release: 2021.6.3

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.5.1-rc4
+current_version = 2021.6.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
@@ -31,8 +31,6 @@ values =
 
 [bumpversion:file:web/src/constants.ts]
 
-[bumpversion:file:web/nginx.conf]
-
 [bumpversion:file:website/docs/outposts/manual-deploy-docker-compose.md]
 
 [bumpversion:file:website/docs/outposts/manual-deploy-kubernetes.md]

.dockerignore

@@ -1,5 +1,4 @@
 env
-helm
 static
 htmlcov
 *.env.yml

.github/ISSUE_TEMPLATE/question.md

@@ -0,0 +1,27 @@
+---
+name: Question
+about: Ask a question about a feature or specific configuration
+title: ''
+labels: question
+assignees: ''
+
+---
+
+**Describe your question/**
+A clear and concise description of what you're trying to do.
+
+**Relevant infos**
+i.e. Version of other software you're using, specifics of your setup
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Logs**
+Output of docker-compose logs or kubectl logs respectively
+
+**Version and Deployment (please complete the following information):**
+ - authentik version: [e.g. 0.10.0-stable]
+ - Deployment: [e.g. docker-compose, helm]
+
+**Additional context**
+Add any other context about the problem here.

.github/stale.yml

@@ -0,0 +1,14 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+  - pr_wanted
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.

.github/workflows/release.yml

@@ -3,6 +3,9 @@ name: authentik-on-release
 on:
   release:
     types: [published, created]
+  push:
+    branches:
+      - version-*
 
 jobs:
   # Build
@@ -11,7 +14,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.1.0
+        uses: docker/setup-qemu-action@v1.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
       - name: Docker Login Registry
@@ -19,20 +22,32 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: prepare ts api client
+      - name: Login to GitHub Container Registry
-        run: |
+        uses: docker/login-action@v1
-          docker run --rm -v $(pwd):/local openapitools/openapi-generator-cli generate -i /local/swagger.yaml -g typescript-fetch -o /local/web/api --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Building Docker Image
         uses: docker/build-push-action@v2
         with:
-          push: true
+          push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik:2021.5.1-rc4,
+            beryju/authentik:2021.6.3,
             beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.5.1-rc4,
+            ghcr.io/goauthentik/server:2021.6.3,
             ghcr.io/goauthentik/server:latest
-          platforms: linux/amd64,linux/arm64,linux/arm
+          platforms: linux/amd64,linux/arm64
           context: .
+      - name: Building Docker Image (stable)
+        if: ${{ github.event_name == 'release' && !contains('2021.6.3', 'rc') }}
+        run: |
+          docker pull beryju/authentik:latest
+          docker tag beryju/authentik:latest beryju/authentik:stable
+          docker push beryju/authentik:stable
+          docker pull ghcr.io/goauthentik/server:latest
+          docker tag ghcr.io/goauthentik/server:latest ghcr.io/goauthentik/server:stable
+          docker push ghcr.io/goauthentik/server:stable
   build-proxy:
     runs-on: ubuntu-latest
     steps:
@@ -40,14 +55,8 @@ jobs:
       - uses: actions/setup-go@v2
         with:
           go-version: "^1.15"
-      - name: prepare go api client
-        run: |
-          cd outpost
-          go get -u github.com/go-swagger/go-swagger/cmd/swagger
-          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
-          go build -v ./cmd/proxy/server.go
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.1.0
+        uses: docker/setup-qemu-action@v1.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
       - name: Docker Login Registry
@@ -55,19 +64,32 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Building Docker Image
         uses: docker/build-push-action@v2
         with:
-          push: true
+          push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-proxy:2021.5.1-rc4,
+            beryju/authentik-proxy:2021.6.3,
             beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.5.1-rc4,
+            ghcr.io/goauthentik/proxy:2021.6.3,
             ghcr.io/goauthentik/proxy:latest
-          context: outpost/
           file: outpost/proxy.Dockerfile
-          platforms: linux/amd64,linux/arm64,linux/arm
+          platforms: linux/amd64,linux/arm64
-          context: .
+      - name: Building Docker Image (stable)
+        if: ${{ github.event_name == 'release' && !contains('2021.6.3', 'rc') }}
+        run: |
+          docker pull beryju/authentik-proxy:latest
+          docker tag beryju/authentik-proxy:latest beryju/authentik-proxy:stable
+          docker push beryju/authentik-proxy:stable
+          docker pull ghcr.io/goauthentik/proxy:latest
+          docker tag ghcr.io/goauthentik/proxy:latest ghcr.io/goauthentik/proxy:stable
+          docker push ghcr.io/goauthentik/proxy:stable
   build-ldap:
     runs-on: ubuntu-latest
     steps:
@@ -75,14 +97,8 @@ jobs:
       - uses: actions/setup-go@v2
         with:
           go-version: "^1.15"
-      - name: prepare go api client
-        run: |
-          cd outpost
-          go get -u github.com/go-swagger/go-swagger/cmd/swagger
-          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
-          go build -v ./cmd/ldap/server.go
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.1.0
+        uses: docker/setup-qemu-action@v1.2.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
       - name: Docker Login Registry
@@ -90,19 +106,32 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Building Docker Image
         uses: docker/build-push-action@v2
         with:
-          push: true
+          push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-ldap:2021.5.1-rc4,
+            beryju/authentik-ldap:2021.6.3,
             beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.5.1-rc4,
+            ghcr.io/goauthentik/ldap:2021.6.3,
             ghcr.io/goauthentik/ldap:latest
-          context: outpost/
           file: outpost/ldap.Dockerfile
-          platforms: linux/amd64,linux/arm64,linux/arm
+          platforms: linux/amd64,linux/arm64
-          context: .
+      - name: Building Docker Image (stable)
+        if: ${{ github.event_name == 'release' && !contains('2021.6.3', 'rc') }}
+        run: |
+          docker pull beryju/authentik-ldap:latest
+          docker tag beryju/authentik-ldap:latest beryju/authentik-ldap:stable
+          docker push beryju/authentik-ldap:stable
+          docker pull ghcr.io/goauthentik/ldap:latest
+          docker tag ghcr.io/goauthentik/ldap:latest ghcr.io/goauthentik/ldap:stable
+          docker push ghcr.io/goauthentik/ldap:stable
   test-release:
     needs:
       - build-server
@@ -119,20 +148,34 @@ jobs:
           docker-compose pull -q
           docker-compose up --no-start
           docker-compose start postgresql redis
-          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
+          docker-compose run -u root server test
   sentry-release:
+    if: ${{ github.event_name == 'release' }}
     needs:
       - test-release
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v2.1.5
+        with:
+          node-version: 12.x
+      - name: Build web api client and web ui
+        run: |
+          export NODE_ENV=production
+          make gen-web
+          cd web
+          npm i
+          npm run build
       - name: Create a Sentry.io release
         uses: getsentry/action-release@v1
+        if: ${{ github.event_name == 'release' }}
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_ORG: beryjuorg
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.5.1-rc4
+          version: authentik@2021.6.3
           environment: beryjuorg-prod
+          sourcemaps: './web/dist'

.github/workflows/tag.yml

@@ -11,9 +11,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: prepare ts api client
-        run: |
-          docker run --rm -v $(pwd):/local openapitools/openapi-generator-cli generate -i /local/swagger.yaml -g typescript-fetch -o /local/web/api --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
       - name: Pre-release test
         run: |
           sudo apt-get install -y pwgen
@@ -23,21 +20,21 @@ jobs:
           docker-compose pull -q
           docker build \
             --no-cache \
-            -t beryju/authentik:latest \
+            -t ghcr.io/goauthentik/server:latest \
             -f Dockerfile .
           docker-compose up --no-start
           docker-compose start postgresql redis
-          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
+          docker-compose run -u root server test
       - name: Extract version number
         id: get_version
-        uses: actions/github-script@0.2.0
+        uses: actions/github-script@v4.0.2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             return context.payload.ref.replace(/\/refs\/tags\/version\//, '');
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1.0.0
+        uses: actions/create-release@v1.1.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.gitignore

@@ -193,10 +193,6 @@ pip-selfcheck.json
 local.env.yml
 .vscode/
 
-### Helm ###
-# Chart dependencies
-**/charts/*.tgz
-
 # Selenium Screenshots
 selenium_screenshots/
 backups/

Dockerfile

@@ -8,18 +8,30 @@ WORKDIR /app/
 
 RUN pip install pipenv && \
     pipenv lock -r > requirements.txt && \
-    pipenv lock -rd > requirements-dev.txt
+    pipenv lock -r --dev-only > requirements-dev.txt
 
-# Stage 2: Build webui
+# Stage 2: Build web API
+FROM openapitools/openapi-generator-cli as api-builder
+
+COPY ./schema.yml /local/schema.yml
+
+RUN	docker-entrypoint.sh generate \
+    -i /local/schema.yml \
+    -g typescript-fetch \
+    -o /local/web/api \
+    --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
+
+# Stage 3: Build webui
 FROM node as npm-builder
 
 COPY ./web /static/
+COPY --from=api-builder /local/web/api /static/api
 
 ENV NODE_ENV=production
-RUN cd /static && npm i --production=false && npm run build
+RUN cd /static && npm i && npm run build
 
-# Stage 3: Build go proxy
+# Stage 4: Build go proxy
-FROM golang:1.16.4 AS builder
+FROM golang:1.16.5 AS builder
 
 WORKDIR /work
 
@@ -28,7 +40,6 @@ COPY --from=npm-builder /static/security.txt /work/web/security.txt
 COPY --from=npm-builder /static/dist/ /work/web/dist/
 COPY --from=npm-builder /static/authentik/ /work/web/authentik/
 
-# RUN ls /work/web/static/authentik/ && exit 1
 COPY ./cmd /work/cmd
 COPY ./web/static.go /work/web/static.go
 COPY ./internal /work/internal
@@ -37,7 +48,7 @@ COPY ./go.sum /work/go.sum
 
 RUN go build -o /work/authentik ./cmd/server/main.go
 
-# Stage 4: Run
+# Stage 5: Run
 FROM python:3.9-slim-buster
 
 WORKDIR /
@@ -48,35 +59,29 @@ ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends curl ca-certificates gnupg && \
+    apt-get install -y --no-install-recommends curl ca-certificates gnupg git runit && \
     curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
     echo "deb http://apt.postgresql.org/pub/repos/apt buster-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
     apt-get update && \
-    apt-get install -y --no-install-recommends postgresql-client-12 postgresql-client-11 build-essential libxmlsec1-dev pkg-config libmaxminddb0 && \
+    apt-get install -y --no-install-recommends libpq-dev postgresql-client build-essential libxmlsec1-dev pkg-config libmaxminddb0 && \
-    apt-get clean && \
     pip install -r /requirements.txt --no-cache-dir && \
-    apt-get remove --purge -y build-essential && \
+    apt-get remove --purge -y build-essential git && \
     apt-get autoremove --purge -y && \
-    # This is quite hacky, but docker has no guaranteed Group ID
+    apt-get clean && \
-    # we could instead check for the GID of the socket and add the user dynamically,
+    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
-    # but then we have to drop permmissions later
-    groupadd -g 998 docker_998 && \
-    groupadd -g 999 docker_999 && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
-    usermod -a -G docker_998 authentik && \
-    usermod -a -G docker_999 authentik && \
     mkdir /backups && \
     chown authentik:authentik /backups
 
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
 COPY ./xml /xml
+COPY ./tests /tests
 COPY ./manage.py /
 COPY ./lifecycle/ /lifecycle
 COPY --from=builder /work/authentik /authentik-proxy
 
 USER authentik
-STOPSIGNAL SIGINT
 ENV TMPDIR /dev/shm/
 ENV PYTHONUBUFFERED 1
 ENTRYPOINT [ "/lifecycle/bootstrap.sh" ]

Makefile

@@ -1,3 +1,8 @@
+.SHELLFLAGS += -x -e
+PWD = $(shell pwd)
+UID = $(shell id -u)
+GID = $(shell id -g)
+
 all: lint-fix lint test gen
 
 test-integration:
@@ -22,14 +27,39 @@ lint:
 	bandit -r authentik tests lifecycle -x node_modules
 	pylint authentik tests lifecycle
 
-gen:
+gen-build:
-	./manage.py generate_swagger -o swagger.yaml -f yaml
+	./manage.py spectacular --file schema.yml
 
-local-stack:
+gen-clean:
-	export AUTHENTIK_TAG=testing
+	rm -rf web/api/src/
-	docker build -t beryju/authentik:testng .
+	rm -rf outpost/api/
-	docker-compose up -d
+
-	docker-compose run --rm server migrate
+gen-web:
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		openapitools/openapi-generator-cli generate \
+		-i /local/schema.yml \
+		-g typescript-fetch \
+		-o /local/web/api \
+		--additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
+	cd web/api && npx tsc
+
+gen-outpost:
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		openapitools/openapi-generator-cli generate \
+		--git-host goauthentik.io \
+		--git-repo-id outpost \
+		--git-user-id api \
+		-i /local/schema.yml \
+		-g go \
+		-o /local/outpost/api \
+		--additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true
+	rm -f outpost/api/go.mod outpost/api/go.sum
+
+gen: gen-build gen-clean gen-web gen-outpost
 
 run:
 	go run -v cmd/server/main.go

Pipfile

@@ -11,7 +11,7 @@ channels-redis = "*"
 dacite = "*"
 defusedxml = "*"
 django = "*"
-django-dbbackup = "*"
+django-dbbackup = { git = 'https://github.com/django-dbbackup/django-dbbackup.git', ref = '9d1909c30a3271c8c9c8450add30d6e0b996e145' }
 django-filter = "*"
 django-guardian = "*"
 django-model-utils = "*"
@@ -22,7 +22,7 @@ django-storages = "*"
 djangorestframework = "*"
 djangorestframework-guardian = "*"
 docker = "*"
-drf_yasg = "*"
+drf-spectacular = "*"
 facebook-sdk = "*"
 geoip2 = "*"
 gunicorn = "*"
@@ -44,13 +44,16 @@ urllib3 = {extras = ["secure"],version = "*"}
 uvicorn = {extras = ["standard"],version = "*"}
 webauthn = "*"
 xmlsec = "*"
+duo-client = "*"
+ua-parser = "*"
+deepmerge = "*"
 
 [requires]
 python_version = "3.9"
 
 [dev-packages]
 bandit = "*"
-black = "==20.8b1"
+black = "==21.5b1"
 bump2version = "*"
 colorama = "*"
 coverage = "*"

README.md

@@ -21,7 +21,7 @@ authentik is an open-source Identity Provider focused on flexibility and versati
 
 For small/test setups it is recommended to use docker-compose, see the [documentation](https://goauthentik.io/docs/installation/docker-compose/)
 
-For bigger setups, there is a Helm Chart in the `helm/` directory. This is documented [here](https://goauthentik.io/docs/installation/kubernetes/)
+For bigger setups, there is a Helm Chart [here])(https://github.com/goauthentik/helm). This is documented [here](https://goauthentik.io/docs/installation/kubernetes/)
 
 ## Screenshots
 

authentik/__init__.py

@@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.5.1-rc4"
+__version__ = "2021.6.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"

authentik/admin/api/meta.py

@@ -1,5 +1,5 @@
 """Meta API"""
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework.fields import CharField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
@@ -22,7 +22,7 @@ class AppsViewSet(ViewSet):
 
     permission_classes = [IsAdminUser]
 
-    @swagger_auto_schema(responses={200: AppSerializer(many=True)})
+    @extend_schema(responses={200: AppSerializer(many=True)})
     def list(self, request: Request) -> Response:
         """List current messages and pass into Serializer"""
         data = []

authentik/admin/api/metrics.py

@@ -7,12 +7,12 @@ from django.db.models import Count, ExpressionWrapper, F
 from django.db.models.fields import DurationField
 from django.db.models.functions import ExtractHour
 from django.utils.timezone import now
-from drf_yasg.utils import swagger_auto_schema, swagger_serializer_method
+from drf_spectacular.utils import extend_schema, extend_schema_field
 from rest_framework.fields import IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.viewsets import ViewSet
+from rest_framework.views import APIView
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import Event, EventAction
@@ -58,24 +58,24 @@ class LoginMetricsSerializer(PassiveSerializer):
     logins_per_1h = SerializerMethodField()
     logins_failed_per_1h = SerializerMethodField()
 
-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
     def get_logins_per_1h(self, _):
         """Get successful logins per hour for the last 24 hours"""
         return get_events_per_1h(action=EventAction.LOGIN)
 
-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
     def get_logins_failed_per_1h(self, _):
         """Get failed logins per hour for the last 24 hours"""
         return get_events_per_1h(action=EventAction.LOGIN_FAILED)
 
 
-class AdministrationMetricsViewSet(ViewSet):
+class AdministrationMetricsViewSet(APIView):
     """Login Metrics per 1h"""
 
     permission_classes = [IsAdminUser]
 
-    @swagger_auto_schema(responses={200: LoginMetricsSerializer(many=False)})
+    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
-    def list(self, request: Request) -> Response:
+    def get(self, request: Request) -> Response:
         """Login Metrics per 1h"""
         serializer = LoginMetricsSerializer(True)
         return Response(serializer.data)

authentik/admin/api/system.py

@@ -0,0 +1,91 @@
+"""authentik administration overview"""
+import os
+import platform
+from datetime import datetime
+from sys import version as python_version
+from typing import TypedDict
+
+from django.utils.timezone import now
+from drf_spectacular.utils import extend_schema
+from gunicorn import version_info as gunicorn_version
+from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
+from rest_framework.fields import SerializerMethodField
+from rest_framework.permissions import IsAdminUser
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.core.api.utils import PassiveSerializer
+
+
+class RuntimeDict(TypedDict):
+    """Runtime information"""
+
+    python_version: str
+    gunicorn_version: str
+    environment: str
+    architecture: str
+    platform: str
+    uname: str
+
+
+class SystemSerializer(PassiveSerializer):
+    """Get system information."""
+
+    http_headers = SerializerMethodField()
+    http_host = SerializerMethodField()
+    http_is_secure = SerializerMethodField()
+    runtime = SerializerMethodField()
+    tenant = SerializerMethodField()
+    server_time = SerializerMethodField()
+
+    def get_http_headers(self, request: Request) -> dict[str, str]:
+        """Get HTTP Request headers"""
+        headers = {}
+        for key, value in request.META.items():
+            if not isinstance(value, str):
+                continue
+            headers[key] = value
+        return headers
+
+    def get_http_host(self, request: Request) -> str:
+        """Get HTTP host"""
+        return request._request.get_host()
+
+    def get_http_is_secure(self, request: Request) -> bool:
+        """Get HTTP Secure flag"""
+        return request._request.is_secure()
+
+    def get_runtime(self, request: Request) -> RuntimeDict:
+        """Get versions"""
+        return {
+            "python_version": python_version,
+            "gunicorn_version": ".".join(str(x) for x in gunicorn_version),
+            "environment": "kubernetes"
+            if SERVICE_HOST_ENV_NAME in os.environ
+            else "compose",
+            "architecture": platform.machine(),
+            "platform": platform.platform(),
+            "uname": " ".join(platform.uname()),
+        }
+
+    def get_tenant(self, request: Request) -> str:
+        """Currently active tenant"""
+        return str(request._request.tenant)
+
+    def get_server_time(self, request: Request) -> datetime:
+        """Current server time"""
+        return now()
+
+
+class SystemView(APIView):
+    """Get system information."""
+
+    permission_classes = [IsAdminUser]
+    pagination_class = None
+    filter_backends = []
+
+    @extend_schema(responses={200: SystemSerializer(many=False)})
+    def get(self, request: Request) -> Response:
+        """Get system information."""
+        return Response(SystemSerializer(request).data)

authentik/admin/api/tasks.py

@@ -4,7 +4,8 @@ from importlib import import_module
 from django.contrib import messages
 from django.http.response import Http404
 from django.utils.translation import gettext_lazy as _
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ChoiceField, DateTimeField, ListField
 from rest_framework.permissions import IsAdminUser
@@ -21,7 +22,7 @@ class TaskSerializer(PassiveSerializer):
 
     task_name = CharField()
     task_description = CharField()
-    task_finish_timestamp = DateTimeField(source="finish_timestamp")
+    task_finish_timestamp = DateTimeField(source="finish_time")
 
     status = ChoiceField(
         source="result.status.name",
@@ -29,14 +30,32 @@ class TaskSerializer(PassiveSerializer):
     )
     messages = ListField(source="result.messages")
 
+    def to_representation(self, instance):
+        """When a new version of authentik adds fields to TaskInfo,
+        the API will fail with an AttributeError, as the classes
+        are pickled in cache. In that case, just delete the info"""
+        try:
+            return super().to_representation(instance)
+        except AttributeError:
+            if isinstance(self.instance, list):
+                for inst in self.instance:
+                    inst.delete()
+            else:
+                self.instance.delete()
+            return {}
+
 
 class TaskViewSet(ViewSet):
     """Read-only view set that returns all background tasks"""
 
     permission_classes = [IsAdminUser]
+    serializer_class = TaskSerializer
 
-    @swagger_auto_schema(
+    @extend_schema(
-        responses={200: TaskSerializer(many=False), 404: "Task not found"}
+        responses={
+            200: TaskSerializer(many=False),
+            404: OpenApiResponse(description="Task not found"),
+        }
     )
     # pylint: disable=invalid-name
     def retrieve(self, request: Request, pk=None) -> Response:
@@ -46,18 +65,19 @@ class TaskViewSet(ViewSet):
             raise Http404
         return Response(TaskSerializer(task, many=False).data)
 
-    @swagger_auto_schema(responses={200: TaskSerializer(many=True)})
+    @extend_schema(responses={200: TaskSerializer(many=True)})
     def list(self, request: Request) -> Response:
         """List system tasks"""
         tasks = sorted(TaskInfo.all().values(), key=lambda task: task.task_name)
         return Response(TaskSerializer(tasks, many=True).data)
 
-    @swagger_auto_schema(
+    @extend_schema(
+        request=OpenApiTypes.NONE,
         responses={
-            204: "Task retried successfully",
+            204: OpenApiResponse(description="Task retried successfully"),
-            404: "Task not found",
+            404: OpenApiResponse(description="Task not found"),
-            500: "Failed to retry task",
+            500: OpenApiResponse(description="Failed to retry task"),
-        }
+        },
     )
     @action(detail=True, methods=["post"])
     # pylint: disable=invalid-name

authentik/admin/api/version.py

@@ -2,14 +2,13 @@
 from os import environ
 
 from django.core.cache import cache
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
-from rest_framework.mixins import ListModelMixin
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.viewsets import GenericViewSet
+from rest_framework.views import APIView
 
 from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
@@ -47,17 +46,14 @@ class VersionSerializer(PassiveSerializer):
         )
 
 
-class VersionViewSet(ListModelMixin, GenericViewSet):
+class VersionView(APIView):
     """Get running and latest version."""
 
     permission_classes = [IsAuthenticated]
     pagination_class = None
     filter_backends = []
 
-    def get_queryset(self):  # pragma: no cover
+    @extend_schema(responses={200: VersionSerializer(many=False)})
-        return None
+    def get(self, request: Request) -> Response:
-
-    @swagger_auto_schema(responses={200: VersionSerializer(many=False)})
-    def list(self, request: Request) -> Response:
         """Get running and latest version."""
         return Response(VersionSerializer(True).data)

authentik/admin/api/workers.py

@@ -1,25 +1,26 @@
 """authentik administration overview"""
-from rest_framework.mixins import ListModelMixin
+from drf_spectacular.utils import extend_schema, inline_serializer
+from prometheus_client import Gauge
+from rest_framework.fields import IntegerField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import Serializer
+from rest_framework.views import APIView
-from rest_framework.viewsets import GenericViewSet
 
 from authentik.root.celery import CELERY_APP
 
+GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 
-class WorkerViewSet(ListModelMixin, GenericViewSet):
+
+class WorkerView(APIView):
     """Get currently connected worker count."""
 
-    serializer_class = Serializer
     permission_classes = [IsAdminUser]
 
-    def get_queryset(self):  # pragma: no cover
+    @extend_schema(
-        return None
+        responses=inline_serializer("Workers", fields={"count": IntegerField()})
-
-    def list(self, request: Request) -> Response:
-        """Get currently connected worker count."""
-        return Response(
-            {"pagination": {"count": len(CELERY_APP.control.ping(timeout=0.5))}}
     )
+    def get(self, request: Request) -> Response:
+        """Get currently connected worker count."""
+        count = len(CELERY_APP.control.ping(timeout=0.5))
+        return Response({"count": count})

authentik/admin/tasks.py

@@ -1,13 +1,15 @@
 """authentik admin tasks"""
 import re
+from os import environ
 
 from django.core.cache import cache
 from django.core.validators import URLValidator
 from packaging.version import parse
+from prometheus_client import Info
 from requests import RequestException, get
 from structlog.stdlib import get_logger
 
-from authentik import __version__
+from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.events.models import Event, EventAction
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.root.celery import CELERY_APP
@@ -17,6 +19,18 @@ VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
 # Chop of the first ^ because we want to search the entire string
 URL_FINDER = URLValidator.regex.pattern[1:]
+PROM_INFO = Info("authentik_version", "Currently running authentik version")
+
+
+def _set_prom_info():
+    """Set prometheus info for version"""
+    PROM_INFO.info(
+        {
+            "version": __version__,
+            "latest": cache.get(VERSION_CACHE_KEY, ""),
+            "build_hash": environ.get(ENV_GIT_HASH_KEY, ""),
+        }
+    )
 
 
 @CELERY_APP.task(bind=True, base=MonitoredTask)
@@ -36,6 +50,7 @@ def update_latest_version(self: MonitoredTask):
                 TaskResultStatus.SUCCESSFUL, ["Successfully updated latest Version"]
             )
         )
+        _set_prom_info()
         # Check if upstream version is newer than what we're running,
         # and if no event exists yet, create one.
         local_version = parse(__version__)
@@ -53,3 +68,6 @@ def update_latest_version(self: MonitoredTask):
     except (RequestException, IndexError) as exc:
         cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
         self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
+
+
+_set_prom_info()

authentik/admin/tests/test_api.py

@@ -7,6 +7,7 @@ from django.urls import reverse
 from authentik import __version__
 from authentik.core.models import Group, User
 from authentik.core.tasks import clean_expired_models
+from authentik.events.monitored_tasks import TaskResultStatus
 
 
 class TestAdminAPI(TestCase):
@@ -30,6 +31,26 @@ class TestAdminAPI(TestCase):
             any(task["task_name"] == "clean_expired_models" for task in body)
         )
 
+    def test_tasks_single(self):
+        """Test Task API (read single)"""
+        clean_expired_models.delay()
+        response = self.client.get(
+            reverse(
+                "authentik_api:admin_system_tasks-detail",
+                kwargs={"pk": "clean_expired_models"},
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertEqual(body["status"], TaskResultStatus.SUCCESSFUL.name)
+        self.assertEqual(body["task_name"], "clean_expired_models")
+        response = self.client.get(
+            reverse(
+                "authentik_api:admin_system_tasks-detail", kwargs={"pk": "qwerqwer"}
+            )
+        )
+        self.assertEqual(response.status_code, 404)
+
     def test_tasks_retry(self):
         """Test Task API (retry)"""
         clean_expired_models.delay()
@@ -53,24 +74,29 @@ class TestAdminAPI(TestCase):
 
     def test_version(self):
         """Test Version API"""
-        response = self.client.get(reverse("authentik_api:admin_version-list"))
+        response = self.client.get(reverse("authentik_api:admin_version"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content)
         self.assertEqual(body["version_current"], __version__)
 
     def test_workers(self):
         """Test Workers API"""
-        response = self.client.get(reverse("authentik_api:admin_workers-list"))
+        response = self.client.get(reverse("authentik_api:admin_workers"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content)
-        self.assertEqual(body["pagination"]["count"], 0)
+        self.assertEqual(body["count"], 0)
 
     def test_metrics(self):
         """Test metrics API"""
-        response = self.client.get(reverse("authentik_api:admin_metrics-list"))
+        response = self.client.get(reverse("authentik_api:admin_metrics"))
         self.assertEqual(response.status_code, 200)
 
     def test_apps(self):
         """Test apps API"""
         response = self.client.get(reverse("authentik_api:apps-list"))
         self.assertEqual(response.status_code, 200)
+
+    def test_system(self):
+        """Test system API"""
+        response = self.client.get(reverse("authentik_api:admin_system"))
+        self.assertEqual(response.status_code, 200)

authentik/api/apps.py

@@ -10,3 +10,25 @@ class AuthentikAPIConfig(AppConfig):
     label = "authentik_api"
     mountpoint = "api/"
     verbose_name = "authentik API"
+
+    def ready(self) -> None:
+        from drf_spectacular.extensions import OpenApiAuthenticationExtension
+
+        from authentik.api.authentication import TokenAuthentication
+
+        # Class is defined here as it needs to be created early enough that drf-spectacular will
+        # find it, but also won't cause any import issues
+        # pylint: disable=unused-variable
+        class TokenSchema(OpenApiAuthenticationExtension):
+            """Auth schema"""
+
+            target_class = TokenAuthentication
+            name = "authentik"
+
+            def get_security_definition(self, auto_schema):
+                """Auth schema"""
+                return {
+                    "type": "apiKey",
+                    "in": "header",
+                    "name": "Authorization",
+                }

authentik/api/authentication.py

@@ -17,9 +17,9 @@ LOGGER = get_logger()
 def token_from_header(raw_header: bytes) -> Optional[Token]:
     """raw_header in the Format of `Bearer dGVzdDp0ZXN0`"""
     auth_credentials = raw_header.decode()
-    if auth_credentials == "":
+    if auth_credentials == "" or " " not in auth_credentials:
         return None
-    auth_type, auth_credentials = auth_credentials.split()
+    auth_type, _, auth_credentials = auth_credentials.partition(" ")
     if auth_type.lower() not in ["basic", "bearer"]:
         LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
         raise AuthenticationFailed("Unsupported authentication type")
@@ -42,7 +42,7 @@ def token_from_header(raw_header: bytes) -> Optional[Token]:
     return tokens.first()
 
 
-class AuthentikTokenAuthentication(BaseAuthentication):
+class TokenAuthentication(BaseAuthentication):
     """Token-based authentication using HTTP Bearer authentication"""
 
     def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
@@ -54,4 +54,4 @@ class AuthentikTokenAuthentication(BaseAuthentication):
         if not token:
             return None
 
-        return (token.user, None)
+        return (token.user, None)  # pragma: no cover

authentik/api/authorization.py

@@ -0,0 +1,35 @@
+"""API Authorization"""
+from django.db.models import Model
+from django.db.models.query import QuerySet
+from rest_framework.filters import BaseFilterBackend
+from rest_framework.permissions import BasePermission
+from rest_framework.request import Request
+
+
+class OwnerFilter(BaseFilterBackend):
+    """Filter objects by their owner"""
+
+    owner_key = "user"
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        return queryset.filter(**{self.owner_key: request.user})
+
+
+class OwnerPermissions(BasePermission):
+    """Authorize requests by an object's owner matching the requesting user"""
+
+    owner_key = "user"
+
+    def has_permission(self, request: Request, view) -> bool:
+        """If the user is authenticated, we allow all requests here. For listing, the
+        object-level permissions are done by the filter backend"""
+        return request.user.is_authenticated
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
+        """Check if the object's owner matches the currently logged in user"""
+        if not hasattr(obj, self.owner_key):
+            return False
+        owner = getattr(obj, self.owner_key)
+        if owner != request.user:
+            return False
+        return True

authentik/api/pagination.py

@@ -30,3 +30,47 @@ class Pagination(pagination.PageNumberPagination):
                 "results": data,
             }
         )
+
+    def get_paginated_response_schema(self, schema):
+        return {
+            "type": "object",
+            "properties": {
+                "pagination": {
+                    "type": "object",
+                    "properties": {
+                        "next": {
+                            "type": "number",
+                        },
+                        "previous": {
+                            "type": "number",
+                        },
+                        "count": {
+                            "type": "number",
+                        },
+                        "current": {
+                            "type": "number",
+                        },
+                        "total_pages": {
+                            "type": "number",
+                        },
+                        "start_index": {
+                            "type": "number",
+                        },
+                        "end_index": {
+                            "type": "number",
+                        },
+                    },
+                    "required": [
+                        "next",
+                        "previous",
+                        "count",
+                        "current",
+                        "total_pages",
+                        "start_index",
+                        "end_index",
+                    ],
+                },
+                "results": schema,
+            },
+            "required": ["pagination", "results"],
+        }

authentik/api/pagination_schema.py

@@ -1,97 +0,0 @@
-"""Swagger Pagination Schema class"""
-from typing import OrderedDict
-
-from drf_yasg import openapi
-from drf_yasg.inspectors import PaginatorInspector
-
-
-class PaginationInspector(PaginatorInspector):
-    """Swagger Pagination Schema class"""
-
-    def get_paginated_response(self, paginator, response_schema):
-        """
-        :param BasePagination paginator: the paginator
-        :param openapi.Schema response_schema: the response schema that must be paged.
-        :rtype: openapi.Schema
-        """
-
-        return openapi.Schema(
-            type=openapi.TYPE_OBJECT,
-            properties=OrderedDict(
-                (
-                    (
-                        "pagination",
-                        openapi.Schema(
-                            type=openapi.TYPE_OBJECT,
-                            properties=OrderedDict(
-                                (
-                                    ("next", openapi.Schema(type=openapi.TYPE_NUMBER)),
-                                    (
-                                        "previous",
-                                        openapi.Schema(type=openapi.TYPE_NUMBER),
-                                    ),
-                                    ("count", openapi.Schema(type=openapi.TYPE_NUMBER)),
-                                    (
-                                        "current",
-                                        openapi.Schema(type=openapi.TYPE_NUMBER),
-                                    ),
-                                    (
-                                        "total_pages",
-                                        openapi.Schema(type=openapi.TYPE_NUMBER),
-                                    ),
-                                    (
-                                        "start_index",
-                                        openapi.Schema(type=openapi.TYPE_NUMBER),
-                                    ),
-                                    (
-                                        "end_index",
-                                        openapi.Schema(type=openapi.TYPE_NUMBER),
-                                    ),
-                                )
-                            ),
-                            required=[
-                                "next",
-                                "previous",
-                                "count",
-                                "current",
-                                "total_pages",
-                                "start_index",
-                                "end_index",
-                            ],
-                        ),
-                    ),
-                    ("results", response_schema),
-                )
-            ),
-            required=["results", "pagination"],
-        )
-
-    def get_paginator_parameters(self, paginator):
-        """
-        Get the pagination parameters for a single paginator **instance**.
-
-        Should return :data:`.NotHandled` if this inspector
-        does not know how to handle the given `paginator`.
-
-        :param BasePagination paginator: the paginator
-        :rtype: list[openapi.Parameter]
-        """
-
-        return [
-            openapi.Parameter(
-                "page",
-                openapi.IN_QUERY,
-                "Page Index",
-                False,
-                None,
-                openapi.TYPE_INTEGER,
-            ),
-            openapi.Parameter(
-                "page_size",
-                openapi.IN_QUERY,
-                "Page Size",
-                False,
-                None,
-                openapi.TYPE_INTEGER,
-            ),
-        ]

authentik/api/schema.py

@@ -1,102 +1,77 @@
 """Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
-from drf_yasg import openapi
+from django.utils.translation import gettext_lazy as _
-from drf_yasg.inspectors.view import SwaggerAutoSchema
+from drf_spectacular.plumbing import (
-from drf_yasg.utils import force_real_str, is_list_view
+    ResolvedComponent,
-from rest_framework import exceptions, status
+    build_array_type,
-from rest_framework.settings import api_settings
+    build_basic_type,
+    build_object_type,
+)
+from drf_spectacular.settings import spectacular_settings
+from drf_spectacular.types import OpenApiTypes
 
 
-class ErrorResponseAutoSchema(SwaggerAutoSchema):
+def build_standard_type(obj, **kwargs):
-    """Inspector which includes an error schema"""
+    """Build a basic type with optional add ons."""
+    schema = build_basic_type(obj)
+    schema.update(kwargs)
+    return schema
 
-    def get_generic_error_schema(self):
+
-        """Get a generic error schema"""
+GENERIC_ERROR = build_object_type(
-        return openapi.Schema(
+    description=_("Generic API Error"),
-            "Generic API Error",
-            type=openapi.TYPE_OBJECT,
     properties={
-                "detail": openapi.Schema(
+        "detail": build_standard_type(OpenApiTypes.STR),
-                    type=openapi.TYPE_STRING, description="Error details"
+        "code": build_standard_type(OpenApiTypes.STR),
-                ),
-                "code": openapi.Schema(
-                    type=openapi.TYPE_STRING, description="Error code"
-                ),
     },
     required=["detail"],
 )
-
+VALIDATION_ERROR = build_object_type(
-    def get_validation_error_schema(self):
+    description=_("Validation Error"),
-        """Get a generic validation error schema"""
-        return openapi.Schema(
-            "Validation Error",
-            type=openapi.TYPE_OBJECT,
     properties={
-                api_settings.NON_FIELD_ERRORS_KEY: openapi.Schema(
+        "non_field_errors": build_array_type(build_standard_type(OpenApiTypes.STR)),
-                    description="List of validation errors not related to any field",
+        "code": build_standard_type(OpenApiTypes.STR),
-                    type=openapi.TYPE_ARRAY,
-                    items=openapi.Schema(type=openapi.TYPE_STRING),
-                ),
     },
-            additional_properties=openapi.Schema(
+    required=["detail"],
-                description=(
+    additionalProperties={},
-                    "A list of error messages for each "
-                    "field that triggered a validation error"
-                ),
-                type=openapi.TYPE_ARRAY,
-                items=openapi.Schema(type=openapi.TYPE_STRING),
-            ),
 )
 
-    def get_response_serializers(self):
-        responses = super().get_response_serializers()
-        definitions = self.components.with_scope(
-            openapi.SCHEMA_DEFINITIONS
-        )  # type: openapi.ReferenceResolver
 
-        definitions.setdefault("GenericError", self.get_generic_error_schema)
+def postprocess_schema_responses(result, generator, **kwargs):  # noqa: W0613
-        definitions.setdefault("ValidationError", self.get_validation_error_schema)
+    """Workaround to set a default response for endpoints.
-        definitions.setdefault("APIException", self.get_generic_error_schema)
+    Workaround suggested at
+    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
+    for the missing drf-spectacular feature discussed in
+    <https://github.com/tfranzel/drf-spectacular/issues/101>.
+    """
 
-        if self.get_request_serializer() or self.get_query_serializer():
+    def create_component(name, schema, type_=ResolvedComponent.SCHEMA):
-            responses.setdefault(
+        """Register a component and return a reference to it."""
-                exceptions.ValidationError.status_code,
+        component = ResolvedComponent(
-                openapi.Response(
+            name=name,
-                    description=force_real_str(
+            type=type_,
-                        exceptions.ValidationError.default_detail
+            schema=schema,
-                    ),
+            object=name,
-                    schema=openapi.SchemaRef(definitions, "ValidationError"),
+        )
-                ),
+        generator.registry.register_on_missing(component)
+        return component
+
+    generic_error = create_component("GenericError", GENERIC_ERROR)
+    validation_error = create_component("ValidationError", VALIDATION_ERROR)
+
+    for path in result["paths"].values():
+        for method in path.values():
+            method["responses"].setdefault("400", validation_error.ref)
+            method["responses"].setdefault("403", generic_error.ref)
+
+    result["components"] = generator.registry.build(
+        spectacular_settings.APPEND_COMPONENTS
     )
 
-        security = self.get_security()
+    # This is a workaround for authentik/stages/prompt/stage.py
-        if security is None or len(security) > 0:
+    # since the serializer PromptChallengeResponse
-            # Note: 401 error codes are coerced  into 403 see
+    # accepts dynamic keys
-            # rest_framework/views.py:433:handle_exception
+    for component in result["components"]["schemas"]:
-            # This is b/c the API uses token auth which doesn't have WWW-Authenticate header
+        if component == "PromptChallengeResponseRequest":
-            responses.setdefault(
+            comp = result["components"]["schemas"][component]
-                status.HTTP_403_FORBIDDEN,
+            comp["additionalProperties"] = {}
-                openapi.Response(
+    return result
-                    description="Authentication credentials were invalid, absent or insufficient.",
-                    schema=openapi.SchemaRef(definitions, "GenericError"),
-                ),
-            )
-        if not is_list_view(self.path, self.method, self.view):
-            responses.setdefault(
-                exceptions.PermissionDenied.status_code,
-                openapi.Response(
-                    description="Permission denied.",
-                    schema=openapi.SchemaRef(definitions, "APIException"),
-                ),
-            )
-            responses.setdefault(
-                exceptions.NotFound.status_code,
-                openapi.Response(
-                    description=(
-                        "Object does not exist or caller "
-                        "has insufficient permissions to access it."
-                    ),
-                    schema=openapi.SchemaRef(definitions, "APIException"),
-                ),
-            )
-
-        return responses

authentik/api/templates/api/browser.html

@@ -3,7 +3,7 @@
 {% load static %}
 
 {% block title %}
-API Browser - {{ config.authentik.branding.title }}
+API Browser - {{ tenant.branding_title }}
 {% endblock %}
 
 {% block head %}

authentik/api/tests/test_auth.py

@@ -5,7 +5,7 @@ from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.exceptions import AuthenticationFailed
 
-from authentik.api.auth import token_from_header
+from authentik.api.authentication import token_from_header
 from authentik.core.models import Token, TokenIntents
 
 

authentik/api/tests/test_config.py

@@ -11,6 +11,6 @@ class TestConfig(APITestCase):
     def test_config(self):
         """Test YAML generation"""
         response = self.client.get(
-            reverse("authentik_api:configs-list"),
+            reverse("authentik_api:config"),
         )
         self.assertTrue(loads(response.content.decode()))

authentik/api/tests/test_schema.py

@@ -0,0 +1,22 @@
+"""Schema generation tests"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+from yaml import safe_load
+
+
+class TestSchemaGeneration(APITestCase):
+    """Generic admin tests"""
+
+    def test_schema(self):
+        """Test generation"""
+        response = self.client.get(
+            reverse("authentik_api:schema"),
+        )
+        self.assertTrue(safe_load(response.content.decode()))
+
+    def test_browser(self):
+        """Test API Browser"""
+        response = self.client.get(
+            reverse("authentik_api:schema-browser"),
+        )
+        self.assertEqual(response.status_code, 200)

authentik/api/tests/test_swagger.py

@@ -1,24 +0,0 @@
-"""Swagger generation tests"""
-from json import loads
-
-from django.urls import reverse
-from rest_framework.test import APITestCase
-from yaml import safe_load
-
-
-class TestSwaggerGeneration(APITestCase):
-    """Generic admin tests"""
-
-    def test_yaml(self):
-        """Test YAML generation"""
-        response = self.client.get(
-            reverse("authentik_api:schema-json", kwargs={"format": ".yaml"}),
-        )
-        self.assertTrue(safe_load(response.content.decode()))
-
-    def test_json(self):
-        """Test JSON generation"""
-        response = self.client.get(
-            reverse("authentik_api:schema-json", kwargs={"format": ".json"}),
-        )
-        self.assertTrue(loads(response.content.decode()))

authentik/api/v2/config.py

@@ -1,50 +1,70 @@
 """core Configs API"""
-from drf_yasg.utils import swagger_auto_schema
+from os import environ, path
-from rest_framework.fields import BooleanField, CharField, ListField
+
+from django.conf import settings
+from django.db import models
+from drf_spectacular.utils import extend_schema
+from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
+from rest_framework.fields import BooleanField, CharField, ChoiceField, ListField
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.viewsets import ViewSet
+from rest_framework.views import APIView
 
 from authentik.core.api.utils import PassiveSerializer
+from authentik.events.geo import GEOIP_READER
 from authentik.lib.config import CONFIG
 
 
-class FooterLinkSerializer(PassiveSerializer):
+class Capabilities(models.TextChoices):
-    """Links returned in Config API"""
+    """Define capabilities which influence which APIs can/should be used"""
 
-    href = CharField(read_only=True)
+    CAN_SAVE_MEDIA = "can_save_media"
-    name = CharField(read_only=True)
+    CAN_GEO_IP = "can_geo_ip"
+    CAN_BACKUP = "can_backup"
 
 
 class ConfigSerializer(PassiveSerializer):
     """Serialize authentik Config into DRF Object"""
 
-    branding_logo = CharField(read_only=True)
-    branding_title = CharField(read_only=True)
-    ui_footer_links = ListField(child=FooterLinkSerializer(), read_only=True)
-
     error_reporting_enabled = BooleanField(read_only=True)
     error_reporting_environment = CharField(read_only=True)
     error_reporting_send_pii = BooleanField(read_only=True)
 
+    capabilities = ListField(child=ChoiceField(choices=Capabilities.choices))
 
-class ConfigsViewSet(ViewSet):
+
+class ConfigView(APIView):
     """Read-only view set that returns the current session's Configs"""
 
     permission_classes = [AllowAny]
 
-    @swagger_auto_schema(responses={200: ConfigSerializer(many=False)})
+    def get_capabilities(self) -> list[Capabilities]:
-    def list(self, request: Request) -> Response:
+        """Get all capabilities this server instance supports"""
+        caps = []
+        deb_test = settings.DEBUG or settings.TEST
+        if path.ismount(settings.MEDIA_ROOT) or deb_test:
+            caps.append(Capabilities.CAN_SAVE_MEDIA)
+        if GEOIP_READER.enabled:
+            caps.append(Capabilities.CAN_GEO_IP)
+        if SERVICE_HOST_ENV_NAME in environ:
+            # Running in k8s, only s3 backup is supported
+            if CONFIG.y("postgresql.s3_backup"):
+                caps.append(Capabilities.CAN_BACKUP)
+        else:
+            # Running in compose, backup is always supported
+            caps.append(Capabilities.CAN_BACKUP)
+        return caps
+
+    @extend_schema(responses={200: ConfigSerializer(many=False)})
+    def get(self, request: Request) -> Response:
         """Retrive public configuration options"""
         config = ConfigSerializer(
             {
-                "branding_logo": CONFIG.y("authentik.branding.logo"),
-                "branding_title": CONFIG.y("authentik.branding.title"),
                 "error_reporting_enabled": CONFIG.y("error_reporting.enabled"),
                 "error_reporting_environment": CONFIG.y("error_reporting.environment"),
                 "error_reporting_send_pii": CONFIG.y("error_reporting.send_pii"),
-                "ui_footer_links": CONFIG.y("authentik.footer_links"),
+                "capabilities": self.get_capabilities(),
             }
         )
         return Response(config.data)

authentik/api/v2/urls.py

@@ -1,18 +1,18 @@
 """api v2 urls"""
-from django.urls import path, re_path
+from django.urls import path
-from drf_yasg import openapi
+from drf_spectacular.views import SpectacularAPIView
-from drf_yasg.views import get_schema_view
 from rest_framework import routers
-from rest_framework.permissions import AllowAny
 
 from authentik.admin.api.meta import AppsViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
+from authentik.admin.api.system import SystemView
 from authentik.admin.api.tasks import TaskViewSet
-from authentik.admin.api.version import VersionViewSet
+from authentik.admin.api.version import VersionView
-from authentik.admin.api.workers import WorkerViewSet
+from authentik.admin.api.workers import WorkerView
-from authentik.api.v2.config import ConfigsViewSet
+from authentik.api.v2.config import ConfigView
-from authentik.api.views import SwaggerView
+from authentik.api.views import APIBrowserView
 from authentik.core.api.applications import ApplicationViewSet
+from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
 from authentik.core.api.groups import GroupViewSet
 from authentik.core.api.propertymappings import PropertyMappingViewSet
 from authentik.core.api.providers import ProviderViewSet
@@ -28,12 +28,12 @@ from authentik.flows.api.bindings import FlowStageBindingViewSet
 from authentik.flows.api.flows import FlowViewSet
 from authentik.flows.api.stages import StageViewSet
 from authentik.flows.views import FlowExecutorView
-from authentik.outposts.api.outpost_service_connections import (
+from authentik.outposts.api.outposts import OutpostViewSet
+from authentik.outposts.api.service_connections import (
     DockerServiceConnectionViewSet,
     KubernetesServiceConnectionViewSet,
     ServiceConnectionViewSet,
 )
-from authentik.outposts.api.outposts import OutpostViewSet
 from authentik.policies.api.bindings import PolicyBindingViewSet
 from authentik.policies.api.policies import PolicyViewSet
 from authentik.policies.dummy.api import DummyPolicyViewSet
@@ -66,6 +66,11 @@ from authentik.sources.oauth.api.source_connection import (
 )
 from authentik.sources.plex.api import PlexSourceViewSet
 from authentik.sources.saml.api import SAMLSourceViewSet
+from authentik.stages.authenticator_duo.api import (
+    AuthenticatorDuoStageViewSet,
+    DuoAdminDeviceViewSet,
+    DuoDeviceViewSet,
+)
 from authentik.stages.authenticator_static.api import (
     AuthenticatorStaticStageViewSet,
     StaticAdminDeviceViewSet,
@@ -97,24 +102,21 @@ from authentik.stages.user_delete.api import UserDeleteStageViewSet
 from authentik.stages.user_login.api import UserLoginStageViewSet
 from authentik.stages.user_logout.api import UserLogoutStageViewSet
 from authentik.stages.user_write.api import UserWriteStageViewSet
+from authentik.tenants.api import TenantViewSet
 
 router = routers.DefaultRouter()
 
-router.register("root/config", ConfigsViewSet, basename="configs")
-
-router.register("admin/version", VersionViewSet, basename="admin_version")
-router.register("admin/workers", WorkerViewSet, basename="admin_workers")
-router.register("admin/metrics", AdministrationMetricsViewSet, basename="admin_metrics")
 router.register("admin/system_tasks", TaskViewSet, basename="admin_system_tasks")
 router.register("admin/apps", AppsViewSet, basename="apps")
 
+router.register("core/authenticated_sessions", AuthenticatedSessionViewSet)
 router.register("core/applications", ApplicationViewSet)
 router.register("core/groups", GroupViewSet)
 router.register("core/users", UserViewSet)
 router.register("core/user_consent", UserConsentViewSet)
 router.register("core/tokens", TokenViewSet)
+router.register("core/tenants", TenantViewSet)
 
-router.register("outposts/outposts", OutpostViewSet)
 router.register("outposts/instances", OutpostViewSet)
 router.register("outposts/service_connections/all", ServiceConnectionViewSet)
 router.register("outposts/service_connections/docker", DockerServiceConnectionViewSet)
@@ -166,14 +168,31 @@ router.register("propertymappings/ldap", LDAPPropertyMappingViewSet)
 router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
 router.register("propertymappings/scope", ScopeMappingViewSet)
 
+router.register("authenticators/duo", DuoDeviceViewSet)
 router.register("authenticators/static", StaticDeviceViewSet)
 router.register("authenticators/totp", TOTPDeviceViewSet)
 router.register("authenticators/webauthn", WebAuthnDeviceViewSet)
-router.register("authenticators/admin/static", StaticAdminDeviceViewSet)
+router.register(
-router.register("authenticators/admin/totp", TOTPAdminDeviceViewSet)
+    "authenticators/admin/duo",
-router.register("authenticators/admin/webauthn", WebAuthnAdminDeviceViewSet)
+    DuoAdminDeviceViewSet,
+    basename="admin-duodevice",
+)
+router.register(
+    "authenticators/admin/static",
+    StaticAdminDeviceViewSet,
+    basename="admin-staticdevice",
+)
+router.register(
+    "authenticators/admin/totp", TOTPAdminDeviceViewSet, basename="admin-totpdevice"
+)
+router.register(
+    "authenticators/admin/webauthn",
+    WebAuthnAdminDeviceViewSet,
+    basename="admin-webauthndevice",
+)
 
 router.register("stages/all", StageViewSet)
+router.register("stages/authenticator/duo", AuthenticatorDuoStageViewSet)
 router.register("stages/authenticator/static", AuthenticatorStaticStageViewSet)
 router.register("stages/authenticator/totp", AuthenticatorTOTPStageViewSet)
 router.register("stages/authenticator/validate", AuthenticatorValidateStageViewSet)
@@ -196,32 +215,26 @@ router.register("stages/user_write", UserWriteStageViewSet)
 router.register("stages/dummy", DummyStageViewSet)
 router.register("policies/dummy", DummyPolicyViewSet)
 
-info = openapi.Info(
-    title="authentik API",
-    default_version="v2beta",
-    contact=openapi.Contact(email="hello@beryju.org"),
-    license=openapi.License(
-        name="GNU GPLv3",
-        url="https://github.com/goauthentik/authentik/blob/master/LICENSE",
-    ),
-)
-SchemaView = get_schema_view(info, public=True, permission_classes=(AllowAny,))
-
 urlpatterns = (
     [
-        path("", SwaggerView.as_view(), name="swagger"),
+        path("", APIBrowserView.as_view(), name="schema-browser"),
     ]
     + router.urls
     + [
+        path(
+            "admin/metrics/",
+            AdministrationMetricsViewSet.as_view(),
+            name="admin_metrics",
+        ),
+        path("admin/version/", VersionView.as_view(), name="admin_version"),
+        path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
+        path("admin/system/", SystemView.as_view(), name="admin_system"),
+        path("root/config/", ConfigView.as_view(), name="config"),
         path(
             "flows/executor/<slug:flow_slug>/",
             FlowExecutorView.as_view(),
             name="flow-executor",
         ),
-        re_path(
+        path("schema/", SpectacularAPIView.as_view(), name="schema"),
-            r"^swagger(?P<format>\.json|\.yaml)$",
-            SchemaView.without_ui(cache_timeout=0),
-            name="schema-json",
-        ),
     ]
 )

authentik/api/views.py

@@ -5,18 +5,15 @@ from django.urls import reverse
 from django.views.generic import TemplateView
 
 
-class SwaggerView(TemplateView):
+class APIBrowserView(TemplateView):
-    """Show swagger view based on rapi-doc"""
+    """Show browser view based on rapi-doc"""
 
-    template_name = "api/swagger.html"
+    template_name = "api/browser.html"
 
     def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
         path = self.request.build_absolute_uri(
             reverse(
-                "authentik_api:schema-json",
+                "authentik_api:schema",
-                kwargs={
-                    "format": ".json",
-                },
             )
         )
         return super().get_context_data(path=path, **kwargs)

authentik/core/api/applications.py

@@ -1,13 +1,17 @@
 """Application API Views"""
-from typing import Optional
-
 from django.core.cache import cache
 from django.db.models import QuerySet
 from django.http.response import HttpResponseBadRequest
-from drf_yasg import openapi
+from django.shortcuts import get_object_or_404
-from drf_yasg.utils import no_body, swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiResponse,
+    extend_schema,
+    inline_serializer,
+)
 from rest_framework.decorators import action
-from rest_framework.fields import SerializerMethodField
+from rest_framework.fields import BooleanField, CharField, FileField, ReadOnlyField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -19,9 +23,13 @@ from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
 from authentik.api.decorators import permission_required
 from authentik.core.api.providers import ProviderSerializer
-from authentik.core.models import Application
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.models import Application, User
 from authentik.events.models import EventAction
+from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
+from authentik.policies.types import PolicyResult
+from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
 
 LOGGER = get_logger()
 
@@ -34,12 +42,10 @@ def user_app_cache_key(user_pk: str) -> str:
 class ApplicationSerializer(ModelSerializer):
     """Application Serializer"""
 
-    launch_url = SerializerMethodField()
+    launch_url = ReadOnlyField(source="get_launch_url")
     provider_obj = ProviderSerializer(source="get_provider", required=False)
 
-    def get_launch_url(self, instance: Application) -> Optional[str]:
+    meta_icon = ReadOnlyField(source="get_meta_icon")
-        """Get generated launch URL"""
-        return instance.get_launch_url()
 
     class Meta:
 
@@ -57,9 +63,12 @@ class ApplicationSerializer(ModelSerializer):
             "meta_publisher",
             "policy_engine_mode",
         ]
+        extra_kwargs = {
+            "meta_icon": {"read_only": True},
+        }
 
 
-class ApplicationViewSet(ModelViewSet):
+class ApplicationViewSet(UsedByMixin, ModelViewSet):
     """Application Viewset"""
 
     queryset = Application.objects.all()
@@ -91,34 +100,52 @@ class ApplicationViewSet(ModelViewSet):
                 applications.append(application)
         return applications
 
-    @swagger_auto_schema(
+    @extend_schema(
+        parameters=[
+            OpenApiParameter(
+                name="for_user",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.INT,
+            )
+        ],
         responses={
-            204: "Access granted",
+            200: PolicyTestResultSerializer(),
-            403: "Access denied",
+            404: OpenApiResponse(description="for_user user not found"),
-        }
+        },
     )
     @action(detail=True, methods=["GET"])
     # pylint: disable=unused-argument
     def check_access(self, request: Request, slug: str) -> Response:
         """Check access to a single application by slug"""
-        application = self.get_object()
+        # Don't use self.get_object as that checks for view_application permission
-        engine = PolicyEngine(application, self.request.user, self.request)
+        # which the user might not have, even if they have access
+        application = get_object_or_404(Application, slug=slug)
+        # If the current user is superuser, they can set `for_user`
+        for_user = self.request.user
+        if self.request.user.is_superuser and "for_user" in request.data:
+            for_user = get_object_or_404(User, pk=request.data.get("for_user"))
+        engine = PolicyEngine(application, for_user, self.request)
         engine.build()
-        if engine.passing:
+        result = engine.result
-            return Response(status=204)
+        response = PolicyTestResultSerializer(PolicyResult(False))
-        return Response(status=403)
+        if result.passing:
+            response = PolicyTestResultSerializer(PolicyResult(True))
+        if self.request.user.is_superuser:
+            response = PolicyTestResultSerializer(result)
+        return Response(response.data)
 
-    @swagger_auto_schema(
+    @extend_schema(
-        manual_parameters=[
+        parameters=[
-            openapi.Parameter(
+            OpenApiParameter(
                 name="superuser_full_list",
-                in_=openapi.IN_QUERY,
+                location=OpenApiParameter.QUERY,
-                type=openapi.TYPE_BOOLEAN,
+                type=OpenApiTypes.BOOL,
             )
         ]
     )
     def list(self, request: Request) -> Response:
         """Custom list method that checks Policy based access instead of guardian"""
+        self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)
         queryset = self._filter_queryset_for_list(self.get_queryset())
         self.paginate_queryset(queryset)
 
@@ -148,17 +175,20 @@ class ApplicationViewSet(ModelViewSet):
         return self.get_paginated_response(serializer.data)
 
     @permission_required("authentik_core.change_application")
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=no_body,
+        request={
-        manual_parameters=[
+            "multipart/form-data": inline_serializer(
-            openapi.Parameter(
+                "SetIcon",
-                name="file",
+                fields={
-                in_=openapi.IN_FORM,
+                    "file": FileField(required=False),
-                type=openapi.TYPE_FILE,
+                    "clear": BooleanField(default=False),
-                required=True,
+                },
             )
-        ],
+        },
-        responses={200: "Success", 400: "Bad request"},
+        responses={
+            200: OpenApiResponse(description="Success"),
+            400: OpenApiResponse(description="Bad request"),
+        },
     )
     @action(
         detail=True,
@@ -172,16 +202,46 @@ class ApplicationViewSet(ModelViewSet):
         """Set application icon"""
         app: Application = self.get_object()
         icon = request.FILES.get("file", None)
-        if not icon:
+        clear = request.data.get("clear", "false").lower() == "true"
-            return HttpResponseBadRequest()
+        if clear:
+            # .delete() saves the model by default
+            app.meta_icon.delete()
+            return Response({})
+        if icon:
             app.meta_icon = icon
             app.save()
             return Response({})
+        return HttpResponseBadRequest()
+
+    @permission_required("authentik_core.change_application")
+    @extend_schema(
+        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
+        responses={
+            200: OpenApiResponse(description="Success"),
+            400: OpenApiResponse(description="Bad request"),
+        },
+    )
+    @action(
+        detail=True,
+        pagination_class=None,
+        filter_backends=[],
+        methods=["POST"],
+    )
+    # pylint: disable=unused-argument
+    def set_icon_url(self, request: Request, slug: str):
+        """Set application icon (as URL)"""
+        app: Application = self.get_object()
+        url = request.data.get("url", None)
+        if url is None:
+            return HttpResponseBadRequest()
+        app.meta_icon.name = url
+        app.save()
+        return Response({})
 
     @permission_required(
         "authentik_core.view_application", ["authentik_events.view_event"]
     )
-    @swagger_auto_schema(responses={200: CoordinateSerializer(many=True)})
+    @extend_schema(responses={200: CoordinateSerializer(many=True)})
     @action(detail=True, pagination_class=None, filter_backends=[])
     # pylint: disable=unused-argument
     def metrics(self, request: Request, slug: str):

authentik/core/api/authenticated_sessions.py

@@ -0,0 +1,117 @@
+"""AuthenticatedSessions API Viewset"""
+from typing import Optional, TypedDict
+
+from django_filters.rest_framework import DjangoFilterBackend
+from guardian.utils import get_anonymous_user
+from rest_framework import mixins
+from rest_framework.fields import SerializerMethodField
+from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.request import Request
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import GenericViewSet
+from ua_parser import user_agent_parser
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.models import AuthenticatedSession
+from authentik.events.geo import GEOIP_READER, GeoIPDict
+
+
+class UserAgentDeviceDict(TypedDict):
+    """User agent device"""
+
+    brand: str
+    family: str
+    model: str
+
+
+class UserAgentOSDict(TypedDict):
+    """User agent os"""
+
+    family: str
+    major: str
+    minor: str
+    patch: str
+    patch_minor: str
+
+
+class UserAgentBrowserDict(TypedDict):
+    """User agent browser"""
+
+    family: str
+    major: str
+    minor: str
+    patch: str
+
+
+class UserAgentDict(TypedDict):
+    """User agent details"""
+
+    device: UserAgentDeviceDict
+    os: UserAgentOSDict
+    user_agent: UserAgentBrowserDict
+    string: str
+
+
+class AuthenticatedSessionSerializer(ModelSerializer):
+    """AuthenticatedSession Serializer"""
+
+    current = SerializerMethodField()
+    user_agent = SerializerMethodField()
+    geo_ip = SerializerMethodField()
+
+    def get_current(self, instance: AuthenticatedSession) -> bool:
+        """Check if session is currently active session"""
+        request: Request = self.context["request"]
+        return request._request.session.session_key == instance.session_key
+
+    def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
+        """Get parsed user agent"""
+        return user_agent_parser.Parse(instance.last_user_agent)
+
+    def get_geo_ip(
+        self, instance: AuthenticatedSession
+    ) -> Optional[GeoIPDict]:  # pragma: no cover
+        """Get parsed user agent"""
+        return GEOIP_READER.city_dict(instance.last_ip)
+
+    class Meta:
+
+        model = AuthenticatedSession
+        fields = [
+            "uuid",
+            "current",
+            "user_agent",
+            "geo_ip",
+            "user",
+            "last_ip",
+            "last_user_agent",
+            "last_used",
+            "expires",
+        ]
+
+
+class AuthenticatedSessionViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """AuthenticatedSession Viewset"""
+
+    queryset = AuthenticatedSession.objects.all()
+    serializer_class = AuthenticatedSessionSerializer
+    search_fields = ["user__username", "last_ip", "last_user_agent"]
+    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
+    ordering = ["user__username"]
+    filter_backends = [
+        DjangoFilterBackend,
+        OrderingFilter,
+        SearchFilter,
+    ]
+
+    def get_queryset(self):
+        user = self.request.user if self.request else get_anonymous_user()
+        if user.is_superuser:
+            return super().get_queryset()
+        return super().get_queryset().filter(user=user.pk)

authentik/core/api/groups.py

@@ -5,6 +5,7 @@ from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter
 
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import is_dict
 from authentik.core.models import Group
 
@@ -20,7 +21,7 @@ class GroupSerializer(ModelSerializer):
         fields = ["pk", "name", "is_superuser", "parent", "users", "attributes"]
 
 
-class GroupViewSet(ModelViewSet):
+class GroupViewSet(UsedByMixin, ModelViewSet):
     """Group Viewset"""
 
     queryset = Group.objects.all()

authentik/core/api/propertymappings.py

@@ -1,8 +1,8 @@
 """PropertyMapping API Views"""
 from json import dumps
 
-from drf_yasg import openapi
+from drf_spectacular.types import OpenApiTypes
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
@@ -14,6 +14,7 @@ from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
 from authentik.api.decorators import permission_required
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import (
     MetaNameSerializer,
     PassiveSerializer,
@@ -65,6 +66,7 @@ class PropertyMappingSerializer(ManagedSerializer, ModelSerializer, MetaNameSeri
 class PropertyMappingViewSet(
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
+    UsedByMixin,
     mixins.ListModelMixin,
     GenericViewSet,
 ):
@@ -78,10 +80,10 @@ class PropertyMappingViewSet(
     filterset_fields = {"managed": ["isnull"]}
     ordering = ["name"]
 
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
         return PropertyMapping.objects.select_subclasses()
 
-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
     @action(detail=False, pagination_class=None, filter_backends=[])
     def types(self, request: Request) -> Response:
         """Get all creatable property-mapping types"""
@@ -100,14 +102,17 @@ class PropertyMappingViewSet(
         return Response(TypeCreateSerializer(data, many=True).data)
 
     @permission_required("authentik_core.view_propertymapping")
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=PolicyTestSerializer(),
+        request=PolicyTestSerializer(),
-        responses={200: PropertyMappingTestResultSerializer, 400: "Invalid parameters"},
+        responses={
-        manual_parameters=[
+            200: PropertyMappingTestResultSerializer,
-            openapi.Parameter(
+            400: OpenApiResponse(description="Invalid parameters"),
+        },
+        parameters=[
+            OpenApiParameter(
                 name="format_result",
-                in_=openapi.IN_QUERY,
+                location=OpenApiParameter.QUERY,
-                type=openapi.TYPE_BOOLEAN,
+                type=OpenApiTypes.BOOL,
             )
         ],
     )

authentik/core/api/providers.py

@@ -1,6 +1,6 @@
 """Provider API Views"""
 from django.utils.translation import gettext_lazy as _
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
@@ -9,6 +9,7 @@ from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.models import Provider
 from authentik.lib.utils.reflection import all_subclasses
@@ -22,7 +23,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
 
     component = SerializerMethodField()
 
-    def get_component(self, obj: Provider):  # pragma: no cover
+    def get_component(self, obj: Provider) -> str:  # pragma: no cover
         """Get object component so that we know how to edit the object"""
         # pyright: reportGeneralTypeIssues=false
         if obj.__class__ == Provider:
@@ -48,6 +49,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
 class ProviderViewSet(
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
+    UsedByMixin,
     mixins.ListModelMixin,
     GenericViewSet,
 ):
@@ -63,10 +65,10 @@ class ProviderViewSet(
         "application__name",
     ]
 
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
         return Provider.objects.select_subclasses()
 
-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
     @action(detail=False, pagination_class=None, filter_backends=[])
     def types(self, request: Request) -> Response:
         """Get all creatable provider types"""

authentik/core/api/sources.py

@@ -1,7 +1,7 @@
 """Source API Views"""
 from typing import Iterable
 
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.request import Request
@@ -10,6 +10,7 @@ from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.models import Source
 from authentik.core.types import UserSettingSerializer
@@ -24,7 +25,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
 
     component = SerializerMethodField()
 
-    def get_component(self, obj: Source):
+    def get_component(self, obj: Source) -> str:
         """Get object component so that we know how to edit the object"""
         # pyright: reportGeneralTypeIssues=false
         if obj.__class__ == Source:
@@ -52,6 +53,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
 class SourceViewSet(
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
+    UsedByMixin,
     mixins.ListModelMixin,
     GenericViewSet,
 ):
@@ -61,10 +63,10 @@ class SourceViewSet(
     serializer_class = SourceSerializer
     lookup_field = "slug"
 
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
         return Source.objects.select_subclasses()
 
-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
     @action(detail=False, pagination_class=None, filter_backends=[])
     def types(self, request: Request) -> Response:
         """Get all creatable source types"""
@@ -87,7 +89,7 @@ class SourceViewSet(
             )
         return Response(TypeCreateSerializer(data, many=True).data)
 
-    @swagger_auto_schema(responses={200: UserSettingSerializer(many=True)})
+    @extend_schema(responses={200: UserSettingSerializer(many=True)})
     @action(detail=False, pagination_class=None, filter_backends=[])
     def user_settings(self, request: Request) -> Response:
         """Get all sources the user can configure"""

authentik/core/api/tokens.py

@@ -1,6 +1,6 @@
 """Tokens API Viewset"""
 from django.http.response import Http404
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField
 from rest_framework.request import Request
@@ -9,6 +9,7 @@ from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.decorators import permission_required
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import Token, TokenIntents
@@ -43,7 +44,7 @@ class TokenViewSerializer(PassiveSerializer):
     key = CharField(read_only=True)
 
 
-class TokenViewSet(ModelViewSet):
+class TokenViewSet(UsedByMixin, ModelViewSet):
     """Token Viewset"""
 
     lookup_field = "identifier"
@@ -67,10 +68,10 @@ class TokenViewSet(ModelViewSet):
         serializer.save(user=self.request.user, intent=TokenIntents.INTENT_API)
 
     @permission_required("authentik_core.view_token_key")
-    @swagger_auto_schema(
+    @extend_schema(
         responses={
             200: TokenViewSerializer(many=False),
-            404: "Token not found or expired",
+            404: OpenApiResponse(description="Token not found or expired"),
         }
     )
     @action(detail=True, pagination_class=None, filter_backends=[])

authentik/core/api/used_by.py

@@ -0,0 +1,102 @@
+"""used_by mixin"""
+from enum import Enum
+from inspect import getmembers
+
+from django.db.models.base import Model
+from django.db.models.deletion import SET_DEFAULT, SET_NULL
+from django.db.models.manager import Manager
+from drf_spectacular.utils import extend_schema
+from guardian.shortcuts import get_objects_for_user
+from rest_framework.decorators import action
+from rest_framework.fields import CharField, ChoiceField
+from rest_framework.request import Request
+from rest_framework.response import Response
+
+from authentik.core.api.utils import PassiveSerializer
+
+
+class DeleteAction(Enum):
+    """Which action a delete will have on a used object"""
+
+    CASCADE = "cascade"
+    CASCADE_MANY = "cascade_many"
+    SET_NULL = "set_null"
+    SET_DEFAULT = "set_default"
+
+
+class UsedBySerializer(PassiveSerializer):
+    """A list of all objects referencing the queried object"""
+
+    app = CharField()
+    model_name = CharField()
+    pk = CharField()
+    name = CharField()
+    action = ChoiceField(choices=[(x.name, x.name) for x in DeleteAction])
+
+
+def get_delete_action(manager: Manager) -> str:
+    """Get the delete action from the Foreign key, falls back to cascade"""
+    if hasattr(manager, "field"):
+        if manager.field.remote_field.on_delete.__name__ == SET_NULL.__name__:
+            return DeleteAction.SET_NULL.name
+        if manager.field.remote_field.on_delete.__name__ == SET_DEFAULT.__name__:
+            return DeleteAction.SET_DEFAULT.name
+    if hasattr(manager, "source_field"):
+        return DeleteAction.CASCADE_MANY.name
+    return DeleteAction.CASCADE.name
+
+
+class UsedByMixin:
+    """Mixin to add a used_by endpoint to return a list of all objects using this object"""
+
+    @extend_schema(
+        responses={200: UsedBySerializer(many=True)},
+    )
+    @action(detail=True, pagination_class=None, filter_backends=[])
+    # pylint: disable=invalid-name, unused-argument, too-many-locals
+    def used_by(self, request: Request, *args, **kwargs) -> Response:
+        """Get a list of all objects that use this object"""
+        # pyright: reportGeneralTypeIssues=false
+        model: Model = self.get_object()
+        used_by = []
+        shadows = []
+        for attr_name, manager in getmembers(model, lambda x: isinstance(x, Manager)):
+            if attr_name == "objects":  # pragma: no cover
+                continue
+            manager: Manager
+            if manager.model._meta.abstract:
+                continue
+            app = manager.model._meta.app_label
+            model_name = manager.model._meta.model_name
+            delete_action = get_delete_action(manager)
+
+            # To make sure we only apply shadows when there are any objects,
+            # but so we only apply them once, have a simple flag for the first object
+            first_object = True
+
+            for obj in get_objects_for_user(
+                request.user, f"{app}.view_{model_name}", manager
+            ).all():
+                # Only merge shadows on first object
+                if first_object:
+                    shadows += getattr(
+                        manager.model._meta, "authentik_used_by_shadows", []
+                    )
+                first_object = False
+                serializer = UsedBySerializer(
+                    data={
+                        "app": app,
+                        "model_name": model_name,
+                        "pk": str(obj.pk),
+                        "name": str(obj),
+                        "action": delete_action,
+                    }
+                )
+                serializer.is_valid()
+                used_by.append(serializer.data)
+        # Check the shadows map and remove anything that should be shadowed
+        for idx, user in enumerate(used_by):
+            full_model_name = f"{user['app']}.{user['model_name']}"
+            if full_model_name in shadows:
+                del used_by[idx]
+        return Response(used_by)

authentik/core/api/users.py

@@ -7,7 +7,7 @@ from django.urls import reverse_lazy
 from django.utils.http import urlencode
 from django_filters.filters import BooleanFilter, CharFilter
 from django_filters.filterset import FilterSet
-from drf_yasg.utils import swagger_auto_schema, swagger_serializer_method
+from drf_spectacular.utils import OpenApiResponse, extend_schema, extend_schema_field
 from guardian.utils import get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, JSONField, SerializerMethodField
@@ -25,6 +25,7 @@ from rest_framework_guardian.filters import ObjectPermissionsFilter
 from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
 from authentik.api.decorators import permission_required
 from authentik.core.api.groups import GroupSerializer
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import (
     SESSION_IMPERSONATE_ORIGINAL_USER,
@@ -32,7 +33,7 @@ from authentik.core.middleware import (
 )
 from authentik.core.models import Token, TokenIntents, User
 from authentik.events.models import EventAction
-from authentik.flows.models import Flow, FlowDesignation
+from authentik.tenants.models import Tenant
 
 
 class UserSerializer(ModelSerializer):
@@ -77,13 +78,13 @@ class UserMetricsSerializer(PassiveSerializer):
     logins_failed_per_1h = SerializerMethodField()
     authorizations_per_1h = SerializerMethodField()
 
-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
     def get_logins_per_1h(self, _):
         """Get successful logins per hour for the last 24 hours"""
         user = self.context["user"]
         return get_events_per_1h(action=EventAction.LOGIN, user__pk=user.pk)
 
-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
     def get_logins_failed_per_1h(self, _):
         """Get failed logins per hour for the last 24 hours"""
         user = self.context["user"]
@@ -91,7 +92,7 @@ class UserMetricsSerializer(PassiveSerializer):
             action=EventAction.LOGIN_FAILED, context__username=user.username
         )
 
-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
     def get_authorizations_per_1h(self, _):
         """Get failed logins per hour for the last 24 hours"""
         user = self.context["user"]
@@ -131,7 +132,7 @@ class UsersFilter(FilterSet):
         fields = ["username", "name", "is_active", "is_superuser", "attributes"]
 
 
-class UserViewSet(ModelViewSet):
+class UserViewSet(UsedByMixin, ModelViewSet):
     """User Viewset"""
 
     queryset = User.objects.none()
@@ -139,10 +140,10 @@ class UserViewSet(ModelViewSet):
     search_fields = ["username", "name", "is_active"]
     filterset_class = UsersFilter
 
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
         return User.objects.all().exclude(pk=get_anonymous_user().pk)
 
-    @swagger_auto_schema(responses={200: SessionUserSerializer(many=False)})
+    @extend_schema(responses={200: SessionUserSerializer(many=False)})
     @action(detail=False, pagination_class=None, filter_backends=[])
     # pylint: disable=invalid-name
     def me(self, request: Request) -> Response:
@@ -158,7 +159,7 @@ class UserViewSet(ModelViewSet):
         return Response(serializer.data)
 
     @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
-    @swagger_auto_schema(responses={200: UserMetricsSerializer(many=False)})
+    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
     @action(detail=True, pagination_class=None, filter_backends=[])
     # pylint: disable=invalid-name, unused-argument
     def metrics(self, request: Request, pk: int) -> Response:
@@ -169,15 +170,19 @@ class UserViewSet(ModelViewSet):
         return Response(serializer.data)
 
     @permission_required("authentik_core.reset_user_password")
-    @swagger_auto_schema(
+    @extend_schema(
-        responses={"200": LinkSerializer(many=False), "404": "No recovery flow found."},
+        responses={
+            "200": LinkSerializer(many=False),
+            "404": OpenApiResponse(description="No recovery flow found."),
+        },
     )
     @action(detail=True, pagination_class=None, filter_backends=[])
     # pylint: disable=invalid-name, unused-argument
     def recovery(self, request: Request, pk: int) -> Response:
         """Create a temporary link that a user can use to recover their accounts"""
+        tenant: Tenant = request._request.tenant
         # Check that there is a recovery flow, if not return an error
-        flow = Flow.with_policy(request, designation=FlowDesignation.RECOVERY)
+        flow = tenant.flow_recovery
         if not flow:
             raise Http404
         user: User = self.get_object()
@@ -188,7 +193,8 @@ class UserViewSet(ModelViewSet):
         )
         querystring = urlencode({"token": token.key})
         link = request.build_absolute_uri(
-            reverse_lazy("authentik_flows:default-recovery") + f"?{querystring}"
+            reverse_lazy("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
+            + f"?{querystring}"
         )
         return Response({"link": link})
 

authentik/core/api/utils.py

@@ -28,6 +28,9 @@ class PassiveSerializer(Serializer):
     ) -> Model:  # pragma: no cover
         return Model()
 
+    class Meta:
+        model = Model
+
 
 class MetaNameSerializer(PassiveSerializer):
     """Add verbose names to response"""

authentik/core/apps.py

@@ -2,6 +2,10 @@
 from importlib import import_module
 
 from django.apps import AppConfig
+from django.db import ProgrammingError
+
+from authentik.core.signals import GAUGE_MODELS
+from authentik.lib.utils.reflection import get_apps
 
 
 class AuthentikCoreConfig(AppConfig):
@@ -15,3 +19,12 @@ class AuthentikCoreConfig(AppConfig):
     def ready(self):
         import_module("authentik.core.signals")
         import_module("authentik.core.managed")
+        try:
+            for app in get_apps():
+                for model in app.get_models():
+                    GAUGE_MODELS.labels(
+                        model_name=model._meta.model_name,
+                        app=model._meta.app_label,
+                    ).set(model.objects.count())
+        except ProgrammingError:
+            pass

authentik/core/channels.py

@@ -4,7 +4,7 @@ from channels.generic.websocket import JsonWebsocketConsumer
 from rest_framework.exceptions import AuthenticationFailed
 from structlog.stdlib import get_logger
 
-from authentik.api.auth import token_from_header
+from authentik.api.authentication import token_from_header
 from authentik.core.models import User
 
 LOGGER = get_logger()

authentik/core/expression.py

@@ -3,23 +3,33 @@ from traceback import format_tb
 from typing import Optional
 
 from django.http import HttpRequest
+from guardian.utils import get_anonymous_user
 
-from authentik.core.models import User
+from authentik.core.models import PropertyMapping, User
 from authentik.events.models import Event, EventAction
 from authentik.lib.expression.evaluator import BaseEvaluator
+from authentik.policies.types import PolicyRequest
 
 
 class PropertyMappingEvaluator(BaseEvaluator):
     """Custom Evalautor that adds some different context variables."""
 
     def set_context(
-        self, user: Optional[User], request: Optional[HttpRequest], **kwargs
+        self,
+        user: Optional[User],
+        request: Optional[HttpRequest],
+        mapping: PropertyMapping,
+        **kwargs,
     ):
         """Update context with context from PropertyMapping's evaluate"""
+        req = PolicyRequest(user=get_anonymous_user())
+        req.obj = mapping
         if user:
+            req.user = user
             self._context["user"] = user
         if request:
-            self._context["request"] = request
+            req.http_request = request
+        self._context["request"] = req
         self._context.update(**kwargs)
 
     def handle_error(self, exc: Exception, expression_source: str):
@@ -30,9 +40,8 @@ class PropertyMappingEvaluator(BaseEvaluator):
             expression=expression_source,
             message=error_string,
         )
-        if "user" in self._context:
-            event.set_user(self._context["user"])
         if "request" in self._context:
-            event.from_http(self._context["request"])
+            req: PolicyRequest = self._context["request"]
+            event.from_http(req.http_request, req.user)
             return
         event.save()

authentik/core/middleware.py

@@ -26,6 +26,8 @@ class ImpersonateMiddleware:
 
         if SESSION_IMPERSONATE_USER in request.session:
             request.user = request.session[SESSION_IMPERSONATE_USER]
+            # Ensure that the user is active, otherwise nothing will work
+            request.user.is_active = True
 
         return self.get_response(request)
 
@@ -42,10 +44,14 @@ class RequestIDMiddleware:
         if not hasattr(request, "request_id"):
             request_id = uuid4().hex
             setattr(request, "request_id", request_id)
-            LOCAL.authentik = {"request_id": request_id}
+            LOCAL.authentik = {
+                "request_id": request_id,
+                "host": request.get_host(),
+            }
         response = self.get_response(request)
         response[RESPONSE_HEADER_ID] = request.request_id
         del LOCAL.authentik["request_id"]
+        del LOCAL.authentik["host"]
         return response
 
 
@@ -54,4 +60,5 @@ def structlog_add_request_id(logger: Logger, method_name: str, event_dict):
     """If threadlocal has authentik defined, add request_id to log"""
     if hasattr(LOCAL, "authentik"):
         event_dict["request_id"] = LOCAL.authentik.get("request_id", "")
+        event_dict["host"] = LOCAL.authentik.get("host", "")
     return event_dict

authentik/core/migrations/0021_alter_application_slug.py

@@ -0,0 +1,20 @@
+# Generated by Django 3.2.3 on 2021-05-14 08:48
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0020_source_user_matching_mode"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="application",
+            name="slug",
+            field=models.SlugField(
+                help_text="Internal application name, used in URLs.", unique=True
+            ),
+        ),
+    ]

authentik/core/migrations/0022_authenticatedsession.py

@@ -0,0 +1,63 @@
+# Generated by Django 3.2.3 on 2021-05-29 22:14
+
+import uuid
+
+import django.db.models.deletion
+from django.apps.registry import Apps
+from django.conf import settings
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+import authentik.core.models
+
+
+def migrate_sessions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
+    from django.contrib.sessions.backends.cache import KEY_PREFIX
+    from django.core.cache import cache
+
+    session_keys = cache.keys(KEY_PREFIX + "*")
+    cache.delete_many(session_keys)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0021_alter_application_slug"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AuthenticatedSession",
+            fields=[
+                (
+                    "expires",
+                    models.DateTimeField(
+                        default=authentik.core.models.default_token_duration
+                    ),
+                ),
+                ("expiring", models.BooleanField(default=True)),
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4, primary_key=True, serialize=False
+                    ),
+                ),
+                ("session_key", models.CharField(max_length=40)),
+                ("last_ip", models.TextField()),
+                ("last_user_agent", models.TextField(blank=True)),
+                ("last_used", models.DateTimeField(auto_now=True)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "abstract": False,
+            },
+        ),
+        migrations.RunPython(migrate_sessions),
+    ]

authentik/core/migrations/0023_alter_application_meta_launch_url.py

@@ -0,0 +1,23 @@
+# Generated by Django 3.2.3 on 2021-06-02 21:51
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0022_authenticatedsession"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="application",
+            name="meta_launch_url",
+            field=models.TextField(
+                blank=True,
+                default="",
+                validators=[django.core.validators.URLValidator()],
+            ),
+        ),
+    ]

authentik/core/migrations/0024_alter_token_identifier.py

@@ -0,0 +1,35 @@
+# Generated by Django 3.2.3 on 2021-06-03 09:33
+
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+from django.db.models import Count
+
+
+def fix_duplicates(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
+    Token = apps.get_model("authentik_core", "token")
+    identifiers = (
+        Token.objects.using(db_alias)
+        .values("identifier")
+        .annotate(identifier_count=Count("identifier"))
+        .filter(identifier_count__gt=1)
+    )
+    for ident in identifiers:
+        Token.objects.using(db_alias).filter(identifier=ident["identifier"]).delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0023_alter_application_meta_launch_url"),
+    ]
+
+    operations = [
+        migrations.RunPython(fix_duplicates),
+        migrations.AlterField(
+            model_name="token",
+            name="identifier",
+            field=models.SlugField(max_length=255, unique=True),
+        ),
+    ]

authentik/core/migrations/0025_alter_application_meta_icon.py

@@ -0,0 +1,20 @@
+# Generated by Django 3.2.3 on 2021-06-05 19:04
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0024_alter_token_identifier"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="application",
+            name="meta_icon",
+            field=models.FileField(
+                default=None, null=True, upload_to="application-icons/"
+            ),
+        ),
+    ]

authentik/core/models.py

@@ -5,9 +5,12 @@ from typing import Any, Optional, Type
 from urllib.parse import urlencode
 from uuid import uuid4
 
+import django.db.models.options as options
+from deepmerge import always_merger
 from django.conf import settings
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
+from django.core import validators
 from django.db import models
 from django.db.models import Q, QuerySet
 from django.http import HttpRequest
@@ -23,11 +26,11 @@ from structlog.stdlib import get_logger
 
 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.signals import password_changed
-from authentik.core.types import UILoginButton
+from authentik.core.types import UILoginButton, UserSettingSerializer
-from authentik.flows.challenge import Challenge
 from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.lib.models import CreatedUpdatedModel, SerializerModel
+from authentik.lib.utils.http import get_client_ip
 from authentik.managed.models import ManagedModel
 from authentik.policies.models import PolicyBindingModel
 
@@ -40,6 +43,9 @@ GRAVATAR_URL = "https://secure.gravatar.com"
 DEFAULT_AVATAR = static("dist/assets/images/user_default.png")
 
 
+options.DEFAULT_NAMES = options.DEFAULT_NAMES + ("authentik_used_by_shadows",)
+
+
 def default_token_duration():
     """Default duration a Token is valid"""
     return now() + timedelta(minutes=30)
@@ -109,8 +115,8 @@ class User(GuardianUserMixin, AbstractUser):
         including the users attributes"""
         final_attributes = {}
         for group in self.ak_groups.all().order_by("name"):
-            final_attributes.update(group.attributes)
+            always_merger.merge(final_attributes, group.attributes)
-        final_attributes.update(self.attributes)
+        always_merger.merge(final_attributes, self.attributes)
         return final_attributes
 
     @cached_property
@@ -137,21 +143,25 @@ class User(GuardianUserMixin, AbstractUser):
     @property
     def avatar(self) -> str:
         """Get avatar, depending on authentik.avatar setting"""
-        mode = CONFIG.raw.get("authentik").get("avatars")
+        mode: str = CONFIG.y("avatars", "none")
         if mode == "none":
             return DEFAULT_AVATAR
+        # gravatar uses md5 for their URLs, so md5 can't be avoided
+        mail_hash = md5(self.email.encode("utf-8")).hexdigest()  # nosec
         if mode == "gravatar":
             parameters = [
                 ("s", "158"),
                 ("r", "g"),
             ]
-            # gravatar uses md5 for their URLs, so md5 can't be avoided
-            mail_hash = md5(self.email.encode("utf-8")).hexdigest()  # nosec
             gravatar_url = (
                 f"{GRAVATAR_URL}/avatar/{mail_hash}?{urlencode(parameters, doseq=True)}"
             )
             return escape(gravatar_url)
-        raise ValueError(f"Invalid avatar mode {mode}")
+        return mode % {
+            "username": self.username,
+            "mail_hash": mail_hash,
+            "upn": self.attributes.get("upn", ""),
+        }
 
     class Meta:
 
@@ -207,17 +217,35 @@ class Application(PolicyBindingModel):
     add custom fields and other properties"""
 
     name = models.TextField(help_text=_("Application's display Name."))
-    slug = models.SlugField(help_text=_("Internal application name, used in URLs."))
+    slug = models.SlugField(
+        help_text=_("Internal application name, used in URLs."), unique=True
+    )
     provider = models.OneToOneField(
         "Provider", null=True, blank=True, default=None, on_delete=models.SET_DEFAULT
     )
 
-    meta_launch_url = models.URLField(default="", blank=True)
+    meta_launch_url = models.TextField(
+        default="", blank=True, validators=[validators.URLValidator()]
+    )
     # For template applications, this can be set to /static/authentik/applications/*
-    meta_icon = models.FileField(upload_to="application-icons/", default="", blank=True)
+    meta_icon = models.FileField(
+        upload_to="application-icons/", default=None, null=True
+    )
     meta_description = models.TextField(default="", blank=True)
     meta_publisher = models.TextField(default="", blank=True)
 
+    @property
+    def get_meta_icon(self) -> Optional[str]:
+        """Get the URL to the App Icon image. If the name is /static or starts with http
+        it is returned as-is"""
+        if not self.meta_icon:
+            return None
+        if self.meta_icon.name.startswith("http") or self.meta_icon.name.startswith(
+            "/static"
+        ):
+            return self.meta_icon.name
+        return self.meta_icon.url
+
     def get_launch_url(self) -> Optional[str]:
         """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
         if self.meta_launch_url:
@@ -322,9 +350,9 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
         return None
 
     @property
-    def ui_user_settings(self) -> Optional[Challenge]:
+    def ui_user_settings(self) -> Optional[UserSettingSerializer]:
         """Entrypoint to integrate with User settings. Can either return None if no
-        user settings are available, or a challenge."""
+        user settings are available, or UserSettingSerializer."""
         return None
 
     def __str__(self):
@@ -386,7 +414,7 @@ class Token(ManagedModel, ExpiringModel):
     """Token used to authenticate the User for API Access or confirm another Stage like Email."""
 
     token_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    identifier = models.SlugField(max_length=255)
+    identifier = models.SlugField(max_length=255, unique=True)
     key = models.TextField(default=default_token_key)
     intent = models.TextField(
         choices=TokenIntents.choices, default=TokenIntents.INTENT_VERIFICATION
@@ -437,7 +465,7 @@ class PropertyMapping(SerializerModel, ManagedModel):
         from authentik.core.expression import PropertyMappingEvaluator
 
         evaluator = PropertyMappingEvaluator()
-        evaluator.set_context(user, request, **kwargs)
+        evaluator.set_context(user, request, self, **kwargs)
         try:
             return evaluator.evaluate(self.expression)
         except (ValueError, SyntaxError) as exc:
@@ -450,3 +478,37 @@ class PropertyMapping(SerializerModel, ManagedModel):
 
         verbose_name = _("Property Mapping")
         verbose_name_plural = _("Property Mappings")
+
+
+class AuthenticatedSession(ExpiringModel):
+    """Additional session class for authenticated users. Augments the standard django session
+    to achieve the following:
+        - Make it queryable by user
+        - Have a direct connection to user objects
+        - Allow users to view their own sessions and terminate them
+        - Save structured and well-defined information.
+    """
+
+    uuid = models.UUIDField(default=uuid4, primary_key=True)
+
+    session_key = models.CharField(max_length=40)
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+
+    last_ip = models.TextField()
+    last_user_agent = models.TextField(blank=True)
+    last_used = models.DateTimeField(auto_now=True)
+
+    @staticmethod
+    def from_request(
+        request: HttpRequest, user: User
+    ) -> Optional["AuthenticatedSession"]:
+        """Create a new session from a http request"""
+        if not hasattr(request, "session") or not request.session.session_key:
+            return None
+        return AuthenticatedSession(
+            session_key=request.session.session_key,
+            user=user,
+            last_ip=get_client_ip(request),
+            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
+            expires=request.session.get_expiry_date(),
+        )

authentik/core/signals.py

@@ -1,20 +1,39 @@
 """authentik core signals"""
+from typing import TYPE_CHECKING, Type
+
+from django.contrib.auth.signals import user_logged_in, user_logged_out
+from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.core.signals import Signal
-from django.db.models.signals import post_save
+from django.db.models import Model
+from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
+from django.http.request import HttpRequest
+from prometheus_client import Gauge
 
 # Arguments: user: User, password: str
 password_changed = Signal()
 
+GAUGE_MODELS = Gauge(
+    "authentik_models", "Count of various objects", ["model_name", "app"]
+)
+
+if TYPE_CHECKING:
+    from authentik.core.models import AuthenticatedSession, User
+
 
 @receiver(post_save)
 # pylint: disable=unused-argument
-def post_save_application(sender, instance, created: bool, **_):
+def post_save_application(sender: type[Model], instance, created: bool, **_):
     """Clear user's application cache upon application creation"""
     from authentik.core.api.applications import user_app_cache_key
     from authentik.core.models import Application
 
+    GAUGE_MODELS.labels(
+        model_name=sender._meta.model_name,
+        app=sender._meta.app_label,
+    ).set(sender.objects.count())
+
     if sender != Application:
         return
     if not created:  # pragma: no cover
@@ -22,3 +41,39 @@ def post_save_application(sender, instance, created: bool, **_):
     # Also delete user application cache
     keys = cache.keys(user_app_cache_key("*"))
     cache.delete_many(keys)
+
+
+@receiver(user_logged_in)
+# pylint: disable=unused-argument
+def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
+    """Create an AuthenticatedSession from request"""
+    from authentik.core.models import AuthenticatedSession
+
+    session = AuthenticatedSession.from_request(request, user)
+    if session:
+        session.save()
+
+
+@receiver(user_logged_out)
+# pylint: disable=unused-argument
+def user_logged_out_session(sender, request: HttpRequest, user: "User", **_):
+    """Delete AuthenticatedSession if it exists"""
+    from authentik.core.models import AuthenticatedSession
+
+    AuthenticatedSession.objects.filter(
+        session_key=request.session.session_key
+    ).delete()
+
+
+@receiver(pre_delete)
+def authenticated_session_delete(
+    sender: Type[Model], instance: "AuthenticatedSession", **_
+):
+    """Delete session when authenticated session is deleted"""
+    from authentik.core.models import AuthenticatedSession
+
+    if sender != AuthenticatedSession:
+        return
+
+    cache_key = f"{KEY_PREFIX}{instance.session_key}"
+    cache.delete(cache_key)

authentik/core/sources/flow_manager.py

@@ -3,6 +3,7 @@ from enum import Enum
 from typing import Any, Optional, Type
 
 from django.contrib import messages
+from django.db import IntegrityError
 from django.db.models.query_utils import Q
 from django.http import HttpRequest, HttpResponse, HttpResponseBadRequest
 from django.shortcuts import redirect
@@ -32,6 +33,7 @@ from authentik.flows.planner import (
 from authentik.flows.views import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.utils import delete_none_keys
+from authentik.stages.password import BACKEND_DJANGO
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 
@@ -149,7 +151,11 @@ class SourceFlowManager:
 
     def get_flow(self, **kwargs) -> HttpResponse:
         """Get the flow response based on user_matching_mode"""
+        try:
             action, connection = self.get_action(**kwargs)
+        except IntegrityError as exc:
+            self._logger.warning("failed to get action", exc=exc)
+            return redirect("/")
         self._logger.debug("get_action() says", action=action, connection=connection)
         if connection:
             if action == Action.LINK:
@@ -177,6 +183,8 @@ class SourceFlowManager:
     # pylint: disable=unused-argument
     def get_stages_to_append(self, flow: Flow) -> list[Stage]:
         """Hook to override stages which are appended to the flow"""
+        if not self.source.enrollment_flow:
+            return []
         if flow.slug == self.source.enrollment_flow.slug:
             return [
                 in_memory_stage(PostUserEnrollmentStage),
@@ -193,7 +201,7 @@ class SourceFlowManager:
         kwargs.update(
             {
                 # Since we authenticate the user by their token, they have no backend set
-                PLAN_CONTEXT_AUTHENTICATION_BACKEND: "django.contrib.auth.backends.ModelBackend",
+                PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_DJANGO,
                 PLAN_CONTEXT_SSO: True,
                 PLAN_CONTEXT_SOURCE: self.source,
                 PLAN_CONTEXT_REDIRECT: final_redirect,
@@ -205,7 +213,7 @@ class SourceFlowManager:
         planner = FlowPlanner(flow)
         plan = planner.plan(self.request, kwargs)
         for stage in self.get_stages_to_append(flow):
-            plan.append(stage)
+            plan.append_stage(stage=stage)
         self.request.session[SESSION_KEY_PLAN] = plan
         return redirect_with_qs(
             "authentik_core:if-flow",

authentik/core/tasks.py

@@ -75,5 +75,6 @@ def backup_database(self: MonitoredTask):  # pragma: no cover
         Boto3Error,
         PermissionError,
         CommandConnectorError,
+        ValueError,
     ) as exc:
         self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))

authentik/core/templates/base/skeleton.html

@@ -7,8 +7,7 @@
     <head>
         <meta charset="UTF-8">
         <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        <title>{% block title %}{% trans title|default:config.authentik.branding.title %}{% endblock %}</title>
+        <title>{% block title %}{% trans title|default:tenant.branding_title %}{% endblock %}</title>
-        <link rel="icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}?v={{ ak_version }}">
         <link rel="shortcut icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}?v={{ ak_version }}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}?v={{ ak_version }}">
         <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}?v={{ ak_version }}">

authentik/core/templates/if/end_session.html

@@ -3,18 +3,8 @@
 {% load static %}
 {% load i18n %}
 
-{% block head %}
-{{ block.super }}
-<style>
-.pf-c-background-image::before {
-    background-image: url("{% static 'dist/assets/images/flow_background.jpg' %}");
-    background-position: center;
-}
-</style>
-{% endblock %}
-
 {% block title %}
-{% trans 'End session' %} - {{ config.authentik.branding.title }}
+{% trans 'End session' %} - {{ tenant.branding_title }}
 {% endblock %}
 
 {% block card_title %}

authentik/core/templates/if/flow.html

@@ -4,11 +4,18 @@
 {% load i18n %}
 
 {% block head_before %}
+{% if flow.compatibility_mode %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
+{% endif %}
 {% endblock %}
 
 {% block head %}
 <script src="{% static 'dist/FlowInterface.js' %}?v={{ ak_version }}" type="module"></script>
+<style>
+.pf-c-background-image::before {
+    --ak-flow-background: url("{{ flow.background_url }}");
+}
+</style>
 {% endblock %}
 
 {% block body %}

authentik/core/templates/login/base_full.html

@@ -7,6 +7,14 @@
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}?v={{ ak_version }}">
 {% endblock %}
 
+{% block head %}
+<style>
+.pf-c-background-image::before {
+    --ak-flow-background: url("/static/dist/assets/images/flow_background.jpg");
+}
+</style>
+{% endblock %}
+
 {% block body %}
 <div class="pf-c-background-image">
     <svg xmlns="http://www.w3.org/2000/svg" class="pf-c-background-image__filter" width="0" height="0">
@@ -26,10 +34,7 @@
     <div class="ak-login-container">
         <header class="pf-c-login__header">
             <div class="pf-c-brand ak-brand">
-                <img src="{{ config.authentik.branding.logo }}" alt="authentik icon" />
+                <img src="{{ tenant.branding_logo }}" alt="authentik icon" />
-                {% if config.authentik.branding.title_show %}
-                <p>{{ config.authentik.branding.title }}</p>
-                {% endif %}
             </div>
         </header>
         {% block main_container %}
@@ -49,12 +54,12 @@
         <footer class="pf-c-login__footer">
             <p></p>
             <ul class="pf-c-list pf-m-inline">
-                {% for link in config.authentik.footer_links %}
+                {% for link in footer_links %}
                 <li>
                     <a href="{{ link.href }}">{{ link.name }}</a>
                 </li>
                 {% endfor %}
-                {% if config.authentik.branding.title != "authentik" %}
+                {% if tenant.branding_title != "authentik" %}
                 <li>
                     <a href="https://goauthentik.io">
                         {% trans 'Powered by authentik' %}

authentik/core/tests/test_applications_api.py

@@ -32,14 +32,20 @@ class TestApplicationsAPI(APITestCase):
                 kwargs={"slug": self.allowed.slug},
             )
         )
-        self.assertEqual(response.status_code, 204)
+        self.assertEqual(response.status_code, 200)
+        self.assertJSONEqual(
+            force_str(response.content), {"messages": [], "passing": True}
+        )
         response = self.client.get(
             reverse(
                 "authentik_api:application-check-access",
                 kwargs={"slug": self.denied.slug},
             )
         )
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 200)
+        self.assertJSONEqual(
+            force_str(response.content), {"messages": ["dummy"], "passing": False}
+        )
 
     def test_list(self):
         """Test list operation without superuser_full_list"""

authentik/core/tests/test_authenticated_sessions_api.py

@@ -0,0 +1,31 @@
+"""Test AuthenticatedSessions API"""
+from json import loads
+
+from django.urls.base import reverse
+from django.utils.encoding import force_str
+from rest_framework.test import APITestCase
+
+from authentik.core.models import User
+
+
+class TestAuthenticatedSessionsAPI(APITestCase):
+    """Test AuthenticatedSessions API"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = User.objects.get(username="akadmin")
+        self.other_user = User.objects.create(username="normal-user")
+
+    def test_list(self):
+        """Test session list endpoint"""
+        self.client.force_login(self.user)
+        response = self.client.get(reverse("authentik_api:authenticatedsession-list"))
+        self.assertEqual(response.status_code, 200)
+
+    def test_non_admin_list(self):
+        """Test non-admin list"""
+        self.client.force_login(self.other_user)
+        response = self.client.get(reverse("authentik_api:authenticatedsession-list"))
+        self.assertEqual(response.status_code, 200)
+        body = loads(force_str(response.content))
+        self.assertEqual(body["pagination"]["count"], 1)

authentik/core/tests/test_impersonation.py

@@ -17,6 +17,9 @@ class TestImpersonation(TestCase):
 
     def test_impersonate_simple(self):
         """test simple impersonation and un-impersonation"""
+        # test with an inactive user to ensure that still works
+        self.other_user.is_active = False
+        self.other_user.save()
         self.client.force_login(self.akadmin)
 
         self.client.get(

authentik/core/tests/test_users_api.py

@@ -0,0 +1,29 @@
+"""Test Users API"""
+from django.urls.base import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import User
+
+
+class TestUsersAPI(APITestCase):
+    """Test Users API"""
+
+    def setUp(self) -> None:
+        self.admin = User.objects.get(username="akadmin")
+        self.user = User.objects.create(username="test-user")
+
+    def test_metrics(self):
+        """Test user's metrics"""
+        self.client.force_login(self.admin)
+        response = self.client.get(
+            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_metrics_denied(self):
+        """Test user's metrics (non-superuser)"""
+        self.client.force_login(self.user)
+        response = self.client.get(
+            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
+        )
+        self.assertEqual(response.status_code, 403)

authentik/core/types.py

@@ -2,7 +2,7 @@
 from dataclasses import dataclass
 from typing import Optional
 
-from rest_framework.fields import CharField, DictField
+from rest_framework.fields import CharField
 
 from authentik.core.api.utils import PassiveSerializer
 from authentik.flows.challenge import Challenge
@@ -22,17 +22,10 @@ class UILoginButton:
     icon_url: Optional[str] = None
 
 
-class UILoginButtonSerializer(PassiveSerializer):
-    """Serializer for Login buttons of sources"""
-
-    name = CharField()
-    challenge = DictField()
-    icon_url = CharField(required=False, allow_null=True)
-
-
 class UserSettingSerializer(PassiveSerializer):
     """Serializer for User settings for stages and sources"""
 
     object_uid = CharField()
     component = CharField()
     title = CharField()
+    configure_url = CharField(required=False)

authentik/core/urls.py

@@ -6,6 +6,8 @@ from django.views.generic import RedirectView
 from django.views.generic.base import TemplateView
 
 from authentik.core.views import impersonate
+from authentik.core.views.interface import FlowInterfaceView
+from authentik.core.views.session import EndSessionView
 
 urlpatterns = [
     path(
@@ -32,7 +34,18 @@ urlpatterns = [
     ),
     path(
         "if/flow/<slug:flow_slug>/",
-        ensure_csrf_cookie(TemplateView.as_view(template_name="if/flow.html")),
+        ensure_csrf_cookie(FlowInterfaceView.as_view()),
         name="if-flow",
     ),
+    path(
+        "if/session-end/<slug:application_slug>/",
+        ensure_csrf_cookie(EndSessionView.as_view()),
+        name="if-session-end",
+    ),
+    # Fallback for WS
+    path("ws/outpost/<uuid:pk>/", TemplateView.as_view(template_name="if/admin.html")),
+    path(
+        "ws/client/",
+        TemplateView.as_view(template_name="if/admin.html"),
+    ),
 ]

authentik/core/views/interface.py

@@ -0,0 +1,17 @@
+"""Interface views"""
+from typing import Any
+
+from django.shortcuts import get_object_or_404
+from django.views.generic.base import TemplateView
+
+from authentik.flows.models import Flow
+
+
+class FlowInterfaceView(TemplateView):
+    """Flow interface"""
+
+    template_name = "if/flow.html"
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        return super().get_context_data(**kwargs)

authentik/core/views/session.py

@@ -1,22 +1,24 @@
-"""authentik OAuth2 Session Views"""
+"""authentik Session Views"""
 from typing import Any
 
 from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView
 
 from authentik.core.models import Application
+from authentik.policies.views import PolicyAccessView
 
 
-class EndSessionView(TemplateView):
+class EndSessionView(TemplateView, PolicyAccessView):
     """Allow the client to end the Session"""
 
-    template_name = "providers/oauth2/end_session.html"
+    template_name = "if/end_session.html"
 
-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+    def resolve_provider_application(self):
-        context = super().get_context_data(**kwargs)
+        self.application = get_object_or_404(
-
-        context["application"] = get_object_or_404(
             Application, slug=self.kwargs["application_slug"]
         )
 
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        context = super().get_context_data(**kwargs)
+        context["application"] = self.application
         return context

authentik/crypto/api.py

@@ -1,10 +1,14 @@
 """Crypto API Views"""
-import django_filters
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import load_pem_x509_certificate
+from django.http.response import HttpResponse
+from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
-from drf_yasg.utils import swagger_auto_schema
+from django_filters import FilterSet
+from django_filters.filters import BooleanFilter
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import (
     CharField,
@@ -18,6 +22,7 @@ from rest_framework.serializers import ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.decorators import permission_required
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import PassiveSerializer
 from authentik.crypto.builder import CertificateBuilder
 from authentik.crypto.models import CertificateKeyPair
@@ -31,6 +36,9 @@ class CertificateKeyPairSerializer(ModelSerializer):
     cert_subject = SerializerMethodField()
     private_key_available = SerializerMethodField()
 
+    certificate_download_url = SerializerMethodField()
+    private_key_download_url = SerializerMethodField()
+
     def get_cert_subject(self, instance: CertificateKeyPair) -> str:
         """Get certificate subject as full rfc4514"""
         return instance.certificate.subject.rfc4514_string()
@@ -39,6 +47,26 @@ class CertificateKeyPairSerializer(ModelSerializer):
         """Show if this keypair has a private key configured or not"""
         return instance.key_data != "" and instance.key_data is not None
 
+    def get_certificate_download_url(self, instance: CertificateKeyPair) -> str:
+        """Get URL to download certificate"""
+        return (
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={"pk": instance.pk},
+            )
+            + "?download"
+        )
+
+    def get_private_key_download_url(self, instance: CertificateKeyPair) -> str:
+        """Get URL to download private key"""
+        return (
+            reverse(
+                "authentik_api:certificatekeypair-view-private-key",
+                kwargs={"pk": instance.pk},
+            )
+            + "?download"
+        )
+
     def validate_certificate_data(self, value: str) -> str:
         """Verify that input is a valid PEM x509 Certificate"""
         try:
@@ -75,6 +103,8 @@ class CertificateKeyPairSerializer(ModelSerializer):
             "cert_expiry",
             "cert_subject",
             "private_key_available",
+            "certificate_download_url",
+            "private_key_download_url",
         ]
         extra_kwargs = {
             "key_data": {"write_only": True},
@@ -98,10 +128,10 @@ class CertificateGenerationSerializer(PassiveSerializer):
     validity_days = IntegerField(initial=365)
 
 
-class CertificateKeyPairFilter(django_filters.FilterSet):
+class CertificateKeyPairFilter(FilterSet):
     """Filter for certificates"""
 
-    has_key = django_filters.BooleanFilter(
+    has_key = BooleanFilter(
         label="Only return certificate-key pairs with keys", method="filter_has_key"
     )
 
@@ -115,7 +145,7 @@ class CertificateKeyPairFilter(django_filters.FilterSet):
         fields = ["name"]
 
 
-class CertificateKeyPairViewSet(ModelViewSet):
+class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
     """CertificateKeyPair Viewset"""
 
     queryset = CertificateKeyPair.objects.all()
@@ -123,9 +153,12 @@ class CertificateKeyPairViewSet(ModelViewSet):
     filterset_class = CertificateKeyPairFilter
 
     @permission_required(None, ["authentik_crypto.add_certificatekeypair"])
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=CertificateGenerationSerializer(),
+        request=CertificateGenerationSerializer(),
-        responses={200: CertificateKeyPairSerializer, 400: "Bad request"},
+        responses={
+            200: CertificateKeyPairSerializer,
+            400: OpenApiResponse(description="Bad request"),
+        },
     )
     @action(detail=False, methods=["POST"])
     def generate(self, request: Request) -> Response:
@@ -145,7 +178,16 @@ class CertificateKeyPairViewSet(ModelViewSet):
         serializer = self.get_serializer(instance)
         return Response(serializer.data)
 
-    @swagger_auto_schema(responses={200: CertificateDataSerializer(many=False)})
+    @extend_schema(
+        parameters=[
+            OpenApiParameter(
+                name="download",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+            )
+        ],
+        responses={200: CertificateDataSerializer(many=False)},
+    )
     @action(detail=True, pagination_class=None, filter_backends=[])
     # pylint: disable=invalid-name, unused-argument
     def view_certificate(self, request: Request, pk: str) -> Response:
@@ -156,11 +198,29 @@ class CertificateKeyPairViewSet(ModelViewSet):
             secret=certificate,
             type="certificate",
         ).from_http(request)
+        if "download" in request._request.GET:
+            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
+            response = HttpResponse(
+                certificate.certificate_data, content_type="application/x-pem-file"
+            )
+            response[
+                "Content-Disposition"
+            ] = f'attachment; filename="{certificate.name}_certificate.pem"'
+            return response
         return Response(
             CertificateDataSerializer({"data": certificate.certificate_data}).data
         )
 
-    @swagger_auto_schema(responses={200: CertificateDataSerializer(many=False)})
+    @extend_schema(
+        parameters=[
+            OpenApiParameter(
+                name="download",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+            )
+        ],
+        responses={200: CertificateDataSerializer(many=False)},
+    )
     @action(detail=True, pagination_class=None, filter_backends=[])
     # pylint: disable=invalid-name, unused-argument
     def view_private_key(self, request: Request, pk: str) -> Response:
@@ -171,4 +231,13 @@ class CertificateKeyPairViewSet(ModelViewSet):
             secret=certificate,
             type="private_key",
         ).from_http(request)
+        if "download" in request._request.GET:
+            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
+            response = HttpResponse(
+                certificate.key_data, content_type="application/x-pem-file"
+            )
+            response[
+                "Content-Disposition"
+            ] = f'attachment; filename="{certificate.name}_private_key.pem"'
+            return response
         return Response(CertificateDataSerializer({"data": certificate.key_data}).data)

authentik/crypto/models.py

@@ -55,11 +55,16 @@ class CertificateKeyPair(CreatedUpdatedModel):
     def private_key(self) -> Optional[RSAPrivateKey]:
         """Get python cryptography PrivateKey instance"""
         if not self._private_key and self._private_key != "":
+            try:
                 self._private_key = load_pem_private_key(
-                str.encode("\n".join([x.strip() for x in self.key_data.split("\n")])),
+                    str.encode(
+                        "\n".join([x.strip() for x in self.key_data.split("\n")])
+                    ),
                     password=None,
                     backend=default_backend(),
                 )
+            except ValueError:
+                return None
         return self._private_key
 
     @property

authentik/crypto/tests.py

@@ -2,10 +2,16 @@
 import datetime
 
 from django.test import TestCase
+from django.urls import reverse
 
+from authentik.core.api.used_by import DeleteAction
+from authentik.core.models import User
 from authentik.crypto.api import CertificateKeyPairSerializer
 from authentik.crypto.builder import CertificateBuilder
 from authentik.crypto.models import CertificateKeyPair
+from authentik.flows.models import Flow
+from authentik.providers.oauth2.generators import generate_client_secret
+from authentik.providers.oauth2.models import OAuth2Provider
 
 
 class TestCrypto(TestCase):
@@ -47,3 +53,77 @@ class TestCrypto(TestCase):
         now = datetime.datetime.today()
         self.assertEqual(instance.name, "test-cert")
         self.assertEqual((instance.certificate.not_valid_after - now).days, 2)
+
+    def test_certificate_download(self):
+        """Test certificate export (download)"""
+        self.client.force_login(User.objects.get(username="akadmin"))
+        keypair = CertificateKeyPair.objects.first()
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(200, response.status_code)
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={"pk": keypair.pk},
+            )
+            + "?download",
+        )
+        self.assertEqual(200, response.status_code)
+        self.assertIn("Content-Disposition", response)
+
+    def test_private_key_download(self):
+        """Test private_key export (download)"""
+        self.client.force_login(User.objects.get(username="akadmin"))
+        keypair = CertificateKeyPair.objects.first()
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-private-key",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(200, response.status_code)
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-private-key",
+                kwargs={"pk": keypair.pk},
+            )
+            + "?download",
+        )
+        self.assertEqual(200, response.status_code)
+        self.assertIn("Content-Disposition", response)
+
+    def test_used_by(self):
+        """Test used_by endpoint"""
+        self.client.force_login(User.objects.get(username="akadmin"))
+        keypair = CertificateKeyPair.objects.first()
+        provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id="test",
+            client_secret=generate_client_secret(),
+            authorization_flow=Flow.objects.first(),
+            redirect_uris="http://localhost",
+            rsa_key=CertificateKeyPair.objects.first(),
+        )
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-used-by",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(200, response.status_code)
+        self.assertJSONEqual(
+            response.content.decode(),
+            [
+                {
+                    "app": "authentik_providers_oauth2",
+                    "model_name": "oauth2provider",
+                    "pk": str(provider.pk),
+                    "name": str(provider),
+                    "action": DeleteAction.SET_NULL.name,
+                }
+            ],
+        )

authentik/events/api/event.py

@@ -2,14 +2,15 @@
 import django_filters
 from django.db.models.aggregates import Count
 from django.db.models.fields.json import KeyTextTransform
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, DictField, IntegerField
+from rest_framework.fields import DictField, IntegerField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import ReadOnlyModelViewSet
+from rest_framework.viewsets import ModelViewSet
 
 from authentik.core.api.utils import PassiveSerializer, TypeCreateSerializer
 from authentik.events.models import Event, EventAction
@@ -18,11 +19,6 @@ from authentik.events.models import Event, EventAction
 class EventSerializer(ModelSerializer):
     """Event Serializer"""
 
-    # Since we only use this serializer for read-only operations,
-    # no checking of the action is done here.
-    # This allows clients to check wildcards, prefixes and custom types
-    action = CharField()
-
     class Meta:
 
         model = Event
@@ -35,15 +31,10 @@ class EventSerializer(ModelSerializer):
             "client_ip",
             "created",
             "expires",
+            "tenant",
         ]
 
 
-class EventTopPerUserParams(PassiveSerializer):
-    """Query params for top_per_user"""
-
-    top_n = IntegerField(default=15)
-
-
 class EventTopPerUserSerializer(PassiveSerializer):
     """Response object of Event's top_per_user"""
 
@@ -81,6 +72,11 @@ class EventsFilter(django_filters.FilterSet):
         field_name="action",
         lookup_expr="icontains",
     )
+    tenant_name = django_filters.CharFilter(
+        field_name="tenant",
+        lookup_expr="name",
+        label="Tenant name",
+    )
 
     # pylint: disable=unused-argument
     def filter_context_model_pk(self, queryset, name, value):
@@ -95,7 +91,7 @@ class EventsFilter(django_filters.FilterSet):
         fields = ["action", "client_ip", "username"]
 
 
-class EventViewSet(ReadOnlyModelViewSet):
+class EventViewSet(ModelViewSet):
     """Event Read-Only Viewset"""
 
     queryset = Event.objects.all()
@@ -111,12 +107,19 @@ class EventViewSet(ReadOnlyModelViewSet):
     ]
     filterset_class = EventsFilter
 
-    @swagger_auto_schema(
+    @extend_schema(
-        method="GET",
+        methods=["GET"],
         responses={200: EventTopPerUserSerializer(many=True)},
-        query_serializer=EventTopPerUserParams,
+        parameters=[
+            OpenApiParameter(
+                "top_n",
+                type=OpenApiTypes.INT,
+                location=OpenApiParameter.QUERY,
+                required=False,
             )
-    @action(detail=False, methods=["GET"])
+        ],
+    )
+    @action(detail=False, methods=["GET"], pagination_class=None)
     def top_per_user(self, request: Request):
         """Get the top_n events grouped by user count"""
         filtered_action = request.query_params.get("action", EventAction.LOGIN)
@@ -134,7 +137,7 @@ class EventViewSet(ReadOnlyModelViewSet):
             .order_by("-counted_events")[:top_n]
         )
 
-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
     @action(detail=False, pagination_class=None, filter_backends=[])
     def actions(self, request: Request) -> Response:
         """Get all actions"""

authentik/events/api/notification.py

@@ -1,10 +1,13 @@
 """Notification API Views"""
-from guardian.utils import get_anonymous_user
+from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework import mixins
 from rest_framework.fields import ReadOnlyField
+from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 
+from authentik.api.authorization import OwnerFilter, OwnerPermissions
+from authentik.core.api.used_by import UsedByMixin
 from authentik.events.api.event import EventSerializer
 from authentik.events.models import Notification
 
@@ -33,6 +36,7 @@ class NotificationViewSet(
     mixins.RetrieveModelMixin,
     mixins.UpdateModelMixin,
     mixins.DestroyModelMixin,
+    UsedByMixin,
     mixins.ListModelMixin,
     GenericViewSet,
 ):
@@ -47,7 +51,5 @@ class NotificationViewSet(
         "event",
         "seen",
     ]
-
+    permission_classes = [OwnerPermissions]
-    def get_queryset(self):
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
-        user = self.request.user if self.request else get_anonymous_user()
-        return Notification.objects.filter(user=user.pk)

authentik/events/api/notification_rule.py

@@ -2,26 +2,30 @@
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.core.api.groups import GroupSerializer
+from authentik.core.api.used_by import UsedByMixin
 from authentik.events.models import NotificationRule
 
 
 class NotificationRuleSerializer(ModelSerializer):
     """NotificationRule Serializer"""
 
+    group_obj = GroupSerializer(read_only=True, source="group")
+
     class Meta:
 
         model = NotificationRule
-        depth = 2
         fields = [
             "pk",
             "name",
             "transports",
             "severity",
             "group",
+            "group_obj",
         ]
 
 
-class NotificationRuleViewSet(ModelViewSet):
+class NotificationRuleViewSet(UsedByMixin, ModelViewSet):
     """NotificationRule Viewset"""
 
     queryset = NotificationRule.objects.all()

authentik/events/api/notification_transport.py

@@ -1,5 +1,6 @@
 """NotificationTransport API Views"""
-from drf_yasg.utils import no_body, swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.request import Request
@@ -8,6 +9,7 @@ from rest_framework.serializers import ModelSerializer, Serializer
 from rest_framework.viewsets import ModelViewSet
 
 from authentik.api.decorators import permission_required
+from authentik.core.api.used_by import UsedByMixin
 from authentik.events.models import (
     Notification,
     NotificationSeverity,
@@ -22,7 +24,7 @@ class NotificationTransportSerializer(ModelSerializer):
 
     mode_verbose = SerializerMethodField()
 
-    def get_mode_verbose(self, instance: NotificationTransport):
+    def get_mode_verbose(self, instance: NotificationTransport) -> str:
         """Return selected mode with a UI Label"""
         return TransportMode(instance.mode).label
 
@@ -51,19 +53,19 @@ class NotificationTransportTestSerializer(Serializer):
         raise NotImplementedError
 
 
-class NotificationTransportViewSet(ModelViewSet):
+class NotificationTransportViewSet(UsedByMixin, ModelViewSet):
     """NotificationTransport Viewset"""
 
     queryset = NotificationTransport.objects.all()
     serializer_class = NotificationTransportSerializer
 
     @permission_required("authentik_events.change_notificationtransport")
-    @swagger_auto_schema(
+    @extend_schema(
         responses={
             200: NotificationTransportTestSerializer(many=False),
-            503: "Failed to test transport",
+            500: OpenApiResponse(description="Failed to test transport"),
         },
-        request_body=no_body,
+        request=OpenApiTypes.NONE,
     )
     @action(detail=True, pagination_class=None, filter_backends=[], methods=["post"])
     # pylint: disable=invalid-name, unused-argument
@@ -83,4 +85,4 @@ class NotificationTransportViewSet(ModelViewSet):
             response.is_valid()
             return Response(response.data)
         except NotificationTransportError as exc:
-            return Response(str(exc.__cause__ or None), status=503)
+            return Response(str(exc.__cause__ or None), status=500)

authentik/events/apps.py

@@ -1,7 +1,10 @@
 """authentik events app"""
+from datetime import timedelta
 from importlib import import_module
 
 from django.apps import AppConfig
+from django.db import ProgrammingError
+from django.utils.timezone import now
 
 
 class AuthentikEventsConfig(AppConfig):
@@ -13,3 +16,12 @@ class AuthentikEventsConfig(AppConfig):
 
     def ready(self):
         import_module("authentik.events.signals")
+        try:
+            from authentik.events.models import Event
+
+            date_from = now() - timedelta(days=1)
+
+            for event in Event.objects.filter(created__gte=date_from):
+                event._set_prom_metrics()
+        except ProgrammingError:
+            pass

authentik/events/geo.py

@@ -1,7 +1,12 @@
 """events GeoIP Reader"""
-from typing import Optional
+from datetime import datetime
+from os import stat
+from time import time
+from typing import Optional, TypedDict
 
 from geoip2.database import Reader
+from geoip2.errors import GeoIP2Error
+from geoip2.models import City
 from structlog.stdlib import get_logger
 
 from authentik.lib.config import CONFIG
@@ -9,17 +14,78 @@ from authentik.lib.config import CONFIG
 LOGGER = get_logger()
 
 
-def get_geoip_reader() -> Optional[Reader]:
+class GeoIPDict(TypedDict):
+    """GeoIP Details"""
+
+    continent: str
+    country: str
+    lat: float
+    long: float
+    city: str
+
+
+class GeoIPReader:
+    """Slim wrapper around GeoIP API"""
+
+    __reader: Optional[Reader] = None
+    __last_mtime: float = 0.0
+
+    def __init__(self):
+        self.__open()
+
+    def __open(self):
         """Get GeoIP Reader, if configured, otherwise none"""
         path = CONFIG.y("authentik.geoip")
         if path == "" or not path:
-        return None
+            return
         try:
             reader = Reader(path)
-        LOGGER.info("Enabled GeoIP support")
+            self.__reader = reader
-        return reader
+            self.__last_mtime = stat(path).st_mtime
-    except OSError:
+            LOGGER.info("Loaded GeoIP database", last_write=self.__last_mtime)
+        except OSError as exc:
+            LOGGER.warning("Failed to load GeoIP database", exc=exc)
+
+    def __check_expired(self):
+        """Check if the geoip database has been opened longer than 8 hours,
+        and re-open it, as it will probably will have been re-downloaded"""
+        now = time()
+        diff = datetime.fromtimestamp(now) - datetime.fromtimestamp(self.__last_mtime)
+        diff_hours = diff.total_seconds() // 3600
+        if diff_hours >= 8:
+            LOGGER.info("GeoIP databased loaded too long, re-opening", diff=diff)
+            self.__open()
+
+    @property
+    def enabled(self) -> bool:
+        """Check if GeoIP is enabled"""
+        return bool(self.__reader)
+
+    def city(self, ip_address: str) -> Optional[City]:
+        """Wrapper for Reader.city"""
+        if not self.enabled:
+            return None
+        self.__check_expired()
+        try:
+            return self.__reader.city(ip_address)
+        except (GeoIP2Error, ValueError):
             return None
 
+    def city_dict(self, ip_address: str) -> Optional[GeoIPDict]:
+        """Wrapper for self.city that returns a dict"""
+        city = self.city(ip_address)
+        if not city:
+            return None
+        city_dict: GeoIPDict = {
+            "continent": city.continent.code,
+            "country": city.country.iso_code,
+            "lat": city.location.latitude,
+            "long": city.location.longitude,
+            "city": "",
+        }
+        if city.city.name:
+            city_dict["city"] = city.city.name
+        return city_dict
 
-GEOIP_READER = get_geoip_reader()
+
+GEOIP_READER = GeoIPReader()

authentik/events/middleware.py

@@ -2,6 +2,7 @@
 from functools import partial
 from typing import Callable
 
+from django.conf import settings
 from django.db.models import Model
 from django.db.models.signals import post_save, pre_delete
 from django.http import HttpRequest, HttpResponse
@@ -12,6 +13,8 @@ from authentik.core.models import User
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.signals import EventNewThread
 from authentik.events.utils import model_to_dict
+from authentik.lib.sentry import before_send
+from authentik.lib.utils.errors import exception_to_string
 
 
 class AuditMiddleware:
@@ -54,10 +57,20 @@ class AuditMiddleware:
 
     # pylint: disable=unused-argument
     def process_exception(self, request: HttpRequest, exception: Exception):
-        """Unregister handlers in case of exception"""
+        """Disconnect handlers in case of exception"""
         post_save.disconnect(dispatch_uid=LOCAL.authentik["request_id"])
         pre_delete.disconnect(dispatch_uid=LOCAL.authentik["request_id"])
 
+        if settings.DEBUG:
+            return
+        if before_send({}, {"exc_info": (None, exception, None)}) is not None:
+            thread = EventNewThread(
+                EventAction.SYSTEM_EXCEPTION,
+                request,
+                message=exception_to_string(exception),
+            )
+            thread.run()
+
     @staticmethod
     # pylint: disable=unused-argument
     def post_save_handler(

authentik/events/migrations/0015_alter_event_action.py

@@ -0,0 +1,45 @@
+# Generated by Django 3.2.3 on 2021-06-09 07:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0014_expiry"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="event",
+            name="action",
+            field=models.TextField(
+                choices=[
+                    ("login", "Login"),
+                    ("login_failed", "Login Failed"),
+                    ("logout", "Logout"),
+                    ("user_write", "User Write"),
+                    ("suspicious_request", "Suspicious Request"),
+                    ("password_set", "Password Set"),
+                    ("secret_view", "Secret View"),
+                    ("invitation_used", "Invite Used"),
+                    ("authorize_application", "Authorize Application"),
+                    ("source_linked", "Source Linked"),
+                    ("impersonation_started", "Impersonation Started"),
+                    ("impersonation_ended", "Impersonation Ended"),
+                    ("policy_execution", "Policy Execution"),
+                    ("policy_exception", "Policy Exception"),
+                    ("property_mapping_exception", "Property Mapping Exception"),
+                    ("system_task_execution", "System Task Execution"),
+                    ("system_task_exception", "System Task Exception"),
+                    ("configuration_error", "Configuration Error"),
+                    ("model_created", "Model Created"),
+                    ("model_updated", "Model Updated"),
+                    ("model_deleted", "Model Deleted"),
+                    ("email_sent", "Email Sent"),
+                    ("update_available", "Update Available"),
+                    ("custom_", "Custom Prefix"),
+                ]
+            ),
+        ),
+    ]

authentik/events/migrations/0016_add_tenant.py

@@ -0,0 +1,55 @@
+# Generated by Django 3.2.4 on 2021-06-14 15:33
+
+from django.db import migrations, models
+
+import authentik.events.models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0015_alter_event_action"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="event",
+            name="tenant",
+            field=models.JSONField(
+                blank=True, default=authentik.events.models.default_tenant
+            ),
+        ),
+        migrations.AlterField(
+            model_name="event",
+            name="action",
+            field=models.TextField(
+                choices=[
+                    ("login", "Login"),
+                    ("login_failed", "Login Failed"),
+                    ("logout", "Logout"),
+                    ("user_write", "User Write"),
+                    ("suspicious_request", "Suspicious Request"),
+                    ("password_set", "Password Set"),
+                    ("secret_view", "Secret View"),
+                    ("invitation_used", "Invite Used"),
+                    ("authorize_application", "Authorize Application"),
+                    ("source_linked", "Source Linked"),
+                    ("impersonation_started", "Impersonation Started"),
+                    ("impersonation_ended", "Impersonation Ended"),
+                    ("policy_execution", "Policy Execution"),
+                    ("policy_exception", "Policy Exception"),
+                    ("property_mapping_exception", "Property Mapping Exception"),
+                    ("system_task_execution", "System Task Execution"),
+                    ("system_task_exception", "System Task Exception"),
+                    ("system_exception", "System Exception"),
+                    ("configuration_error", "Configuration Error"),
+                    ("model_created", "Model Created"),
+                    ("model_updated", "Model Updated"),
+                    ("model_deleted", "Model Deleted"),
+                    ("email_sent", "Email Sent"),
+                    ("update_available", "Update Available"),
+                    ("custom_", "Custom Prefix"),
+                ]
+            ),
+        ),
+    ]

authentik/events/models.py

@@ -10,7 +10,7 @@ from django.db import models
 from django.http import HttpRequest
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from geoip2.errors import GeoIP2Error
+from prometheus_client import Gauge
 from requests import RequestException, post
 from structlog.stdlib import get_logger
 
@@ -21,13 +21,19 @@ from authentik.core.middleware import (
 )
 from authentik.core.models import ExpiringModel, Group, User
 from authentik.events.geo import GEOIP_READER
-from authentik.events.utils import cleanse_dict, get_user, sanitize_dict
+from authentik.events.utils import cleanse_dict, get_user, model_to_dict, sanitize_dict
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.http import get_client_ip
 from authentik.policies.models import PolicyBindingModel
 from authentik.stages.email.utils import TemplateEmailMessage
+from authentik.tenants.utils import DEFAULT_TENANT
 
 LOGGER = get_logger("authentik.events")
+GAUGE_EVENTS = Gauge(
+    "authentik_events",
+    "Events in authentik",
+    ["action", "user_username", "app", "client_ip"],
+)
 
 
 def default_event_duration():
@@ -35,6 +41,11 @@ def default_event_duration():
     return now() + timedelta(days=365)
 
 
+def default_tenant():
+    """Get a default value for tenant"""
+    return sanitize_dict(model_to_dict(DEFAULT_TENANT))
+
+
 class NotificationTransportError(SentryIgnoredException):
     """Error raised when a notification fails to be delivered"""
 
@@ -66,12 +77,14 @@ class EventAction(models.TextChoices):
 
     SYSTEM_TASK_EXECUTION = "system_task_execution"
     SYSTEM_TASK_EXCEPTION = "system_task_exception"
+    SYSTEM_EXCEPTION = "system_exception"
 
     CONFIGURATION_ERROR = "configuration_error"
 
     MODEL_CREATED = "model_created"
     MODEL_UPDATED = "model_updated"
     MODEL_DELETED = "model_deleted"
+    EMAIL_SENT = "email_sent"
 
     UPDATE_AVAILABLE = "update_available"
 
@@ -88,6 +101,7 @@ class Event(ExpiringModel):
     context = models.JSONField(default=dict, blank=True)
     client_ip = models.GenericIPAddressField(null=True)
     created = models.DateTimeField(auto_now_add=True)
+    tenant = models.JSONField(default=default_tenant, blank=True)
 
     # Shadow the expires attribute from ExpiringModel to override the default duration
     expires = models.DateTimeField(default=default_event_duration)
@@ -126,6 +140,13 @@ class Event(ExpiringModel):
         """Add data from a Django-HttpRequest, allowing the creation of
         Events independently from requests.
         `user` arguments optionally overrides user from requests."""
+        if request:
+            self.context["http_request"] = {
+                "path": request.get_full_path(),
+                "method": request.method,
+            }
+        if hasattr(request, "tenant"):
+            self.tenant = sanitize_dict(model_to_dict(request.tenant))
         if hasattr(request, "user"):
             original_user = None
             if hasattr(request, "session"):
@@ -143,7 +164,7 @@ class Event(ExpiringModel):
                     request.session[SESSION_IMPERSONATE_USER]
                 )
         # User 255.255.255.255 as fallback if IP cannot be determined
-        self.client_ip = get_client_ip(request) or "255.255.255.255"
+        self.client_ip = get_client_ip(request)
         # Apply GeoIP Data, when enabled
         self.with_geoip()
         # If there's no app set, we get it from the requests too
@@ -152,22 +173,20 @@ class Event(ExpiringModel):
         self.save()
         return self
 
-    def with_geoip(self):
+    def with_geoip(self):  # pragma: no cover
         """Apply GeoIP Data, when enabled"""
-        if not GEOIP_READER:
+        city = GEOIP_READER.city_dict(self.client_ip)
+        if not city:
             return
-        try:
+        self.context["geo"] = city
-            response = GEOIP_READER.city(self.client_ip)
+
-            self.context["geo"] = {
+    def _set_prom_metrics(self):
-                "continent": response.continent.code,
+        GAUGE_EVENTS.labels(
-                "country": response.country.iso_code,
+            action=self.action,
-                "lat": response.location.latitude,
+            user_username=self.user.get("username"),
-                "long": response.location.longitude,
+            app=self.app,
-            }
+            client_ip=self.client_ip,
-            if response.city.name:
+        ).set(self.created.timestamp())
-                self.context["geo"]["city"] = response.city.name
-        except GeoIP2Error as exc:
-            LOGGER.warning("Failed to add geoIP Data to event", exc=exc)
 
     def save(self, *args, **kwargs):
         if self._state.adding:
@@ -178,7 +197,8 @@ class Event(ExpiringModel):
                 client_ip=self.client_ip,
                 user=self.user,
             )
-        return super().save(*args, **kwargs)
+        super().save(*args, **kwargs)
+        self._set_prom_metrics()
 
     @property
     def summary(self) -> str:

authentik/events/monitored_tasks.py

@@ -2,14 +2,22 @@
 from dataclasses import dataclass, field
 from datetime import datetime
 from enum import Enum
+from timeit import default_timer
 from traceback import format_tb
 from typing import Any, Optional
 
 from celery import Task
 from django.core.cache import cache
+from prometheus_client import Gauge
 
 from authentik.events.models import Event, EventAction
 
+GAUGE_TASKS = Gauge(
+    "authentik_system_tasks",
+    "System tasks and their status",
+    ["task_name", "task_uid", "status"],
+)
+
 
 class TaskResultStatus(Enum):
     """Possible states of tasks"""
@@ -43,7 +51,9 @@ class TaskInfo:
     """Info about a task run"""
 
     task_name: str
-    finish_timestamp: datetime
+    start_timestamp: float
+    finish_timestamp: float
+    finish_time: datetime
 
     result: TaskResult
 
@@ -73,12 +83,28 @@ class TaskInfo:
         """Delete task info from cache"""
         return cache.delete(f"task_{self.task_name}")
 
+    def set_prom_metrics(self):
+        """Update prometheus metrics"""
+        start = default_timer()
+        if hasattr(self, "start_timestamp"):
+            start = self.start_timestamp
+        try:
+            duration = max(self.finish_timestamp - start, 0)
+        except TypeError:
+            duration = 0
+        GAUGE_TASKS.labels(
+            task_name=self.task_name,
+            task_uid=self.result.uid or "",
+            status=self.result.status,
+        ).set(duration)
+
     def save(self, timeout_hours=6):
         """Save task into cache"""
         key = f"task_{self.task_name}"
         if self.result.uid:
             key += f"_{self.result.uid}"
             self.task_name += f"_{self.result.uid}"
+        self.set_prom_metrics()
         cache.set(key, self, timeout=timeout_hours * 60 * 60)
 
 
@@ -98,6 +124,7 @@ class MonitoredTask(Task):
         self._uid = None
         self._result = TaskResult(status=TaskResultStatus.ERROR, messages=[])
         self.result_timeout_hours = 6
+        self.start = default_timer()
 
     def set_uid(self, uid: str):
         """Set UID, so in the case of an unexpected error its saved correctly"""
@@ -117,7 +144,9 @@ class MonitoredTask(Task):
             TaskInfo(
                 task_name=self.__name__,
                 task_description=self.__doc__,
-                finish_timestamp=datetime.now(),
+                start_timestamp=self.start,
+                finish_timestamp=default_timer(),
+                finish_time=datetime.now(),
                 result=self._result,
                 task_call_module=self.__module__,
                 task_call_func=self.__name__,
@@ -133,7 +162,9 @@ class MonitoredTask(Task):
         TaskInfo(
             task_name=self.__name__,
             task_description=self.__doc__,
-            finish_timestamp=datetime.now(),
+            start_timestamp=self.start,
+            finish_timestamp=default_timer(),
+            finish_time=datetime.now(),
             result=self._result,
             task_call_module=self.__module__,
             task_call_func=self.__name__,
@@ -151,3 +182,7 @@ class MonitoredTask(Task):
 
     def run(self, *args, **kwargs):
         raise NotImplementedError
+
+
+for task in TaskInfo.all().values():
+    task.set_prom_metrics()

authentik/events/tasks.py

@@ -105,7 +105,11 @@ def notification_transport(
     """Send notification over specified transport"""
     self.save_on_success = False
     try:
-        notification: Notification = Notification.objects.get(pk=notification_pk)
+        notification: Notification = Notification.objects.filter(
+            pk=notification_pk
+        ).first()
+        if not notification:
+            return
         transport: NotificationTransport = NotificationTransport.objects.get(
             pk=transport_pk
         )

authentik/events/tests/test_geoip.py

@@ -0,0 +1,26 @@
+"""Test GeoIP Wrapper"""
+from django.test import TestCase
+
+from authentik.events.geo import GeoIPReader
+
+
+class TestGeoIP(TestCase):
+    """Test GeoIP Wrapper"""
+
+    def setUp(self) -> None:
+        self.reader = GeoIPReader()
+
+    def test_simple(self):
+        """Test simple city wrapper"""
+        # IPs from
+        # https://github.com/maxmind/MaxMind-DB/blob/main/source-data/GeoLite2-City-Test.json
+        self.assertEqual(
+            self.reader.city_dict("2.125.160.216"),
+            {
+                "city": "Boxford",
+                "continent": "EU",
+                "country": "GB",
+                "lat": 51.75,
+                "long": -1.25,
+            },
+        )

authentik/flows/api/bindings.py

@@ -2,6 +2,7 @@
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 
+from authentik.core.api.used_by import UsedByMixin
 from authentik.flows.api.stages import StageSerializer
 from authentik.flows.models import FlowStageBinding
 
@@ -24,10 +25,11 @@ class FlowStageBindingSerializer(ModelSerializer):
             "re_evaluate_policies",
             "order",
             "policy_engine_mode",
+            "invalid_response_action",
         ]
 
 
-class FlowStageBindingViewSet(ModelViewSet):
+class FlowStageBindingViewSet(UsedByMixin, ModelViewSet):
     """FlowStageBinding Viewset"""
 
     queryset = FlowStageBinding.objects.all()

authentik/flows/api/flows.py

@@ -6,10 +6,11 @@ from django.db.models import Model
 from django.http.response import HttpResponseBadRequest, JsonResponse
 from django.urls import reverse
 from django.utils.translation import gettext as _
-from drf_yasg import openapi
+from drf_spectacular.types import OpenApiTypes
-from drf_yasg.utils import no_body, swagger_auto_schema
+from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
+from rest_framework.fields import BooleanField, FileField, ReadOnlyField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -23,6 +24,7 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 
 from authentik.api.decorators import permission_required
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import CacheSerializer, LinkSerializer
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow
@@ -41,10 +43,18 @@ class FlowSerializer(ModelSerializer):
 
     cache_count = SerializerMethodField()
 
-    def get_cache_count(self, flow: Flow):
+    background = ReadOnlyField(source="background_url")
+
+    export_url = SerializerMethodField()
+
+    def get_cache_count(self, flow: Flow) -> int:
         """Get count of cached flows"""
         return len(cache.keys(f"{cache_key(flow)}*"))
 
+    def get_export_url(self, flow: Flow) -> str:
+        """Get export URL for flow"""
+        return reverse("authentik_api:flow-export", kwargs={"slug": flow.slug})
+
     class Meta:
 
         model = Flow
@@ -60,7 +70,12 @@ class FlowSerializer(ModelSerializer):
             "policies",
             "cache_count",
             "policy_engine_mode",
+            "compatibility_mode",
+            "export_url",
         ]
+        extra_kwargs = {
+            "background": {"read_only": True},
+        }
 
 
 class FlowDiagramSerializer(Serializer):
@@ -87,7 +102,7 @@ class DiagramElement:
         return f"{self.identifier}=>{self.type}: {self.rest}"
 
 
-class FlowViewSet(ModelViewSet):
+class FlowViewSet(UsedByMixin, ModelViewSet):
     """Flow Viewset"""
 
     queryset = Flow.objects.all()
@@ -97,16 +112,19 @@ class FlowViewSet(ModelViewSet):
     filterset_fields = ["flow_uuid", "name", "slug", "designation"]
 
     @permission_required(None, ["authentik_flows.view_flow_cache"])
-    @swagger_auto_schema(responses={200: CacheSerializer(many=False)})
+    @extend_schema(responses={200: CacheSerializer(many=False)})
     @action(detail=False, pagination_class=None, filter_backends=[])
     def cache_info(self, request: Request) -> Response:
         """Info about cached flows"""
         return Response(data={"count": len(cache.keys("flow_*"))})
 
     @permission_required(None, ["authentik_flows.clear_flow_cache"])
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=no_body,
+        request=OpenApiTypes.NONE,
-        responses={204: "Successfully cleared cache", 400: "Bad request"},
+        responses={
+            204: OpenApiResponse(description="Successfully cleared cache"),
+            400: OpenApiResponse(description="Bad request"),
+        },
     )
     @action(detail=False, methods=["POST"])
     def cache_clear(self, request: Request) -> Response:
@@ -133,17 +151,16 @@ class FlowViewSet(ModelViewSet):
             "authentik_stages_prompt.change_prompt",
         ],
     )
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=no_body,
+        request={
-        manual_parameters=[
+            "multipart/form-data": inline_serializer(
-            openapi.Parameter(
+                "SetIcon", fields={"file": FileField()}
-                name="file",
-                in_=openapi.IN_FORM,
-                type=openapi.TYPE_FILE,
-                required=True,
             )
-        ],
+        },
-        responses={204: "Successfully imported flow", 400: "Bad request"},
+        responses={
+            204: OpenApiResponse(description="Successfully imported flow"),
+            400: OpenApiResponse(description="Bad request"),
+        },
     )
     @action(detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
     def import_flow(self, request: Request) -> Response:
@@ -157,8 +174,8 @@ class FlowViewSet(ModelViewSet):
             return HttpResponseBadRequest()
         successful = importer.apply()
         if not successful:
-            return Response(status=204)
             return HttpResponseBadRequest()
+        return Response(status=204)
 
     @permission_required(
         "authentik_flows.export_flow",
@@ -171,11 +188,9 @@ class FlowViewSet(ModelViewSet):
             "authentik_stages_prompt.view_prompt",
         ],
     )
-    @swagger_auto_schema(
+    @extend_schema(
         responses={
-            "200": openapi.Response(
+            "200": OpenApiResponse(response=OpenApiTypes.BINARY),
-                "File Attachment", schema=openapi.Schema(type=openapi.TYPE_FILE)
-            ),
         },
     )
     @action(detail=True, pagination_class=None, filter_backends=[])
@@ -188,7 +203,7 @@ class FlowViewSet(ModelViewSet):
         response["Content-Disposition"] = f'attachment; filename="{flow.slug}.akflow"'
         return response
 
-    @swagger_auto_schema(responses={200: FlowDiagramSerializer()})
+    @extend_schema(responses={200: FlowDiagramSerializer()})
     @action(detail=True, pagination_class=None, filter_backends=[], methods=["get"])
     # pylint: disable=unused-argument
     def diagram(self, request: Request, slug: str) -> Response:
@@ -210,6 +225,7 @@ class FlowViewSet(ModelViewSet):
                     request.user, "authentik_policies.view_policybinding"
                 )
                 .filter(target=stage_binding)
+                .exclude(policy__isnull=True)
                 .order_by("order")
             ):
                 body.append(
@@ -258,17 +274,20 @@ class FlowViewSet(ModelViewSet):
         return Response({"diagram": diagram})
 
     @permission_required("authentik_flows.change_flow")
-    @swagger_auto_schema(
+    @extend_schema(
-        request_body=no_body,
+        request={
-        manual_parameters=[
+            "multipart/form-data": inline_serializer(
-            openapi.Parameter(
+                "SetIcon",
-                name="file",
+                fields={
-                in_=openapi.IN_FORM,
+                    "file": FileField(required=False),
-                type=openapi.TYPE_FILE,
+                    "clear": BooleanField(default=False),
-                required=True,
+                },
             )
-        ],
+        },
-        responses={200: "Success", 400: "Bad request"},
+        responses={
+            200: OpenApiResponse(description="Success"),
+            400: OpenApiResponse(description="Bad request"),
+        },
     )
     @action(
         detail=True,
@@ -280,16 +299,53 @@ class FlowViewSet(ModelViewSet):
     # pylint: disable=unused-argument
     def set_background(self, request: Request, slug: str):
         """Set Flow background"""
-        app: Flow = self.get_object()
+        flow: Flow = self.get_object()
-        icon = request.FILES.get("file", None)
+        background = request.FILES.get("file", None)
-        if not icon:
+        clear = request.data.get("clear", "false").lower() == "true"
+        if clear:
+            if flow.background_url.startswith("/media"):
+                # .delete() saves the model by default
+                flow.background.delete()
+            else:
+                flow.background = None
+                flow.save()
+            return Response({})
+        if background:
+            flow.background = background
+            flow.save()
+            return Response({})
         return HttpResponseBadRequest()
-        app.background = icon
+
-        app.save()
+    @permission_required("authentik_core.change_application")
+    @extend_schema(
+        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
+        responses={
+            200: OpenApiResponse(description="Success"),
+            400: OpenApiResponse(description="Bad request"),
+        },
+    )
+    @action(
+        detail=True,
+        pagination_class=None,
+        filter_backends=[],
+        methods=["POST"],
+    )
+    # pylint: disable=unused-argument
+    def set_background_url(self, request: Request, slug: str):
+        """Set Flow background (as URL)"""
+        flow: Flow = self.get_object()
+        url = request.data.get("url", None)
+        if not url:
+            return HttpResponseBadRequest()
+        flow.background.name = url
+        flow.save()
         return Response({})
 
-    @swagger_auto_schema(
+    @extend_schema(
-        responses={200: LinkSerializer(many=False), 400: "Flow not applicable"},
+        responses={
+            200: LinkSerializer(many=False),
+            400: OpenApiResponse(description="Flow not applicable"),
+        },
     )
     @action(detail=True, pagination_class=None, filter_backends=[])
     # pylint: disable=unused-argument

authentik/flows/api/stages.py

@@ -1,16 +1,17 @@
 """Flow Stage API Views"""
 from typing import Iterable
 
-from drf_yasg.utils import swagger_auto_schema
+from django.urls.base import reverse
+from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
 
+from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import MetaNameSerializer, TypeCreateSerializer
 from authentik.core.types import UserSettingSerializer
 from authentik.flows.api.flows import FlowSerializer
@@ -20,12 +21,6 @@ from authentik.lib.utils.reflection import all_subclasses
 LOGGER = get_logger()
 
 
-class StageUserSettingSerializer(UserSettingSerializer):
-    """User settings but can include a configure flow"""
-
-    configure_flow = BooleanField(required=False)
-
-
 class StageSerializer(ModelSerializer, MetaNameSerializer):
     """Stage Serializer"""
 
@@ -55,6 +50,7 @@ class StageSerializer(ModelSerializer, MetaNameSerializer):
 class StageViewSet(
     mixins.RetrieveModelMixin,
     mixins.DestroyModelMixin,
+    UsedByMixin,
     mixins.ListModelMixin,
     GenericViewSet,
 ):
@@ -65,10 +61,10 @@ class StageViewSet(
     search_fields = ["name"]
     filterset_fields = ["name"]
 
-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
         return Stage.objects.select_subclasses()
 
-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
     @action(detail=False, pagination_class=None, filter_backends=[])
     def types(self, request: Request) -> Response:
         """Get all creatable stage types"""
@@ -86,7 +82,7 @@ class StageViewSet(
         data = sorted(data, key=lambda x: x["name"])
         return Response(TypeCreateSerializer(data, many=True).data)
 
-    @swagger_auto_schema(responses={200: StageUserSettingSerializer(many=True)})
+    @extend_schema(responses={200: UserSettingSerializer(many=True)})
     @action(detail=False, pagination_class=None, filter_backends=[])
     def user_settings(self, request: Request) -> Response:
         """Get all stages the user can configure"""
@@ -97,9 +93,10 @@ class StageViewSet(
             if not user_settings:
                 continue
             user_settings.initial_data["object_uid"] = str(stage.pk)
-            if hasattr(stage, "configure_flow"):
+            if hasattr(stage, "configure_flow") and stage.configure_flow:
-                user_settings.initial_data["configure_flow"] = bool(
+                user_settings.initial_data["configure_url"] = reverse(
-                    stage.configure_flow
+                    "authentik_flows:configure",
+                    kwargs={"stage_uuid": stage.pk},
                 )
             if not user_settings.is_valid():
                 LOGGER.warning(user_settings.errors)

authentik/flows/apps.py

@@ -2,6 +2,9 @@
 from importlib import import_module
 
 from django.apps import AppConfig
+from django.db.utils import ProgrammingError
+
+from authentik.lib.utils.reflection import all_subclasses
 
 
 class AuthentikFlowsConfig(AppConfig):
@@ -14,3 +17,10 @@ class AuthentikFlowsConfig(AppConfig):
 
     def ready(self):
         import_module("authentik.flows.signals")
+        try:
+            from authentik.flows.models import Stage
+
+            for stage in all_subclasses(Stage):
+                _ = stage().type
+        except ProgrammingError:
+            pass

authentik/flows/challenge.py

@@ -28,6 +28,14 @@ class ErrorDetailSerializer(PassiveSerializer):
     code = CharField()
 
 
+class ContextualFlowInfo(PassiveSerializer):
+    """Contextual flow information for a challenge"""
+
+    title = CharField(required=False, allow_blank=True)
+    background = CharField(required=False)
+    cancel_url = CharField()
+
+
 class Challenge(PassiveSerializer):
     """Challenge that gets sent to the client based on which stage
     is currently active"""
@@ -35,9 +43,8 @@ class Challenge(PassiveSerializer):
     type = ChoiceField(
         choices=[(x.value, x.name) for x in ChallengeTypes],
     )
-    component = CharField(required=False)
+    flow_info = ContextualFlowInfo(required=False)
-    title = CharField(required=False)
+    component = CharField(default="")
-    background = CharField(required=False)
 
     response_errors = DictField(
         child=ErrorDetailSerializer(many=True), allow_empty=True, required=False
@@ -48,18 +55,20 @@ class RedirectChallenge(Challenge):
     """Challenge type to redirect the client"""
 
     to = CharField()
+    component = CharField(default="xak-flow-redirect")
 
 
 class ShellChallenge(Challenge):
-    """Legacy challenge type to render HTML as-is"""
+    """challenge type to render HTML as-is"""
 
     body = CharField()
+    component = CharField(default="xak-flow-shell")
 
 
 class WithUserInfoChallenge(Challenge):
     """Challenge base which shows some user info"""
 
-    pending_user = CharField()
+    pending_user = CharField(allow_blank=True)
     pending_user_avatar = CharField()
 
 
@@ -67,6 +76,7 @@ class AccessDeniedChallenge(Challenge):
     """Challenge when a flow's active stage calls `stage_invalid()`."""
 
     error_message = CharField(required=False)
+    component = CharField(default="ak-stage-access-denied")
 
 
 class PermissionSerializer(PassiveSerializer):
@@ -80,6 +90,7 @@ class ChallengeResponse(PassiveSerializer):
     """Base class for all challenge responses"""
 
     stage: Optional["StageView"]
+    component = CharField(default="xak-flow-response-default")
 
     def __init__(self, instance=None, data=None, **kwargs):
         self.stage = kwargs.pop("stage", None)

authentik/flows/markers.py

@@ -5,8 +5,7 @@ from typing import TYPE_CHECKING, Optional
 from django.http.request import HttpRequest
 from structlog.stdlib import get_logger
 
-from authentik.core.models import User
+from authentik.flows.models import FlowStageBinding
-from authentik.flows.models import Stage
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.models import PolicyBinding
 
@@ -22,11 +21,14 @@ class StageMarker:
 
     # pylint: disable=unused-argument
     def process(
-        self, plan: "FlowPlan", stage: Stage, http_request: Optional[HttpRequest]
+        self,
-    ) -> Optional[Stage]:
+        plan: "FlowPlan",
+        binding: FlowStageBinding,
+        http_request: HttpRequest,
+    ) -> Optional[FlowStageBinding]:
         """Process callback for this marker. This should be overridden by sub-classes.
         If a stage should be removed, return None."""
-        return stage
+        return binding
 
 
 @dataclass
@@ -34,24 +36,34 @@ class ReevaluateMarker(StageMarker):
     """Reevaluate Marker, forces stage's policies to be evaluated again."""
 
     binding: PolicyBinding
-    user: User
 
     def process(
-        self, plan: "FlowPlan", stage: Stage, http_request: Optional[HttpRequest]
+        self,
-    ) -> Optional[Stage]:
+        plan: "FlowPlan",
+        binding: FlowStageBinding,
+        http_request: HttpRequest,
+    ) -> Optional[FlowStageBinding]:
         """Re-evaluate policies bound to stage, and if they fail, remove from plan"""
-        engine = PolicyEngine(self.binding, self.user)
+        from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
+
+        LOGGER.debug(
+            "f(plan_inst)[re-eval marker]: running re-evaluation",
+            binding=binding,
+            policy_binding=self.binding,
+        )
+        engine = PolicyEngine(
+            self.binding, plan.context.get(PLAN_CONTEXT_PENDING_USER, http_request.user)
+        )
         engine.use_cache = False
-        if http_request:
         engine.request.set_http_request(http_request)
         engine.request.context = plan.context
         engine.build()
         result = engine.result
         if result.passing:
-            return stage
+            return binding
         LOGGER.warning(
-            "f(plan_inst)[re-eval marker]: stage failed re-evaluation",
+            "f(plan_inst)[re-eval marker]: binding failed re-evaluation",
-            stage=stage,
+            binding=binding,
             messages=result.messages,
         )
         return None

authentik/flows/migrations/0008_default_flows.py

@@ -6,6 +6,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 
 from authentik.flows.models import FlowDesignation
 from authentik.stages.identification.models import UserFields
+from authentik.stages.password import BACKEND_DJANGO, BACKEND_LDAP
 
 
 def create_default_authentication_flow(
@@ -31,7 +32,7 @@ def create_default_authentication_flow(
 
     password_stage, _ = PasswordStage.objects.using(db_alias).update_or_create(
         name="default-authentication-password",
-        defaults={"backends": ["django.contrib.auth.backends.ModelBackend"]},
+        defaults={"backends": [BACKEND_DJANGO, BACKEND_LDAP]},
     )
 
     login_stage, _ = UserLoginStage.objects.using(db_alias).update_or_create(

authentik/flows/migrations/0018_oob_flows.py

@@ -15,13 +15,10 @@ PREFILL_POLICY_EXPRESSION = """# This policy sets the user for the currently run
 # by injecting "pending_user"
 akadmin = ak_user_by(username="akadmin")
 context["pending_user"] = akadmin
-# We're also setting the backend for the user, so we can
-# directly login without having to identify again
-context["user_backend"] = "django.contrib.auth.backends.ModelBackend"
 return True"""
 
 
-def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+def create_default_oobe_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
     from authentik.stages.prompt.models import FieldTypes
 
     User = apps.get_model("authentik_core", "User")
@@ -52,20 +49,20 @@ def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)
 
     # Create a policy that sets the flow's user
     prefill_policy, _ = ExpressionPolicy.objects.using(db_alias).update_or_create(
-        name="default-oob-prefill-user",
+        name="default-oobe-prefill-user",
         defaults={"expression": PREFILL_POLICY_EXPRESSION},
     )
     password_usable_policy, _ = ExpressionPolicy.objects.using(
         db_alias
     ).update_or_create(
-        name="default-oob-password-usable",
+        name="default-oobe-password-usable",
         defaults={"expression": PW_USABLE_POLICY_EXPRESSION},
     )
 
     prompt_header, _ = Prompt.objects.using(db_alias).update_or_create(
-        field_key="oob-header-text",
+        field_key="oobe-header-text",
         defaults={
-            "label": "oob-header-text",
+            "label": "oobe-header-text",
             "type": FieldTypes.STATIC,
             "placeholder": "Welcome to authentik! Please set a password for the default admin user, akadmin.",
             "order": 100,
@@ -84,7 +81,7 @@ def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)
     password_second = Prompt.objects.using(db_alias).get(field_key="password_repeat")
 
     prompt_stage, _ = PromptStage.objects.using(db_alias).update_or_create(
-        name="default-oob-password",
+        name="default-oobe-password",
     )
     prompt_stage.fields.set(
         [prompt_header, prompt_email, password_first, password_second]
@@ -102,7 +99,7 @@ def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)
         slug="initial-setup",
         designation=FlowDesignation.STAGE_CONFIGURATION,
         defaults={
-            "name": "default-oob-setup",
+            "name": "default-oobe-setup",
             "title": "Welcome to authentik!",
         },
     )
@@ -138,7 +135,7 @@ class Migration(migrations.Migration):
 
     dependencies = [
         ("authentik_flows", "0017_auto_20210329_1334"),
-        ("authentik_stages_user_write", "__latest__"),
+        ("authentik_stages_user_write", "0002_auto_20200918_1653"),
         ("authentik_stages_user_login", "__latest__"),
         ("authentik_stages_password", "0002_passwordstage_change_flow"),
         ("authentik_policies", "0001_initial"),
@@ -146,5 +143,5 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RunPython(create_default_oob_flow),
+        migrations.RunPython(create_default_oobe_flow),
     ]

authentik/flows/migrations/0019_alter_flow_background.py

@@ -0,0 +1,23 @@
+# Generated by Django 3.2.3 on 2021-06-05 17:34
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0018_oob_flows"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="flow",
+            name="background",
+            field=models.FileField(
+                default=None,
+                help_text="Background shown during execution",
+                null=True,
+                upload_to="flow-backgrounds/",
+            ),
+        ),
+    ]

authentik/flows/migrations/0020_flow_compatibility_mode.py

@@ -0,0 +1,21 @@
+# Generated by Django 3.2.3 on 2021-06-05 17:56
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0019_alter_flow_background"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="flow",
+            name="compatibility_mode",
+            field=models.BooleanField(
+                default=True,
+                help_text="Enable compatibility mode, increases compatibility with password managers on mobile devices.",
+            ),
+        ),
+    ]

authentik/flows/migrations/0021_flowstagebinding_invalid_response_action.py

@@ -0,0 +1,22 @@
+# Generated by Django 3.2.4 on 2021-06-27 16:20
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0020_flow_compatibility_mode"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="flowstagebinding",
+            name="invalid_response_action",
+            field=models.TextField(
+                choices=[("retry", "Retry"), ("continue", "Continue")],
+                default="retry",
+                help_text="Configure how the flow executor should handle an invalid response to a challenge. RETRY returns the error message and a similar challenge to the executor while CONTINUE continues with the next stage.",
+            ),
+        ),
+    ]

authentik/flows/models.py

@@ -27,6 +27,14 @@ class NotConfiguredAction(models.TextChoices):
     CONFIGURE = "configure"
 
 
+class InvalidResponseAction(models.TextChoices):
+    """Configure how the flow executor should handle invalid responses to challenges"""
+
+    RETRY = "retry"
+    RESTART = "restart"
+    RESTART_WITH_CONTEXT = "restart_with_context"
+
+
 class FlowDesignation(models.TextChoices):
     """Designation of what a Flow should be used for. At a later point, this
     should be replaced by a database entry."""
@@ -72,7 +80,7 @@ class Stage(SerializerModel):
     def __str__(self):
         if hasattr(self, "__in_memory_type"):
             return f"In-memory Stage {getattr(self, '__in_memory_type')}"
-        return self.name
+        return f"Stage {self.name}"
 
 
 def in_memory_stage(view: Type["StageView"]) -> Stage:
@@ -110,11 +118,31 @@ class Flow(SerializerModel, PolicyBindingModel):
 
     background = models.FileField(
         upload_to="flow-backgrounds/",
-        default="../static/dist/assets/images/flow_background.jpg",
+        default=None,
-        blank=True,
+        null=True,
         help_text=_("Background shown during execution"),
     )
 
+    compatibility_mode = models.BooleanField(
+        default=True,
+        help_text=_(
+            "Enable compatibility mode, increases compatibility with "
+            "password managers on mobile devices."
+        ),
+    )
+
+    @property
+    def background_url(self) -> str:
+        """Get the URL to the background image. If the name is /static or starts with http
+        it is returned as-is"""
+        if not self.background:
+            return "/static/dist/assets/images/flow_background.jpg"
+        if self.background.name.startswith("http") or self.background.name.startswith(
+            "/static"
+        ):
+            return self.background.name
+        return self.background.url
+
     stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)
 
     @property
@@ -142,11 +170,6 @@ class Flow(SerializerModel, PolicyBindingModel):
         LOGGER.debug("with_policy: no flow found", filters=flow_filter)
         return None
 
-    def related_flow(self, designation: str, request: HttpRequest) -> Optional["Flow"]:
-        """Get a related flow with `designation`. Currently this only queries
-        Flows by `designation`, but will eventually use `self` for related lookups."""
-        return Flow.with_policy(request, designation=designation)
-
     def __str__(self) -> str:
         return f"Flow {self.name} ({self.slug})"
 
@@ -186,6 +209,17 @@ class FlowStageBinding(SerializerModel, PolicyBindingModel):
         help_text=_("Evaluate policies when the Stage is present to the user."),
     )
 
+    invalid_response_action = models.TextField(
+        choices=InvalidResponseAction.choices,
+        default=InvalidResponseAction.RETRY,
+        help_text=_(
+            "Configure how the flow executor should handle an invalid response to a "
+            "challenge. RETRY returns the error message and a similar challenge to the "
+            "executor. RESTART restarts the flow from the beginning, and RESTART_WITH_CONTEXT "
+            "restarts the flow while keeping the current context."
+        ),
+    )
+
     order = models.IntegerField()
 
     objects = InheritanceManager()
@@ -197,7 +231,7 @@ class FlowStageBinding(SerializerModel, PolicyBindingModel):
         return FlowStageBindingSerializer
 
     def __str__(self) -> str:
-        return f"{self.target} #{self.order}"
+        return f"Flow-stage binding #{self.order} to {self.target}"
 
     class Meta:
 

authentik/flows/planner.py

@@ -4,6 +4,7 @@ from typing import Any, Optional
 
 from django.core.cache import cache
 from django.http import HttpRequest
+from prometheus_client import Histogram
 from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
@@ -13,7 +14,9 @@ from authentik.events.models import cleanse_dict
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import Flow, FlowStageBinding, Stage
+from authentik.lib.config import CONFIG
 from authentik.policies.engine import PolicyEngine
+from authentik.root.monitoring import UpdatingGauge
 
 LOGGER = get_logger()
 PLAN_CONTEXT_PENDING_USER = "pending_user"
@@ -21,6 +24,17 @@ PLAN_CONTEXT_SSO = "is_sso"
 PLAN_CONTEXT_REDIRECT = "redirect"
 PLAN_CONTEXT_APPLICATION = "application"
 PLAN_CONTEXT_SOURCE = "source"
+GAUGE_FLOWS_CACHED = UpdatingGauge(
+    "authentik_flows_cached",
+    "Cached flows",
+    update_func=lambda: len(cache.keys("flow_*") or []),
+)
+HIST_FLOWS_PLAN_TIME = Histogram(
+    "authentik_flows_plan_time",
+    "Duration to build a plan for a flow",
+    ["flow_slug"],
+)
+CACHE_TIMEOUT = int(CONFIG.y("redis.cache_timeout_flows"))
 
 
 def cache_key(flow: Flow, user: Optional[User] = None) -> str:
@@ -38,33 +52,41 @@ class FlowPlan:
 
     flow_pk: str
 
-    stages: list[Stage] = field(default_factory=list)
+    bindings: list[FlowStageBinding] = field(default_factory=list)
     context: dict[str, Any] = field(default_factory=dict)
     markers: list[StageMarker] = field(default_factory=list)
 
-    def append(self, stage: Stage, marker: Optional[StageMarker] = None):
+    def append_stage(self, stage: Stage, marker: Optional[StageMarker] = None):
         """Append `stage` to all stages, optionall with stage marker"""
-        self.stages.append(stage)
+        return self.append(FlowStageBinding(stage=stage), marker)
+
+    def append(self, binding: FlowStageBinding, marker: Optional[StageMarker] = None):
+        """Append `stage` to all stages, optionall with stage marker"""
+        self.bindings.append(binding)
         self.markers.append(marker or StageMarker())
 
-    def insert(self, stage: Stage, marker: Optional[StageMarker] = None):
+    def insert_stage(self, stage: Stage, marker: Optional[StageMarker] = None):
         """Insert stage into plan, as immediate next stage"""
-        self.stages.insert(1, stage)
+        self.bindings.insert(1, FlowStageBinding(stage=stage, order=0))
         self.markers.insert(1, marker or StageMarker())
 
-    def next(self, http_request: Optional[HttpRequest]) -> Optional[Stage]:
+    def next(self, http_request: Optional[HttpRequest]) -> Optional[FlowStageBinding]:
         """Return next pending stage from the bottom of the list"""
         if not self.has_stages:
             return None
-        stage = self.stages[0]
+        binding = self.bindings[0]
         marker = self.markers[0]
 
         if marker.__class__ is not StageMarker:
-            LOGGER.debug("f(plan_inst): stage has marker", stage=stage, marker=marker)
+            LOGGER.debug(
-        marked_stage = marker.process(self, stage, http_request)
+                "f(plan_inst): stage has marker", binding=binding, marker=marker
+            )
+        marked_stage = marker.process(self, binding, http_request)
         if not marked_stage:
-            LOGGER.debug("f(plan_inst): marker returned none, next stage", stage=stage)
+            LOGGER.debug(
-            self.stages.remove(stage)
+                "f(plan_inst): marker returned none, next stage", binding=binding
+            )
+            self.bindings.remove(binding)
             self.markers.remove(marker)
             if not self.has_stages:
                 return None
@@ -75,12 +97,12 @@ class FlowPlan:
     def pop(self):
         """Pop next pending stage from bottom of list"""
         self.markers.pop(0)
-        self.stages.pop(0)
+        self.bindings.pop(0)
 
     @property
     def has_stages(self) -> bool:
         """Check if there are any stages left in this plan"""
-        return len(self.markers) + len(self.stages) > 0
+        return len(self.markers) + len(self.bindings) > 0
 
 
 class FlowPlanner:
@@ -145,8 +167,9 @@ class FlowPlanner:
                 "f(plan): building plan",
             )
             plan = self._build_plan(user, request, default_context)
-            cache.set(cache_key(self.flow, user), plan)
+            cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
-            if not plan.stages and not self.allow_empty_flows:
+            GAUGE_FLOWS_CACHED.update()
+            if not plan.bindings and not self.allow_empty_flows:
                 raise EmptyFlowException()
             return plan
 
@@ -158,7 +181,9 @@ class FlowPlanner:
     ) -> FlowPlan:
         """Build flow plan by checking each stage in their respective
         order and checking the applied policies"""
-        with Hub.current.start_span(op="flow.planner.build_plan") as span:
+        with Hub.current.start_span(
+            op="flow.planner.build_plan"
+        ) as span, HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug).time():
             span: Span
             span.set_data("flow", self.flow)
             span.set_data("user", user)
@@ -199,9 +224,10 @@ class FlowPlanner:
                         "f(plan): stage has re-evaluate marker",
                         stage=binding.stage,
                     )
-                    marker = ReevaluateMarker(binding=binding, user=user)
+                    marker = ReevaluateMarker(binding=binding)
                 if stage:
-                    plan.append(stage, marker)
+                    plan.append(binding, marker)
+            HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug)
         self._logger.debug(
             "f(plan): finished building",
         )

authentik/flows/stage.py

@@ -3,6 +3,7 @@ from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.http.response import HttpResponse
+from django.urls import reverse
 from django.views.generic.base import View
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
@@ -11,32 +12,18 @@ from authentik.core.models import DEFAULT_AVATAR, User
 from authentik.flows.challenge import (
     Challenge,
     ChallengeResponse,
+    ContextualFlowInfo,
     HttpChallengeResponse,
     WithUserInfoChallenge,
 )
+from authentik.flows.models import InvalidResponseAction
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.views import FlowExecutorView
-from authentik.lib.sentry import SentryIgnoredException
 
 PLAN_CONTEXT_PENDING_USER_IDENTIFIER = "pending_user_identifier"
 LOGGER = get_logger()
 
 
-class InvalidChallengeError(SentryIgnoredException):
-    """Error raised when a challenge from a stage is not valid"""
-
-    def __init__(self, errors, stage_view: View, challenge: Challenge) -> None:
-        super().__init__()
-        self.errors = errors
-        self.stage_view = stage_view
-        self.challenge = challenge
-
-    def __str__(self) -> str:
-        return (
-            f"Invalid challenge from {self.stage_view}: {self.errors}\n{self.challenge}"
-        )
-
-
 class StageView(View):
     """Abstract Stage, inherits TemplateView but can be combined with FormView"""
 
@@ -48,14 +35,17 @@ class StageView(View):
         self.executor = executor
         super().__init__(**kwargs)
 
-    def get_pending_user(self) -> User:
+    def get_pending_user(self, for_display=False) -> User:
         """Either show the matched User object or show what the user entered,
         based on what the earlier stage (mostly IdentificationStage) set.
         _USER_IDENTIFIER overrides the first User, as PENDING_USER is used for
         other things besides the form display.
 
         If no user is pending, returns request.user"""
-        if PLAN_CONTEXT_PENDING_USER_IDENTIFIER in self.executor.plan.context:
+        if (
+            PLAN_CONTEXT_PENDING_USER_IDENTIFIER in self.executor.plan.context
+            and for_display
+        ):
             return User(
                 username=self.executor.plan.context.get(
                     PLAN_CONTEXT_PENDING_USER_IDENTIFIER
@@ -80,7 +70,13 @@ class ChallengeStageView(StageView):
         """Return a challenge for the frontend to solve"""
         challenge = self._get_challenge(*args, **kwargs)
         if not challenge.is_valid():
-            LOGGER.warning(challenge.errors, stage_view=self, challenge=challenge)
+            LOGGER.warning(
+                "f(ch): Invalid challenge",
+                binding=self.executor.current_binding,
+                errors=challenge.errors,
+                stage_view=self,
+                challenge=challenge,
+            )
         return HttpChallengeResponse(challenge)
 
     # pylint: disable=unused-argument
@@ -88,20 +84,41 @@ class ChallengeStageView(StageView):
         """Handle challenge response"""
         challenge: ChallengeResponse = self.get_response_instance(data=request.data)
         if not challenge.is_valid():
+            if self.executor.current_binding.invalid_response_action in [
+                InvalidResponseAction.RESTART,
+                InvalidResponseAction.RESTART_WITH_CONTEXT,
+            ]:
+                keep_context = (
+                    self.executor.current_binding.invalid_response_action
+                    == InvalidResponseAction.RESTART_WITH_CONTEXT
+                )
+                LOGGER.debug(
+                    "f(ch): Invalid response, restarting flow",
+                    binding=self.executor.current_binding,
+                    stage_view=self,
+                    keep_context=keep_context,
+                )
+                return self.executor.restart_flow(keep_context)
             return self.challenge_invalid(challenge)
         return self.challenge_valid(challenge)
 
     def _get_challenge(self, *args, **kwargs) -> Challenge:
         challenge = self.get_challenge(*args, **kwargs)
-        if "title" not in challenge.initial_data:
+        if "flow_info" not in challenge.initial_data:
-            challenge.initial_data["title"] = self.executor.flow.title
+            flow_info = ContextualFlowInfo(
-        if "background" not in challenge.initial_data:
+                data={
-            challenge.initial_data["background"] = self.executor.flow.background.url
+                    "title": self.executor.flow.title,
+                    "background": self.executor.flow.background_url,
+                    "cancel_url": reverse("authentik_flows:cancel"),
+                }
+            )
+            flow_info.is_valid()
+            challenge.initial_data["flow_info"] = flow_info.data
         if isinstance(challenge, WithUserInfoChallenge):
             # If there's a pending user, update the `username` field
             # this field is only used by password managers.
             # If there's no user set, an error is raised later.
-            if user := self.get_pending_user():
+            if user := self.get_pending_user(for_display=True):
                 challenge.initial_data["pending_user"] = user.username
             challenge.initial_data["pending_user_avatar"] = DEFAULT_AVATAR
             if not isinstance(user, AnonymousUser):
@@ -131,5 +148,10 @@ class ChallengeStageView(StageView):
                 )
         challenge_response.initial_data["response_errors"] = full_errors
         if not challenge_response.is_valid():
-            LOGGER.warning(challenge_response.errors)
+            LOGGER.warning(
+                "f(ch): invalid challenge response",
+                binding=self.executor.current_binding,
+                errors=challenge_response.errors,
+                stage_view=self,
+            )
         return HttpChallengeResponse(challenge_response)