:
              buildType: 'current'
@ -53,7 +49,7 @@ stages:
          - task: CmdLine@2
            inputs:
              script: |
-                $(go list -f {{.Target}} golang.org/x/lint/golint) ./...
+                docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:v1.39.0 golangci-lint run -v --timeout 200s
              workingDirectory: 'outpost/'
  - stage: proxy_build_go
    jobs:
--- a/outpost/cmd/proxy/server.go
+++ b/outpost/cmd/proxy/server.go
@ -52,13 +52,14 @@ func main() {
 	ac.Server = proxy.NewServer(ac)
-	ac.Start()
+	err = ac.Start()
 	if err != nil {
 		log.WithError(err).Panic("Failed to run server")
 	}
 	for {
-		select {
+		<-interrupt
-		case <-interrupt:
+		ac.Shutdown()
-			ac.Shutdown()
+		os.Exit(0)
 			os.Exit(0)
 		}
 	}
 }
--- a/outpost/go.mod
+++ b/outpost/go.mod
@ -8,12 +8,12 @@ require (
 	github.com/getsentry/sentry-go v0.10.0
 	github.com/go-openapi/analysis v0.20.1 // indirect
 	github.com/go-openapi/errors v0.20.0
-	github.com/go-openapi/runtime v0.19.27
+	github.com/go-openapi/runtime v0.19.28
 	github.com/go-openapi/strfmt v0.20.1
 	github.com/go-openapi/swag v0.19.15
 	github.com/go-openapi/validate v0.20.2
 	github.com/go-redis/redis/v7 v7.4.0 // indirect
-	github.com/go-swagger/go-swagger v0.27.0 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/gorilla/websocket v1.4.2
 	github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a
 	github.com/justinas/alice v1.2.0
@ -23,6 +23,7 @@ require (
 	github.com/oauth2-proxy/oauth2-proxy v0.0.0-20200831161845-e4e5580852dc
 	github.com/pelletier/go-toml v1.9.0 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac // indirect
 	github.com/recws-org/recws v1.3.1
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/afero v1.6.0 // indirect
@ -30,10 +31,11 @@ require (
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/spf13/viper v1.7.1 // indirect
-	golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1 // indirect
+	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 // indirect
-	golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57 // indirect
+	golang.org/x/net v0.0.0-20210415231046-e915ea6b2b7d // indirect
 	golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558 // indirect
 	golang.org/x/sys v0.0.0-20210415045647-66c3f260301c // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/grpc v1.31.0 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 )
--- a/outpost/go.sum
+++ b/outpost/go.sum
@ -102,7 +102,6 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@ -124,8 +123,6 @@ github.com/etcd-io/bbolt v1.3.3/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHj
 github.com/fasthttp-contrib/websocket v0.0.0-20160511215533-1f3b11f56072/go.mod h1:duJ4Jxv5lDcvg4QuQr0oowTf7dz4/CR8NtyCooz9HL8=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/felixge/httpsnoop v1.0.1 h1:lvB5Jl89CsZtGIWuTcDM1E/vkVs49/Ml7JJe07l8SPQ=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.10.0 h1:Gfh+GAJZOAoKZsIZeZbdn2JF10kN1XHNvjsvQK8gVkE=
 github.com/frankban/quicktest v1.10.0/go.mod h1:ui7WezCLWMWxVWr1GETZY3smRy0G4KWq9vcPtJmFl7Y=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@ -157,7 +154,6 @@ github.com/go-openapi/analysis v0.19.4/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9sn
 github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU=
 github.com/go-openapi/analysis v0.19.10/go.mod h1:qmhS3VNFxBlquFJ0RGoDtylO9y4pgTAUNE9AEEMdlJQ=
 github.com/go-openapi/analysis v0.19.16/go.mod h1:GLInF007N83Ad3m8a/CbQ5TPzdnGT7workfHwuVjNVk=
 github.com/go-openapi/analysis v0.20.0 h1:UN09o0kNhleunxW7LR+KnltD0YrJ8FF03pSqvAN3Vro=
 github.com/go-openapi/analysis v0.20.0/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og=
 github.com/go-openapi/analysis v0.20.1 h1:zdVbw8yoD4SWZeq+cWdGgquaB0W4VrsJvDJHJND/Ktc=
 github.com/go-openapi/analysis v0.20.1/go.mod h1:BMchjvaHDykmRMsK40iPtvyOfFdMMxlOmQr9FBZk+Og=
@ -171,8 +167,6 @@ github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpX
 github.com/go-openapi/errors v0.19.9/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/errors v0.20.0 h1:Sxpo9PjEHDzhs3FbnGNonvDgWcMW2U7wGTcDDSFSceM=
 github.com/go-openapi/errors v0.20.0/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M=
 github.com/go-openapi/inflect v0.19.0 h1:9jCH9scKIbHeV9m12SmPilScz6krDxKRasNNSNPXu/4=
 github.com/go-openapi/inflect v0.19.0/go.mod h1:lHpZVlpIQqLyKwJ4N+YSc9hchQy/i12fJykb83CRBH4=
 github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
 github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M=
 github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg=
@ -202,8 +196,8 @@ github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29g
 github.com/go-openapi/runtime v0.19.15/go.mod h1:dhGWCTKRXlAfGnQG0ONViOZpjfg0m2gUt9nTQPQZuoo=
 github.com/go-openapi/runtime v0.19.16/go.mod h1:5P9104EJgYcizotuXhEuUrzVc+j1RiSjahULvYmlv98=
 github.com/go-openapi/runtime v0.19.24/go.mod h1:Lm9YGCeecBnUUkFTxPC4s1+lwrkJ0pthx8YvyjCfkgk=
-github.com/go-openapi/runtime v0.19.27 h1:4zrQCJoP7rqNCUaApDv1MdPkaa5TuPfO05Lq5WLhX9I=
+github.com/go-openapi/runtime v0.19.28 h1:9lYu6axek8LJrVkMVViVirRcpoaCxXX7+sSvmizGVnA=
-github.com/go-openapi/runtime v0.19.27/go.mod h1:BvrQtn6iVb2QmiVXRsFAm6ZCAZBpbVKFfN6QWCp582M=
+github.com/go-openapi/runtime v0.19.28/go.mod h1:BvrQtn6iVb2QmiVXRsFAm6ZCAZBpbVKFfN6QWCp582M=
 github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
 github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI=
 github.com/go-openapi/spec v0.19.2/go.mod h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY=
@ -252,9 +246,6 @@ github.com/go-redis/redis/v7 v7.4.0/go.mod h1:JDNMw23GTyLNC4GZu9njt15ctBQVn7xjRf
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-swagger/go-swagger v0.27.0 h1:K7+nkBuf4oS1jTBrdvWqYFpqD69V5CN8HamZzCDDhAI=
 github.com/go-swagger/go-swagger v0.27.0/go.mod h1:WodZVysInJilkW7e6IRw+dZGp5yW6rlMFZ4cb+THl9A=
 github.com/go-swagger/scan-repo-boundary v0.0.0-20180623220736-973b3573c013/go.mod h1:b65mBPzqzZWxOZGxSWrqs4GInLIn+u99Q9q7p+GKni0=
 github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0=
 github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY=
 github.com/gobuffalo/depgen v0.1.0/go.mod h1:+ifsuy7fhi15RWncXQQKjWS9JPkdah5sZvtHc2RXGlg=
@ -310,8 +301,6 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
@ -329,8 +318,8 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2 h1:X2ev0eStA3AbceY54o37/0PQ/UWqKEiiO2dKL5OPaFM=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@ -352,8 +341,6 @@ github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
 github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
@ -392,8 +379,6 @@ github.com/iris-contrib/go.uuid v2.0.0+incompatible/go.mod h1:iz2lgM/1UnEf1kP0L/
 github.com/iris-contrib/jade v1.1.3/go.mod h1:H/geBymxJhShH5kecoiOCSssPX7QWYH7UaeZTSWddIk=
 github.com/iris-contrib/pongo2 v0.0.1/go.mod h1:Ssh+00+3GAZqSQb30AvBRNxBx7rf0GqwkjqxNd0u65g=
 github.com/iris-contrib/schema v0.0.1/go.mod h1:urYA3uvUNG1TIIjOSCzHr9/LmbQo8LrOcOqfqxa4hXw=
 github.com/jessevdk/go-flags v1.5.0 h1:1jKYvbxEjfUl0fmqTCOfonvskHHXMjBySTLW4y9LFvc=
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
 github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o=
 github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
@ -521,8 +506,6 @@ github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtP
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.4.0/go.mod h1:PN7xzY2wHTK0K9p34ErDQMlFxa51Fk0OUruD3k1mMwo=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
 github.com/pelletier/go-toml v1.8.1 h1:1Nf83orprkJyknT6h7zbuEGUEjcyVlCxSUGTENmNCRM=
 github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
 github.com/pelletier/go-toml v1.9.0 h1:NOd0BRdOKpPf0SxkL3HxSQOG7rNh+4kl6PHcBPFs7Q0=
 github.com/pelletier/go-toml v1.9.0/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pierrec/lz4 v2.5.2+incompatible h1:WCjObylUIOlKy/+7Abdn34TLIkXiA4UWUMhxq9m9ZXI=
@ -538,8 +521,6 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/pquerna/cachecontrol v0.0.0-20200921180117-858c6e7e6b7e h1:BLqxdwZ6j771IpSCRx7s/GJjXHUE00Hmu7/YegCGdzA=
 github.com/pquerna/cachecontrol v0.0.0-20200921180117-858c6e7e6b7e/go.mod h1:hoLfEwdY11HjRfKFH6KqnPsfxlo3BP6bJehpDv8t6sQ=
 github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac h1:jWKYCNlX4J5s8M0nHYkh7Y7c9gRVDEb3mq51j5J0F5M=
 github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac/go.mod h1:hoLfEwdY11HjRfKFH6KqnPsfxlo3BP6bJehpDv8t6sQ=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@ -559,7 +540,6 @@ github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/schollz/closestmatch v2.1.0+incompatible/go.mod h1:RtP1ddjLong6gTkbtmuhtR2uUrrJOpYzYRvbcPAid+g=
@ -586,7 +566,6 @@ github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
 github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
@ -595,7 +574,6 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.6.3/go.mod h1:jUMtyi0/lB5yZH/FjyGAoH7IMNrIhlBf6pXZmbMDvzw=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.7.1 h1:pM5oEahlgWv/WnHXpgbKz7iLIxRf65tye2Ci+XFK5sk=
 github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@ -613,8 +591,6 @@ github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69
 github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
 github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
 github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
@ -649,7 +625,6 @@ github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZ
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/gopher-lua v0.0.0-20190206043414-8bfc7677f583/go.mod h1:gqRgreBUhTSL0GeU64rtZ3Uq3wtjOa/TB2YfrtkCbVQ=
 github.com/yuin/gopher-lua v0.0.0-20191213034115-f46add6fdb5c/go.mod h1:gqRgreBUhTSL0GeU64rtZ3Uq3wtjOa/TB2YfrtkCbVQ=
 github.com/yuin/gopher-lua v0.0.0-20191220021717-ab39c6098bdb h1:ZkM6LRnq40pR1Ox0hTHlnpkcOTuFIDQpZ1IN8rKKhX0=
@ -690,8 +665,6 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191227163750-53104e6ec876/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392 h1:xYJJ3S178yv++9zXV/hnr29plCAGO9vAFG9dorqaFQc=
 golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@ -715,7 +688,6 @@ golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHl
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
@ -725,8 +697,6 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB
 golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -767,23 +737,18 @@ golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210331060903-cb1fcc7394e5 h1:zuP3axpB9rV3xH0EA7n3/gCrNPZm2SRl0l4mVH2BRj4=
+golang.org/x/net v0.0.0-20210415231046-e915ea6b2b7d h1:BgJvlyh+UqCUaPlscHJ+PN8GcpfrFdr7NHjd1JL0+Gs=
-golang.org/x/net v0.0.0-20210331060903-cb1fcc7394e5/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210415231046-e915ea6b2b7d/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1 h1:4qWs8cYYH6PoEFy4dfhDFgoMGkwAcETd+MmPdCPMzUc=
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58 h1:Mj83v+wSRNEar42a/MQgxk9X42TdEmrOl9i+y8WbxLo=
 golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558 h1:D7nTwh4J0i+5mW4Zjzn5omvlr6YBcWywE6KOcatyNxY=
 golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -795,7 +760,6 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -846,13 +810,9 @@ golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44 h1:Bli41pIlzTzf3KEY06n+xnzK/BESIg2ze4Pgfh/aI8c=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57 h1:F5Gozwx4I1xtr/sr/8CFbb57iKi3297KFs0QDbGN60A=
+golang.org/x/sys v0.0.0-20210415045647-66c3f260301c h1:6L+uOeS3OQt/f4eFHXZcTxeZrGCuz+CLElgEBjbcTA4=
-golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210415045647-66c3f260301c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -860,7 +820,6 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5 h1:i6eZZ+zk0SOf0xgBpEpPD18qWcJda6q1sxt3S0kzyUQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@ -920,8 +879,6 @@ golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -1005,7 +962,6 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
--- a/outpost/pkg/ak/api.go
+++ b/outpost/pkg/ak/api.go
@ -4,6 +4,7 @@ import (
 	"fmt"
 	"math/rand"
 	"net/url"
 	"os"
 	"time"
 	"github.com/go-openapi/runtime"
@ -30,8 +31,7 @@ type APIController struct {
 	Server Outpost
-	lastBundleHash string
+	logger *log.Entry
 	logger         *log.Entry
 	reloadOffset time.Duration
@ -39,8 +39,8 @@ type APIController struct {
 }
 // NewAPIController initialise new API Controller instance from URL and API token
-func NewAPIController(pbURL url.URL, token string) *APIController {
+func NewAPIController(akURL url.URL, token string) *APIController {
-	transport := httptransport.New(pbURL.Host, client.DefaultBasePath, []string{pbURL.Scheme})
+	transport := httptransport.New(akURL.Host, client.DefaultBasePath, []string{akURL.Scheme})
 	transport.Transport = SetUserAgent(getTLSTransport(), fmt.Sprintf("authentik-proxy@%s", pkg.VERSION))
 	// create the transport
@ -53,10 +53,11 @@ func NewAPIController(pbURL url.URL, token string) *APIController {
 	// Because we don't know the outpost UUID, we simply do a list and pick the first
 	// The service account this token belongs to should only have access to a single outpost
-	outposts, err := apiClient.Outposts.OutpostsOutpostsList(outposts.NewOutpostsOutpostsListParams(), auth)
+	outposts, err := apiClient.Outposts.OutpostsInstancesList(outposts.NewOutpostsInstancesListParams(), auth)
 	if err != nil {
-		log.WithError(err).Panic("Failed to fetch configuration")
+		log.WithError(err).Error("Failed to fetch configuration")
 		os.Exit(1)
 	}
 	outpost := outposts.Payload.Results[0]
 	doGlobalSetup(outpost.Config.(map[string]interface{}))
@ -69,18 +70,12 @@ func NewAPIController(pbURL url.URL, token string) *APIController {
 		logger: log,
 		reloadOffset: time.Duration(rand.Intn(10)) * time.Second,
 		lastBundleHash: "",
 	}
 	ac.logger.Debugf("HA Reload offset: %s", ac.reloadOffset)
-	ac.initWS(pbURL, outpost.Pk)
+	ac.initWS(akURL, outpost.Pk)
 	return ac
 }
 func (a *APIController) GetLastBundleHash() string {
 	return a.lastBundleHash
 }
 // Start Starts all handlers, non-blocking
 func (a *APIController) Start() error {
 	err := a.Server.Refresh()
@ -96,7 +91,10 @@ func (a *APIController) Start() error {
 		a.startWSHealth()
 	}()
 	go func() {
-		a.Server.Start()
+		err := a.Server.Start()
 		if err != nil {
 			panic(err)
 		}
 	}()
 	return nil
 }
--- a/outpost/pkg/ak/api_update.go
+++ b/outpost/pkg/ak/api_update.go
@ -1,10 +1,6 @@
 package ak
 import (
 	"crypto/sha512"
 	"encoding/hex"
 	"encoding/json"
 	"goauthentik.io/outpost/pkg/client/outposts"
 	"goauthentik.io/outpost/pkg/models"
 )
@ -15,16 +11,5 @@ func (a *APIController) Update() ([]*models.ProxyOutpostConfig, error) {
 		a.logger.WithError(err).Error("Failed to fetch providers")
 		return nil, err
 	}
 	// Check provider hash to see if anything is changed
 	hasher := sha512.New()
 	out, err := json.Marshal(providers.Payload.Results)
 	if err != nil {
 		return nil, nil
 	}
 	hash := hex.EncodeToString(hasher.Sum(out))
 	if hash == a.lastBundleHash {
 		return nil, nil
 	}
 	a.lastBundleHash = hash
 	return providers.Payload.Results, nil
 }
--- a/outpost/pkg/ak/api_ws.go
+++ b/outpost/pkg/ak/api_ws.go
@ -15,9 +15,9 @@ import (
 	"goauthentik.io/outpost/pkg"
 )
-func (ac *APIController) initWS(pbURL url.URL, outpostUUID strfmt.UUID) {
+func (ac *APIController) initWS(akURL url.URL, outpostUUID strfmt.UUID) {
 	pathTemplate := "%s://%s/ws/outpost/%s/"
-	scheme := strings.ReplaceAll(pbURL.Scheme, "http", "ws")
+	scheme := strings.ReplaceAll(akURL.Scheme, "http", "ws")
 	authHeader := fmt.Sprintf("Bearer %s", ac.token)
@ -37,7 +37,7 @@ func (ac *APIController) initWS(pbURL url.URL, outpostUUID strfmt.UUID) {
 			InsecureSkipVerify: strings.ToLower(value) == "true",
 		},
 	}
-	ws.Dial(fmt.Sprintf(pathTemplate, scheme, pbURL.Host, outpostUUID.String()), header)
+	ws.Dial(fmt.Sprintf(pathTemplate, scheme, akURL.Host, outpostUUID.String()), header)
 	ac.logger.WithField("logger", "authentik.outpost.ak-ws").WithField("outpost", outpostUUID.String()).Debug("connecting to authentik")
@ -64,7 +64,6 @@ func (ac *APIController) Shutdown() {
 		ac.logger.Println("write close:", err)
 		return
 	}
 	return
 }
 func (ac *APIController) startWSHandler() {
@ -92,7 +91,8 @@ func (ac *APIController) startWSHandler() {
 }
 func (ac *APIController) startWSHealth() {
-	for ; true; <-time.Tick(time.Second * 10) {
+	ticker := time.NewTicker(time.Second * 10)
 	for ; true; <-ticker.C {
 		if !ac.wsConn.IsConnected() {
 			continue
 		}
--- a/outpost/pkg/proxy/api_bundle.go
+++ b/outpost/pkg/proxy/api_bundle.go
@ -38,7 +38,11 @@ func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *opti
 		return nil
 	}
 	providerOpts := &options.Options{}
-	copier.Copy(&providerOpts, getCommonOptions())
+	err = copier.Copy(&providerOpts, getCommonOptions())
 	if err != nil {
 		log.WithError(err).Warning("Failed to copy options, skipping provider")
 		return nil
 	}
 	providerOpts.ClientID = provider.ClientID
 	providerOpts.ClientSecret = provider.ClientSecret
@ -62,7 +66,7 @@ func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *opti
 			ID:                    "default",
 			URI:                   *provider.InternalHost,
 			Path:                  "/",
-			InsecureSkipTLSVerify: *&provider.InternalHostSslValidation,
+			InsecureSkipTLSVerify: provider.InternalHostSslValidation,
 		},
 	}
@ -85,7 +89,7 @@ func (pb *providerBundle) prepareOpts(provider *models.ProxyOutpostConfig) *opti
 			return providerOpts
 		}
-		x509cert, err := tls.X509KeyPair([]byte(*&cert.Payload.Data), []byte(key.Payload.Data))
+		x509cert, err := tls.X509KeyPair([]byte(cert.Payload.Data), []byte(key.Payload.Data))
 		if err != nil {
 			pb.log.WithField("provider", provider.ClientID).WithError(err).Warning("Failed to parse certificate")
 			return providerOpts
@ -135,7 +139,7 @@ func (pb *providerBundle) Build(provider *models.ProxyOutpostConfig) {
 		os.Exit(1)
 	}
-	if *&provider.BasicAuthEnabled {
+	if provider.BasicAuthEnabled {
 		oauthproxy.SetBasicAuth = true
 		oauthproxy.BasicAuthUserAttribute = provider.BasicAuthUserAttribute
 		oauthproxy.BasicAuthPasswordAttribute = provider.BasicAuthPasswordAttribute
--- a/outpost/pkg/proxy/middleware.go
+++ b/outpost/pkg/proxy/middleware.go
@ -107,7 +107,7 @@ func (h loggingHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	duration := float64(time.Since(t)) / float64(time.Millisecond)
 	h.logger.WithFields(log.Fields{
 		"host":              req.RemoteAddr,
-		"vhost":             req.Host,
+		"vhost":             getHost(req),
 		"request_protocol":  req.Proto,
 		"runtime":           fmt.Sprintf("%0.3f", duration),
 		"method":            req.Method,
--- a/outpost/pkg/proxy/oauth.go
+++ b/outpost/pkg/proxy/oauth.go
@ -161,7 +161,7 @@ func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request) {
 		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
 		return
 	}
-	redirectURI := p.GetRedirectURI(req.Host)
+	redirectURI := p.GetRedirectURI(getHost(req))
 	http.Redirect(rw, req, p.provider.GetLoginURL(redirectURI, fmt.Sprintf("%v:%v", nonce, redirect)), http.StatusFound)
 }
@ -184,7 +184,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
-	session, err := p.redeemCode(req.Context(), req.Host, req.Form.Get("code"))
+	session, err := p.redeemCode(req.Context(), getHost(req), req.Form.Get("code"))
 	if err != nil {
 		p.logger.Errorf("Error redeeming code during OAuth2 callback: %v", err)
 		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", "Internal Error")
--- a/outpost/pkg/proxy/server.go
+++ b/outpost/pkg/proxy/server.go
@ -42,7 +42,8 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(204)
 		return
 	}
-	handler, ok := s.Handlers[r.Host]
+	host := getHost(r)
 	handler, ok := s.Handlers[host]
 	if !ok {
 		// If we only have one handler, host name switching doesn't matter
 		if len(s.Handlers) == 1 {
@ -56,7 +57,7 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
 		for k := range s.Handlers {
 			hostKeys = append(hostKeys, k)
 		}
-		s.logger.WithField("host", r.Host).WithField("known-hosts", strings.Join(hostKeys, ", ")).Debug("Host header does not match any we know of")
+		s.logger.WithField("host", host).WithField("known-hosts", strings.Join(hostKeys, ", ")).Debug("Host header does not match any we know of")
 		w.WriteHeader(404)
 		return
 	}
--- a/outpost/pkg/proxy/utils.go
+++ b/outpost/pkg/proxy/utils.go
@ -0,0 +1,12 @@
 package proxy
 import "net/http"
 var xForwardedHost = http.CanonicalHeaderKey("X-Forwarded-Host")
 func getHost(req *http.Request) string {
 	if req.Header.Get(xForwardedHost) != "" {
 		return req.Header.Get(xForwardedHost)
 	}
 	return req.Host
 }
--- a/outpost/pkg/version.go
+++ b/outpost/pkg/version.go
@ -1,3 +1,3 @@
 package pkg
-const VERSION = "2021.4.2"
+const VERSION = "2021.4.4"
--- a/swagger.yaml
+++ b/swagger.yaml
@ -5,7 +5,7 @@ info:
    email: hello@beryju.org
  license:
    name: GNU GPLv3
-    url: https://github.com/BeryJu/authentik/blob/master/LICENSE
+    url: https://github.com/goauthentik/authentik/blob/master/LICENSE
  version: v2beta
 basePath: /api/v2beta
 consumes:
@ -1152,6 +1152,9 @@ paths:
          description: Page Size
          required: false
          type: integer
        - name: superuser_full_list
          in: query
          type: boolean
      responses:
        '200':
          description: ''
@ -4366,6 +4369,281 @@ paths:
        description: A unique integer value identifying this OAuth2 Token.
        required: true
        type: integer
  /outposts/instances/:
    get:
      operationId: outposts_instances_list
      description: Outpost Viewset
      parameters:
        - name: providers__isnull
          in: query
          description: ''
          required: false
          type: string
        - name: ordering
          in: query
          description: Which field to use when ordering the results.
          required: false
          type: string
        - name: search
          in: query
          description: A search term.
          required: false
          type: string
        - name: page
          in: query
          description: Page Index
          required: false
          type: integer
        - name: page_size
          in: query
          description: Page Size
          required: false
          type: integer
      responses:
        '200':
          description: ''
          schema:
            required:
              - results
              - pagination
            type: object
            properties:
              pagination:
                required:
                  - next
                  - previous
                  - count
                  - current
                  - total_pages
                  - start_index
                  - end_index
                type: object
                properties:
                  next:
                    type: number
                  previous:
                    type: number
                  count:
                    type: number
                  current:
                    type: number
                  total_pages:
                    type: number
                  start_index:
                    type: number
                  end_index:
                    type: number
              results:
                type: array
                items:
                  $ref: '#/definitions/Outpost'
        '403':
          description: Authentication credentials were invalid, absent or insufficient.
          schema:
            $ref: '#/definitions/GenericError'
      tags:
        - outposts
    post:
      operationId: outposts_instances_create
      description: Outpost Viewset
      parameters:
        - name: data
          in: body
          required: true
          schema:
            $ref: '#/definitions/Outpost'
      responses:
        '201':
          description: ''
          schema:
            $ref: '#/definitions/Outpost'
        '400':
          description: Invalid input.
          schema:
            $ref: '#/definitions/ValidationError'
        '403':
          description: Authentication credentials were invalid, absent or insufficient.
          schema:
            $ref: '#/definitions/GenericError'
      tags:
        - outposts
    parameters: []
  /outposts/instances/default_settings/:
    get:
      operationId: outposts_instances_default_settings
      description: Global default outpost config
      parameters:
        - name: providers__isnull
          in: query
          description: ''
          required: false
          type: string
        - name: ordering
          in: query
          description: Which field to use when ordering the results.
          required: false
          type: string
        - name: search
          in: query
          description: A search term.
          required: false
          type: string
        - name: page
          in: query
          description: Page Index
          required: false
          type: integer
        - name: page_size
          in: query
          description: Page Size
          required: false
          type: integer
      responses:
        '200':
          description: ''
          schema:
            $ref: '#/definitions/OutpostDefaultConfig'
        '403':
          description: Authentication credentials were invalid, absent or insufficient.
          schema:
            $ref: '#/definitions/GenericError'
      tags:
        - outposts
    parameters: []
  /outposts/instances/{uuid}/:
    get:
      operationId: outposts_instances_read
      description: Outpost Viewset
      parameters: []
      responses:
        '200':
          description: ''
          schema:
            $ref: '#/definitions/Outpost'
        '403':
          description: Authentication credentials were invalid, absent or insufficient.
          schema:
            $ref: '#/definitions/GenericError'
        '404':
          description: Object does not exist or caller has insufficient permissions
            to access it.
          schema:
            $ref: '#/definitions/APIException'
      tags:
        - outposts
    put:
      operationId: outposts_instances_update
      description: Outpost Viewset
      parameters:
        - name: data
          in: body
          required: true
          schema:
            $ref: '#/definitions/Outpost'
      responses:
        '200':
          description: ''
          schema:
            $ref: '#/definitions/Outpost'
        '400':
          description: Invalid input.
          schema:
            $ref: '#/definitions/ValidationError'
        '403':
          description: Authentication credentials were invalid, absent or insufficient.
          schema:
            $ref: '#/definitions/GenericError'
        '404':
          description: Object does not exist or caller has insufficient permissions
            to access it.
          schema:
            $ref: '#/definitions/APIException'
      tags:
        - outposts
    patch:
      operationId: outposts_instances_partial_update
      description: Outpost Viewset
      parameters:
        - name: data
          in: body
          required: true
          schema:
            $ref: '#/definitions/Outpost'
      responses:
        '200':
          description: ''
          schema:
            $ref: '#/definitions/Outpost'
        '400':
          description: Invalid input.
          schema:
            $ref: '#/definitions/ValidationError'
        '403':
          description: Authentication credentials were invalid, absent or insufficient.
          schema:
            $ref: '#/definitions/GenericError'
        '404':
          description: Object does not exist or caller has insufficient permissions
            to access it.
          schema:
            $ref: '#/definitions/APIException'
      tags:
        - outposts
    delete:
      operationId: outposts_instances_delete
      description: Outpost Viewset
      parameters: []
      responses:
        '204':
          description: ''
        '403':
          description: Authentication credentials were invalid, absent or insufficient.
          schema:
            $ref: '#/definitions/GenericError'
        '404':
          description: Object does not exist or caller has insufficient permissions
            to access it.
          schema:
            $ref: '#/definitions/APIException'
      tags:
        - outposts
    parameters:
      - name: uuid
        in: path
        description: A UUID string identifying this outpost.
        required: true
        type: string
        format: uuid
  /outposts/instances/{uuid}/health/:
    get:
      operationId: outposts_instances_health
      description: Get outposts current health
      parameters: []
      responses:
        '200':
          description: ''
          schema:
            type: array
            items:
              $ref: '#/definitions/OutpostHealth'
        '403':
          description: Authentication credentials were invalid, absent or insufficient.
          schema:
            $ref: '#/definitions/GenericError'
        '404':
          description: Object does not exist or caller has insufficient permissions
            to access it.
          schema:
            $ref: '#/definitions/APIException'
      tags:
        - outposts
    parameters:
      - name: uuid
        in: path
        description: A UUID string identifying this outpost.
        required: true
        type: string
        format: uuid
  /outposts/outposts/:
    get:
      operationId: outposts_outposts_list
@ -7671,6 +7949,9 @@ paths:
          required: true
          schema:
            $ref: '#/definitions/PolicyTest'
        - name: format_result
          in: query
          type: boolean
      responses:
        '200':
          description: ''
@ -14771,6 +15052,7 @@ definitions:
      - name
      - description
      - component
      - model_name
    type: object
    properties:
      name:
@ -14785,6 +15067,10 @@ definitions:
        title: Component
        type: string
        minLength: 1
      model_name:
        title: Model name
        type: string
        minLength: 1
  EventTopPerUser:
    required:
      - application
@ -17029,21 +17315,29 @@ definitions:
          for OAuth 1.
        type: string
        maxLength: 255
        minLength: 1
        x-nullable: true
      authorization_url:
        title: Authorization URL
        description: URL the user is redirect to to conest the flow.
        type: string
        maxLength: 255
        minLength: 1
        x-nullable: true
      access_token_url:
        title: Access Token URL
        description: URL used by authentik to retrive tokens.
        type: string
        maxLength: 255
        minLength: 1
        x-nullable: true
      profile_url:
        title: Profile URL
        description: URL used by authentik to get user information.
        type: string
        maxLength: 255
        minLength: 1
        x-nullable: true
      consumer_key:
        title: Consumer key
        type: string
--- a/tests/e2e/test_provider_proxy.py
+++ b/tests/e2e/test_provider_proxy.py
@ -13,13 +13,13 @@ from selenium.webdriver.common.by import By
 from authentik import __version__
 from authentik.core.models import Application
 from authentik.flows.models import Flow
 from authentik.outposts.apps import AuthentikOutpostConfig
 from authentik.outposts.models import (
    DockerServiceConnection,
    Outpost,
    OutpostConfig,
    OutpostType,
 )
 from authentik.outposts.tasks import outpost_local_connection
 from authentik.providers.proxy.models import ProxyProvider
 from tests.e2e.utils import SeleniumTestCase, apply_migration, object_manager, retry
@ -117,7 +117,7 @@ class TestProviderProxyConnect(ChannelsLiveServerTestCase):
    @object_manager
    def test_proxy_connectivity(self):
        """Test proxy connectivity over websocket"""
-        AuthentikOutpostConfig.init_local_connection()
+        outpost_local_connection()
        proxy: ProxyProvider = ProxyProvider.objects.create(
            name="proxy_provider",
            authorization_flow=Flow.objects.get(
--- a/tests/e2e/test_source_oauth.py
+++ b/tests/e2e/test_source_oauth.py
@ -4,6 +4,7 @@ from sys import platform
 from time import sleep
 from typing import Any, Optional
 from unittest.case import skipUnless
 from unittest.mock import Mock, patch
 from django.test import override_settings
 from docker.models.containers import Container
@ -22,12 +23,31 @@ from authentik.providers.oauth2.generators import (
    generate_client_secret,
 )
 from authentik.sources.oauth.models import OAuthSource
 from authentik.sources.oauth.types.manager import SourceType
 from authentik.sources.oauth.types.twitter import TwitterOAuthCallback
 from tests.e2e.utils import SeleniumTestCase, apply_migration, object_manager, retry
 CONFIG_PATH = "/tmp/dex.yml"  # nosec
 LOGGER = get_logger()
 class OAUth1Type(SourceType):
    """Twitter Type definition"""
    callback_view = TwitterOAuthCallback
    name = "Twitter"
    slug = "twitter"
    request_token_url = "http://localhost:5000/oauth/request_token"  # nosec
    access_token_url = "http://localhost:5000/oauth/access_token"  # nosec
    authorization_url = "http://localhost:5000/oauth/authorize"
    profile_url = "http://localhost:5000/api/me"
    urls_customizable = False
 SOURCE_TYPE_MOCK = Mock(return_value=OAUth1Type())
@skipUnless(platform.startswith("linux"), "requires local docker")
 class TestSourceOAuth2(SeleniumTestCase):
    """test OAuth Source flow"""
@ -291,10 +311,6 @@ class TestSourceOAuth1(SeleniumTestCase):
            authentication_flow=authentication_flow,
            enrollment_flow=enrollment_flow,
            provider_type="twitter",
            request_token_url="http://localhost:5000/oauth/request_token",
            access_token_url="http://localhost:5000/oauth/access_token",
            authorization_url="http://localhost:5000/oauth/authorize",
            profile_url="http://localhost:5000/api/me",
            consumer_key=self.client_id,
            consumer_secret=self.client_secret,
        )
@ -304,6 +320,10 @@ class TestSourceOAuth1(SeleniumTestCase):
    @apply_migration("authentik_flows", "0008_default_flows")
    @apply_migration("authentik_flows", "0009_source_flows")
    @apply_migration("authentik_crypto", "0002_create_self_signed_kp")
    @patch(
        "authentik.sources.oauth.types.manager.SourceTypeManager.find_type",
        SOURCE_TYPE_MOCK,
    )
    @object_manager
    def test_oauth_enroll(self):
        """test OAuth Source With With OIDC"""
--- a/tests/integration/test_outpost_docker.py
+++ b/tests/integration/test_outpost_docker.py
@ -12,9 +12,9 @@ from docker.types.healthcheck import Healthcheck
 from authentik import __version__
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
 from authentik.outposts.apps import AuthentikOutpostConfig
 from authentik.outposts.controllers.docker import DockerController
 from authentik.outposts.models import DockerServiceConnection, Outpost, OutpostType
 from authentik.outposts.tasks import outpost_local_connection
 from authentik.providers.proxy.models import ProxyProvider
@ -53,7 +53,7 @@ class OutpostDockerTests(TestCase):
        self.ssl_folder = mkdtemp()
        self.container = self._start_container(self.ssl_folder)
        # Ensure that local connection have been created
-        AuthentikOutpostConfig.init_local_connection()
+        outpost_local_connection()
        self.provider: ProxyProvider = ProxyProvider.objects.create(
            name="test",
            internal_host="http://localhost",
--- a/tests/integration/test_outpost_kubernetes.py
+++ b/tests/integration/test_outpost_kubernetes.py
@ -3,11 +3,11 @@ from django.test import TestCase
 from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.outposts.apps import AuthentikOutpostConfig
 from authentik.outposts.controllers.k8s.base import NeedsUpdate
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.kubernetes import KubernetesController
 from authentik.outposts.models import KubernetesServiceConnection, Outpost, OutpostType
 from authentik.outposts.tasks import outpost_local_connection
 from authentik.providers.proxy.models import ProxyProvider
@ -17,7 +17,7 @@ class OutpostKubernetesTests(TestCase):
    def setUp(self):
        super().setUp()
        # Ensure that local connection have been created
-        AuthentikOutpostConfig.init_local_connection()
+        outpost_local_connection()
        self.provider: ProxyProvider = ProxyProvider.objects.create(
            name="test",
            internal_host="http://localhost",
--- a/tests/integration/test_proxy_docker.py
+++ b/tests/integration/test_proxy_docker.py
@ -12,8 +12,8 @@ from docker.types.healthcheck import Healthcheck
 from authentik import __version__
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
 from authentik.outposts.apps import AuthentikOutpostConfig
 from authentik.outposts.models import DockerServiceConnection, Outpost, OutpostType
 from authentik.outposts.tasks import outpost_local_connection
 from authentik.providers.proxy.controllers.docker import DockerController
 from authentik.providers.proxy.models import ProxyProvider
@ -53,7 +53,7 @@ class TestProxyDocker(TestCase):
        self.ssl_folder = mkdtemp()
        self.container = self._start_container(self.ssl_folder)
        # Ensure that local connection have been created
-        AuthentikOutpostConfig.init_local_connection()
+        outpost_local_connection()
        self.provider: ProxyProvider = ProxyProvider.objects.create(
            name="test",
            internal_host="http://localhost",
--- a/tests/integration/test_proxy_kubernetes.py
+++ b/tests/integration/test_proxy_kubernetes.py
@ -3,8 +3,8 @@ import yaml
 from django.test import TestCase
 from authentik.flows.models import Flow
 from authentik.outposts.apps import AuthentikOutpostConfig
 from authentik.outposts.models import KubernetesServiceConnection, Outpost, OutpostType
 from authentik.outposts.tasks import outpost_local_connection
 from authentik.providers.proxy.controllers.kubernetes import ProxyKubernetesController
 from authentik.providers.proxy.models import ProxyProvider
@ -14,7 +14,7 @@ class TestProxyKubernetes(TestCase):
    def setUp(self):
        # Ensure that local connection have been created
-        AuthentikOutpostConfig.init_local_connection()
+        outpost_local_connection()
    def test_kubernetes_controller_static(self):
        """Test Kubernetes Controller"""
--- a/web/authentik/sources/plex.svg
+++ b/web/authentik/sources/plex.svg
@ -0,0 +1 @@
 <?xml version="1.0" ?><svg role="img" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title/><path d="M11.643 0H4.68l7.679 12L4.68 24h6.963l7.677-12-7.677-12"/></svg>
--- a/web/nginx.conf
+++ b/web/nginx.conf
@ -81,7 +81,7 @@ http {
        location /static/ {
            expires 31d;
            add_header Cache-Control "public, no-transform";
-            add_header X-authentik-version "2021.4.2";
+            add_header X-authentik-version "2021.4.4";
            add_header Vary X-authentik-version;
        }
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -26,19 +26,19 @@
            "integrity": "sha512-3eJJ841uKxeV8dcN/2yGEUy+RfgQspPEgQat85umsE1rotuquQ2AbIub4S6j7c50a2d+4myc+zSlnXeIHrOnhQ=="
        },
        "@babel/core": {
-            "version": "7.13.15",
+            "version": "7.13.16",
-            "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.13.15.tgz",
+            "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.13.16.tgz",
-            "integrity": "sha512-6GXmNYeNjS2Uz+uls5jalOemgIhnTMeaXo+yBUA72kC2uX/8VW6XyhVIo2L8/q0goKQA3EVKx0KOQpVKSeWadQ==",
+            "integrity": "sha512-sXHpixBiWWFti0AV2Zq7avpTasr6sIAu7Y396c608541qAU2ui4a193m0KSQmfPSKFZLnQ3cvlKDOm3XkuXm3Q==",
            "requires": {
                "@babel/code-frame": "^7.12.13",
-                "@babel/generator": "^7.13.9",
+                "@babel/generator": "^7.13.16",
-                "@babel/helper-compilation-targets": "^7.13.13",
+                "@babel/helper-compilation-targets": "^7.13.16",
                "@babel/helper-module-transforms": "^7.13.14",
-                "@babel/helpers": "^7.13.10",
+                "@babel/helpers": "^7.13.16",
-                "@babel/parser": "^7.13.15",
+                "@babel/parser": "^7.13.16",
                "@babel/template": "^7.12.13",
                "@babel/traverse": "^7.13.15",
-                "@babel/types": "^7.13.14",
+                "@babel/types": "^7.13.16",
                "convert-source-map": "^1.7.0",
                "debug": "^4.1.0",
                "gensync": "^1.0.0-beta.2",
@ -55,6 +55,32 @@
                        "@babel/highlight": "^7.12.13"
                    }
                },
                "@babel/compat-data": {
                    "version": "7.13.15",
                    "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-7.13.15.tgz",
                    "integrity": "sha512-ltnibHKR1VnrU4ymHyQ/CXtNXI6yZC0oJThyW78Hft8XndANwi+9H+UIklBDraIjFEJzw8wmcM427oDd9KS5wA=="
                },
                "@babel/generator": {
                    "version": "7.13.16",
                    "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.13.16.tgz",
                    "integrity": "sha512-grBBR75UnKOcUWMp8WoDxNsWCFl//XCK6HWTrBQKTr5SV9f5g0pNOjdyzi/DTBv12S9GnYPInIXQBTky7OXEMg==",
                    "requires": {
                        "@babel/types": "^7.13.16",
                        "jsesc": "^2.5.1",
                        "source-map": "^0.5.0"
                    }
                },
                "@babel/helper-compilation-targets": {
                    "version": "7.13.16",
                    "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-7.13.16.tgz",
                    "integrity": "sha512-3gmkYIrpqsLlieFwjkGgLaSHmhnvlAYzZLlYVjlW+QwI+1zE17kGxuJGmIqDQdYp56XdmGeD+Bswx0UTyG18xA==",
                    "requires": {
                        "@babel/compat-data": "^7.13.15",
                        "@babel/helper-validator-option": "^7.12.17",
                        "browserslist": "^4.14.5",
                        "semver": "^6.3.0"
                    }
                },
                "@babel/helper-validator-identifier": {
                    "version": "7.12.11",
                    "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.12.11.tgz",
@ -71,25 +97,34 @@
                    }
                },
                "@babel/parser": {
-                    "version": "7.13.15",
+                    "version": "7.13.16",
-                    "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.13.15.tgz",
+                    "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.13.16.tgz",
-                    "integrity": "sha512-b9COtcAlVEQljy/9fbcMHpG+UIW9ReF+gpaxDHTlZd0c6/UU9ng8zdySAW9sRTzpvcdCHn6bUcbuYUgGzLAWVQ=="
+                    "integrity": "sha512-6bAg36mCwuqLO0hbR+z7PHuqWiCeP7Dzg73OpQwsAB1Eb8HnGEz5xYBzCfbu+YjoaJsJs+qheDxVAuqbt3ILEw=="
                },
                "@babel/traverse": {
-                    "version": "7.13.15",
+                    "version": "7.13.17",
-                    "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.13.15.tgz",
+                    "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.13.17.tgz",
-                    "integrity": "sha512-/mpZMNvj6bce59Qzl09fHEs8Bt8NnpEDQYleHUPZQ3wXUMvXi+HJPLars68oAbmp839fGoOkv2pSL2z9ajCIaQ==",
+                    "integrity": "sha512-BMnZn0R+X6ayqm3C3To7o1j7Q020gWdqdyP50KEoVqaCO2c/Im7sYZSmVgvefp8TTMQ+9CtwuBp0Z1CZ8V3Pvg==",
                    "requires": {
                        "@babel/code-frame": "^7.12.13",
-                        "@babel/generator": "^7.13.9",
+                        "@babel/generator": "^7.13.16",
                        "@babel/helper-function-name": "^7.12.13",
                        "@babel/helper-split-export-declaration": "^7.12.13",
-                        "@babel/parser": "^7.13.15",
+                        "@babel/parser": "^7.13.16",
-                        "@babel/types": "^7.13.14",
+                        "@babel/types": "^7.13.17",
                        "debug": "^4.1.0",
                        "globals": "^11.1.0"
                    }
                },
                "@babel/types": {
                    "version": "7.13.17",
                    "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.13.17.tgz",
                    "integrity": "sha512-RawydLgxbOPDlTLJNtoIypwdmAy//uQIzlKt2+iBiJaRlVuI6QLUxVAyWGNfOzp8Yu4L4lLIacoCyTNtpb4wiA==",
                    "requires": {
                        "@babel/helper-validator-identifier": "^7.12.11",
                        "to-fast-properties": "^2.0.0"
                    }
                },
                "globals": {
                    "version": "11.12.0",
                    "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz",
@ -355,13 +390,87 @@
            }
        },
        "@babel/helpers": {
-            "version": "7.13.10",
+            "version": "7.13.17",
-            "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.13.10.tgz",
+            "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.13.17.tgz",
-            "integrity": "sha512-4VO883+MWPDUVRF3PhiLBUFHoX/bsLTGFpFK/HqvvfBZz2D57u9XzPVNFVBTc0PW/CWR9BXTOKt8NF4DInUHcQ==",
+            "integrity": "sha512-Eal4Gce4kGijo1/TGJdqp3WuhllaMLSrW6XcL0ulyUAQOuxHcCafZE8KHg9857gcTehsm/v7RcOx2+jp0Ryjsg==",
            "requires": {
                "@babel/template": "^7.12.13",
-                "@babel/traverse": "^7.13.0",
+                "@babel/traverse": "^7.13.17",
-                "@babel/types": "^7.13.0"
+                "@babel/types": "^7.13.17"
            },
            "dependencies": {
                "@babel/code-frame": {
                    "version": "7.12.13",
                    "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.12.13.tgz",
                    "integrity": "sha512-HV1Cm0Q3ZrpCR93tkWOYiuYIgLxZXZFVG2VgK+MBWjUqZTundupbfx2aXarXuw5Ko5aMcjtJgbSs4vUGBS5v6g==",
                    "requires": {
                        "@babel/highlight": "^7.12.13"
                    }
                },
                "@babel/generator": {
                    "version": "7.13.16",
                    "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.13.16.tgz",
                    "integrity": "sha512-grBBR75UnKOcUWMp8WoDxNsWCFl//XCK6HWTrBQKTr5SV9f5g0pNOjdyzi/DTBv12S9GnYPInIXQBTky7OXEMg==",
                    "requires": {
                        "@babel/types": "^7.13.16",
                        "jsesc": "^2.5.1",
                        "source-map": "^0.5.0"
                    }
                },
                "@babel/helper-validator-identifier": {
                    "version": "7.12.11",
                    "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.12.11.tgz",
                    "integrity": "sha512-np/lG3uARFybkoHokJUmf1QfEvRVCPbmQeUQpKow5cQ3xWrV9i3rUHodKDJPQfTVX61qKi+UdYk8kik84n7XOw=="
                },
                "@babel/highlight": {
                    "version": "7.13.10",
                    "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.13.10.tgz",
                    "integrity": "sha512-5aPpe5XQPzflQrFwL1/QoeHkP2MsA4JCntcXHRhEsdsfPVkvPi2w7Qix4iV7t5S/oC9OodGrggd8aco1g3SZFg==",
                    "requires": {
                        "@babel/helper-validator-identifier": "^7.12.11",
                        "chalk": "^2.0.0",
                        "js-tokens": "^4.0.0"
                    }
                },
                "@babel/parser": {
                    "version": "7.13.16",
                    "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.13.16.tgz",
                    "integrity": "sha512-6bAg36mCwuqLO0hbR+z7PHuqWiCeP7Dzg73OpQwsAB1Eb8HnGEz5xYBzCfbu+YjoaJsJs+qheDxVAuqbt3ILEw=="
                },
                "@babel/traverse": {
                    "version": "7.13.17",
                    "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.13.17.tgz",
                    "integrity": "sha512-BMnZn0R+X6ayqm3C3To7o1j7Q020gWdqdyP50KEoVqaCO2c/Im7sYZSmVgvefp8TTMQ+9CtwuBp0Z1CZ8V3Pvg==",
                    "requires": {
                        "@babel/code-frame": "^7.12.13",
                        "@babel/generator": "^7.13.16",
                        "@babel/helper-function-name": "^7.12.13",
                        "@babel/helper-split-export-declaration": "^7.12.13",
                        "@babel/parser": "^7.13.16",
                        "@babel/types": "^7.13.17",
                        "debug": "^4.1.0",
                        "globals": "^11.1.0"
                    }
                },
                "@babel/types": {
                    "version": "7.13.17",
                    "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.13.17.tgz",
                    "integrity": "sha512-RawydLgxbOPDlTLJNtoIypwdmAy//uQIzlKt2+iBiJaRlVuI6QLUxVAyWGNfOzp8Yu4L4lLIacoCyTNtpb4wiA==",
                    "requires": {
                        "@babel/helper-validator-identifier": "^7.12.11",
                        "to-fast-properties": "^2.0.0"
                    }
                },
                "globals": {
                    "version": "11.12.0",
                    "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz",
                    "integrity": "sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA=="
                },
                "source-map": {
                    "version": "0.5.7",
                    "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
                    "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w="
                }
            }
        },
        "@babel/highlight": {
@ -1336,86 +1445,28 @@
            }
        },
        "@lingui/babel-plugin-extract-messages": {
-            "version": "3.8.9",
+            "version": "3.8.10",
-            "resolved": "https://registry.npmjs.org/@lingui/babel-plugin-extract-messages/-/babel-plugin-extract-messages-3.8.9.tgz",
+            "resolved": "https://registry.npmjs.org/@lingui/babel-plugin-extract-messages/-/babel-plugin-extract-messages-3.8.10.tgz",
-            "integrity": "sha512-zPpSl89nvUrLyGHfVosZHCP9fylfCfkEMc29wGdjE6f0U+frJ59NRLilWMy7xaE8uz97cD5vkhYaaF1wnavhxA==",
+            "integrity": "sha512-16EnNRb1HXNjdDLMY3xS7jh0wKA00x21LC1CIKRAki80u92jvkSMOJYk+lD6yhdrcl0dH5OMAbdluAm1+rpEPw==",
            "requires": {
                "@babel/generator": "^7.11.6",
                "@babel/runtime": "^7.11.2",
-                "@lingui/conf": "^3.8.9",
+                "@lingui/conf": "^3.8.10",
                "mkdirp": "^1.0.4"
            },
            "dependencies": {
                "@lingui/conf": {
                    "version": "3.8.9",
                    "resolved": "https://registry.npmjs.org/@lingui/conf/-/conf-3.8.9.tgz",
                    "integrity": "sha512-r0RGchwiALjCE6CSOtOKbOqVrNg1EQ78AXjyvbrtJoPWVlChDasWCckXEF0BSnsoZaRP6nQCAI+dsQiGW1deWg==",
                    "requires": {
                        "@babel/runtime": "^7.11.2",
                        "@endemolshinegroup/cosmiconfig-typescript-loader": "^3.0.2",
                        "chalk": "^4.1.0",
                        "cosmiconfig": "^7.0.0",
                        "jest-validate": "^26.5.2",
                        "lodash.get": "^4.4.2"
                    }
                },
                "ansi-styles": {
                    "version": "4.3.0",
                    "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
                    "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
                    "requires": {
                        "color-convert": "^2.0.1"
                    }
                },
                "chalk": {
                    "version": "4.1.0",
                    "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.0.tgz",
                    "integrity": "sha512-qwx12AxXe2Q5xQ43Ac//I6v5aXTipYrSESdOgzrN+9XjgEpyjpKuvSGaN4qE93f7TQTlerQQ8S+EQ0EyDoVL1A==",
                    "requires": {
                        "ansi-styles": "^4.1.0",
                        "supports-color": "^7.1.0"
                    }
                },
                "color-convert": {
                    "version": "2.0.1",
                    "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
                    "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
                    "requires": {
                        "color-name": "~1.1.4"
                    }
                },
                "color-name": {
                    "version": "1.1.4",
                    "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
                    "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA=="
                },
                "has-flag": {
                    "version": "4.0.0",
                    "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
                    "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ=="
                },
                "supports-color": {
                    "version": "7.2.0",
                    "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
                    "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
                    "requires": {
                        "has-flag": "^4.0.0"
                    }
                }
            }
        },
        "@lingui/cli": {
-            "version": "3.8.9",
+            "version": "3.8.10",
-            "resolved": "https://registry.npmjs.org/@lingui/cli/-/cli-3.8.9.tgz",
+            "resolved": "https://registry.npmjs.org/@lingui/cli/-/cli-3.8.10.tgz",
-            "integrity": "sha512-UccLtfwrTjXrZcTxpqA4ggYhuUMbXZtzbUVks8nDVt3emVqU56C3VMvVD8WKXLL8Qmq9cEDXPwIZy7IKRL4mEQ==",
+            "integrity": "sha512-YLkT5e6JRwVcXEwLD0++/m1p/wvRQbLj/+m8geXfrcFfrsQyT3uhHNZRFK0GdsjyDslSqJYbalYibJUbgC2sOA==",
            "requires": {
                "@babel/generator": "^7.11.6",
                "@babel/parser": "^7.11.5",
                "@babel/plugin-syntax-jsx": "^7.10.4",
                "@babel/runtime": "^7.11.2",
                "@babel/types": "^7.11.5",
-                "@lingui/babel-plugin-extract-messages": "^3.8.9",
+                "@lingui/babel-plugin-extract-messages": "^3.8.10",
-                "@lingui/conf": "^3.8.9",
+                "@lingui/conf": "^3.8.10",
                "babel-plugin-macros": "^3.0.1",
                "bcp-47": "^1.0.7",
                "chalk": "^4.1.0",
@ -1442,19 +1493,6 @@
                "ramda": "^0.27.1"
            },
            "dependencies": {
                "@lingui/conf": {
                    "version": "3.8.9",
                    "resolved": "https://registry.npmjs.org/@lingui/conf/-/conf-3.8.9.tgz",
                    "integrity": "sha512-r0RGchwiALjCE6CSOtOKbOqVrNg1EQ78AXjyvbrtJoPWVlChDasWCckXEF0BSnsoZaRP6nQCAI+dsQiGW1deWg==",
                    "requires": {
                        "@babel/runtime": "^7.11.2",
                        "@endemolshinegroup/cosmiconfig-typescript-loader": "^3.0.2",
                        "chalk": "^4.1.0",
                        "cosmiconfig": "^7.0.0",
                        "jest-validate": "^26.5.2",
                        "lodash.get": "^4.4.2"
                    }
                },
                "ansi-styles": {
                    "version": "4.3.0",
                    "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
@ -1531,9 +1569,9 @@
            }
        },
        "@lingui/conf": {
-            "version": "3.8.9",
+            "version": "3.8.10",
-            "resolved": "https://registry.npmjs.org/@lingui/conf/-/conf-3.8.9.tgz",
+            "resolved": "https://registry.npmjs.org/@lingui/conf/-/conf-3.8.10.tgz",
-            "integrity": "sha512-r0RGchwiALjCE6CSOtOKbOqVrNg1EQ78AXjyvbrtJoPWVlChDasWCckXEF0BSnsoZaRP6nQCAI+dsQiGW1deWg==",
+            "integrity": "sha512-4KdH+23WXZ5g+LRlvvise3z3mdd41zLgqSJ/PUCMGk60RfElvTrTdxpnm2tOF/2hr+OyGCQEy6kLq606y639qw==",
            "requires": {
                "@babel/runtime": "^7.11.2",
                "@endemolshinegroup/cosmiconfig-typescript-loader": "^3.0.2",
@ -1589,9 +1627,9 @@
            }
        },
        "@lingui/core": {
-            "version": "3.8.9",
+            "version": "3.8.10",
-            "resolved": "https://registry.npmjs.org/@lingui/core/-/core-3.8.9.tgz",
+            "resolved": "https://registry.npmjs.org/@lingui/core/-/core-3.8.10.tgz",
-            "integrity": "sha512-QmEfgukR7w/4/4USZT0LGNt7Yq/RgirFl4088wEta0vgroidxaCRgUXr8RXcdFVjTdtG5dc86JTEj4inZECKvg==",
+            "integrity": "sha512-1OzZW8iP5yAXxz49pY/WZ1acLvkekd6HgDh8zH3jMA2Hbig2jk6VGVERMO7lwEwJiyEuxaQpe8fRrhCTB7wA3A==",
            "requires": {
                "@babel/runtime": "^7.11.2",
                "make-plural": "^6.2.2",
@ -1599,12 +1637,12 @@
            }
        },
        "@lingui/macro": {
-            "version": "3.8.9",
+            "version": "3.8.10",
-            "resolved": "https://registry.npmjs.org/@lingui/macro/-/macro-3.8.9.tgz",
+            "resolved": "https://registry.npmjs.org/@lingui/macro/-/macro-3.8.10.tgz",
-            "integrity": "sha512-9LhlbkJ9wOtOLhlaVRLHCRL55S5wOFyyqEhUM+ujUmCskTmMmXzjnRsw5f11nJTK1JJETMT/VlUB5/p7D7Edkw==",
+            "integrity": "sha512-oZZ/F7HsNQkDsnHFroxzGFuEIXM624H72RIj8j2ClpR64nt+xYDxXYC6TYFicQLtBGcKKBTBoM+zbDaoIv74qQ==",
            "requires": {
                "@babel/runtime": "^7.11.2",
-                "@lingui/conf": "^3.8.9",
+                "@lingui/conf": "^3.8.10",
                "ramda": "^0.27.1"
            }
        },
@ -1828,13 +1866,13 @@
            }
        },
        "@sentry/browser": {
-            "version": "6.2.5",
+            "version": "6.3.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-6.2.5.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-6.3.0.tgz",
-            "integrity": "sha512-nlvaE+D7oaj4MxoY9ikw+krQDOjftnDYJQnOwOraXPk7KYM6YwmkakLuE+x/AkaH3FQVTQF330VAa9d6SWETlA==",
+            "integrity": "sha512-Rse9j5XwN9n7GnfW1mNscTS4YQ0oiBNJcaSk3Mw/vQT872Wh60yKyx5wxAw5GujFZI0NgdyPlZwZ/tGQwirRxA==",
            "requires": {
-                "@sentry/core": "6.2.5",
+                "@sentry/core": "6.3.0",
-                "@sentry/types": "6.2.5",
+                "@sentry/types": "6.3.0",
-                "@sentry/utils": "6.2.5",
+                "@sentry/utils": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -1846,14 +1884,14 @@
            }
        },
        "@sentry/core": {
-            "version": "6.2.5",
+            "version": "6.3.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-6.2.5.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-6.3.0.tgz",
-            "integrity": "sha512-I+AkgIFO6sDUoHQticP6I27TT3L+i6TUS03in3IEtpBcSeP2jyhlxI8l/wdA7gsBqUPdQ4GHOOaNgtFIcr8qag==",
+            "integrity": "sha512-voot/lJ9gRXB6bx6tVqbEbD6jOd4Sx6Rfmm6pzfpom9C0q+fjIZTatTLq8GdXj8DzxaH1MBDSwtaq/eC3NqYpA==",
            "requires": {
-                "@sentry/hub": "6.2.5",
+                "@sentry/hub": "6.3.0",
-                "@sentry/minimal": "6.2.5",
+                "@sentry/minimal": "6.3.0",
-                "@sentry/types": "6.2.5",
+                "@sentry/types": "6.3.0",
-                "@sentry/utils": "6.2.5",
+                "@sentry/utils": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -1865,12 +1903,12 @@
            }
        },
        "@sentry/hub": {
-            "version": "6.2.5",
+            "version": "6.3.0",
-            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.2.5.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.3.0.tgz",
-            "integrity": "sha512-YlEFdEhcfqpl2HC+/dWXBsBJEljyMzFS7LRRjCk8QANcOdp9PhwQjwebUB4/ulOBjHPP2WZk7fBBd/IKDasTUg==",
+            "integrity": "sha512-lAnW3Om66t9IR+t1wya1NpOF9lGbvYG6Ca8wxJJGJ1t2PxKwyxpZKzRx0q8M1QFhlZ5cETCzxmM7lBEZ4QVCBg==",
            "requires": {
-                "@sentry/types": "6.2.5",
+                "@sentry/types": "6.3.0",
-                "@sentry/utils": "6.2.5",
+                "@sentry/utils": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -1882,12 +1920,12 @@
            }
        },
        "@sentry/minimal": {
-            "version": "6.2.5",
+            "version": "6.3.0",
-            "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.2.5.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.3.0.tgz",
-            "integrity": "sha512-RKP4Qx3p7Cv0oX1cPKAkNVFYM7p2k1t32cNk1+rrVQS4hwlJ7Eg6m6fsqsO+85jd6Ne/FnyYsfo9cDD3ImTlWQ==",
+            "integrity": "sha512-ZdPUwdPQkaKroy67NkwQRqmnfKyd/C1OyouM9IqYKyBjAInjOijwwc/Rd91PMHalvCOGfp1scNZYbZ+YFs/qQQ==",
            "requires": {
-                "@sentry/hub": "6.2.5",
+                "@sentry/hub": "6.3.0",
-                "@sentry/types": "6.2.5",
+                "@sentry/types": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -1899,17 +1937,51 @@
            }
        },
        "@sentry/tracing": {
-            "version": "6.2.5",
+            "version": "6.3.0",
-            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-6.2.5.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-6.3.0.tgz",
-            "integrity": "sha512-j/hM0BoHxfrNLxPeEJ5Vq4R34hO/TOHMEpLR3FdnunBXbsmjoKMMygIkPxnpML5XWtvukAehbwpDXldwMYz83w==",
+            "integrity": "sha512-3UNGgQOrDKBoDqLc4vt+0n27Zv3lbNEoCbBydq4IvGfuYq7ozWMsaTcelsotMsd4ckDuOEh8V/nJTqrDjvL76g==",
            "requires": {
-                "@sentry/hub": "6.2.5",
+                "@sentry/hub": "6.3.0",
-                "@sentry/minimal": "6.2.5",
+                "@sentry/minimal": "6.3.0",
-                "@sentry/types": "6.2.5",
+                "@sentry/types": "6.3.0",
-                "@sentry/utils": "6.2.5",
+                "@sentry/utils": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
                "@sentry/hub": {
                    "version": "6.3.0",
                    "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.3.0.tgz",
                    "integrity": "sha512-lAnW3Om66t9IR+t1wya1NpOF9lGbvYG6Ca8wxJJGJ1t2PxKwyxpZKzRx0q8M1QFhlZ5cETCzxmM7lBEZ4QVCBg==",
                    "requires": {
                        "@sentry/types": "6.3.0",
                        "@sentry/utils": "6.3.0",
                        "tslib": "^1.9.3"
                    }
                },
                "@sentry/minimal": {
                    "version": "6.3.0",
                    "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.3.0.tgz",
                    "integrity": "sha512-ZdPUwdPQkaKroy67NkwQRqmnfKyd/C1OyouM9IqYKyBjAInjOijwwc/Rd91PMHalvCOGfp1scNZYbZ+YFs/qQQ==",
                    "requires": {
                        "@sentry/hub": "6.3.0",
                        "@sentry/types": "6.3.0",
                        "tslib": "^1.9.3"
                    }
                },
                "@sentry/types": {
                    "version": "6.3.0",
                    "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.3.0.tgz",
                    "integrity": "sha512-xWyCYDmFPjS5ex60kxOOHbHEs4vs00qHbm0iShQfjl4OSg9S2azkcWofDmX8Xbn0FSOUXgdPCjNJW1B0bPVhCA=="
                },
                "@sentry/utils": {
                    "version": "6.3.0",
                    "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.3.0.tgz",
                    "integrity": "sha512-NZzw4oLelgvCsVBG2e+ZtFtaBvgA7rZYtcGFbZTphhAlYoJ6JMCQUzYk0iwJK79yR1quh510x4UE0jynvvToWg==",
                    "requires": {
                        "@sentry/types": "6.3.0",
                        "tslib": "^1.9.3"
                    }
                },
                "tslib": {
                    "version": "1.14.1",
                    "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz",
@ -1918,16 +1990,16 @@
            }
        },
        "@sentry/types": {
-            "version": "6.2.5",
+            "version": "6.3.0",
-            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.2.5.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.3.0.tgz",
-            "integrity": "sha512-1Sux6CLYrV9bETMsGP/HuLFLouwKoX93CWzG8BjMueW+Di0OGxZphYjXrGuDs8xO8bAKEVGCHgVQdcB2jevS0w=="
+            "integrity": "sha512-xWyCYDmFPjS5ex60kxOOHbHEs4vs00qHbm0iShQfjl4OSg9S2azkcWofDmX8Xbn0FSOUXgdPCjNJW1B0bPVhCA=="
        },
        "@sentry/utils": {
-            "version": "6.2.5",
+            "version": "6.3.0",
-            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.2.5.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.3.0.tgz",
-            "integrity": "sha512-fJoLUZHrd5MPylV1dT4qL74yNFDl1Ur/dab+pKNSyvnHPnbZ/LRM7aJ8VaRY/A7ZdpRowU+E14e/Yeem2c6gtQ==",
+            "integrity": "sha512-NZzw4oLelgvCsVBG2e+ZtFtaBvgA7rZYtcGFbZTphhAlYoJ6JMCQUzYk0iwJK79yR1quh510x4UE0jynvvToWg==",
            "requires": {
-                "@sentry/types": "6.2.5",
+                "@sentry/types": "6.3.0",
                "tslib": "^1.9.3"
            },
            "dependencies": {
@ -1956,9 +2028,9 @@
            }
        },
        "@types/codemirror": {
-            "version": "0.0.108",
+            "version": "0.0.109",
-            "resolved": "https://registry.npmjs.org/@types/codemirror/-/codemirror-0.0.108.tgz",
+            "resolved": "https://registry.npmjs.org/@types/codemirror/-/codemirror-0.0.109.tgz",
-            "integrity": "sha512-3FGFcus0P7C2UOGCNUVENqObEb4SFk+S8Dnxq7K6aIsLVs/vDtlangl3PEO0ykaKXyK56swVF6Nho7VsA44uhw==",
+            "integrity": "sha512-cSdiHeeLjvGn649lRTNeYrVCDOgDrtP+bDDSFDd1TF+i0jKGPDRozno2NOJ9lTniso+taiv4kiVS8dgM8Jm5lg==",
            "requires": {
                "@types/tern": "*"
            }
@ -2647,9 +2719,9 @@
            "integrity": "sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA=="
        },
        "chart.js": {
-            "version": "3.1.0",
+            "version": "3.1.1",
-            "resolved": "https://registry.npmjs.org/chart.js/-/chart.js-3.1.0.tgz",
+            "resolved": "https://registry.npmjs.org/chart.js/-/chart.js-3.1.1.tgz",
-            "integrity": "sha512-bKJi2VbC4fqZXlLbK7LKVvmG9crjoG9anfp96utZLyIGPuCx+YN+5/HDXy98QGt3lf74T8gKUPISUZL222tDJQ=="
+            "integrity": "sha512-ghNJersc9VD9MECwa5bL8gqvCkndW6RSCicdEHL9lIriNtXwKawlSmwo+u6KNXLYT2+f24GdFPBoynKW3ke4MQ=="
        },
        "chartjs-adapter-moment": {
            "version": "1.0.0",
@ -2775,9 +2847,9 @@
            "integrity": "sha1-2jCcwmPfFZlMaIypAheco8fNfH4="
        },
        "codemirror": {
-            "version": "5.60.0",
+            "version": "5.61.0",
-            "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.60.0.tgz",
+            "resolved": "https://registry.npmjs.org/codemirror/-/codemirror-5.61.0.tgz",
-            "integrity": "sha512-AEL7LhFOlxPlCL8IdTcJDblJm8yrAGib7I+DErJPdZd4l6imx8IMgKK3RblVgBQqz3TZJR4oknQ03bz+uNjBYA=="
+            "integrity": "sha512-D3wYH90tYY1BsKlUe0oNj2JAhQ9TepkD51auk3N7q+4uz7A/cgJ5JsWHreT0PqieW1QhOuqxQ2reCXV1YXzecg=="
        },
        "collection-visit": {
            "version": "1.0.0",
@ -2921,9 +2993,9 @@
            }
        },
        "date-fns": {
-            "version": "2.20.1",
+            "version": "2.21.1",
-            "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-2.20.1.tgz",
+            "resolved": "https://registry.npmjs.org/date-fns/-/date-fns-2.21.1.tgz",
-            "integrity": "sha512-8P5M8Kxbnovd0zfvOs7ipkiVJ3/zZQ0F/nrBW4x5E+I0uAZVZ80h6CKd24fSXQ5TLK5hXMtI4yb2O5rEZdUt2A=="
+            "integrity": "sha512-m1WR0xGiC6j6jNFAyW4Nvh4WxAi4JF4w9jRJwSI8nBmNcyZXPcP9VUQG+6gHQXAmqaGEKDKhOqAtENDC941UkA=="
        },
        "debug": {
            "version": "4.3.1",
--- a/web/package.json
+++ b/web/package.json
@ -35,34 +35,34 @@
        ]
    },
    "dependencies": {
-        "@babel/core": "^7.13.15",
+        "@babel/core": "^7.13.16",
        "@babel/plugin-proposal-decorators": "^7.13.15",
        "@babel/plugin-transform-runtime": "^7.13.15",
        "@babel/preset-env": "^7.13.15",
        "@babel/preset-typescript": "^7.13.0",
        "@fortawesome/fontawesome-free": "^5.15.3",
-        "@lingui/cli": "^3.8.9",
+        "@lingui/cli": "^3.8.10",
-        "@lingui/core": "^3.8.9",
+        "@lingui/core": "^3.8.10",
-        "@lingui/macro": "^3.8.9",
+        "@lingui/macro": "^3.8.10",
        "@patternfly/patternfly": "^4.96.2",
        "@polymer/iron-form": "^3.0.1",
        "@polymer/paper-input": "^3.2.1",
        "@rollup/plugin-babel": "^5.3.0",
        "@rollup/plugin-replace": "^2.4.2",
        "@rollup/plugin-typescript": "^8.2.1",
-        "@sentry/browser": "^6.2.5",
+        "@sentry/browser": "^6.3.0",
-        "@sentry/tracing": "^6.2.5",
+        "@sentry/tracing": "^6.3.0",
        "@types/chart.js": "^2.9.32",
-        "@types/codemirror": "0.0.108",
+        "@types/codemirror": "0.0.109",
        "@types/grecaptcha": "^3.0.1",
        "@typescript-eslint/eslint-plugin": "^4.22.0",
        "@typescript-eslint/parser": "^4.22.0",
        "authentik-api": "file:api",
        "babel-plugin-macros": "^3.0.1",
        "base64-js": "^1.5.1",
-        "chart.js": "^3.1.0",
+        "chart.js": "^3.1.1",
        "chartjs-adapter-moment": "^1.0.0",
-        "codemirror": "^5.60.0",
+        "codemirror": "^5.61.0",
        "construct-style-sheets-polyfill": "^2.4.16",
        "eslint": "^7.24.0",
        "eslint-config-google": "^0.14.0",
--- a/web/security.txt
+++ b/web/security.txt
@ -1,4 +1,4 @@
 Contact: mailto:security@beryju.org
 Expires: Sat, 1 Jan 2022 00:00 +0200
 Preferred-Languages: en, de
-Policy: https://github.com/BeryJu/authentik/blob/master/SECURITY.md
+Policy: https://github.com/goauthentik/authentik/blob/master/SECURITY.md
--- a/web/src/api/Config.ts
+++ b/web/src/api/Config.ts
@ -1,4 +1,4 @@
-import { Configuration, Middleware, ResponseContext } from "authentik-api";
+import { Config, Configuration, Middleware, ResponseContext, RootApi } from "authentik-api";
 import { getCookie } from "../utils";
 import { API_DRAWER_MIDDLEWARE } from "../elements/notifications/APIDrawer";
 import { MessageMiddleware } from "../elements/messages/Middleware";
@ -12,6 +12,14 @@ export class LoggingMiddleware implements Middleware {
 }
 let globalConfigPromise: Promise<Config>;
 export function config(): Promise<Config> {
    if (!globalConfigPromise) {
        globalConfigPromise = new RootApi(DEFAULT_CONFIG).rootConfigList();
    }
    return globalConfigPromise;
 }
 export const DEFAULT_CONFIG = new Configuration({
    basePath: "/api/v2beta",
    headers: {
--- a/web/src/api/Sentry.ts
+++ b/web/src/api/Sentry.ts
@ -2,12 +2,12 @@ import * as Sentry from "@sentry/browser";
 import { Integrations } from "@sentry/tracing";
 import { VERSION } from "../constants";
 import { SentryIgnoredError } from "../common/errors";
 import { Config, RootApi } from "authentik-api";
 import { me } from "./Users";
-import { DEFAULT_CONFIG } from "./Config";
+import { config } from "./Config";
 import { Config } from "authentik-api";
 export function configureSentry(): Promise<Config> {
-    return new RootApi(DEFAULT_CONFIG).rootConfigList().then((config) => {
+    return config().then((config) => {
        if (config.errorReportingEnabled) {
            Sentry.init({
                dsn: "https://a579bb09306d4f8b8d8847c052d3a1d3@sentry.beryju.org/8",
@ -19,10 +19,19 @@ export function configureSentry(): Promise<Config> {
                ],
                tracesSampleRate: 0.6,
                environment: config.errorReportingEnvironment,
-                beforeSend(event: Sentry.Event, hint: Sentry.EventHint) {
+                beforeSend: async (event: Sentry.Event, hint: Sentry.EventHint): Promise<Sentry.Event | null> => {
                    if (hint.originalException instanceof SentryIgnoredError) {
                        return null;
                    }
                    if (hint.originalException instanceof Response) {
                        const response = hint.originalException as Response;
                        // We only care about server errors
                        if (response.status < 500) {
                            return null;
                        }
                        const body = await response.json();
                        event.message = `${response.status} ${response.url}: ${JSON.stringify(body)}`
                    }
                    if (event.exception) {
                        me().then(user => {
                            Sentry.showReportDialog({
--- a/web/src/api/Users.ts
+++ b/web/src/api/Users.ts
@ -1,15 +1,21 @@
 import { CoreApi, SessionUser } from "authentik-api";
 import { DEFAULT_CONFIG } from "./Config";
-let _globalMePromise: Promise<SessionUser>;
+let globalMePromise: Promise<SessionUser>;
 export function me(): Promise<SessionUser> {
-    if (!_globalMePromise) {
+    if (!globalMePromise) {
-        _globalMePromise = new CoreApi(DEFAULT_CONFIG).coreUsersMe().catch((ex) => {
+        globalMePromise = new CoreApi(DEFAULT_CONFIG).coreUsersMe().catch((ex) => {
            const defaultUser: SessionUser = {
                user: {
                    username: "",
                    name: ""
                }
            };
            if (ex.status === 401 || ex.status === 403) {
                window.location.assign("/");
            }
-            return ex;
+            return defaultUser;
        });
    }
-    return _globalMePromise;
+    return globalMePromise;
 }
--- a/web/src/constants.ts
+++ b/web/src/constants.ts
@ -3,11 +3,11 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2021.4.2";
+export const VERSION = "2021.4.4";
 export const PAGE_SIZE = 20;
 export const EVENT_REFRESH = "ak-refresh";
 export const EVENT_NOTIFICATION_TOGGLE = "ak-notification-toggle";
 export const EVENT_SIDEBAR_TOGGLE = "ak-sidebar-toggle";
 export const EVENT_API_DRAWER_REFRESH = "ak-api-drawer-refresh";
-export const TITLE_SUFFIX = "authentik";
+export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
--- a/web/src/elements/PageHeader.ts
+++ b/web/src/elements/PageHeader.ts
@ -4,7 +4,8 @@ import PFContent from "@patternfly/patternfly/components/Content/content.css";
 import AKGlobal from "../authentik.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
-import { EVENT_SIDEBAR_TOGGLE, TITLE_SUFFIX } from "../constants";
+import { EVENT_SIDEBAR_TOGGLE, TITLE_DEFAULT } from "../constants";
 import { config } from "../api/Config";
@customElement("ak-page-header")
 export class PageHeader extends LitElement {
@ -17,11 +18,13 @@ export class PageHeader extends LitElement {
    @property()
    set header(value: string) {
-        if (value !== "") {
+        config().then(config => {
-            document.title = `${value} - ${TITLE_SUFFIX}`;
+            if (value !== "") {
-        } else {
+                document.title = `${value} - ${config.brandingTitle}`;
-            document.title = TITLE_SUFFIX;
+            } else {
-        }
+                document.title = config.brandingTitle || TITLE_DEFAULT;
            }
        });
        this._header = value;
    }
--- a/web/src/flows/FlowExecutor.ts
+++ b/web/src/flows/FlowExecutor.ts
@ -36,13 +36,14 @@ import { AuthenticatorValidateStageChallenge } from "./stages/authenticator_vali
 import { WebAuthnAuthenticatorRegisterChallenge } from "./stages/authenticator_webauthn/WebAuthnAuthenticatorRegisterStage";
 import { CaptchaChallenge } from "./stages/captcha/CaptchaStage";
 import { StageHost } from "./stages/base";
-import { Challenge, ChallengeTypeEnum, Config, FlowsApi, RootApi } from "authentik-api";
+import { Challenge, ChallengeTypeEnum, Config, FlowsApi } from "authentik-api";
-import { DEFAULT_CONFIG } from "../api/Config";
+import { config, DEFAULT_CONFIG } from "../api/Config";
 import { ifDefined } from "lit-html/directives/if-defined";
 import { until } from "lit-html/directives/until";
 import { AccessDeniedChallenge } from "./access_denied/FlowAccessDenied";
 import { PFSize } from "../elements/Spinner";
-import { TITLE_SUFFIX } from "../constants";
+import { TITLE_DEFAULT } from "../constants";
 import { configureSentry } from "../api/Sentry";
@customElement("ak-flow-executor")
 export class FlowExecutor extends LitElement implements StageHost {
@ -98,11 +99,13 @@ export class FlowExecutor extends LitElement implements StageHost {
    }
    private postUpdate(): void {
-        if (this.challenge?.title) {
+        config().then(config => {
-            document.title = `${this.challenge.title} - ${TITLE_SUFFIX}`;
+            if (this.challenge?.title) {
-        } else {
+                document.title = `${this.challenge.title} - ${config.brandingTitle}`;
-            document.title = TITLE_SUFFIX;
+            } else {
-        }
+                document.title = config.brandingTitle || TITLE_DEFAULT;
            }
        });
    }
    submit<T>(formData?: T): Promise<void> {
@ -124,7 +127,7 @@ export class FlowExecutor extends LitElement implements StageHost {
    }
    firstUpdated(): void {
-        new RootApi(DEFAULT_CONFIG).rootConfigList().then((config) => {
+        configureSentry().then((config) => {
            this.config = config;
        });
        this.loading = true;
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
--- a/web/src/pages/admin-overview/AdminOverviewPage.ts
+++ b/web/src/pages/admin-overview/AdminOverviewPage.ts
@ -44,13 +44,13 @@ export class AdminOverviewPage extends LitElement {
                <ak-aggregate-card class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-server" header=${t`Apps with most usage`} style="grid-column-end: span 2;grid-row-end: span 3;">
                    <ak-top-applications-table></ak-top-applications-table>
                </ak-aggregate-card>
-                <ak-admin-status-card-provider class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-plugged" header=${t`Providers`} headerLink="#/core/providers/">
+                <ak-admin-status-card-provider class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-plugged" header=${t`Providers without application`} headerLink="#/core/providers">
                </ak-admin-status-card-provider>
-                <ak-admin-status-card-policy-unbound class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-infrastructure" header=${t`Policies`} headerLink="#/policy/policies">
+                <ak-admin-status-card-policy-unbound class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-infrastructure" header=${t`Unbound policies`} headerLink="#/policy/policies">
                </ak-admin-status-card-policy-unbound>
                <ak-admin-status-card-user-count class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-user" header=${t`Users`} headerLink="#/identity/users">
                </ak-admin-status-card-user-count>
-                <ak-admin-status-version class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-bundle" header=${t`Version`} headerLink="https://github.com/BeryJu/authentik/releases">
+                <ak-admin-status-version class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-bundle" header=${t`Version`} headerLink="https://github.com/goauthentik/authentik/releases">
                </ak-admin-status-version>
                <ak-admin-status-card-workers class="pf-l-gallery__item pf-m-4-col" icon="pf-icon pf-icon-server" header=${t`Workers`}>
                </ak-admin-status-card-workers>
--- a/web/src/pages/applications/ApplicationListPage.ts
+++ b/web/src/pages/applications/ApplicationListPage.ts
@ -22,7 +22,7 @@ export class ApplicationListPage extends TablePage<Application> {
        return t`Applications`;
    }
    pageDescription(): string {
-        return t`External Applications which use authentik as Identity-Provider, utilizing protocols like OAuth2 and SAML.`;
+        return t`External Applications which use authentik as Identity-Provider, utilizing protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.`;
    }
    pageIcon(): string {
        return "pf-icon pf-icon-applications";
@ -37,6 +37,7 @@ export class ApplicationListPage extends TablePage<Application> {
            page: page,
            pageSize: PAGE_SIZE,
            search: this.search || "",
            superuserFullList: true,
        });
    }
--- a/web/src/pages/applications/ApplicationViewPage.ts
+++ b/web/src/pages/applications/ApplicationViewPage.ts
@ -43,7 +43,7 @@ export class ApplicationViewPage extends LitElement {
    render(): TemplateResult {
        return html`<ak-page-header
                icon=${this.application?.metaIcon || ""}
-                header=${this.application?.name}
+                header=${this.application?.name || t`Loading`}
                description=${ifDefined(this.application?.metaPublisher)}
                .iconImage=${true}>
            </ak-page-header>
@ -134,7 +134,7 @@ export class ApplicationViewPage extends LitElement {
                        </div>
                    </div>
                </section>
-                <div slot="page-policy-bindings" data-tab-title="${t`Policy Bindings`}" class="pf-c-page__main-section pf-m-no-padding-mobile">
+                <div slot="page-policy-bindings" data-tab-title="${t`Policy / Group / User Bindings`}" class="pf-c-page__main-section pf-m-no-padding-mobile">
                    <div class="pf-c-card">
                        <div class="pf-c-card__title">${t`These policies control which users can access this application.`}</div>
                        <ak-bound-policies-list .target=${this.application.pk}>
--- a/web/src/pages/events/EventInfo.ts
+++ b/web/src/pages/events/EventInfo.ts
@ -190,7 +190,7 @@ export class EventInfo extends LitElement {
                <ak-expand>${this.defaultResponse()}</ak-expand>`;
        case "update_available":
            return html`<h3>${t`New version available!`}</h3>
-                <a target="_blank" href="https://github.com/BeryJu/authentik/releases/tag/version%2F${this.event.context.new_version}">${this.event.context.new_version}</a>
+                <a target="_blank" href="https://github.com/goauthentik/authentik/releases/tag/version%2F${this.event.context.new_version}">${this.event.context.new_version}</a>
                `;
        // Action types which typically don't record any extra context.
        // If context is not empty, we fall to the default response.
--- a/web/src/pages/events/RuleListPage.ts
+++ b/web/src/pages/events/RuleListPage.ts
@ -108,7 +108,7 @@ export class RuleListPage extends TablePage<NotificationRule> {
        return html`
        <td role="cell" colspan="4">
            <div class="pf-c-table__expandable-row-content">
-                <p>${t`These policies control upon which events this rule triggers. Bindings to
+                <p>${t`These bindings control upon which events this rule triggers. Bindings to
                groups/users are checked against the user of the event.`}</p>
                <ak-bound-policies-list .target=${item.pk}>
                </ak-bound-policies-list>
--- a/Show More
+++ b/Show More
`@ -1,3 +1,3 @@`
	`package pkg`	`package pkg`

	`const VERSION = "2021.4.2"`	`const VERSION = "2021.4.4"`
		`@ -0,0 +1 @@`
							`<?xml version="1.0" ?><svg role="img" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title/><path d="M11.643 0H4.68l7.679 12L4.68 24h6.963l7.677-12-7.677-12"/></svg>`