release: 2021.6.1-rc1

lifecycle: fix custom port not being set for postgres healthcheck
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-06-09 11:01:14 +02:00 · 2021-06-09 10:59:48 +02:00 · 2021-06-09 10:28:32 +02:00 · 2021-06-09 09:45:14 +02:00 · 2021-06-09 09:31:30 +02:00 · 2021-06-09 09:24:05 +02:00
505 changed files with 45443 additions and 32104 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.5.1-rc7
+current_version = 2021.6.1-rc1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
@ -31,8 +31,6 @@ values =

 [bumpversion:file:web/src/constants.ts]

-[bumpversion:file:web/nginx.conf]
-
 [bumpversion:file:website/docs/outposts/manual-deploy-docker-compose.md]

 [bumpversion:file:website/docs/outposts/manual-deploy-kubernetes.md]
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -0,0 +1,27 @@
+---
+name: Question
+about: Ask a question about a feature or specific configuration
+title: ''
+labels: question
+assignees: ''
+
+---
+
+**Describe your question/**
+A clear and concise description of what you're trying to do.
+
+**Relevant infos**
+i.e. Version of other software you're using, specifics of your setup
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Logs**
+Output of docker-compose logs or kubectl logs respectively
+
+**Version and Deployment (please complete the following information):**
+ - authentik version: [e.g. 0.10.0-stable]
+ - Deployment: [e.g. docker-compose, helm]
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -0,0 +1,13 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -14,7 +14,7 @@ jobs:
    steps:
      - uses: actions/checkout@v2
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.1.0
+        uses: docker/setup-qemu-action@v1.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
@ -28,17 +28,14 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: prepare ts api client
-        run: |
-          docker run --rm -v $(pwd):/local openapitools/openapi-generator-cli generate -i /local/swagger.yaml -g typescript-fetch -o /local/web/api --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
      - name: Building Docker Image
        uses: docker/build-push-action@v2
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik:2021.5.1-rc7,
+            beryju/authentik:2021.6.1-rc1,
            beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.5.1-rc7,
+            ghcr.io/goauthentik/server:2021.6.1-rc1,
            ghcr.io/goauthentik/server:latest
          platforms: linux/amd64,linux/arm64
          context: .
@ -49,14 +46,8 @@ jobs:
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.15"
-      - name: prepare go api client
-        run: |
-          cd outpost
-          go get -u github.com/go-swagger/go-swagger/cmd/swagger
-          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
-          go build -v ./cmd/proxy/server.go
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.1.0
+        uses: docker/setup-qemu-action@v1.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
@ -75,11 +66,10 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik-proxy:2021.5.1-rc7,
+            beryju/authentik-proxy:2021.6.1-rc1,
            beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.5.1-rc7,
+            ghcr.io/goauthentik/proxy:2021.6.1-rc1,
            ghcr.io/goauthentik/proxy:latest
-          context: outpost/
          file: outpost/proxy.Dockerfile
          platforms: linux/amd64,linux/arm64
  build-ldap:
@ -89,14 +79,8 @@ jobs:
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.15"
-      - name: prepare go api client
-        run: |
-          cd outpost
-          go get -u github.com/go-swagger/go-swagger/cmd/swagger
-          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
-          go build -v ./cmd/ldap/server.go
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.1.0
+        uses: docker/setup-qemu-action@v1.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Docker Login Registry
@ -115,11 +99,10 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik-ldap:2021.5.1-rc7,
+            beryju/authentik-ldap:2021.6.1-rc1,
            beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.5.1-rc7,
+            ghcr.io/goauthentik/ldap:2021.6.1-rc1,
            ghcr.io/goauthentik/ldap:latest
-          context: outpost/
          file: outpost/ldap.Dockerfile
          platforms: linux/amd64,linux/arm64
  test-release:
@ -139,7 +122,7 @@ jobs:
          docker-compose pull -q
          docker-compose up --no-start
          docker-compose start postgresql redis
-          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
+          docker-compose run -u root --entrypoint /bin/bash server -c "apt-get update && apt-get install -y --no-install-recommends git && pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
  sentry-release:
    if: ${{ github.event_name == 'release' }}
    needs:
@ -155,5 +138,5 @@ jobs:
          SENTRY_PROJECT: authentik
          SENTRY_URL: https://sentry.beryju.org
        with:
-          version: authentik@2021.5.1-rc7
+          version: authentik@2021.6.1-rc1
          environment: beryjuorg-prod
--- a/.github/workflows/tag.yml
+++ b/.github/workflows/tag.yml
@ -11,9 +11,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
-      - name: prepare ts api client
-        run: |
-          docker run --rm -v $(pwd):/local openapitools/openapi-generator-cli generate -i /local/swagger.yaml -g typescript-fetch -o /local/web/api --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
      - name: Pre-release test
        run: |
          sudo apt-get install -y pwgen
@ -27,17 +24,17 @@ jobs:
            -f Dockerfile .
          docker-compose up --no-start
          docker-compose start postgresql redis
-          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
+          docker-compose run -u root --entrypoint /bin/bash server -c "apt-get update && apt-get install -y --no-install-recommends git && pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
      - name: Extract version number
        id: get_version
-        uses: actions/github-script@0.2.0
+        uses: actions/github-script@v4.0.2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            return context.payload.ref.replace(/\/refs\/tags\/version\//, '');
      - name: Create Release
        id: create_release
-        uses: actions/create-release@v1.0.0
+        uses: actions/create-release@v1.1.4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/35
+++ b/35
@ -10,16 +10,28 @@ RUN pip install pipenv && \
    pipenv lock -r > requirements.txt && \
    pipenv lock -rd > requirements-dev.txt

-# Stage 2: Build webui
+# Stage 2: Build web API
+FROM openapitools/openapi-generator-cli as api-builder
+
+COPY ./schema.yml /local/schema.yml
+
+RUN	docker-entrypoint.sh generate \
+    -i /local/schema.yml \
+    -g typescript-fetch \
+    -o /local/web/api \
+    --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
+
+# Stage 3: Build webui
 FROM node as npm-builder

 COPY ./web /static/
+COPY --from=api-builder /local/web/api /static/api

 ENV NODE_ENV=production
 RUN cd /static && npm i --production=false && npm run build

-# Stage 3: Build go proxy
-FROM golang:1.16.4 AS builder
+# Stage 4: Build go proxy
+FROM golang:1.16.5 AS builder

 WORKDIR /work

@ -28,7 +40,6 @@ COPY --from=npm-builder /static/security.txt /work/web/security.txt
 COPY --from=npm-builder /static/dist/ /work/web/dist/
 COPY --from=npm-builder /static/authentik/ /work/web/authentik/

-# RUN ls /work/web/static/authentik/ && exit 1
 COPY ./cmd /work/cmd
 COPY ./web/static.go /work/web/static.go
 COPY ./internal /work/internal
@ -37,7 +48,7 @@ COPY ./go.sum /work/go.sum

 RUN go build -o /work/authentik ./cmd/server/main.go

-# Stage 4: Run
+# Stage 5: Run
 FROM python:3.9-slim-buster

 WORKDIR /
@ -48,24 +59,17 @@ ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH

 RUN apt-get update && \
-    apt-get install -y --no-install-recommends curl ca-certificates gnupg && \
+    apt-get install -y --no-install-recommends curl ca-certificates gnupg git runit && \
    curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
    echo "deb http://apt.postgresql.org/pub/repos/apt buster-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
    apt-get update && \
-    apt-get install -y --no-install-recommends libpq-dev postgresql-client-12 postgresql-client-11 build-essential libxmlsec1-dev pkg-config libmaxminddb0 && \
+    apt-get install -y --no-install-recommends libpq-dev postgresql-client build-essential libxmlsec1-dev pkg-config libmaxminddb0 && \
    pip install -r /requirements.txt --no-cache-dir && \
-    apt-get remove --purge -y build-essential && \
+    apt-get remove --purge -y build-essential git && \
    apt-get autoremove --purge -y && \
    apt-get clean && \
    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
-    # This is quite hacky, but docker has no guaranteed Group ID
-    # we could instead check for the GID of the socket and add the user dynamically,
-    # but then we have to drop permmissions later
-    groupadd -g 998 docker_998 && \
-    groupadd -g 999 docker_999 && \
    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
-    usermod -a -G docker_998 authentik && \
-    usermod -a -G docker_999 authentik && \
    mkdir /backups && \
    chown authentik:authentik /backups

@ -77,7 +81,6 @@ COPY ./lifecycle/ /lifecycle
 COPY --from=builder /work/authentik /authentik-proxy

 USER authentik
-STOPSIGNAL SIGINT
 ENV TMPDIR /dev/shm/
 ENV PYTHONUBUFFERED 1
 ENTRYPOINT [ "/lifecycle/bootstrap.sh" ]
--- a/44
+++ b/44
@ -1,3 +1,8 @@
+.SHELLFLAGS += -x -e
+PWD = $(shell pwd)
+UID = $(shell id -u)
+GID = $(shell id -g)
+
 all: lint-fix lint test gen

 test-integration:
@ -22,14 +27,39 @@ lint:
 	bandit -r authentik tests lifecycle -x node_modules
 	pylint authentik tests lifecycle

-gen:
-	./manage.py generate_swagger -o swagger.yaml -f yaml
+gen-build:
+	./manage.py spectacular --file schema.yml

-local-stack:
-	export AUTHENTIK_TAG=testing
-	docker build -t beryju/authentik:testng .
-	docker-compose up -d
-	docker-compose run --rm server migrate
+gen-clean:
+	rm -rf web/api/src/
+	rm -rf outpost/api/
+
+gen-web:
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		openapitools/openapi-generator-cli generate \
+		-i /local/schema.yml \
+		-g typescript-fetch \
+		-o /local/web/api \
+		--additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
+	cd web/api && npx tsc
+
+gen-outpost:
+	docker run \
+		--rm -v ${PWD}:/local \
+		--user ${UID}:${GID} \
+		openapitools/openapi-generator-cli generate \
+		--git-host goauthentik.io \
+		--git-repo-id outpost \
+		--git-user-id api \
+		-i /local/schema.yml \
+		-g go \
+		-o /local/outpost/api \
+		--additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true
+	rm -f outpost/api/go.mod outpost/api/go.sum
+
+gen: gen-build gen-clean gen-web gen-outpost

 run:
 	go run -v cmd/server/main.go
--- a/8
+++ b/8
@ -11,7 +11,7 @@ channels-redis = "*"
 dacite = "*"
 defusedxml = "*"
 django = "*"
-django-dbbackup = "*"
+django-dbbackup = { git = 'https://github.com/django-dbbackup/django-dbbackup.git', ref = '9d1909c30a3271c8c9c8450add30d6e0b996e145' }
 django-filter = "*"
 django-guardian = "*"
 django-model-utils = "*"
@ -22,7 +22,7 @@ django-storages = "*"
 djangorestframework = "*"
 djangorestframework-guardian = "*"
 docker = "*"
-drf_yasg = "*"
+drf-spectacular = "*"
 facebook-sdk = "*"
 geoip2 = "*"
 gunicorn = "*"
@ -44,13 +44,15 @@ urllib3 = {extras = ["secure"],version = "*"}
 uvicorn = {extras = ["standard"],version = "*"}
 webauthn = "*"
 xmlsec = "*"
+duo-client = "*"
+ua-parser = "*"

 [requires]
 python_version = "3.9"

 [dev-packages]
 bandit = "*"
-black = "==20.8b1"
+black = "==21.5b1"
 bump2version = "*"
 colorama = "*"
 coverage = "*"
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -1,7 +1,7 @@
 {
    "_meta": {
        "hash": {
-            "sha256": "17be2923cf8d281e430ec1467aea723806ac6f7c58fc6553ede92317e43f4d14"
+            "sha256": "4fa1ad681762c867a95410074f31ac5d00119e187e0f38982cd59fdf301cccf5"
        },
        "pipfile-spec": 6,
        "requires": {
@ -116,18 +116,18 @@
        },
        "boto3": {
            "hashes": [
-                "sha256:2f0d76660d484ff4c8c2efe9171c1281b38681e6806f87cf100e822432eda11e",
-                "sha256:cbaa8df5faf81730f117bfa0e3fcda68ec3fa9449a05847aa6140a3f4c087765"
+                "sha256:2ade860f66fa6b9a9886d7ff2e5118e5efebc4807b863ef735d358ef730234ed",
+                "sha256:bbf727d770a9844834bfbf3f811db1d3438320897f67cfb21cdca5bb8fc23c13"
            ],
            "index": "pypi",
-            "version": "==1.17.69"
+            "version": "==1.17.90"
        },
        "botocore": {
            "hashes": [
-                "sha256:7e94d3777763ece33d282b437e3b05b5567b9af816bd7819dbe4eb9bc6db6082",
-                "sha256:f755b19ddebda0f8ab7afc75ebcb5412dd802eca0a7e670f5fff8c5e58bc88b1"
+                "sha256:6ae4ff3405cc4fc69ff3673a8dd234bf869aa556ae1e0da050d7f2aa3c3edab6",
+                "sha256:b301810c4bd6cab1b6eaf6bfd9f25abb27959b586c2e1689bbce035b3fb8ae66"
            ],
-            "version": "==1.20.69"
+            "version": "==1.20.90"
        },
        "cachetools": {
            "hashes": [
@ -138,36 +138,57 @@
        },
        "cbor2": {
            "hashes": [
-                "sha256:a33aa2e5534fd74401ac95686886e655e3b2ce6383b3f958199b6e70a87c94bf"
+                "sha256:059363ae716c60f6ba29aa61b3d9c57896189c351c4119095f0542aec169e4dc",
+                "sha256:0b80a4a4fca830af3d3cf36b725c31f0a98106e9c2b02004ab73b0ec7f139446",
+                "sha256:0d22b47fb24b384200277fcfb0582c3a3551c413ad51f3bd3ee334caaf79a483",
+                "sha256:3c586a6e328ba5020802346f5e0304f81b982dcafeb51ee4109c9be9cccbc4a0",
+                "sha256:4dd142764607b1a8b5e3e3b474d2b84099e9cbb323596a15ee8db0d78901d95f",
+                "sha256:6f8a7911c2307ee8f8d4940bdcfb8bd21608f14203a83b651fcd7868bce377a5",
+                "sha256:7ecc4e9c548282a5d296d4535244efa69c7f67cda959f28e14929cf1d6af8a97",
+                "sha256:8bc9f5054650d05e6d3e90f6490dcd6ef6c01ad9c1568958a48dde2702824cb1",
+                "sha256:98410520482796a547af2d5ffe11a8a2dc3b9f2124834fa7c12db8264935ed61",
+                "sha256:a7926f7244b08c413f1a4fa71a81aa256771c75bdf1a4fd77308547a2d63dd48",
+                "sha256:ae31d3b5966807fdff6c9e6f894b0aa10474295d9ff8467a8b978a569c8fec47",
+                "sha256:ce6219986385778b1ab7f9b542f160bb4d3558f52975e914a27b774e47016fb7",
+                "sha256:d562b2773e14ee1d65ea5b85351a83a64d4f3fd011bc2b4c70a6e813e78203ce"
            ],
-            "version": "==5.2.0"
+            "version": "==5.4.0"
        },
        "celery": {
            "hashes": [
-                "sha256:5e8d364e058554e83bbb116e8377d90c79be254785f357cb2cec026e79febe13",
-                "sha256:f4efebe6f8629b0da2b8e529424de376494f5b7a743c321c8a2ddc2b1414921c"
+                "sha256:1329de1edeaf734ef859e630cb42df2c116d53e59d2f46433b13aed196e85620",
+                "sha256:65f061c04578cf189cd7352c192e1a79fdeb370b916bff792bcc769560e81184"
            ],
            "index": "pypi",
-            "version": "==5.0.5"
+            "version": "==5.1.0"
        },
        "certifi": {
            "hashes": [
-                "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c",
-                "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830"
+                "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
+                "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
            ],
-            "version": "==2020.12.5"
+            "version": "==2021.5.30"
        },
        "cffi": {
            "hashes": [
                "sha256:005a36f41773e148deac64b08f233873a4d0c18b053d37da83f6af4d9087b813",
+                "sha256:04c468b622ed31d408fea2346bec5bbffba2cc44226302a0de1ade9f5ea3d373",
+                "sha256:06d7cd1abac2ffd92e65c0609661866709b4b2d82dd15f611e602b9b188b0b69",
+                "sha256:06db6321b7a68b2bd6df96d08a5adadc1fa0e8f419226e25b2a5fbf6ccc7350f",
                "sha256:0857f0ae312d855239a55c81ef453ee8fd24136eaba8e87a2eceba644c0d4c06",
+                "sha256:0f861a89e0043afec2a51fd177a567005847973be86f709bbb044d7f42fc4e05",
                "sha256:1071534bbbf8cbb31b498d5d9db0f274f2f7a865adca4ae429e147ba40f73dea",
                "sha256:158d0d15119b4b7ff6b926536763dc0714313aa59e320ddf787502c70c4d4bee",
+                "sha256:1bf1ac1984eaa7675ca8d5745a8cb87ef7abecb5592178406e55858d411eadc0",
                "sha256:1f436816fc868b098b0d63b8920de7d208c90a67212546d02f84fe78a9c26396",
+                "sha256:24a570cd11895b60829e941f2613a4f79df1a27344cbbb82164ef2e0116f09c7",
+                "sha256:24ec4ff2c5c0c8f9c6b87d5bb53555bf267e1e6f70e52e5a9740d32861d36b6f",
                "sha256:2894f2df484ff56d717bead0a5c2abb6b9d2bf26d6960c4604d5c48bbc30ee73",
                "sha256:29314480e958fd8aab22e4a58b355b629c59bf5f2ac2492b61e3dc06d8c7a315",
+                "sha256:293e7ea41280cb28c6fcaaa0b1aa1f533b8ce060b9e701d78511e1e6c4a1de76",
                "sha256:34eff4b97f3d982fb93e2831e6750127d1355a923ebaeeb565407b3d2f8d41a1",
                "sha256:35f27e6eb43380fa080dccf676dece30bef72e4a67617ffda586641cd4508d49",
+                "sha256:3c3f39fa737542161d8b0d680df2ec249334cd70a8f420f71c9304bd83c3cbed",
                "sha256:3d3dd4c9e559eb172ecf00a2a7517e97d1e96de2a5e610bd9b68cea3925b4892",
                "sha256:43e0b9d9e2c9e5d152946b9c5fe062c151614b262fda2e7b201204de0b99e482",
                "sha256:48e1c69bbacfc3d932221851b39d49e81567a4d4aac3b21258d9c24578280058",
@ -175,6 +196,7 @@
                "sha256:58e3f59d583d413809d60779492342801d6e82fefb89c86a38e040c16883be53",
                "sha256:5de7970188bb46b7bf9858eb6890aad302577a5f6f75091fd7cdd3ef13ef3045",
                "sha256:65fa59693c62cf06e45ddbb822165394a288edce9e276647f0046e1ec26920f3",
+                "sha256:681d07b0d1e3c462dd15585ef5e33cb021321588bebd910124ef4f4fb71aef55",
                "sha256:69e395c24fc60aad6bb4fa7e583698ea6cc684648e1ffb7fe85e3c1ca131a7d5",
                "sha256:6c97d7350133666fbb5cf4abdc1178c812cb205dc6f41d174a7b0f18fb93337e",
                "sha256:6e4714cc64f474e4d6e37cfff31a814b509a35cb17de4fb1999907575684479c",
@ -192,8 +214,10 @@
                "sha256:b85eb46a81787c50650f2392b9b4ef23e1f126313b9e0e9013b35c15e4288e2e",
                "sha256:bb89f306e5da99f4d922728ddcd6f7fcebb3241fc40edebcb7284d7514741991",
                "sha256:cbde590d4faaa07c72bf979734738f328d239913ba3e043b1e98fe9a39f8b2b6",
+                "sha256:cc5a8e069b9ebfa22e26d0e6b97d6f9781302fe7f4f2b8776c3e1daea35f1adc",
                "sha256:cd2868886d547469123fadc46eac7ea5253ea7fcb139f12e1dfc2bbd406427d1",
                "sha256:d42b11d692e11b6634f7613ad8df5d6d5f8875f5d48939520d351007b3c13406",
+                "sha256:df5052c5d867c1ea0b311fb7c3cd28b19df469c056f7fdcfe88c7473aa63e333",
                "sha256:f2d45f97ab6bb54753eab54fffe75aaf3de4ff2341c9daee1987ee1837636f1d",
                "sha256:fd78e5fee591709f32ef6edb9a015b4aa1a5022598e36227500c8f4e02328d9c"
            ],
@ -244,10 +268,10 @@
        },
        "click-repl": {
            "hashes": [
-                "sha256:9c4c3d022789cae912aad8a3f5e1d7c2cdd016ee1225b5212ad3e8691563cda5",
-                "sha256:b9f29d52abc4d6059f8e276132a111ab8d94980afe6a5432b9d996544afa95d5"
+                "sha256:94b3fbbc9406a236f176e0506524b2937e4b23b6f4c0c0b2a0a83f8a64e9194b",
+                "sha256:cd12f68d745bf6151210790540b4cb064c7b13e571bc64b6957d98d120dacfd8"
            ],
-            "version": "==0.1.6"
+            "version": "==0.2.0"
        },
        "constantly": {
            "hashes": [
@ -256,20 +280,6 @@
            ],
            "version": "==15.1.0"
        },
-        "coreapi": {
-            "hashes": [
-                "sha256:46145fcc1f7017c076a2ef684969b641d18a2991051fddec9458ad3f78ffc1cb",
-                "sha256:bf39d118d6d3e171f10df9ede5666f63ad80bba9a29a8ec17726a66cf52ee6f3"
-            ],
-            "version": "==2.3.3"
-        },
-        "coreschema": {
-            "hashes": [
-                "sha256:5e6ef7bf38c1525d5e55a895934ab4273548629f16aed5c0a6caa74ebf45551f",
-                "sha256:9503506007d482ab0867ba14724b93c18a33b22b6d19fb419ef2d239dd4a1607"
-            ],
-            "version": "==0.0.4"
-        },
        "cryptography": {
            "hashes": [
                "sha256:0f1212a66329c80d68aeeb39b8a16d54ef57071bf22ff4e521657b27372e327d",
@ -312,18 +322,15 @@
        },
        "django": {
            "hashes": [
-                "sha256:0a1d195ad65c52bf275b8277b3d49680bd1137a5f55039a806f25f6b9752ce3d",
-                "sha256:18dd3145ddbd04bf189ff79b9954d08fda5171ea7b57bf705789fea766a07d50"
+                "sha256:66c9d8db8cc6fe938a28b7887c1596e42d522e27618562517cc8929eb7e7f296",
+                "sha256:ea735cbbbb3b2fba6d4da4784a0043d84c67c92f1fdf15ad6db69900e792c10f"
            ],
            "index": "pypi",
-            "version": "==3.2.2"
+            "version": "==3.2.4"
        },
        "django-dbbackup": {
-            "hashes": [
-                "sha256:bb109735cae98b64ad084e5b461b7aca2d7b39992f10c9ed9435e3ebb6fb76c8"
-            ],
-            "index": "pypi",
-            "version": "==3.3.0"
+            "git": "https://github.com/django-dbbackup/django-dbbackup.git",
+            "ref": "9d1909c30a3271c8c9c8450add30d6e0b996e145"
        },
        "django-filter": {
            "hashes": [
@ -335,11 +342,11 @@
        },
        "django-guardian": {
            "hashes": [
-                "sha256:0e70706c6cda88ddaf8849bddb525b8df49de05ba0798d4b3506049f0d95cbc8",
-                "sha256:ed2de26e4defb800919c5749fb1bbe370d72829fbd72895b6cf4f7f1a7607e1b"
+                "sha256:440ca61358427e575323648b25f8384739e54c38b3d655c81d75e0cd0d61b697",
+                "sha256:c58a68ae76922d33e6bdc0e69af1892097838de56e93e78a8361090bcd9f89a0"
            ],
            "index": "pypi",
-            "version": "==2.3.0"
+            "version": "==2.4.0"
        },
        "django-model-utils": {
            "hashes": [
@ -351,11 +358,11 @@
        },
        "django-otp": {
            "hashes": [
-                "sha256:75a815747a0542cc5442e3a6396dfd272c49a0866bee2149ac57ecc36ddd3961",
-                "sha256:cc657a0e7266cda6ab42f861bdc3840ed24f7e441bc7f249916174dd1a6375a0"
+                "sha256:01b5888f0bde5125e139433aacb947e52d5c406fa56c9db43c3e8d75b5c323c4",
+                "sha256:0d56dd2a7fbb6ee6e54557e036ca64add0bd3596f471794bad673b7637d5e935"
            ],
            "index": "pypi",
-            "version": "==1.0.5"
+            "version": "==1.0.6"
        },
        "django-prometheus": {
            "hashes": [
@ -367,11 +374,11 @@
        },
        "django-redis": {
            "hashes": [
-                "sha256:1133b26b75baa3664164c3f44b9d5d133d1b8de45d94d79f38d1adc5b1d502e5",
-                "sha256:306589c7021e6468b2656edc89f62b8ba67e8d5a1c8877e2688042263daa7a63"
+                "sha256:048f665bbe27f8ff2edebae6aa9c534ab137f1e8fa7234147ef470df3f3aa9b8",
+                "sha256:97739ca9de3f964c51412d1d7d8aecdfd86737bb197fce6e1ff12620c63c97ee"
            ],
            "index": "pypi",
-            "version": "==4.12.1"
+            "version": "==5.0.0"
        },
        "django-storages": {
            "hashes": [
@ -405,13 +412,21 @@
            "index": "pypi",
            "version": "==5.0.0"
        },
-        "drf-yasg": {
+        "drf-spectacular": {
            "hashes": [
-                "sha256:8b72e5b1875931a8d11af407be3a9a5ba8776541492947a0df5bafda6b7f8267",
-                "sha256:d50f197c7f02545d0b736df88c6d5cf874f8fea2507ad85ad7de6ae5bf2d9e5a"
+                "sha256:4d35e890b8139e1c056588c5529a2f2066615635482563f0840b96d3b879d7d2",
+                "sha256:f552476dfde647963c21615249672e7f4f9ece3788036b5ee5c6cc5ad50748ab"
            ],
            "index": "pypi",
-            "version": "==1.20.0"
+            "version": "==0.17.0"
+        },
+        "duo-client": {
+            "hashes": [
+                "sha256:038c40c86615b2c176252ec32888898807861371536ac29a39a707c71dd0e693",
+                "sha256:652548002767d27a5eaaa700b312205dfc1c252033bb0ab7f98d1d3961bceba7"
+            ],
+            "index": "pypi",
+            "version": "==4.3.2"
        },
        "facebook-sdk": {
            "hashes": [
@ -429,18 +444,18 @@
        },
        "geoip2": {
            "hashes": [
-                "sha256:57d8d15de2527e0697bbef44fc16812bba709f03a07ef99297bd56c1df3b1efd",
-                "sha256:707025542ef076bd8fd80e97138bebdb7812527b2a007d141a27ad98b0370fff"
+                "sha256:906a1dbf15a179a1af3522970e8420ab15bb3e0afc526942cc179e12146d9c1d",
+                "sha256:b97b44031fdc463e84eb1316b4f19edd978cb1d78703465fcb1e36dc5a822ba6"
            ],
            "index": "pypi",
-            "version": "==4.1.0"
+            "version": "==4.2.0"
        },
        "google-auth": {
            "hashes": [
-                "sha256:588bdb03a41ecb4978472b847881e5518b5d9ec6153d3d679aa127a55e13b39f",
-                "sha256:9ad25fba07f46a628ad4d0ca09f38dcb262830df2ac95b217f9b0129c9e42206"
+                "sha256:9b235dbc876e49454cbedc52ae0abd540ef705ebccdf4fbe93553bb13f26b1a4",
+                "sha256:eb017521276a75492282c6ca4b718f26de112ed3bcbeaeeb02c1b82de425f909"
            ],
-            "version": "==1.30.0"
+            "version": "==1.30.2"
        },
        "gunicorn": {
            "hashes": [
@ -505,23 +520,23 @@
        },
        "httptools": {
            "hashes": [
-                "sha256:07659649fe6b3948b6490825f89abe5eb1cec79ebfaaa0b4bf30f3f33f3c2ba8",
-                "sha256:08b79e09114e6ab5c3dbf560bba2cb2257ea38cdaeaf99b7cb80d8f92622fcd9",
-                "sha256:1e35aa179b67086cc600a984924a88589b90793c9c1b260152ca4908786e09df",
-                "sha256:31629e1f1b89959f8c0927bad12184dc07977dcf71e24f4772934aa490aa199b",
-                "sha256:851026bd63ec0af7e7592890d97d15c92b62d9e17094353f19a52c8e2b33710a",
-                "sha256:8fcca4b7efe353b13a24017211334c57d055a6e132c7adffed13a10d28efca57",
-                "sha256:9abd788465aa46a0f288bd3a99e53edd184177d6379e2098fd6097bb359ad9d6",
-                "sha256:aebdf0bd7bf7c90ae6b3be458692bf6e9e5b610b501f9f74c7979015a51db4c4",
-                "sha256:bda99a5723e7eab355ce57435c70853fc137a65aebf2f1cd4d15d96e2956da7b",
-                "sha256:c1c63d860749841024951b0a78e4dec6f543d23751ef061d6ab60064c7b8b524",
-                "sha256:c4111a0a8a00eff1e495d43ea5230aaf64968a48ddba8ea2d5f982efae827404",
-                "sha256:dce59ee45dd6ee6c434346a5ac527c44014326f560866b4b2f414a692ee1aca8",
-                "sha256:f759717ca1b2ef498c67ba4169c2b33eecf943a89f5329abcff8b89d153eb500",
-                "sha256:fb7199b8fb0c50a22e77260bb59017e0c075fa80cb03bb2c8692de76e7bb7fe7",
-                "sha256:fbf7ecd31c39728f251b1c095fd27c84e4d21f60a1d079a0333472ff3ae59d34"
+                "sha256:01b392a166adcc8bc2f526a939a8aabf89fe079243e1543fd0e7dc1b58d737cb",
+                "sha256:200fc1cdf733a9ff554c0bb97a4047785cfaad9875307d6087001db3eb2b417f",
+                "sha256:3ab1f390d8867f74b3b5ee2a7ecc9b8d7f53750bd45714bf1cb72a953d7dfa77",
+                "sha256:78d03dd39b09c99ec917d50189e6743adbfd18c15d5944392d2eabda688bf149",
+                "sha256:79dbc21f3612a78b28384e989b21872e2e3cf3968532601544696e4ed0007ce5",
+                "sha256:80ffa04fe8c8dfacf6e4cef8277347d35b0442c581f5814f3b0cf41b65c43c6e",
+                "sha256:813871f961edea6cb2fe312f2d9b27d12a51ba92545380126f80d0de1917ea15",
+                "sha256:94505026be56652d7a530ab03d89474dc6021019d6b8682281977163b3471ea0",
+                "sha256:a23166e5ae2775709cf4f7ad4c2048755ebfb272767d244e1a96d55ac775cca7",
+                "sha256:a289c27ccae399a70eacf32df9a44059ca2ba4ac444604b00a19a6c1f0809943",
+                "sha256:a7594f9a010cdf1e16a58b3bf26c9da39bbf663e3b8d46d39176999d71816658",
+                "sha256:b08d00d889a118f68f37f3c43e359aab24ee29eb2e3fe96d64c6a2ba8b9d6557",
+                "sha256:cc9be041e428c10f8b6ab358c6b393648f9457094e1dcc11b4906026d43cd380",
+                "sha256:d5682eeb10cca0606c4a8286a3391d4c3c5a36f0c448e71b8bd05be4e1694bfb",
+                "sha256:fd3b8905e21431ad306eeaf56644a68fdd621bf8f3097eff54d0f6bdf7262065"
            ],
-            "version": "==0.1.2"
+            "version": "==0.2.0"
        },
        "hyperlink": {
            "hashes": [
@ -551,20 +566,6 @@
            ],
            "version": "==0.5.1"
        },
-        "itypes": {
-            "hashes": [
-                "sha256:03da6872ca89d29aef62773672b2d408f490f80db48b23079a4b194c86dd04c6",
-                "sha256:af886f129dea4a2a1e3d36595a2d139589e4dd287f5cab0b40e799ee81570ff1"
-            ],
-            "version": "==1.2.0"
-        },
-        "jinja2": {
-            "hashes": [
-                "sha256:03e47ad063331dd6a3f04a43eddca8a966a26ba0c5b7207a9a9e4e08f1b29419",
-                "sha256:a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6"
-            ],
-            "version": "==2.11.3"
-        },
        "jmespath": {
            "hashes": [
                "sha256:b85d0567b8666149a93172712e68920734333c0ce7e89b78b3e987f71e5ed4f9",
@ -581,18 +582,18 @@
        },
        "kombu": {
            "hashes": [
-                "sha256:6dc509178ac4269b0e66ab4881f70a2035c33d3a622e20585f965986a5182006",
-                "sha256:f4965fba0a4718d47d470beeb5d6446e3357a62402b16c510b6a2f251e05ac3c"
+                "sha256:01481d99f4606f6939cdc9b637264ed353ee9e3e4f62cfb582324142c41a572d",
+                "sha256:e2dedd8a86c9077c350555153825a31e456a0dc20c15d5751f00137ec9c75f0a"
            ],
-            "version": "==5.0.2"
+            "version": "==5.1.0"
        },
        "kubernetes": {
            "hashes": [
-                "sha256:23c85d8571df8f56e773f1a413bc081537536dc47e2b5e8dc2e6262edb2c57ca",
-                "sha256:ec52ea01d52e2ec3da255992f7e859f3a76f2bdb51cf65ba8cd71dfc309d8daa"
+                "sha256:225a95a0aadbd5b645ab389d941a7980db8cdad2a776fde64d1b43fc3299bde9",
+                "sha256:c69b318696ba797dcf63eb928a8d4370c52319f4140023c502d7dfdf2080eb79"
            ],
            "index": "pypi",
-            "version": "==12.0.1"
+            "version": "==17.17.0"
        },
        "ldap3": {
            "hashes": [
@ -654,63 +655,6 @@
            "index": "pypi",
            "version": "==4.6.3"
        },
-        "markupsafe": {
-            "hashes": [
-                "sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473",
-                "sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161",
-                "sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235",
-                "sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5",
-                "sha256:13d3144e1e340870b25e7b10b98d779608c02016d5184cfb9927a9f10c689f42",
-                "sha256:195d7d2c4fbb0ee8139a6cf67194f3973a6b3042d742ebe0a9ed36d8b6f0c07f",
-                "sha256:22c178a091fc6630d0d045bdb5992d2dfe14e3259760e713c490da5323866c39",
-                "sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff",
-                "sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b",
-                "sha256:2beec1e0de6924ea551859edb9e7679da6e4870d32cb766240ce17e0a0ba2014",
-                "sha256:3b8a6499709d29c2e2399569d96719a1b21dcd94410a586a18526b143ec8470f",
-                "sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1",
-                "sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e",
-                "sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183",
-                "sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66",
-                "sha256:596510de112c685489095da617b5bcbbac7dd6384aeebeda4df6025d0256a81b",
-                "sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1",
-                "sha256:6788b695d50a51edb699cb55e35487e430fa21f1ed838122d722e0ff0ac5ba15",
-                "sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1",
-                "sha256:6f1e273a344928347c1290119b493a1f0303c52f5a5eae5f16d74f48c15d4a85",
-                "sha256:6fffc775d90dcc9aed1b89219549b329a9250d918fd0b8fa8d93d154918422e1",
-                "sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e",
-                "sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b",
-                "sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905",
-                "sha256:7fed13866cf14bba33e7176717346713881f56d9d2bcebab207f7a036f41b850",
-                "sha256:84dee80c15f1b560d55bcfe6d47b27d070b4681c699c572af2e3c7cc90a3b8e0",
-                "sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735",
-                "sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d",
-                "sha256:98bae9582248d6cf62321dcb52aaf5d9adf0bad3b40582925ef7c7f0ed85fceb",
-                "sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e",
-                "sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d",
-                "sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c",
-                "sha256:a6a744282b7718a2a62d2ed9d993cad6f5f585605ad352c11de459f4108df0a1",
-                "sha256:acf08ac40292838b3cbbb06cfe9b2cb9ec78fce8baca31ddb87aaac2e2dc3bc2",
-                "sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21",
-                "sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2",
-                "sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5",
-                "sha256:b1dba4527182c95a0db8b6060cc98ac49b9e2f5e64320e2b56e47cb2831978c7",
-                "sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b",
-                "sha256:b7d644ddb4dbd407d31ffb699f1d140bc35478da613b441c582aeb7c43838dd8",
-                "sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6",
-                "sha256:bf5aa3cbcfdf57fa2ee9cd1822c862ef23037f5c832ad09cfea57fa846dec193",
-                "sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f",
-                "sha256:caabedc8323f1e93231b52fc32bdcde6db817623d33e100708d9a68e1f53b26b",
-                "sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f",
-                "sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2",
-                "sha256:d53bc011414228441014aa71dbec320c66468c1030aae3a6e29778a3382d96e5",
-                "sha256:d73a845f227b0bfe8a7455ee623525ee656a9e2e749e4742706d80a6065d5e2c",
-                "sha256:d9be0ba6c527163cbed5e0857c451fcd092ce83947944d6c14bc95441203f032",
-                "sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7",
-                "sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be",
-                "sha256:feb7b34d6325451ef96bc0e36e1a6c0c1c64bc1fbec4b854f4529e51887b1621"
-            ],
-            "version": "==1.1.1"
-        },
        "maxminddb": {
            "hashes": [
                "sha256:47e86a084dd814fac88c99ea34ba3278a74bc9de5a25f4b815b608798747c7dc"
@ -794,10 +738,10 @@
        },
        "oauthlib": {
            "hashes": [
-                "sha256:bee41cc35fcca6e988463cacc3bcb8a96224f470ca547e697b604cc697b2f889",
-                "sha256:df884cd6cbe20e32633f1db1072e9356f53638e4361bef4e8b03c9127c9328ea"
+                "sha256:42bf6354c2ed8c6acb54d971fce6f88193d97297e18602a3a886603f9d7730cc",
+                "sha256:8f0215fcc533dd8dd1bee6f4c412d4f0cd7297307d43ac61666389e3bc3198a3"
            ],
-            "version": "==3.1.0"
+            "version": "==3.1.1"
        },
        "packaging": {
            "hashes": [
@ -809,10 +753,10 @@
        },
        "prometheus-client": {
            "hashes": [
-                "sha256:030e4f9df5f53db2292eec37c6255957eb76168c6f974e4176c711cf91ed34aa",
-                "sha256:b6c5a9643e3545bcbfd9451766cbaa5d9c67e7303c7bc32c750b6fa70ecb107d"
+                "sha256:3a8baade6cb80bcfe43297e33e7623f3118d660d41387593758e2fb1ea173a86",
+                "sha256:b014bc76815eb1399da8ce5fc84b7717a3e63652b0c0f8804092c9363acab1b2"
            ],
-            "version": "==0.10.1"
+            "version": "==0.11.0"
        },
        "prompt-toolkit": {
            "hashes": [
@ -1040,50 +984,6 @@
            "markers": "python_version >= '3.6'",
            "version": "==4.7.2"
        },
-        "ruamel.yaml": {
-            "hashes": [
-                "sha256:44bc6b54fddd45e4bc0619059196679f9e8b79c027f4131bb072e6a22f4d5e28",
-                "sha256:ac79fb25f5476e8e9ed1c53b8a2286d2c3f5dde49eb37dbcee5c7eb6a8415a22"
-            ],
-            "version": "==0.17.4"
-        },
-        "ruamel.yaml.clib": {
-            "hashes": [
-                "sha256:058a1cc3df2a8aecc12f983a48bda99315cebf55a3b3a5463e37bb599b05727b",
-                "sha256:1236df55e0f73cd138c0eca074ee086136c3f16a97c2ac719032c050f7e0622f",
-                "sha256:1f8c0a4577c0e6c99d208de5c4d3fd8aceed9574bb154d7a2b21c16bb924154c",
-                "sha256:2602e91bd5c1b874d6f93d3086f9830f3e907c543c7672cf293a97c3fabdcd91",
-                "sha256:28116f204103cb3a108dfd37668f20abe6e3cafd0d3fd40dba126c732457b3cc",
-                "sha256:2d24bd98af676f4990c4d715bcdc2a60b19c56a3fb3a763164d2d8ca0e806ba7",
-                "sha256:2fd336a5c6415c82e2deb40d08c222087febe0aebe520f4d21910629018ab0f3",
-                "sha256:30dca9bbcbb1cc858717438218d11eafb78666759e5094dd767468c0d577a7e7",
-                "sha256:44c7b0498c39f27795224438f1a6be6c5352f82cb887bc33d962c3a3acc00df6",
-                "sha256:464e66a04e740d754170be5e740657a3b3b6d2bcc567f0c3437879a6e6087ff6",
-                "sha256:46d6d20815064e8bb023ea8628cfb7402c0f0e83de2c2227a88097e239a7dffd",
-                "sha256:4df5019e7783d14b79217ad9c56edf1ba7485d614ad5a385d1b3c768635c81c0",
-                "sha256:4e52c96ca66de04be42ea2278012a2342d89f5e82b4512fb6fb7134e377e2e62",
-                "sha256:5254af7d8bdf4d5484c089f929cb7f5bafa59b4f01d4f48adda4be41e6d29f99",
-                "sha256:52ae5739e4b5d6317b52f5b040b1b6639e8af68a5b8fd606a8b08658fbd0cab5",
-                "sha256:53b9dd1abd70e257a6e32f934ebc482dac5edb8c93e23deb663eac724c30b026",
-                "sha256:6c0a5dc52fc74eb87c67374a4e554d4761fd42a4d01390b7e868b30d21f4b8bb",
-                "sha256:73b3d43e04cc4b228fa6fa5d796409ece6fcb53a6c270eb2048109cbcbc3b9c2",
-                "sha256:74161d827407f4db9072011adcfb825b5258a5ccb3d2cd518dd6c9edea9e30f1",
-                "sha256:75f0ee6839532e52a3a53f80ce64925ed4aed697dd3fa890c4c918f3304bd4f4",
-                "sha256:839dd72545ef7ba78fd2aa1a5dd07b33696adf3e68fae7f31327161c1093001b",
-                "sha256:8be05be57dc5c7b4a0b24edcaa2f7275866d9c907725226cdde46da09367d923",
-                "sha256:8e8fd0a22c9d92af3a34f91e8a2594eeb35cba90ab643c5e0e643567dc8be43e",
-                "sha256:a873e4d4954f865dcb60bdc4914af7eaae48fb56b60ed6daa1d6251c72f5337c",
-                "sha256:ab845f1f51f7eb750a78937be9f79baea4a42c7960f5a94dde34e69f3cce1988",
-                "sha256:b1e981fe1aff1fd11627f531524826a4dcc1f26c726235a52fcb62ded27d150f",
-                "sha256:b4b0d31f2052b3f9f9b5327024dc629a253a83d8649d4734ca7f35b60ec3e9e5",
-                "sha256:c6ac7e45367b1317e56f1461719c853fd6825226f45b835df7436bb04031fd8a",
-                "sha256:daf21aa33ee9b351f66deed30a3d450ab55c14242cfdfcd377798e2c0d25c9f1",
-                "sha256:e9f7d1d8c26a6a12c23421061f9022bb62704e38211fe375c645485f38df34a2",
-                "sha256:f6061a31880c1ed6b6ce341215336e2f3d0c1deccd84957b6fa8ca474b41e89f"
-            ],
-            "markers": "platform_python_implementation == 'CPython' and python_version < '3.10'",
-            "version": "==0.2.2"
-        },
        "s3transfer": {
            "hashes": [
                "sha256:9b3752887a2880690ce628bc263d6d13a3864083aeacff4890c1c9839a5eb0bc",
@ -1184,6 +1084,14 @@
            ],
            "version": "==3.10.0.0"
        },
+        "ua-parser": {
+            "hashes": [
+                "sha256:46ab2e383c01dbd2ab284991b87d624a26a08f72da4d7d413f5bfab8b9036f8a",
+                "sha256:47b1782ed130d890018d983fac37c2a80799d9e0b9c532e734c67cf70f185033"
+            ],
+            "index": "pypi",
+            "version": "==0.10.0"
+        },
        "uritemplate": {
            "hashes": [
                "sha256:07620c3f3f8eed1f12600845892b0e036a2420acf513c53f7de0abd911a5894f",
@ -1196,22 +1104,22 @@
                "secure"
            ],
            "hashes": [
-                "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
-                "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
+                "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c",
+                "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098"
            ],
            "index": "pypi",
-            "version": "==1.26.4"
+            "version": "==1.26.5"
        },
        "uvicorn": {
            "extras": [
                "standard"
            ],
            "hashes": [
-                "sha256:3292251b3c7978e8e4a7868f4baf7f7f7bb7e40c759ecc125c37e99cdea34202",
-                "sha256:7587f7b08bd1efd2b9bad809a3d333e972f1d11af8a5e52a9371ee3a5de71524"
+                "sha256:2a76bb359171a504b3d1c853409af3adbfa5cef374a4a59e5881945a97a93eae",
+                "sha256:45ad7dfaaa7d55cab4cd1e85e03f27e9d60bc067ddc59db52a2b0aeca8870292"
            ],
            "index": "pypi",
-            "version": "==0.13.4"
+            "version": "==0.14.0"
        },
        "uvloop": {
            "hashes": [
@ -1259,54 +1167,65 @@
        },
        "websocket-client": {
            "hashes": [
-                "sha256:2e50d26ca593f70aba7b13a489435ef88b8fc3b5c5643c1ce8808ff9b40f0b32",
-                "sha256:d376bd60eace9d437ab6d7ee16f4ab4e821c9dae591e1b783c58ebd8aaf80c5c"
+                "sha256:3e2bf58191d4619b161389a95bdce84ce9e0b24eb8107e7e590db682c2d0ca81",
+                "sha256:abf306dc6351dcef07f4d40453037e51cc5d9da2ef60d0fc5d0fe3bcda255372"
            ],
-            "version": "==0.59.0"
+            "version": "==1.0.1"
        },
        "websockets": {
            "hashes": [
-                "sha256:0e4fb4de42701340bd2353bb2eee45314651caa6ccee80dbd5f5d5978888fed5",
-                "sha256:1d3f1bf059d04a4e0eb4985a887d49195e15ebabc42364f4eb564b1d065793f5",
-                "sha256:20891f0dddade307ffddf593c733a3fdb6b83e6f9eef85908113e628fa5a8308",
-                "sha256:295359a2cc78736737dd88c343cd0747546b2174b5e1adc223824bcaf3e164cb",
-                "sha256:2db62a9142e88535038a6bcfea70ef9447696ea77891aebb730a333a51ed559a",
-                "sha256:3762791ab8b38948f0c4d281c8b2ddfa99b7e510e46bd8dfa942a5fff621068c",
-                "sha256:3db87421956f1b0779a7564915875ba774295cc86e81bc671631379371af1170",
-                "sha256:3ef56fcc7b1ff90de46ccd5a687bbd13a3180132268c4254fc0fa44ecf4fc422",
-                "sha256:4f9f7d28ce1d8f1295717c2c25b732c2bc0645db3215cf757551c392177d7cb8",
-                "sha256:5c01fd846263a75bc8a2b9542606927cfad57e7282965d96b93c387622487485",
-                "sha256:5c65d2da8c6bce0fca2528f69f44b2f977e06954c8512a952222cea50dad430f",
-                "sha256:751a556205d8245ff94aeef23546a1113b1dd4f6e4d102ded66c39b99c2ce6c8",
-                "sha256:7ff46d441db78241f4c6c27b3868c9ae71473fe03341340d2dfdbe8d79310acc",
-                "sha256:965889d9f0e2a75edd81a07592d0ced54daa5b0785f57dc429c378edbcffe779",
-                "sha256:9b248ba3dd8a03b1a10b19efe7d4f7fa41d158fdaa95e2cf65af5a7b95a4f989",
-                "sha256:9bef37ee224e104a413f0780e29adb3e514a5b698aabe0d969a6ba426b8435d1",
-                "sha256:c1ec8db4fac31850286b7cd3b9c0e1b944204668b8eb721674916d4e28744092",
-                "sha256:c8a116feafdb1f84607cb3b14aa1418424ae71fee131642fc568d21423b51824",
-                "sha256:ce85b06a10fc65e6143518b96d3dca27b081a740bae261c2fb20375801a9d56d",
-                "sha256:d705f8aeecdf3262379644e4b55107a3b55860eb812b673b28d0fbc347a60c55",
-                "sha256:e898a0863421650f0bebac8ba40840fc02258ef4714cb7e1fd76b6a6354bda36",
-                "sha256:f8a7bff6e8664afc4e6c28b983845c5bc14965030e3fb98789734d416af77c4b"
+                "sha256:0dd4eb8e0bbf365d6f652711ce21b8fd2b596f873d32aabb0fbb53ec604418cc",
+                "sha256:1d0971cc7251aeff955aa742ec541ee8aaea4bb2ebf0245748fbec62f744a37e",
+                "sha256:1d6b4fddb12ab9adf87b843cd4316c4bd602db8d5efd2fb83147f0458fe85135",
+                "sha256:230a3506df6b5f446fed2398e58dcaafdff12d67fe1397dff196411a9e820d02",
+                "sha256:276d2339ebf0df4f45df453923ebd2270b87900eda5dfd4a6b0cfa15f82111c3",
+                "sha256:2cf04601633a4ec176b9cc3d3e73789c037641001dbfaf7c411f89cd3e04fcaf",
+                "sha256:3ddff38894c7857c476feb3538dd847514379d6dc844961dc99f04b0384b1b1b",
+                "sha256:48c222feb3ced18f3dc61168ca18952a22fb88e5eb8902d2bf1b50faefdc34a2",
+                "sha256:51d04df04ed9d08077d10ccbe21e6805791b78eac49d16d30a1f1fe2e44ba0af",
+                "sha256:597c28f3aa7a09e8c070a86b03107094ee5cdafcc0d55f2f2eac92faac8dc67d",
+                "sha256:5c8f0d82ea2468282e08b0cf5307f3ad022290ed50c45d5cb7767957ca782880",
+                "sha256:7189e51955f9268b2bdd6cc537e0faa06f8fffda7fb386e5922c6391de51b077",
+                "sha256:7df3596838b2a0c07c6f6d67752c53859a54993d4f062689fdf547cb56d0f84f",
+                "sha256:826ccf85d4514609219725ba4a7abd569228c2c9f1968e8be05be366f68291ec",
+                "sha256:836d14eb53b500fd92bd5db2fc5894f7c72b634f9c2a28f546f75967503d8e25",
+                "sha256:85db8090ba94e22d964498a47fdd933b8875a1add6ebc514c7ac8703eb97bbf0",
+                "sha256:85e701a6c316b7067f1e8675c638036a796fe5116783a4c932e7eb8e305a3ffe",
+                "sha256:900589e19200be76dd7cbaa95e9771605b5ce3f62512d039fb3bc5da9014912a",
+                "sha256:9147868bb0cc01e6846606cd65cbf9c58598f187b96d14dd1ca17338b08793bb",
+                "sha256:9e7fdc775fe7403dbd8bc883ba59576a6232eac96dacb56512daacf7af5d618d",
+                "sha256:ab5ee15d3462198c794c49ccd31773d8a2b8c17d622aa184f669d2b98c2f0857",
+                "sha256:ad893d889bc700a5835e0a95a3e4f2c39e91577ab232a3dc03c262a0f8fc4b5c",
+                "sha256:b2e71c4670ebe1067fa8632f0d081e47254ee2d3d409de54168b43b0ba9147e0",
+                "sha256:b43b13e5622c5a53ab12f3272e6f42f1ce37cd5b6684b2676cb365403295cd40",
+                "sha256:b4ad84b156cf50529b8ac5cc1638c2cf8680490e3fccb6121316c8c02620a2e4",
+                "sha256:be5fd35e99970518547edc906efab29afd392319f020c3c58b0e1a158e16ed20",
+                "sha256:caa68c95bc1776d3521f81eeb4d5b9438be92514ec2a79fececda814099c8314",
+                "sha256:d144b350045c53c8ff09aa1cfa955012dd32f00c7e0862c199edcabb1a8b32da",
+                "sha256:d2c2d9b24d3c65b5a02cac12cbb4e4194e590314519ed49db2f67ef561c3cf58",
+                "sha256:e9e5fd6dbdf95d99bc03732ded1fc8ef22ebbc05999ac7e0c7bf57fe6e4e5ae2",
+                "sha256:ebf459a1c069f9866d8569439c06193c586e72c9330db1390af7c6a0a32c4afd",
+                "sha256:f31722f1c033c198aa4a39a01905951c00bd1c74f922e8afc1b1c62adbcdd56a",
+                "sha256:f68c352a68e5fdf1e97288d5cec9296664c590c25932a8476224124aaf90dbcd"
            ],
-            "version": "==8.1"
+            "version": "==9.1"
        },
        "xmlsec": {
            "hashes": [
-                "sha256:17d2e66d4e3e601d210eed936b53c3eb44cddaef62f60b5c6ad5c18e948d926c",
-                "sha256:2bc1b871b49d6580779805a4a1c2d835e834a2fa614fe40cf71931d11a8279cf",
-                "sha256:52eded125c0d1ab72125105ef061370c6b06ab9bd37e29a61bc2f8a61205bae4",
-                "sha256:72af9a5a747a5fe6e425d2be10daa43d18307dbe03498df3820fc3cd93daa148",
-                "sha256:806855d505da24aeb77758a6f373b1473e5ed63bdbe346af90cc6d2b053e4716",
-                "sha256:8746dd992aaec06ed8ff1615f4a8e2a32258e8af38f9a9f8acf3ee1fb34a5da6",
-                "sha256:9d52b2b15d42292725e4f9d8a5b040e39cba0a9cd58059ac951e7310d6340bb9",
-                "sha256:b380f3ebc042f71afab057632481d06e06f1ba4f90047d91ca92612a7d3d487b",
-                "sha256:be0f475edd8e9c98f57449c97839f6a81946e79e4cccb81e4b5196a2cc40e044",
-                "sha256:bf3c62d154f2222caf56d897ddfd53fd0aef560d5a2202447d90e015301a0a10",
-                "sha256:fe6a5f05aba3ff47e105a308482b68f8b0fd80656eb1456a9c1e4de47d2c580f"
+                "sha256:23f209260b37bdc2fd96af837494c47dd1e67964f077442b63acd83c0f62e212",
+                "sha256:4fb38ab0bf3e47cbae136119674a869e09d61c939b510350f369c8ac46087373",
+                "sha256:705ab5b848afdf3a5c78b1322276054c885f44dc51601e14cb883a9c86cbe20f",
+                "sha256:843d10bba4c480609da74ee11fff1ee0fc1c12821c656979f12a7a4ecb043e03",
+                "sha256:86d54b93f8278e2f0c504d0744e39a483c1c7ce9993f2ca70184cc7770faa982",
+                "sha256:8922fba55a060ee81de4a7f5efc593c5bf121047763aecf0eead02e061c9d2db",
+                "sha256:c7b49d4fce83186b89f7ce6cec765245d36a70d0acc2f3ed0ba95c735b3667da",
+                "sha256:cd2eaaff7f31784a07dd99ce81fa767313df3ba1834faa4143ee2c07000cac7a",
+                "sha256:dea5bef9b5830c36ccb7a68a0d94d49eaea4d03fbbd04179652bf661b7e6e30f",
+                "sha256:eadff662d89c80db409c69d82eb3e695e16d4a5e8ab56b5b22670a54e9c6ff20",
+                "sha256:ee233d0bc27fb8f447ca2622b0de2ac2df45b8795f02ef263825912011fe4fe9"
            ],
            "index": "pypi",
-            "version": "==1.3.10"
+            "version": "==1.3.11"
        },
        "yarl": {
            "hashes": [
@ -1439,10 +1358,11 @@
        },
        "black": {
            "hashes": [
-                "sha256:1c02557aa099101b9d21496f8a914e9ed2222ef70336404eeeac8edba836fbea"
+                "sha256:23695358dbcb3deafe7f0a3ad89feee5999a46be5fec21f4f1d108be0bcdb3b1",
+                "sha256:8a60071a0043876a4ae96e6c69bd3a127dad2c1ca7c8083573eb82f92705d008"
            ],
            "index": "pypi",
-            "version": "==20.8b1"
+            "version": "==21.5b1"
        },
        "bump2version": {
            "hashes": [
@ -1454,10 +1374,10 @@
        },
        "certifi": {
            "hashes": [
-                "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c",
-                "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830"
+                "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
+                "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
            ],
-            "version": "==2020.12.5"
+            "version": "==2021.5.30"
        },
        "chardet": {
            "hashes": [
@ -1548,10 +1468,10 @@
        },
        "gitpython": {
            "hashes": [
-                "sha256:05af150f47a5cca3f4b0af289b73aef8cf3c4fe2385015b06220cbcdee48bb6e",
-                "sha256:a77824e516d3298b04fb36ec7845e92747df8fcfee9cacc32dd6239f9652f867"
+                "sha256:29fe82050709760081f588dd50ce83504feddbebdc4da6956d02351552b1c135",
+                "sha256:ee24bdc93dce357630764db659edaf6b8d664d4ff5447ccfeedd2dc5c253f41e"
            ],
-            "version": "==3.1.15"
+            "version": "==3.1.17"
        },
        "idna": {
            "hashes": [
@ -1653,11 +1573,11 @@
        },
        "pylint": {
            "hashes": [
-                "sha256:586d8fa9b1891f4b725f587ef267abe2a1bad89d6b184520c7f07a253dd6e217",
-                "sha256:f7e2072654a6b6afdf5e2fb38147d3e2d2d43c89f648637baab63e026481279b"
+                "sha256:0a049c5d47b629d9070c3932d13bff482b12119b6a241a93bc460b0be16953c8",
+                "sha256:792b38ff30903884e4a9eab814ee3523731abd3c463f3ba48d7b627e87013484"
            ],
            "index": "pypi",
-            "version": "==2.8.2"
+            "version": "==2.8.3"
        },
        "pylint-django": {
            "hashes": [
@ -1691,11 +1611,11 @@
        },
        "pytest-django": {
            "hashes": [
-                "sha256:80f8875226ec4dc0b205f0578072034563879d98d9b1bec143a80b9045716cb0",
-                "sha256:a51150d8962200250e850c6adcab670779b9c2aa07271471059d1fb92a843fa9"
+                "sha256:65783e78382456528bd9d79a35843adde9e6a47347b20464eb2c885cb0f1f606",
+                "sha256:b5171e3798bf7e3fc5ea7072fe87324db67a4dd9f1192b037fed4cc3c1b7f455"
            ],
            "index": "pypi",
-            "version": "==4.2.0"
+            "version": "==4.4.0"
        },
        "pyyaml": {
            "hashes": [
@ -1787,11 +1707,11 @@
        },
        "requests-mock": {
            "hashes": [
-                "sha256:33296f228d8c5df11a7988b741325422480baddfdf5dd9318fd0eb40c3ed8595",
-                "sha256:5c8ef0254c14a84744be146e9799dc13ebc4f6186058112d9aeed96b131b58e2"
+                "sha256:0a2d38a117c08bb78939ec163522976ad59a6b7fdd82b709e23bb98004a44970",
+                "sha256:8d72abe54546c1fc9696fa1516672f1031d72a55a1d66c85184f972a24ba0eba"
            ],
            "index": "pypi",
-            "version": "==1.9.2"
+            "version": "==1.9.3"
        },
        "selenium": {
            "hashes": [
@ -1829,59 +1749,16 @@
            ],
            "version": "==0.10.2"
        },
-        "typed-ast": {
-            "hashes": [
-                "sha256:01ae5f73431d21eead5015997ab41afa53aa1fbe252f9da060be5dad2c730ace",
-                "sha256:067a74454df670dcaa4e59349a2e5c81e567d8d65458d480a5b3dfecec08c5ff",
-                "sha256:0fb71b8c643187d7492c1f8352f2c15b4c4af3f6338f21681d3681b3dc31a266",
-                "sha256:1b3ead4a96c9101bef08f9f7d1217c096f31667617b58de957f690c92378b528",
-                "sha256:2068531575a125b87a41802130fa7e29f26c09a2833fea68d9a40cf33902eba6",
-                "sha256:209596a4ec71d990d71d5e0d312ac935d86930e6eecff6ccc7007fe54d703808",
-                "sha256:2c726c276d09fc5c414693a2de063f521052d9ea7c240ce553316f70656c84d4",
-                "sha256:398e44cd480f4d2b7ee8d98385ca104e35c81525dd98c519acff1b79bdaac363",
-                "sha256:52b1eb8c83f178ab787f3a4283f68258525f8d70f778a2f6dd54d3b5e5fb4341",
-                "sha256:5feca99c17af94057417d744607b82dd0a664fd5e4ca98061480fd8b14b18d04",
-                "sha256:7538e495704e2ccda9b234b82423a4038f324f3a10c43bc088a1636180f11a41",
-                "sha256:760ad187b1041a154f0e4d0f6aae3e40fdb51d6de16e5c99aedadd9246450e9e",
-                "sha256:777a26c84bea6cd934422ac2e3b78863a37017618b6e5c08f92ef69853e765d3",
-                "sha256:95431a26309a21874005845c21118c83991c63ea800dd44843e42a916aec5899",
-                "sha256:9ad2c92ec681e02baf81fdfa056fe0d818645efa9af1f1cd5fd6f1bd2bdfd805",
-                "sha256:9c6d1a54552b5330bc657b7ef0eae25d00ba7ffe85d9ea8ae6540d2197a3788c",
-                "sha256:aee0c1256be6c07bd3e1263ff920c325b59849dc95392a05f258bb9b259cf39c",
-                "sha256:af3d4a73793725138d6b334d9d247ce7e5f084d96284ed23f22ee626a7b88e39",
-                "sha256:b36b4f3920103a25e1d5d024d155c504080959582b928e91cb608a65c3a49e1a",
-                "sha256:b9574c6f03f685070d859e75c7f9eeca02d6933273b5e69572e5ff9d5e3931c3",
-                "sha256:bff6ad71c81b3bba8fa35f0f1921fb24ff4476235a6e94a26ada2e54370e6da7",
-                "sha256:c190f0899e9f9f8b6b7863debfb739abcb21a5c054f911ca3596d12b8a4c4c7f",
-                "sha256:c907f561b1e83e93fad565bac5ba9c22d96a54e7ea0267c708bffe863cbe4075",
-                "sha256:cae53c389825d3b46fb37538441f75d6aecc4174f615d048321b716df2757fb0",
-                "sha256:dd4a21253f42b8d2b48410cb31fe501d32f8b9fbeb1f55063ad102fe9c425e40",
-                "sha256:dde816ca9dac1d9c01dd504ea5967821606f02e510438120091b84e852367428",
-                "sha256:f2362f3cb0f3172c42938946dbc5b7843c2a28aec307c49100c8b38764eb6927",
-                "sha256:f328adcfebed9f11301eaedfa48e15bdece9b519fb27e6a8c01aa52a17ec31b3",
-                "sha256:f8afcf15cc511ada719a88e013cec87c11aff7b91f019295eb4530f96fe5ef2f",
-                "sha256:fb1bbeac803adea29cedd70781399c99138358c26d05fcbd23c13016b7f5ec65"
-            ],
-            "version": "==1.4.3"
-        },
-        "typing-extensions": {
-            "hashes": [
-                "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
-                "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
-                "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
-            ],
-            "version": "==3.10.0.0"
-        },
        "urllib3": {
            "extras": [
                "secure"
            ],
            "hashes": [
-                "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
-                "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
+                "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c",
+                "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098"
            ],
            "index": "pypi",
-            "version": "==1.26.4"
+            "version": "==1.26.5"
        },
        "wrapt": {
            "hashes": [
--- a/authentik/init.py
+++ b/authentik/init.py
@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.5.1-rc7"
+__version__ = "2021.6.1-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/api/meta.py
+++ b/authentik/admin/api/meta.py
@ -1,5 +1,5 @@
 """Meta API"""
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework.fields import CharField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
@ -22,7 +22,7 @@ class AppsViewSet(ViewSet):

    permission_classes = [IsAdminUser]

-    @swagger_auto_schema(responses={200: AppSerializer(many=True)})
+    @extend_schema(responses={200: AppSerializer(many=True)})
    def list(self, request: Request) -> Response:
        """List current messages and pass into Serializer"""
        data = []
--- a/authentik/admin/api/metrics.py
+++ b/authentik/admin/api/metrics.py
@ -7,12 +7,12 @@ from django.db.models import Count, ExpressionWrapper, F
 from django.db.models.fields import DurationField
 from django.db.models.functions import ExtractHour
 from django.utils.timezone import now
-from drf_yasg.utils import swagger_auto_schema, swagger_serializer_method
+from drf_spectacular.utils import extend_schema, extend_schema_field
 from rest_framework.fields import IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.viewsets import ViewSet
+from rest_framework.views import APIView

 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import Event, EventAction
@ -58,24 +58,24 @@ class LoginMetricsSerializer(PassiveSerializer):
    logins_per_1h = SerializerMethodField()
    logins_failed_per_1h = SerializerMethodField()

-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_per_1h(self, _):
        """Get successful logins per hour for the last 24 hours"""
        return get_events_per_1h(action=EventAction.LOGIN)

-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_failed_per_1h(self, _):
        """Get failed logins per hour for the last 24 hours"""
        return get_events_per_1h(action=EventAction.LOGIN_FAILED)


-class AdministrationMetricsViewSet(ViewSet):
+class AdministrationMetricsViewSet(APIView):
    """Login Metrics per 1h"""

    permission_classes = [IsAdminUser]

-    @swagger_auto_schema(responses={200: LoginMetricsSerializer(many=False)})
-    def list(self, request: Request) -> Response:
+    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
+    def get(self, request: Request) -> Response:
        """Login Metrics per 1h"""
        serializer = LoginMetricsSerializer(True)
        return Response(serializer.data)
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -0,0 +1,91 @@
+"""authentik administration overview"""
+import os
+import platform
+from datetime import datetime
+from sys import version as python_version
+from typing import TypedDict
+
+from django.utils.timezone import now
+from drf_spectacular.utils import extend_schema
+from gunicorn import version_info as gunicorn_version
+from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
+from rest_framework.fields import SerializerMethodField
+from rest_framework.permissions import IsAdminUser
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.views import APIView
+
+from authentik.core.api.utils import PassiveSerializer
+
+
+class RuntimeDict(TypedDict):
+    """Runtime information"""
+
+    python_version: str
+    gunicorn_version: str
+    environment: str
+    architecture: str
+    platform: str
+    uname: str
+
+
+class SystemSerializer(PassiveSerializer):
+    """Get system information."""
+
+    http_headers = SerializerMethodField()
+    http_host = SerializerMethodField()
+    http_is_secure = SerializerMethodField()
+    runtime = SerializerMethodField()
+    tenant = SerializerMethodField()
+    server_time = SerializerMethodField()
+
+    def get_http_headers(self, request: Request) -> dict[str, str]:
+        """Get HTTP Request headers"""
+        headers = {}
+        for key, value in request.META.items():
+            if not isinstance(value, str):
+                continue
+            headers[key] = value
+        return headers
+
+    def get_http_host(self, request: Request) -> str:
+        """Get HTTP host"""
+        return request._request.get_host()
+
+    def get_http_is_secure(self, request: Request) -> bool:
+        """Get HTTP Secure flag"""
+        return request._request.is_secure()
+
+    def get_runtime(self, request: Request) -> RuntimeDict:
+        """Get versions"""
+        return {
+            "python_version": python_version,
+            "gunicorn_version": ".".join(str(x) for x in gunicorn_version),
+            "environment": "kubernetes"
+            if SERVICE_HOST_ENV_NAME in os.environ
+            else "compose",
+            "architecture": platform.machine(),
+            "platform": platform.platform(),
+            "uname": " ".join(platform.uname()),
+        }
+
+    def get_tenant(self, request: Request) -> str:
+        """Currently active tenant"""
+        return str(request._request.tenant)
+
+    def get_server_time(self, request: Request) -> datetime:
+        """Current server time"""
+        return now()
+
+
+class SystemView(APIView):
+    """Get system information."""
+
+    permission_classes = [IsAdminUser]
+    pagination_class = None
+    filter_backends = []
+
+    @extend_schema(responses={200: SystemSerializer(many=False)})
+    def get(self, request: Request) -> Response:
+        """Get system information."""
+        return Response(SystemSerializer(request).data)
--- a/authentik/admin/api/tasks.py
+++ b/authentik/admin/api/tasks.py
@ -4,7 +4,8 @@ from importlib import import_module
 from django.contrib import messages
 from django.http.response import Http404
 from django.utils.translation import gettext_lazy as _
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ChoiceField, DateTimeField, ListField
 from rest_framework.permissions import IsAdminUser
@ -21,7 +22,7 @@ class TaskSerializer(PassiveSerializer):

    task_name = CharField()
    task_description = CharField()
-    task_finish_timestamp = DateTimeField(source="finish_timestamp")
+    task_finish_timestamp = DateTimeField(source="finish_time")

    status = ChoiceField(
        source="result.status.name",
@ -29,14 +30,32 @@ class TaskSerializer(PassiveSerializer):
    )
    messages = ListField(source="result.messages")

+    def to_representation(self, instance):
+        """When a new version of authentik adds fields to TaskInfo,
+        the API will fail with an AttributeError, as the classes
+        are pickled in cache. In that case, just delete the info"""
+        try:
+            return super().to_representation(instance)
+        except AttributeError:
+            if isinstance(self.instance, list):
+                for inst in self.instance:
+                    inst.delete()
+            else:
+                self.instance.delete()
+            return {}
+

 class TaskViewSet(ViewSet):
    """Read-only view set that returns all background tasks"""

    permission_classes = [IsAdminUser]
+    serializer_class = TaskSerializer

-    @swagger_auto_schema(
-        responses={200: TaskSerializer(many=False), 404: "Task not found"}
+    @extend_schema(
+        responses={
+            200: TaskSerializer(many=False),
+            404: OpenApiResponse(description="Task not found"),
+        }
    )
    # pylint: disable=invalid-name
    def retrieve(self, request: Request, pk=None) -> Response:
@ -46,18 +65,19 @@ class TaskViewSet(ViewSet):
            raise Http404
        return Response(TaskSerializer(task, many=False).data)

-    @swagger_auto_schema(responses={200: TaskSerializer(many=True)})
+    @extend_schema(responses={200: TaskSerializer(many=True)})
    def list(self, request: Request) -> Response:
        """List system tasks"""
        tasks = sorted(TaskInfo.all().values(), key=lambda task: task.task_name)
        return Response(TaskSerializer(tasks, many=True).data)

-    @swagger_auto_schema(
+    @extend_schema(
+        request=OpenApiTypes.NONE,
        responses={
-            204: "Task retried successfully",
-            404: "Task not found",
-            500: "Failed to retry task",
-        }
+            204: OpenApiResponse(description="Task retried successfully"),
+            404: OpenApiResponse(description="Task not found"),
+            500: OpenApiResponse(description="Failed to retry task"),
+        },
    )
    @action(detail=True, methods=["post"])
    # pylint: disable=invalid-name
--- a/authentik/admin/api/version.py
+++ b/authentik/admin/api/version.py
@ -2,14 +2,13 @@
 from os import environ

 from django.core.cache import cache
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
-from rest_framework.mixins import ListModelMixin
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.viewsets import GenericViewSet
+from rest_framework.views import APIView

 from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
@ -47,17 +46,14 @@ class VersionSerializer(PassiveSerializer):
        )


-class VersionViewSet(ListModelMixin, GenericViewSet):
+class VersionView(APIView):
    """Get running and latest version."""

    permission_classes = [IsAuthenticated]
    pagination_class = None
    filter_backends = []

-    def get_queryset(self):  # pragma: no cover
-        return None
-
-    @swagger_auto_schema(responses={200: VersionSerializer(many=False)})
-    def list(self, request: Request) -> Response:
+    @extend_schema(responses={200: VersionSerializer(many=False)})
+    def get(self, request: Request) -> Response:
        """Get running and latest version."""
        return Response(VersionSerializer(True).data)
--- a/authentik/admin/api/workers.py
+++ b/authentik/admin/api/workers.py
@ -1,25 +1,26 @@
 """authentik administration overview"""
-from rest_framework.mixins import ListModelMixin
+from drf_spectacular.utils import extend_schema, inline_serializer
+from prometheus_client import Gauge
+from rest_framework.fields import IntegerField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import Serializer
-from rest_framework.viewsets import GenericViewSet
+from rest_framework.views import APIView

 from authentik.root.celery import CELERY_APP

+GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")

-class WorkerViewSet(ListModelMixin, GenericViewSet):
+
+class WorkerView(APIView):
    """Get currently connected worker count."""

-    serializer_class = Serializer
    permission_classes = [IsAdminUser]

-    def get_queryset(self):  # pragma: no cover
-        return None
-
-    def list(self, request: Request) -> Response:
+    @extend_schema(
+        responses=inline_serializer("Workers", fields={"count": IntegerField()})
+    )
+    def get(self, request: Request) -> Response:
        """Get currently connected worker count."""
-        return Response(
-            {"pagination": {"count": len(CELERY_APP.control.ping(timeout=0.5))}}
-        )
+        count = len(CELERY_APP.control.ping(timeout=0.5))
+        return Response({"count": count})
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -1,13 +1,15 @@
 """authentik admin tasks"""
 import re
+from os import environ

 from django.core.cache import cache
 from django.core.validators import URLValidator
 from packaging.version import parse
+from prometheus_client import Info
 from requests import RequestException, get
 from structlog.stdlib import get_logger

-from authentik import __version__
+from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.events.models import Event, EventAction
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.root.celery import CELERY_APP
@ -17,6 +19,18 @@ VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
 # Chop of the first ^ because we want to search the entire string
 URL_FINDER = URLValidator.regex.pattern[1:]
+PROM_INFO = Info("authentik_version", "Currently running authentik version")
+
+
+def _set_prom_info():
+    """Set prometheus info for version"""
+    PROM_INFO.info(
+        {
+            "version": __version__,
+            "latest": cache.get(VERSION_CACHE_KEY, ""),
+            "build_hash": environ.get(ENV_GIT_HASH_KEY, ""),
+        }
+    )


@CELERY_APP.task(bind=True, base=MonitoredTask)
@ -36,6 +50,7 @@ def update_latest_version(self: MonitoredTask):
                TaskResultStatus.SUCCESSFUL, ["Successfully updated latest Version"]
            )
        )
+        _set_prom_info()
        # Check if upstream version is newer than what we're running,
        # and if no event exists yet, create one.
        local_version = parse(__version__)
@ -53,3 +68,6 @@ def update_latest_version(self: MonitoredTask):
    except (RequestException, IndexError) as exc:
        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
+
+
+_set_prom_info()
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -7,6 +7,7 @@ from django.urls import reverse
 from authentik import __version__
 from authentik.core.models import Group, User
 from authentik.core.tasks import clean_expired_models
+from authentik.events.monitored_tasks import TaskResultStatus


 class TestAdminAPI(TestCase):
@ -30,6 +31,26 @@ class TestAdminAPI(TestCase):
            any(task["task_name"] == "clean_expired_models" for task in body)
        )

+    def test_tasks_single(self):
+        """Test Task API (read single)"""
+        clean_expired_models.delay()
+        response = self.client.get(
+            reverse(
+                "authentik_api:admin_system_tasks-detail",
+                kwargs={"pk": "clean_expired_models"},
+            )
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertEqual(body["status"], TaskResultStatus.SUCCESSFUL.name)
+        self.assertEqual(body["task_name"], "clean_expired_models")
+        response = self.client.get(
+            reverse(
+                "authentik_api:admin_system_tasks-detail", kwargs={"pk": "qwerqwer"}
+            )
+        )
+        self.assertEqual(response.status_code, 404)
+
    def test_tasks_retry(self):
        """Test Task API (retry)"""
        clean_expired_models.delay()
@ -53,24 +74,29 @@ class TestAdminAPI(TestCase):

    def test_version(self):
        """Test Version API"""
-        response = self.client.get(reverse("authentik_api:admin_version-list"))
+        response = self.client.get(reverse("authentik_api:admin_version"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
        self.assertEqual(body["version_current"], __version__)

    def test_workers(self):
        """Test Workers API"""
-        response = self.client.get(reverse("authentik_api:admin_workers-list"))
+        response = self.client.get(reverse("authentik_api:admin_workers"))
        self.assertEqual(response.status_code, 200)
        body = loads(response.content)
-        self.assertEqual(body["pagination"]["count"], 0)
+        self.assertEqual(body["count"], 0)

    def test_metrics(self):
        """Test metrics API"""
-        response = self.client.get(reverse("authentik_api:admin_metrics-list"))
+        response = self.client.get(reverse("authentik_api:admin_metrics"))
        self.assertEqual(response.status_code, 200)

    def test_apps(self):
        """Test apps API"""
        response = self.client.get(reverse("authentik_api:apps-list"))
        self.assertEqual(response.status_code, 200)
+
+    def test_system(self):
+        """Test system API"""
+        response = self.client.get(reverse("authentik_api:admin_system"))
+        self.assertEqual(response.status_code, 200)
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -3,6 +3,7 @@ from base64 import b64decode
 from binascii import Error
 from typing import Any, Optional, Union

+from drf_spectacular.authentication import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
 from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
@ -17,7 +18,7 @@ LOGGER = get_logger()
 def token_from_header(raw_header: bytes) -> Optional[Token]:
    """raw_header in the Format of `Bearer dGVzdDp0ZXN0`"""
    auth_credentials = raw_header.decode()
-    if auth_credentials == "":
+    if auth_credentials == "" or " " not in auth_credentials:
        return None
    auth_type, auth_credentials = auth_credentials.split()
    if auth_type.lower() not in ["basic", "bearer"]:
@ -42,7 +43,7 @@ def token_from_header(raw_header: bytes) -> Optional[Token]:
    return tokens.first()


-class AuthentikTokenAuthentication(BaseAuthentication):
+class TokenAuthentication(BaseAuthentication):
    """Token-based authentication using HTTP Bearer authentication"""

    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
@ -54,4 +55,19 @@ class AuthentikTokenAuthentication(BaseAuthentication):
        if not token:
            return None

-        return (token.user, None)
+        return (token.user, None)  # pragma: no cover
+
+
+class TokenSchema(OpenApiAuthenticationExtension):
+    """Auth schema"""
+
+    target_class = TokenAuthentication
+    name = "authentik"
+
+    def get_security_definition(self, auto_schema):
+        """Auth schema"""
+        return {
+            "type": "apiKey",
+            "in": "header",
+            "name": "Authorization",
+        }
--- a/authentik/api/authorization.py
+++ b/authentik/api/authorization.py
@ -0,0 +1,35 @@
+"""API Authorization"""
+from django.db.models import Model
+from django.db.models.query import QuerySet
+from rest_framework.filters import BaseFilterBackend
+from rest_framework.permissions import BasePermission
+from rest_framework.request import Request
+
+
+class OwnerFilter(BaseFilterBackend):
+    """Filter objects by their owner"""
+
+    owner_key = "user"
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
+        return queryset.filter(**{self.owner_key: request.user})
+
+
+class OwnerPermissions(BasePermission):
+    """Authorize requests by an object's owner matching the requesting user"""
+
+    owner_key = "user"
+
+    def has_permission(self, request: Request, view) -> bool:
+        """If the user is authenticated, we allow all requests here. For listing, the
+        object-level permissions are done by the filter backend"""
+        return request.user.is_authenticated
+
+    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
+        """Check if the object's owner matches the currently logged in user"""
+        if not hasattr(obj, self.owner_key):
+            return False
+        owner = getattr(obj, self.owner_key)
+        if owner != request.user:
+            return False
+        return True
--- a/authentik/api/pagination.py
+++ b/authentik/api/pagination.py
@ -30,3 +30,47 @@ class Pagination(pagination.PageNumberPagination):
                "results": data,
            }
        )
+
+    def get_paginated_response_schema(self, schema):
+        return {
+            "type": "object",
+            "properties": {
+                "pagination": {
+                    "type": "object",
+                    "properties": {
+                        "next": {
+                            "type": "number",
+                        },
+                        "previous": {
+                            "type": "number",
+                        },
+                        "count": {
+                            "type": "number",
+                        },
+                        "current": {
+                            "type": "number",
+                        },
+                        "total_pages": {
+                            "type": "number",
+                        },
+                        "start_index": {
+                            "type": "number",
+                        },
+                        "end_index": {
+                            "type": "number",
+                        },
+                    },
+                    "required": [
+                        "next",
+                        "previous",
+                        "count",
+                        "current",
+                        "total_pages",
+                        "start_index",
+                        "end_index",
+                    ],
+                },
+                "results": schema,
+            },
+            "required": ["pagination", "results"],
+        }
--- a/authentik/api/pagination_schema.py
+++ b/authentik/api/pagination_schema.py
@ -1,97 +0,0 @@
-"""Swagger Pagination Schema class"""
-from typing import OrderedDict
-
-from drf_yasg import openapi
-from drf_yasg.inspectors import PaginatorInspector
-
-
-class PaginationInspector(PaginatorInspector):
-    """Swagger Pagination Schema class"""
-
-    def get_paginated_response(self, paginator, response_schema):
-        """
-        :param BasePagination paginator: the paginator
-        :param openapi.Schema response_schema: the response schema that must be paged.
-        :rtype: openapi.Schema
-        """
-
-        return openapi.Schema(
-            type=openapi.TYPE_OBJECT,
-            properties=OrderedDict(
-                (
-                    (
-                        "pagination",
-                        openapi.Schema(
-                            type=openapi.TYPE_OBJECT,
-                            properties=OrderedDict(
-                                (
-                                    ("next", openapi.Schema(type=openapi.TYPE_NUMBER)),
-                                    (
-                                        "previous",
-                                        openapi.Schema(type=openapi.TYPE_NUMBER),
-                                    ),
-                                    ("count", openapi.Schema(type=openapi.TYPE_NUMBER)),
-                                    (
-                                        "current",
-                                        openapi.Schema(type=openapi.TYPE_NUMBER),
-                                    ),
-                                    (
-                                        "total_pages",
-                                        openapi.Schema(type=openapi.TYPE_NUMBER),
-                                    ),
-                                    (
-                                        "start_index",
-                                        openapi.Schema(type=openapi.TYPE_NUMBER),
-                                    ),
-                                    (
-                                        "end_index",
-                                        openapi.Schema(type=openapi.TYPE_NUMBER),
-                                    ),
-                                )
-                            ),
-                            required=[
-                                "next",
-                                "previous",
-                                "count",
-                                "current",
-                                "total_pages",
-                                "start_index",
-                                "end_index",
-                            ],
-                        ),
-                    ),
-                    ("results", response_schema),
-                )
-            ),
-            required=["results", "pagination"],
-        )
-
-    def get_paginator_parameters(self, paginator):
-        """
-        Get the pagination parameters for a single paginator **instance**.
-
-        Should return :data:`.NotHandled` if this inspector
-        does not know how to handle the given `paginator`.
-
-        :param BasePagination paginator: the paginator
-        :rtype: list[openapi.Parameter]
-        """
-
-        return [
-            openapi.Parameter(
-                "page",
-                openapi.IN_QUERY,
-                "Page Index",
-                False,
-                None,
-                openapi.TYPE_INTEGER,
-            ),
-            openapi.Parameter(
-                "page_size",
-                openapi.IN_QUERY,
-                "Page Size",
-                False,
-                None,
-                openapi.TYPE_INTEGER,
-            ),
-        ]
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -1,102 +1,77 @@
 """Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
-from drf_yasg import openapi
-from drf_yasg.inspectors.view import SwaggerAutoSchema
-from drf_yasg.utils import force_real_str, is_list_view
-from rest_framework import exceptions, status
-from rest_framework.settings import api_settings
+from django.utils.translation import gettext_lazy as _
+from drf_spectacular.plumbing import (
+    ResolvedComponent,
+    build_array_type,
+    build_basic_type,
+    build_object_type,
+)
+from drf_spectacular.settings import spectacular_settings
+from drf_spectacular.types import OpenApiTypes


-class ErrorResponseAutoSchema(SwaggerAutoSchema):
-    """Inspector which includes an error schema"""
+def build_standard_type(obj, **kwargs):
+    """Build a basic type with optional add ons."""
+    schema = build_basic_type(obj)
+    schema.update(kwargs)
+    return schema

-    def get_generic_error_schema(self):
-        """Get a generic error schema"""
-        return openapi.Schema(
-            "Generic API Error",
-            type=openapi.TYPE_OBJECT,
-            properties={
-                "detail": openapi.Schema(
-                    type=openapi.TYPE_STRING, description="Error details"
-                ),
-                "code": openapi.Schema(
-                    type=openapi.TYPE_STRING, description="Error code"
-                ),
-            },
-            required=["detail"],
+
+GENERIC_ERROR = build_object_type(
+    description=_("Generic API Error"),
+    properties={
+        "detail": build_standard_type(OpenApiTypes.STR),
+        "code": build_standard_type(OpenApiTypes.STR),
+    },
+    required=["detail"],
+)
+VALIDATION_ERROR = build_object_type(
+    description=_("Validation Error"),
+    properties={
+        "non_field_errors": build_array_type(build_standard_type(OpenApiTypes.STR)),
+        "code": build_standard_type(OpenApiTypes.STR),
+    },
+    required=["detail"],
+    additionalProperties={},
+)
+
+
+def postprocess_schema_responses(result, generator, **kwargs):  # noqa: W0613
+    """Workaround to set a default response for endpoints.
+    Workaround suggested at
+    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
+    for the missing drf-spectacular feature discussed in
+    <https://github.com/tfranzel/drf-spectacular/issues/101>.
+    """
+
+    def create_component(name, schema, type_=ResolvedComponent.SCHEMA):
+        """Register a component and return a reference to it."""
+        component = ResolvedComponent(
+            name=name,
+            type=type_,
+            schema=schema,
+            object=name,
        )
+        generator.registry.register_on_missing(component)
+        return component

-    def get_validation_error_schema(self):
-        """Get a generic validation error schema"""
-        return openapi.Schema(
-            "Validation Error",
-            type=openapi.TYPE_OBJECT,
-            properties={
-                api_settings.NON_FIELD_ERRORS_KEY: openapi.Schema(
-                    description="List of validation errors not related to any field",
-                    type=openapi.TYPE_ARRAY,
-                    items=openapi.Schema(type=openapi.TYPE_STRING),
-                ),
-            },
-            additional_properties=openapi.Schema(
-                description=(
-                    "A list of error messages for each "
-                    "field that triggered a validation error"
-                ),
-                type=openapi.TYPE_ARRAY,
-                items=openapi.Schema(type=openapi.TYPE_STRING),
-            ),
-        )
+    generic_error = create_component("GenericError", GENERIC_ERROR)
+    validation_error = create_component("ValidationError", VALIDATION_ERROR)

-    def get_response_serializers(self):
-        responses = super().get_response_serializers()
-        definitions = self.components.with_scope(
-            openapi.SCHEMA_DEFINITIONS
-        )  # type: openapi.ReferenceResolver
+    for path in result["paths"].values():
+        for method in path.values():
+            method["responses"].setdefault("400", validation_error.ref)
+            method["responses"].setdefault("403", generic_error.ref)

-        definitions.setdefault("GenericError", self.get_generic_error_schema)
-        definitions.setdefault("ValidationError", self.get_validation_error_schema)
-        definitions.setdefault("APIException", self.get_generic_error_schema)
+    result["components"] = generator.registry.build(
+        spectacular_settings.APPEND_COMPONENTS
+    )

-        if self.get_request_serializer() or self.get_query_serializer():
-            responses.setdefault(
-                exceptions.ValidationError.status_code,
-                openapi.Response(
-                    description=force_real_str(
-                        exceptions.ValidationError.default_detail
-                    ),
-                    schema=openapi.SchemaRef(definitions, "ValidationError"),
-                ),
-            )
-
-        security = self.get_security()
-        if security is None or len(security) > 0:
-            # Note: 401 error codes are coerced  into 403 see
-            # rest_framework/views.py:433:handle_exception
-            # This is b/c the API uses token auth which doesn't have WWW-Authenticate header
-            responses.setdefault(
-                status.HTTP_403_FORBIDDEN,
-                openapi.Response(
-                    description="Authentication credentials were invalid, absent or insufficient.",
-                    schema=openapi.SchemaRef(definitions, "GenericError"),
-                ),
-            )
-        if not is_list_view(self.path, self.method, self.view):
-            responses.setdefault(
-                exceptions.PermissionDenied.status_code,
-                openapi.Response(
-                    description="Permission denied.",
-                    schema=openapi.SchemaRef(definitions, "APIException"),
-                ),
-            )
-            responses.setdefault(
-                exceptions.NotFound.status_code,
-                openapi.Response(
-                    description=(
-                        "Object does not exist or caller "
-                        "has insufficient permissions to access it."
-                    ),
-                    schema=openapi.SchemaRef(definitions, "APIException"),
-                ),
-            )
-
-        return responses
+    # This is a workaround for authentik/stages/prompt/stage.py
+    # since the serializer PromptChallengeResponse
+    # accepts dynamic keys
+    for component in result["components"]["schemas"]:
+        if component == "PromptChallengeResponseRequest":
+            comp = result["components"]["schemas"][component]
+            comp["additionalProperties"] = {}
+    return result
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -3,7 +3,7 @@
 {% load static %}

 {% block title %}
-API Browser - {{ config.authentik.branding.title }}
+API Browser - {{ tenant.branding_title }}
 {% endblock %}

 {% block head %}
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@ -5,7 +5,7 @@ from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.exceptions import AuthenticationFailed

-from authentik.api.auth import token_from_header
+from authentik.api.authentication import token_from_header
 from authentik.core.models import Token, TokenIntents


--- a/authentik/api/tests/test_config.py
+++ b/authentik/api/tests/test_config.py
@ -11,6 +11,6 @@ class TestConfig(APITestCase):
    def test_config(self):
        """Test YAML generation"""
        response = self.client.get(
-            reverse("authentik_api:configs-list"),
+            reverse("authentik_api:config"),
        )
        self.assertTrue(loads(response.content.decode()))
--- a/authentik/api/tests/test_schema.py
+++ b/authentik/api/tests/test_schema.py
@ -0,0 +1,22 @@
+"""Schema generation tests"""
+from django.urls import reverse
+from rest_framework.test import APITestCase
+from yaml import safe_load
+
+
+class TestSchemaGeneration(APITestCase):
+    """Generic admin tests"""
+
+    def test_schema(self):
+        """Test generation"""
+        response = self.client.get(
+            reverse("authentik_api:schema"),
+        )
+        self.assertTrue(safe_load(response.content.decode()))
+
+    def test_browser(self):
+        """Test API Browser"""
+        response = self.client.get(
+            reverse("authentik_api:schema-browser"),
+        )
+        self.assertEqual(response.status_code, 200)
--- a/authentik/api/tests/test_swagger.py
+++ b/authentik/api/tests/test_swagger.py
@ -1,24 +0,0 @@
-"""Swagger generation tests"""
-from json import loads
-
-from django.urls import reverse
-from rest_framework.test import APITestCase
-from yaml import safe_load
-
-
-class TestSwaggerGeneration(APITestCase):
-    """Generic admin tests"""
-
-    def test_yaml(self):
-        """Test YAML generation"""
-        response = self.client.get(
-            reverse("authentik_api:schema-json", kwargs={"format": ".yaml"}),
-        )
-        self.assertTrue(safe_load(response.content.decode()))
-
-    def test_json(self):
-        """Test JSON generation"""
-        response = self.client.get(
-            reverse("authentik_api:schema-json", kwargs={"format": ".json"}),
-        )
-        self.assertTrue(loads(response.content.decode()))
--- a/authentik/api/v2/config.py
+++ b/authentik/api/v2/config.py
@ -1,50 +1,70 @@
 """core Configs API"""
-from drf_yasg.utils import swagger_auto_schema
-from rest_framework.fields import BooleanField, CharField, ListField
+from os import environ, path
+
+from django.conf import settings
+from django.db import models
+from drf_spectacular.utils import extend_schema
+from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
+from rest_framework.fields import BooleanField, CharField, ChoiceField, ListField
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.viewsets import ViewSet
+from rest_framework.views import APIView

 from authentik.core.api.utils import PassiveSerializer
+from authentik.events.geo import GEOIP_READER
 from authentik.lib.config import CONFIG


-class FooterLinkSerializer(PassiveSerializer):
-    """Links returned in Config API"""
+class Capabilities(models.TextChoices):
+    """Define capabilities which influence which APIs can/should be used"""

-    href = CharField(read_only=True)
-    name = CharField(read_only=True)
+    CAN_SAVE_MEDIA = "can_save_media"
+    CAN_GEO_IP = "can_geo_ip"
+    CAN_BACKUP = "can_backup"


 class ConfigSerializer(PassiveSerializer):
    """Serialize authentik Config into DRF Object"""

-    branding_logo = CharField(read_only=True)
-    branding_title = CharField(read_only=True)
-    ui_footer_links = ListField(child=FooterLinkSerializer(), read_only=True)
-
    error_reporting_enabled = BooleanField(read_only=True)
    error_reporting_environment = CharField(read_only=True)
    error_reporting_send_pii = BooleanField(read_only=True)

+    capabilities = ListField(child=ChoiceField(choices=Capabilities.choices))

-class ConfigsViewSet(ViewSet):
+
+class ConfigView(APIView):
    """Read-only view set that returns the current session's Configs"""

    permission_classes = [AllowAny]

-    @swagger_auto_schema(responses={200: ConfigSerializer(many=False)})
-    def list(self, request: Request) -> Response:
+    def get_capabilities(self) -> list[Capabilities]:
+        """Get all capabilities this server instance supports"""
+        caps = []
+        deb_test = settings.DEBUG or settings.TEST
+        if path.ismount(settings.MEDIA_ROOT) or deb_test:
+            caps.append(Capabilities.CAN_SAVE_MEDIA)
+        if GEOIP_READER.enabled:
+            caps.append(Capabilities.CAN_GEO_IP)
+        if SERVICE_HOST_ENV_NAME in environ:
+            # Running in k8s, only s3 backup is supported
+            if CONFIG.y("postgresql.s3_backup"):
+                caps.append(Capabilities.CAN_BACKUP)
+        else:
+            # Running in compose, backup is always supported
+            caps.append(Capabilities.CAN_BACKUP)
+        return caps
+
+    @extend_schema(responses={200: ConfigSerializer(many=False)})
+    def get(self, request: Request) -> Response:
        """Retrive public configuration options"""
        config = ConfigSerializer(
            {
-                "branding_logo": CONFIG.y("authentik.branding.logo"),
-                "branding_title": CONFIG.y("authentik.branding.title"),
                "error_reporting_enabled": CONFIG.y("error_reporting.enabled"),
                "error_reporting_environment": CONFIG.y("error_reporting.environment"),
                "error_reporting_send_pii": CONFIG.y("error_reporting.send_pii"),
-                "ui_footer_links": CONFIG.y("authentik.footer_links"),
+                "capabilities": self.get_capabilities(),
            }
        )
        return Response(config.data)
--- a/authentik/api/v2/urls.py
+++ b/authentik/api/v2/urls.py
@ -1,18 +1,18 @@
 """api v2 urls"""
-from django.urls import path, re_path
-from drf_yasg import openapi
-from drf_yasg.views import get_schema_view
+from django.urls import path
+from drf_spectacular.views import SpectacularAPIView
 from rest_framework import routers
-from rest_framework.permissions import AllowAny

 from authentik.admin.api.meta import AppsViewSet
 from authentik.admin.api.metrics import AdministrationMetricsViewSet
+from authentik.admin.api.system import SystemView
 from authentik.admin.api.tasks import TaskViewSet
-from authentik.admin.api.version import VersionViewSet
-from authentik.admin.api.workers import WorkerViewSet
-from authentik.api.v2.config import ConfigsViewSet
-from authentik.api.views import SwaggerView
+from authentik.admin.api.version import VersionView
+from authentik.admin.api.workers import WorkerView
+from authentik.api.v2.config import ConfigView
+from authentik.api.views import APIBrowserView
 from authentik.core.api.applications import ApplicationViewSet
+from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
 from authentik.core.api.groups import GroupViewSet
 from authentik.core.api.propertymappings import PropertyMappingViewSet
 from authentik.core.api.providers import ProviderViewSet
@ -28,12 +28,12 @@ from authentik.flows.api.bindings import FlowStageBindingViewSet
 from authentik.flows.api.flows import FlowViewSet
 from authentik.flows.api.stages import StageViewSet
 from authentik.flows.views import FlowExecutorView
-from authentik.outposts.api.outpost_service_connections import (
+from authentik.outposts.api.outposts import OutpostViewSet
+from authentik.outposts.api.service_connections import (
    DockerServiceConnectionViewSet,
    KubernetesServiceConnectionViewSet,
    ServiceConnectionViewSet,
 )
-from authentik.outposts.api.outposts import OutpostViewSet
 from authentik.policies.api.bindings import PolicyBindingViewSet
 from authentik.policies.api.policies import PolicyViewSet
 from authentik.policies.dummy.api import DummyPolicyViewSet
@ -66,6 +66,11 @@ from authentik.sources.oauth.api.source_connection import (
 )
 from authentik.sources.plex.api import PlexSourceViewSet
 from authentik.sources.saml.api import SAMLSourceViewSet
+from authentik.stages.authenticator_duo.api import (
+    AuthenticatorDuoStageViewSet,
+    DuoAdminDeviceViewSet,
+    DuoDeviceViewSet,
+)
 from authentik.stages.authenticator_static.api import (
    AuthenticatorStaticStageViewSet,
    StaticAdminDeviceViewSet,
@ -97,24 +102,21 @@ from authentik.stages.user_delete.api import UserDeleteStageViewSet
 from authentik.stages.user_login.api import UserLoginStageViewSet
 from authentik.stages.user_logout.api import UserLogoutStageViewSet
 from authentik.stages.user_write.api import UserWriteStageViewSet
+from authentik.tenants.api import TenantViewSet

 router = routers.DefaultRouter()

-router.register("root/config", ConfigsViewSet, basename="configs")
-
-router.register("admin/version", VersionViewSet, basename="admin_version")
-router.register("admin/workers", WorkerViewSet, basename="admin_workers")
-router.register("admin/metrics", AdministrationMetricsViewSet, basename="admin_metrics")
 router.register("admin/system_tasks", TaskViewSet, basename="admin_system_tasks")
 router.register("admin/apps", AppsViewSet, basename="apps")

+router.register("core/authenticated_sessions", AuthenticatedSessionViewSet)
 router.register("core/applications", ApplicationViewSet)
 router.register("core/groups", GroupViewSet)
 router.register("core/users", UserViewSet)
 router.register("core/user_consent", UserConsentViewSet)
 router.register("core/tokens", TokenViewSet)
+router.register("core/tenants", TenantViewSet)

-router.register("outposts/outposts", OutpostViewSet)
 router.register("outposts/instances", OutpostViewSet)
 router.register("outposts/service_connections/all", ServiceConnectionViewSet)
 router.register("outposts/service_connections/docker", DockerServiceConnectionViewSet)
@ -166,14 +168,31 @@ router.register("propertymappings/ldap", LDAPPropertyMappingViewSet)
 router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
 router.register("propertymappings/scope", ScopeMappingViewSet)

+router.register("authenticators/duo", DuoDeviceViewSet)
 router.register("authenticators/static", StaticDeviceViewSet)
 router.register("authenticators/totp", TOTPDeviceViewSet)
 router.register("authenticators/webauthn", WebAuthnDeviceViewSet)
-router.register("authenticators/admin/static", StaticAdminDeviceViewSet)
-router.register("authenticators/admin/totp", TOTPAdminDeviceViewSet)
-router.register("authenticators/admin/webauthn", WebAuthnAdminDeviceViewSet)
+router.register(
+    "authenticators/admin/duo",
+    DuoAdminDeviceViewSet,
+    basename="admin-duodevice",
+)
+router.register(
+    "authenticators/admin/static",
+    StaticAdminDeviceViewSet,
+    basename="admin-staticdevice",
+)
+router.register(
+    "authenticators/admin/totp", TOTPAdminDeviceViewSet, basename="admin-totpdevice"
+)
+router.register(
+    "authenticators/admin/webauthn",
+    WebAuthnAdminDeviceViewSet,
+    basename="admin-webauthndevice",
+)

 router.register("stages/all", StageViewSet)
+router.register("stages/authenticator/duo", AuthenticatorDuoStageViewSet)
 router.register("stages/authenticator/static", AuthenticatorStaticStageViewSet)
 router.register("stages/authenticator/totp", AuthenticatorTOTPStageViewSet)
 router.register("stages/authenticator/validate", AuthenticatorValidateStageViewSet)
@ -196,32 +215,26 @@ router.register("stages/user_write", UserWriteStageViewSet)
 router.register("stages/dummy", DummyStageViewSet)
 router.register("policies/dummy", DummyPolicyViewSet)

-info = openapi.Info(
-    title="authentik API",
-    default_version="v2beta",
-    contact=openapi.Contact(email="hello@beryju.org"),
-    license=openapi.License(
-        name="GNU GPLv3",
-        url="https://github.com/goauthentik/authentik/blob/master/LICENSE",
-    ),
-)
-SchemaView = get_schema_view(info, public=True, permission_classes=(AllowAny,))
-
 urlpatterns = (
    [
-        path("", SwaggerView.as_view(), name="swagger"),
+        path("", APIBrowserView.as_view(), name="schema-browser"),
    ]
    + router.urls
    + [
+        path(
+            "admin/metrics/",
+            AdministrationMetricsViewSet.as_view(),
+            name="admin_metrics",
+        ),
+        path("admin/version/", VersionView.as_view(), name="admin_version"),
+        path("admin/workers/", WorkerView.as_view(), name="admin_workers"),
+        path("admin/system/", SystemView.as_view(), name="admin_system"),
+        path("root/config/", ConfigView.as_view(), name="config"),
        path(
            "flows/executor/<slug:flow_slug>/",
            FlowExecutorView.as_view(),
            name="flow-executor",
        ),
-        re_path(
-            r"^swagger(?P<format>\.json|\.yaml)$",
-            SchemaView.without_ui(cache_timeout=0),
-            name="schema-json",
-        ),
+        path("schema/", SpectacularAPIView.as_view(), name="schema"),
    ]
 )
--- a/authentik/api/views.py
+++ b/authentik/api/views.py
@ -5,18 +5,15 @@ from django.urls import reverse
 from django.views.generic import TemplateView


-class SwaggerView(TemplateView):
-    """Show swagger view based on rapi-doc"""
+class APIBrowserView(TemplateView):
+    """Show browser view based on rapi-doc"""

-    template_name = "api/swagger.html"
+    template_name = "api/browser.html"

    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        path = self.request.build_absolute_uri(
            reverse(
-                "authentik_api:schema-json",
-                kwargs={
-                    "format": ".json",
-                },
+                "authentik_api:schema",
            )
        )
        return super().get_context_data(path=path, **kwargs)
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -1,13 +1,23 @@
 """Application API Views"""
-from typing import Optional
-
 from django.core.cache import cache
 from django.db.models import QuerySet
 from django.http.response import HttpResponseBadRequest
-from drf_yasg import openapi
-from drf_yasg.utils import no_body, swagger_auto_schema
+from django.shortcuts import get_object_or_404
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiResponse,
+    extend_schema,
+    inline_serializer,
+)
 from rest_framework.decorators import action
-from rest_framework.fields import SerializerMethodField
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    FileField,
+    IntegerField,
+    ReadOnlyField,
+)
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -19,9 +29,12 @@ from structlog.stdlib import get_logger
 from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
 from authentik.api.decorators import permission_required
 from authentik.core.api.providers import ProviderSerializer
-from authentik.core.models import Application
+from authentik.core.models import Application, User
 from authentik.events.models import EventAction
+from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
+from authentik.policies.types import PolicyResult
+from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED

 LOGGER = get_logger()

@ -34,12 +47,10 @@ def user_app_cache_key(user_pk: str) -> str:
 class ApplicationSerializer(ModelSerializer):
    """Application Serializer"""

-    launch_url = SerializerMethodField()
+    launch_url = ReadOnlyField(source="get_launch_url")
    provider_obj = ProviderSerializer(source="get_provider", required=False)

-    def get_launch_url(self, instance: Application) -> Optional[str]:
-        """Get generated launch URL"""
-        return instance.get_launch_url()
+    meta_icon = ReadOnlyField(source="get_meta_icon")

    class Meta:

@ -57,6 +68,9 @@ class ApplicationSerializer(ModelSerializer):
            "meta_publisher",
            "policy_engine_mode",
        ]
+        extra_kwargs = {
+            "meta_icon": {"read_only": True},
+        }


 class ApplicationViewSet(ModelViewSet):
@ -91,34 +105,48 @@ class ApplicationViewSet(ModelViewSet):
                applications.append(application)
        return applications

-    @swagger_auto_schema(
+    @extend_schema(
+        request=inline_serializer(
+            "CheckAccessRequest", fields={"for_user": IntegerField(required=False)}
+        ),
        responses={
-            204: "Access granted",
-            403: "Access denied",
-        }
+            200: PolicyTestResultSerializer(),
+            404: OpenApiResponse(description="for_user user not found"),
+        },
    )
-    @action(detail=True, methods=["GET"])
+    @action(detail=True, methods=["POST"])
    # pylint: disable=unused-argument
    def check_access(self, request: Request, slug: str) -> Response:
        """Check access to a single application by slug"""
-        application = self.get_object()
-        engine = PolicyEngine(application, self.request.user, self.request)
+        # Don't use self.get_object as that checks for view_application permission
+        # which the user might not have, even if they have access
+        application = get_object_or_404(Application, slug=slug)
+        # If the current user is superuser, they can set `for_user`
+        for_user = self.request.user
+        if self.request.user.is_superuser and "for_user" in request.data:
+            for_user = get_object_or_404(User, pk=request.data.get("for_user"))
+        engine = PolicyEngine(application, for_user, self.request)
        engine.build()
-        if engine.passing:
-            return Response(status=204)
-        return Response(status=403)
+        result = engine.result
+        response = PolicyTestResultSerializer(PolicyResult(False))
+        if result.passing:
+            response = PolicyTestResultSerializer(PolicyResult(True))
+        if self.request.user.is_superuser:
+            response = PolicyTestResultSerializer(result)
+        return Response(response.data)

-    @swagger_auto_schema(
-        manual_parameters=[
-            openapi.Parameter(
+    @extend_schema(
+        parameters=[
+            OpenApiParameter(
                name="superuser_full_list",
-                in_=openapi.IN_QUERY,
-                type=openapi.TYPE_BOOLEAN,
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
            )
        ]
    )
    def list(self, request: Request) -> Response:
        """Custom list method that checks Policy based access instead of guardian"""
+        self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)
        queryset = self._filter_queryset_for_list(self.get_queryset())
        self.paginate_queryset(queryset)

@ -148,17 +176,20 @@ class ApplicationViewSet(ModelViewSet):
        return self.get_paginated_response(serializer.data)

    @permission_required("authentik_core.change_application")
-    @swagger_auto_schema(
-        request_body=no_body,
-        manual_parameters=[
-            openapi.Parameter(
-                name="file",
-                in_=openapi.IN_FORM,
-                type=openapi.TYPE_FILE,
-                required=True,
+    @extend_schema(
+        request={
+            "multipart/form-data": inline_serializer(
+                "SetIcon",
+                fields={
+                    "file": FileField(required=False),
+                    "clear": BooleanField(default=False),
+                },
            )
-        ],
-        responses={200: "Success", 400: "Bad request"},
+        },
+        responses={
+            200: OpenApiResponse(description="Success"),
+            400: OpenApiResponse(description="Bad request"),
+        },
    )
    @action(
        detail=True,
@ -172,16 +203,46 @@ class ApplicationViewSet(ModelViewSet):
        """Set application icon"""
        app: Application = self.get_object()
        icon = request.FILES.get("file", None)
-        if not icon:
+        clear = request.data.get("clear", False)
+        if clear:
+            # .delete() saves the model by default
+            app.meta_icon.delete()
+            return Response({})
+        if icon:
+            app.meta_icon = icon
+            app.save()
+            return Response({})
+        return HttpResponseBadRequest()
+
+    @permission_required("authentik_core.change_application")
+    @extend_schema(
+        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
+        responses={
+            200: OpenApiResponse(description="Success"),
+            400: OpenApiResponse(description="Bad request"),
+        },
+    )
+    @action(
+        detail=True,
+        pagination_class=None,
+        filter_backends=[],
+        methods=["POST"],
+    )
+    # pylint: disable=unused-argument
+    def set_icon_url(self, request: Request, slug: str):
+        """Set application icon (as URL)"""
+        app: Application = self.get_object()
+        url = request.data.get("url", None)
+        if url is None:
            return HttpResponseBadRequest()
-        app.meta_icon = icon
+        app.meta_icon.name = url
        app.save()
        return Response({})

    @permission_required(
        "authentik_core.view_application", ["authentik_events.view_event"]
    )
-    @swagger_auto_schema(responses={200: CoordinateSerializer(many=True)})
+    @extend_schema(responses={200: CoordinateSerializer(many=True)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=unused-argument
    def metrics(self, request: Request, slug: str):
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -0,0 +1,115 @@
+"""AuthenticatedSessions API Viewset"""
+from typing import Optional, TypedDict
+
+from django_filters.rest_framework import DjangoFilterBackend
+from guardian.utils import get_anonymous_user
+from rest_framework import mixins
+from rest_framework.fields import SerializerMethodField
+from rest_framework.filters import OrderingFilter, SearchFilter
+from rest_framework.request import Request
+from rest_framework.serializers import ModelSerializer
+from rest_framework.viewsets import GenericViewSet
+from ua_parser import user_agent_parser
+
+from authentik.core.models import AuthenticatedSession
+from authentik.events.geo import GEOIP_READER, GeoIPDict
+
+
+class UserAgentDeviceDict(TypedDict):
+    """User agent device"""
+
+    brand: str
+    family: str
+    model: str
+
+
+class UserAgentOSDict(TypedDict):
+    """User agent os"""
+
+    family: str
+    major: str
+    minor: str
+    patch: str
+    patch_minor: str
+
+
+class UserAgentBrowserDict(TypedDict):
+    """User agent browser"""
+
+    family: str
+    major: str
+    minor: str
+    patch: str
+
+
+class UserAgentDict(TypedDict):
+    """User agent details"""
+
+    device: UserAgentDeviceDict
+    os: UserAgentOSDict
+    user_agent: UserAgentBrowserDict
+    string: str
+
+
+class AuthenticatedSessionSerializer(ModelSerializer):
+    """AuthenticatedSession Serializer"""
+
+    current = SerializerMethodField()
+    user_agent = SerializerMethodField()
+    geo_ip = SerializerMethodField()
+
+    def get_current(self, instance: AuthenticatedSession) -> bool:
+        """Check if session is currently active session"""
+        request: Request = self.context["request"]
+        return request._request.session.session_key == instance.session_key
+
+    def get_user_agent(self, instance: AuthenticatedSession) -> UserAgentDict:
+        """Get parsed user agent"""
+        return user_agent_parser.Parse(instance.last_user_agent)
+
+    def get_geo_ip(
+        self, instance: AuthenticatedSession
+    ) -> Optional[GeoIPDict]:  # pragma: no cover
+        """Get parsed user agent"""
+        return GEOIP_READER.city_dict(instance.last_ip)
+
+    class Meta:
+
+        model = AuthenticatedSession
+        fields = [
+            "uuid",
+            "current",
+            "user_agent",
+            "geo_ip",
+            "user",
+            "last_ip",
+            "last_user_agent",
+            "last_used",
+            "expires",
+        ]
+
+
+class AuthenticatedSessionViewSet(
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """AuthenticatedSession Viewset"""
+
+    queryset = AuthenticatedSession.objects.all()
+    serializer_class = AuthenticatedSessionSerializer
+    search_fields = ["user__username", "last_ip", "last_user_agent"]
+    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
+    ordering = ["user__username"]
+    filter_backends = [
+        DjangoFilterBackend,
+        OrderingFilter,
+        SearchFilter,
+    ]
+
+    def get_queryset(self):
+        user = self.request.user if self.request else get_anonymous_user()
+        if user.is_superuser:
+            return super().get_queryset()
+        return super().get_queryset().filter(user=user.pk)
--- a/authentik/core/api/propertymappings.py
+++ b/authentik/core/api/propertymappings.py
@ -1,8 +1,8 @@
 """PropertyMapping API Views"""
 from json import dumps

-from drf_yasg import openapi
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework import mixins
 from rest_framework.decorators import action
@ -78,10 +78,10 @@ class PropertyMappingViewSet(
    filterset_fields = {"managed": ["isnull"]}
    ordering = ["name"]

-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
        return PropertyMapping.objects.select_subclasses()

-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable property-mapping types"""
@ -100,14 +100,17 @@ class PropertyMappingViewSet(
        return Response(TypeCreateSerializer(data, many=True).data)

    @permission_required("authentik_core.view_propertymapping")
-    @swagger_auto_schema(
-        request_body=PolicyTestSerializer(),
-        responses={200: PropertyMappingTestResultSerializer, 400: "Invalid parameters"},
-        manual_parameters=[
-            openapi.Parameter(
+    @extend_schema(
+        request=PolicyTestSerializer(),
+        responses={
+            200: PropertyMappingTestResultSerializer,
+            400: OpenApiResponse(description="Invalid parameters"),
+        },
+        parameters=[
+            OpenApiParameter(
                name="format_result",
-                in_=openapi.IN_QUERY,
-                type=openapi.TYPE_BOOLEAN,
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
            )
        ],
    )
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -1,6 +1,6 @@
 """Provider API Views"""
 from django.utils.translation import gettext_lazy as _
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
@ -22,7 +22,7 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):

    component = SerializerMethodField()

-    def get_component(self, obj: Provider):  # pragma: no cover
+    def get_component(self, obj: Provider) -> str:  # pragma: no cover
        """Get object component so that we know how to edit the object"""
        # pyright: reportGeneralTypeIssues=false
        if obj.__class__ == Provider:
@ -63,10 +63,10 @@ class ProviderViewSet(
        "application__name",
    ]

-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
        return Provider.objects.select_subclasses()

-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable provider types"""
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -1,7 +1,7 @@
 """Source API Views"""
 from typing import Iterable

-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.request import Request
@ -24,7 +24,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):

    component = SerializerMethodField()

-    def get_component(self, obj: Source):
+    def get_component(self, obj: Source) -> str:
        """Get object component so that we know how to edit the object"""
        # pyright: reportGeneralTypeIssues=false
        if obj.__class__ == Source:
@ -61,10 +61,10 @@ class SourceViewSet(
    serializer_class = SourceSerializer
    lookup_field = "slug"

-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
        return Source.objects.select_subclasses()

-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable source types"""
@ -87,7 +87,7 @@ class SourceViewSet(
            )
        return Response(TypeCreateSerializer(data, many=True).data)

-    @swagger_auto_schema(responses={200: UserSettingSerializer(many=True)})
+    @extend_schema(responses={200: UserSettingSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def user_settings(self, request: Request) -> Response:
        """Get all sources the user can configure"""
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -1,6 +1,6 @@
 """Tokens API Viewset"""
 from django.http.response import Http404
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField
 from rest_framework.request import Request
@ -67,10 +67,10 @@ class TokenViewSet(ModelViewSet):
        serializer.save(user=self.request.user, intent=TokenIntents.INTENT_API)

    @permission_required("authentik_core.view_token_key")
-    @swagger_auto_schema(
+    @extend_schema(
        responses={
            200: TokenViewSerializer(many=False),
-            404: "Token not found or expired",
+            404: OpenApiResponse(description="Token not found or expired"),
        }
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -7,7 +7,7 @@ from django.urls import reverse_lazy
 from django.utils.http import urlencode
 from django_filters.filters import BooleanFilter, CharFilter
 from django_filters.filterset import FilterSet
-from drf_yasg.utils import swagger_auto_schema, swagger_serializer_method
+from drf_spectacular.utils import OpenApiResponse, extend_schema, extend_schema_field
 from guardian.utils import get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, JSONField, SerializerMethodField
@ -32,7 +32,7 @@ from authentik.core.middleware import (
 )
 from authentik.core.models import Token, TokenIntents, User
 from authentik.events.models import EventAction
-from authentik.flows.models import Flow, FlowDesignation
+from authentik.tenants.models import Tenant


 class UserSerializer(ModelSerializer):
@ -77,13 +77,13 @@ class UserMetricsSerializer(PassiveSerializer):
    logins_failed_per_1h = SerializerMethodField()
    authorizations_per_1h = SerializerMethodField()

-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_per_1h(self, _):
        """Get successful logins per hour for the last 24 hours"""
        user = self.context["user"]
        return get_events_per_1h(action=EventAction.LOGIN, user__pk=user.pk)

-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
    def get_logins_failed_per_1h(self, _):
        """Get failed logins per hour for the last 24 hours"""
        user = self.context["user"]
@ -91,7 +91,7 @@ class UserMetricsSerializer(PassiveSerializer):
            action=EventAction.LOGIN_FAILED, context__username=user.username
        )

-    @swagger_serializer_method(serializer_or_field=CoordinateSerializer(many=True))
+    @extend_schema_field(CoordinateSerializer(many=True))
    def get_authorizations_per_1h(self, _):
        """Get failed logins per hour for the last 24 hours"""
        user = self.context["user"]
@ -139,10 +139,10 @@ class UserViewSet(ModelViewSet):
    search_fields = ["username", "name", "is_active"]
    filterset_class = UsersFilter

-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
        return User.objects.all().exclude(pk=get_anonymous_user().pk)

-    @swagger_auto_schema(responses={200: SessionUserSerializer(many=False)})
+    @extend_schema(responses={200: SessionUserSerializer(many=False)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name
    def me(self, request: Request) -> Response:
@ -158,7 +158,7 @@ class UserViewSet(ModelViewSet):
        return Response(serializer.data)

    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
-    @swagger_auto_schema(responses={200: UserMetricsSerializer(many=False)})
+    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name, unused-argument
    def metrics(self, request: Request, pk: int) -> Response:
@ -169,15 +169,19 @@ class UserViewSet(ModelViewSet):
        return Response(serializer.data)

    @permission_required("authentik_core.reset_user_password")
-    @swagger_auto_schema(
-        responses={"200": LinkSerializer(many=False), "404": "No recovery flow found."},
+    @extend_schema(
+        responses={
+            "200": LinkSerializer(many=False),
+            "404": OpenApiResponse(description="No recovery flow found."),
+        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name, unused-argument
    def recovery(self, request: Request, pk: int) -> Response:
        """Create a temporary link that a user can use to recover their accounts"""
+        tenant: Tenant = request._request.tenant
        # Check that there is a recovery flow, if not return an error
-        flow = Flow.with_policy(request, designation=FlowDesignation.RECOVERY)
+        flow = tenant.flow_recovery
        if not flow:
            raise Http404
        user: User = self.get_object()
@ -188,7 +192,8 @@ class UserViewSet(ModelViewSet):
        )
        querystring = urlencode({"token": token.key})
        link = request.build_absolute_uri(
-            reverse_lazy("authentik_flows:default-recovery") + f"?{querystring}"
+            reverse_lazy("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
+            + f"?{querystring}"
        )
        return Response({"link": link})

--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -28,6 +28,9 @@ class PassiveSerializer(Serializer):
    ) -> Model:  # pragma: no cover
        return Model()

+    class Meta:
+        model = Model
+

 class MetaNameSerializer(PassiveSerializer):
    """Add verbose names to response"""
--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@ -2,6 +2,10 @@
 from importlib import import_module

 from django.apps import AppConfig
+from django.db import ProgrammingError
+
+from authentik.core.signals import GAUGE_MODELS
+from authentik.lib.utils.reflection import get_apps


 class AuthentikCoreConfig(AppConfig):
@ -15,3 +19,12 @@ class AuthentikCoreConfig(AppConfig):
    def ready(self):
        import_module("authentik.core.signals")
        import_module("authentik.core.managed")
+        try:
+            for app in get_apps():
+                for model in app.get_models():
+                    GAUGE_MODELS.labels(
+                        model_name=model._meta.model_name,
+                        app=model._meta.app_label,
+                    ).set(model.objects.count())
+        except ProgrammingError:
+            pass
--- a/authentik/core/channels.py
+++ b/authentik/core/channels.py
@ -4,7 +4,7 @@ from channels.generic.websocket import JsonWebsocketConsumer
 from rest_framework.exceptions import AuthenticationFailed
 from structlog.stdlib import get_logger

-from authentik.api.auth import token_from_header
+from authentik.api.authentication import token_from_header
 from authentik.core.models import User

 LOGGER = get_logger()
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -42,10 +42,14 @@ class RequestIDMiddleware:
        if not hasattr(request, "request_id"):
            request_id = uuid4().hex
            setattr(request, "request_id", request_id)
-            LOCAL.authentik = {"request_id": request_id}
+            LOCAL.authentik = {
+                "request_id": request_id,
+                "host": request.get_host(),
+            }
        response = self.get_response(request)
        response[RESPONSE_HEADER_ID] = request.request_id
        del LOCAL.authentik["request_id"]
+        del LOCAL.authentik["host"]
        return response


@ -54,4 +58,5 @@ def structlog_add_request_id(logger: Logger, method_name: str, event_dict):
    """If threadlocal has authentik defined, add request_id to log"""
    if hasattr(LOCAL, "authentik"):
        event_dict["request_id"] = LOCAL.authentik.get("request_id", "")
+        event_dict["host"] = LOCAL.authentik.get("host", "")
    return event_dict
--- a/authentik/core/migrations/0021_alter_application_slug.py
+++ b/authentik/core/migrations/0021_alter_application_slug.py
@ -0,0 +1,20 @@
+# Generated by Django 3.2.3 on 2021-05-14 08:48
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0020_source_user_matching_mode"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="application",
+            name="slug",
+            field=models.SlugField(
+                help_text="Internal application name, used in URLs.", unique=True
+            ),
+        ),
+    ]
--- a/authentik/core/migrations/0022_authenticatedsession.py
+++ b/authentik/core/migrations/0022_authenticatedsession.py
@ -0,0 +1,63 @@
+# Generated by Django 3.2.3 on 2021-05-29 22:14
+
+import uuid
+
+import django.db.models.deletion
+from django.apps.registry import Apps
+from django.conf import settings
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+import authentik.core.models
+
+
+def migrate_sessions(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
+    from django.contrib.sessions.backends.cache import KEY_PREFIX
+    from django.core.cache import cache
+
+    session_keys = cache.keys(KEY_PREFIX + "*")
+    cache.delete_many(session_keys)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0021_alter_application_slug"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="AuthenticatedSession",
+            fields=[
+                (
+                    "expires",
+                    models.DateTimeField(
+                        default=authentik.core.models.default_token_duration
+                    ),
+                ),
+                ("expiring", models.BooleanField(default=True)),
+                (
+                    "uuid",
+                    models.UUIDField(
+                        default=uuid.uuid4, primary_key=True, serialize=False
+                    ),
+                ),
+                ("session_key", models.CharField(max_length=40)),
+                ("last_ip", models.TextField()),
+                ("last_user_agent", models.TextField(blank=True)),
+                ("last_used", models.DateTimeField(auto_now=True)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "abstract": False,
+            },
+        ),
+        migrations.RunPython(migrate_sessions),
+    ]
--- a/authentik/core/migrations/0023_alter_application_meta_launch_url.py
+++ b/authentik/core/migrations/0023_alter_application_meta_launch_url.py
@ -0,0 +1,23 @@
+# Generated by Django 3.2.3 on 2021-06-02 21:51
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0022_authenticatedsession"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="application",
+            name="meta_launch_url",
+            field=models.TextField(
+                blank=True,
+                default="",
+                validators=[django.core.validators.URLValidator()],
+            ),
+        ),
+    ]
--- a/authentik/core/migrations/0024_alter_token_identifier.py
+++ b/authentik/core/migrations/0024_alter_token_identifier.py
@ -0,0 +1,35 @@
+# Generated by Django 3.2.3 on 2021-06-03 09:33
+
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+from django.db.models import Count
+
+
+def fix_duplicates(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
+    Token = apps.get_model("authentik_core", "token")
+    identifiers = (
+        Token.objects.using(db_alias)
+        .values("identifier")
+        .annotate(identifier_count=Count("identifier"))
+        .filter(identifier_count__gt=1)
+    )
+    for ident in identifiers:
+        Token.objects.using(db_alias).filter(identifier=ident["identifier"]).delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0023_alter_application_meta_launch_url"),
+    ]
+
+    operations = [
+        migrations.RunPython(fix_duplicates),
+        migrations.AlterField(
+            model_name="token",
+            name="identifier",
+            field=models.SlugField(max_length=255, unique=True),
+        ),
+    ]
--- a/authentik/core/migrations/0025_alter_application_meta_icon.py
+++ b/authentik/core/migrations/0025_alter_application_meta_icon.py
@ -0,0 +1,20 @@
+# Generated by Django 3.2.3 on 2021-06-05 19:04
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0024_alter_token_identifier"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="application",
+            name="meta_icon",
+            field=models.FileField(
+                default=None, null=True, upload_to="application-icons/"
+            ),
+        ),
+    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -8,6 +8,7 @@ from uuid import uuid4
 from django.conf import settings
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
+from django.core import validators
 from django.db import models
 from django.db.models import Q, QuerySet
 from django.http import HttpRequest
@ -23,11 +24,11 @@ from structlog.stdlib import get_logger

 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.signals import password_changed
-from authentik.core.types import UILoginButton
-from authentik.flows.challenge import Challenge
+from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.lib.models import CreatedUpdatedModel, SerializerModel
+from authentik.lib.utils.http import get_client_ip
 from authentik.managed.models import ManagedModel
 from authentik.policies.models import PolicyBindingModel

@ -207,17 +208,35 @@ class Application(PolicyBindingModel):
    add custom fields and other properties"""

    name = models.TextField(help_text=_("Application's display Name."))
-    slug = models.SlugField(help_text=_("Internal application name, used in URLs."))
+    slug = models.SlugField(
+        help_text=_("Internal application name, used in URLs."), unique=True
+    )
    provider = models.OneToOneField(
        "Provider", null=True, blank=True, default=None, on_delete=models.SET_DEFAULT
    )

-    meta_launch_url = models.URLField(default="", blank=True)
+    meta_launch_url = models.TextField(
+        default="", blank=True, validators=[validators.URLValidator()]
+    )
    # For template applications, this can be set to /static/authentik/applications/*
-    meta_icon = models.FileField(upload_to="application-icons/", default="", blank=True)
+    meta_icon = models.FileField(
+        upload_to="application-icons/", default=None, null=True
+    )
    meta_description = models.TextField(default="", blank=True)
    meta_publisher = models.TextField(default="", blank=True)

+    @property
+    def get_meta_icon(self) -> Optional[str]:
+        """Get the URL to the App Icon image. If the name is /static or starts with http
+        it is returned as-is"""
+        if not self.meta_icon:
+            return None
+        if self.meta_icon.name.startswith("http") or self.meta_icon.name.startswith(
+            "/static"
+        ):
+            return self.meta_icon.name
+        return self.meta_icon.url
+
    def get_launch_url(self) -> Optional[str]:
        """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
        if self.meta_launch_url:
@ -322,9 +341,9 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
        return None

    @property
-    def ui_user_settings(self) -> Optional[Challenge]:
+    def ui_user_settings(self) -> Optional[UserSettingSerializer]:
        """Entrypoint to integrate with User settings. Can either return None if no
-        user settings are available, or a challenge."""
+        user settings are available, or UserSettingSerializer."""
        return None

    def __str__(self):
@ -386,7 +405,7 @@ class Token(ManagedModel, ExpiringModel):
    """Token used to authenticate the User for API Access or confirm another Stage like Email."""

    token_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    identifier = models.SlugField(max_length=255)
+    identifier = models.SlugField(max_length=255, unique=True)
    key = models.TextField(default=default_token_key)
    intent = models.TextField(
        choices=TokenIntents.choices, default=TokenIntents.INTENT_VERIFICATION
@ -450,3 +469,33 @@ class PropertyMapping(SerializerModel, ManagedModel):

        verbose_name = _("Property Mapping")
        verbose_name_plural = _("Property Mappings")
+
+
+class AuthenticatedSession(ExpiringModel):
+    """Additional session class for authenticated users. Augments the standard django session
+    to achieve the following:
+        - Make it queryable by user
+        - Have a direct connection to user objects
+        - Allow users to view their own sessions and terminate them
+        - Save structured and well-defined information.
+    """
+
+    uuid = models.UUIDField(default=uuid4, primary_key=True)
+
+    session_key = models.CharField(max_length=40)
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+
+    last_ip = models.TextField()
+    last_user_agent = models.TextField(blank=True)
+    last_used = models.DateTimeField(auto_now=True)
+
+    @staticmethod
+    def from_request(request: HttpRequest, user: User) -> "AuthenticatedSession":
+        """Create a new session from a http request"""
+        return AuthenticatedSession(
+            session_key=request.session.session_key,
+            user=user,
+            last_ip=get_client_ip(request),
+            last_user_agent=request.META.get("HTTP_USER_AGENT", ""),
+            expires=request.session.get_expiry_date(),
+        )
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,20 +1,38 @@
 """authentik core signals"""
+from typing import TYPE_CHECKING
+
+from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.core.cache import cache
 from django.core.signals import Signal
+from django.db.models import Model
 from django.db.models.signals import post_save
 from django.dispatch import receiver
+from django.http.request import HttpRequest
+from prometheus_client import Gauge

 # Arguments: user: User, password: str
 password_changed = Signal()

+GAUGE_MODELS = Gauge(
+    "authentik_models", "Count of various objects", ["model_name", "app"]
+)
+
+if TYPE_CHECKING:
+    from authentik.core.models import User
+

@receiver(post_save)
 # pylint: disable=unused-argument
-def post_save_application(sender, instance, created: bool, **_):
+def post_save_application(sender: type[Model], instance, created: bool, **_):
    """Clear user's application cache upon application creation"""
    from authentik.core.api.applications import user_app_cache_key
    from authentik.core.models import Application

+    GAUGE_MODELS.labels(
+        model_name=sender._meta.model_name,
+        app=sender._meta.app_label,
+    ).set(sender.objects.count())
+
    if sender != Application:
        return
    if not created:  # pragma: no cover
@ -22,3 +40,23 @@ def post_save_application(sender, instance, created: bool, **_):
    # Also delete user application cache
    keys = cache.keys(user_app_cache_key("*"))
    cache.delete_many(keys)
+
+
+@receiver(user_logged_in)
+# pylint: disable=unused-argument
+def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
+    """Create an AuthenticatedSession from request"""
+    from authentik.core.models import AuthenticatedSession
+
+    AuthenticatedSession.from_request(request, user).save()
+
+
+@receiver(user_logged_out)
+# pylint: disable=unused-argument
+def user_logged_out_session(sender, request: HttpRequest, user: "User", **_):
+    """Delete AuthenticatedSession if it exists"""
+    from authentik.core.models import AuthenticatedSession
+
+    AuthenticatedSession.objects.filter(
+        session_key=request.session.session_key
+    ).delete()
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -75,5 +75,6 @@ def backup_database(self: MonitoredTask):  # pragma: no cover
        Boto3Error,
        PermissionError,
        CommandConnectorError,
+        ValueError,
    ) as exc:
        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -7,8 +7,7 @@
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
-        <title>{% block title %}{% trans title|default:config.authentik.branding.title %}{% endblock %}</title>
-        <link rel="icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}?v={{ ak_version }}">
+        <title>{% block title %}{% trans title|default:tenant.branding_title %}{% endblock %}</title>
        <link rel="shortcut icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}?v={{ ak_version }}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}?v={{ ak_version }}">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}?v={{ ak_version }}">
--- a/authentik/providers/oauth2/templates/providers/oauth2/end_session.html
+++ b/authentik/providers/oauth2/templates/providers/oauth2/end_session.html
@ -14,7 +14,7 @@
 {% endblock %}

 {% block title %}
-{% trans 'End session' %} - {{ config.authentik.branding.title }}
+{% trans 'End session' %} - {{ tenant.branding_title }}
 {% endblock %}

 {% block card_title %}
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@ -4,7 +4,9 @@
 {% load i18n %}

 {% block head_before %}
+{% if flow.compatibility_mode %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
+{% endif %}
 {% endblock %}

 {% block head %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -26,10 +26,7 @@
    <div class="ak-login-container">
        <header class="pf-c-login__header">
            <div class="pf-c-brand ak-brand">
-                <img src="{{ config.authentik.branding.logo }}" alt="authentik icon" />
-                {% if config.authentik.branding.title_show %}
-                <p>{{ config.authentik.branding.title }}</p>
-                {% endif %}
+                <img src="{{ tenant.branding_logo }}" alt="authentik icon" />
            </div>
        </header>
        {% block main_container %}
@ -49,12 +46,12 @@
        <footer class="pf-c-login__footer">
            <p></p>
            <ul class="pf-c-list pf-m-inline">
-                {% for link in config.authentik.footer_links %}
+                {% for link in footer_links %}
                <li>
                    <a href="{{ link.href }}">{{ link.name }}</a>
                </li>
                {% endfor %}
-                {% if config.authentik.branding.title != "authentik" %}
+                {% if tenant.branding_title != "authentik" %}
                <li>
                    <a href="https://goauthentik.io">
                        {% trans 'Powered by authentik' %}
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -24,22 +24,28 @@ class TestApplicationsAPI(APITestCase):
        )

    def test_check_access(self):
-        """Test check_access operation """
+        """Test check_access operation"""
        self.client.force_login(self.user)
-        response = self.client.get(
+        response = self.client.post(
            reverse(
                "authentik_api:application-check-access",
                kwargs={"slug": self.allowed.slug},
            )
        )
-        self.assertEqual(response.status_code, 204)
-        response = self.client.get(
+        self.assertEqual(response.status_code, 200)
+        self.assertJSONEqual(
+            force_str(response.content), {"messages": [], "passing": True}
+        )
+        response = self.client.post(
            reverse(
                "authentik_api:application-check-access",
                kwargs={"slug": self.denied.slug},
            )
        )
-        self.assertEqual(response.status_code, 403)
+        self.assertEqual(response.status_code, 200)
+        self.assertJSONEqual(
+            force_str(response.content), {"messages": ["dummy"], "passing": False}
+        )

    def test_list(self):
        """Test list operation without superuser_full_list"""
--- a/authentik/core/tests/test_authenticated_sessions_api.py
+++ b/authentik/core/tests/test_authenticated_sessions_api.py
@ -0,0 +1,31 @@
+"""Test AuthenticatedSessions API"""
+from json import loads
+
+from django.urls.base import reverse
+from django.utils.encoding import force_str
+from rest_framework.test import APITestCase
+
+from authentik.core.models import User
+
+
+class TestAuthenticatedSessionsAPI(APITestCase):
+    """Test AuthenticatedSessions API"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = User.objects.get(username="akadmin")
+        self.other_user = User.objects.create(username="normal-user")
+
+    def test_list(self):
+        """Test session list endpoint"""
+        self.client.force_login(self.user)
+        response = self.client.get(reverse("authentik_api:authenticatedsession-list"))
+        self.assertEqual(response.status_code, 200)
+
+    def test_non_admin_list(self):
+        """Test non-admin list"""
+        self.client.force_login(self.other_user)
+        response = self.client.get(reverse("authentik_api:authenticatedsession-list"))
+        self.assertEqual(response.status_code, 200)
+        body = loads(force_str(response.content))
+        self.assertEqual(body["pagination"]["count"], 1)
--- a/authentik/core/tests/test_models.py
+++ b/authentik/core/tests/test_models.py
@ -21,7 +21,7 @@ class TestModels(TestCase):
        self.assertTrue(token.is_expired)

    def test_token_expire_no_expire(self):
-        """Test token expiring with "expiring" set """
+        """Test token expiring with "expiring" set"""
        token = Token.objects.create(
            expires=now(), user=get_anonymous_user(), expiring=False
        )
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -0,0 +1,29 @@
+"""Test Users API"""
+from django.urls.base import reverse
+from rest_framework.test import APITestCase
+
+from authentik.core.models import User
+
+
+class TestUsersAPI(APITestCase):
+    """Test Users API"""
+
+    def setUp(self) -> None:
+        self.admin = User.objects.get(username="akadmin")
+        self.user = User.objects.create(username="test-user")
+
+    def test_metrics(self):
+        """Test user's metrics"""
+        self.client.force_login(self.admin)
+        response = self.client.get(
+            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def test_metrics_denied(self):
+        """Test user's metrics (non-superuser)"""
+        self.client.force_login(self.user)
+        response = self.client.get(
+            reverse("authentik_api:user-metrics", kwargs={"pk": self.user.pk})
+        )
+        self.assertEqual(response.status_code, 403)
--- a/authentik/core/types.py
+++ b/authentik/core/types.py
@ -36,3 +36,4 @@ class UserSettingSerializer(PassiveSerializer):
    object_uid = CharField()
    component = CharField()
    title = CharField()
+    configure_url = CharField()
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -6,6 +6,8 @@ from django.views.generic import RedirectView
 from django.views.generic.base import TemplateView

 from authentik.core.views import impersonate
+from authentik.core.views.interface import FlowInterfaceView
+from authentik.core.views.session import EndSessionView

 urlpatterns = [
    path(
@ -32,7 +34,18 @@ urlpatterns = [
    ),
    path(
        "if/flow/<slug:flow_slug>/",
-        ensure_csrf_cookie(TemplateView.as_view(template_name="if/flow.html")),
+        ensure_csrf_cookie(FlowInterfaceView.as_view()),
        name="if-flow",
    ),
+    path(
+        "if/session-end/<slug:application_slug>/",
+        ensure_csrf_cookie(EndSessionView.as_view()),
+        name="if-session-end",
+    ),
+    # Fallback for WS
+    path("ws/outpost/<uuid:pk>/", TemplateView.as_view(template_name="if/admin.html")),
+    path(
+        "ws/client/",
+        TemplateView.as_view(template_name="if/admin.html"),
+    ),
 ]
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -0,0 +1,17 @@
+"""Interface views"""
+from typing import Any
+
+from django.shortcuts import get_object_or_404
+from django.views.generic.base import TemplateView
+
+from authentik.flows.models import Flow
+
+
+class FlowInterfaceView(TemplateView):
+    """Flow interface"""
+
+    template_name = "if/flow.html"
+
+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        kwargs["flow"] = get_object_or_404(Flow, slug=self.kwargs.get("flow_slug"))
+        return super().get_context_data(**kwargs)
--- a/authentik/providers/oauth2/views/session.py
+++ b/authentik/providers/oauth2/views/session.py
@ -1,22 +1,24 @@
-"""authentik OAuth2 Session Views"""
+"""authentik Session Views"""
 from typing import Any

 from django.shortcuts import get_object_or_404
 from django.views.generic.base import TemplateView

 from authentik.core.models import Application
+from authentik.policies.views import PolicyAccessView


-class EndSessionView(TemplateView):
+class EndSessionView(TemplateView, PolicyAccessView):
    """Allow the client to end the Session"""

-    template_name = "providers/oauth2/end_session.html"
+    template_name = "if/end_session.html"

-    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
-        context = super().get_context_data(**kwargs)
-
-        context["application"] = get_object_or_404(
+    def resolve_provider_application(self):
+        self.application = get_object_or_404(
            Application, slug=self.kwargs["application_slug"]
        )

+    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
+        context = super().get_context_data(**kwargs)
+        context["application"] = self.application
        return context
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@ -3,8 +3,10 @@ import django_filters
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import load_pem_x509_certificate
+from django.http.response import HttpResponse
 from django.utils.translation import gettext_lazy as _
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import (
    CharField,
@ -123,9 +125,12 @@ class CertificateKeyPairViewSet(ModelViewSet):
    filterset_class = CertificateKeyPairFilter

    @permission_required(None, ["authentik_crypto.add_certificatekeypair"])
-    @swagger_auto_schema(
-        request_body=CertificateGenerationSerializer(),
-        responses={200: CertificateKeyPairSerializer, 400: "Bad request"},
+    @extend_schema(
+        request=CertificateGenerationSerializer(),
+        responses={
+            200: CertificateKeyPairSerializer,
+            400: OpenApiResponse(description="Bad request"),
+        },
    )
    @action(detail=False, methods=["POST"])
    def generate(self, request: Request) -> Response:
@ -145,7 +150,16 @@ class CertificateKeyPairViewSet(ModelViewSet):
        serializer = self.get_serializer(instance)
        return Response(serializer.data)

-    @swagger_auto_schema(responses={200: CertificateDataSerializer(many=False)})
+    @extend_schema(
+        parameters=[
+            OpenApiParameter(
+                name="download",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+            )
+        ],
+        responses={200: CertificateDataSerializer(many=False)},
+    )
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name, unused-argument
    def view_certificate(self, request: Request, pk: str) -> Response:
@ -156,11 +170,29 @@ class CertificateKeyPairViewSet(ModelViewSet):
            secret=certificate,
            type="certificate",
        ).from_http(request)
+        if "download" in request._request.GET:
+            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
+            response = HttpResponse(
+                certificate.certificate_data, content_type="application/x-pem-file"
+            )
+            response[
+                "Content-Disposition"
+            ] = f'attachment; filename="{certificate.name}_certificate.pem"'
+            return response
        return Response(
            CertificateDataSerializer({"data": certificate.certificate_data}).data
        )

-    @swagger_auto_schema(responses={200: CertificateDataSerializer(many=False)})
+    @extend_schema(
+        parameters=[
+            OpenApiParameter(
+                name="download",
+                location=OpenApiParameter.QUERY,
+                type=OpenApiTypes.BOOL,
+            )
+        ],
+        responses={200: CertificateDataSerializer(many=False)},
+    )
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name, unused-argument
    def view_private_key(self, request: Request, pk: str) -> Response:
@ -171,4 +203,13 @@ class CertificateKeyPairViewSet(ModelViewSet):
            secret=certificate,
            type="private_key",
        ).from_http(request)
+        if "download" in request._request.GET:
+            # Mime type from https://pki-tutorial.readthedocs.io/en/latest/mime.html
+            response = HttpResponse(
+                certificate.key_data, content_type="application/x-pem-file"
+            )
+            response[
+                "Content-Disposition"
+            ] = f'attachment; filename="{certificate.name}_private_key.pem"'
+            return response
        return Response(CertificateDataSerializer({"data": certificate.key_data}).data)
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -2,7 +2,9 @@
 import datetime

 from django.test import TestCase
+from django.urls import reverse

+from authentik.core.models import User
 from authentik.crypto.api import CertificateKeyPairSerializer
 from authentik.crypto.builder import CertificateBuilder
 from authentik.crypto.models import CertificateKeyPair
@ -47,3 +49,45 @@ class TestCrypto(TestCase):
        now = datetime.datetime.today()
        self.assertEqual(instance.name, "test-cert")
        self.assertEqual((instance.certificate.not_valid_after - now).days, 2)
+
+    def test_certificate_download(self):
+        """Test certificate export (download)"""
+        self.client.force_login(User.objects.get(username="akadmin"))
+        keypair = CertificateKeyPair.objects.first()
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(200, response.status_code)
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-certificate",
+                kwargs={"pk": keypair.pk},
+            )
+            + "?download",
+        )
+        self.assertEqual(200, response.status_code)
+        self.assertIn("Content-Disposition", response)
+
+    def test_private_key_download(self):
+        """Test private_key export (download)"""
+        self.client.force_login(User.objects.get(username="akadmin"))
+        keypair = CertificateKeyPair.objects.first()
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-private-key",
+                kwargs={"pk": keypair.pk},
+            )
+        )
+        self.assertEqual(200, response.status_code)
+        response = self.client.get(
+            reverse(
+                "authentik_api:certificatekeypair-view-private-key",
+                kwargs={"pk": keypair.pk},
+            )
+            + "?download",
+        )
+        self.assertEqual(200, response.status_code)
+        self.assertIn("Content-Disposition", response)
--- a/authentik/events/api/event.py
+++ b/authentik/events/api/event.py
@ -2,7 +2,8 @@
 import django_filters
 from django.db.models.aggregates import Count
 from django.db.models.fields.json import KeyTextTransform
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiParameter, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, DictField, IntegerField
@ -38,12 +39,6 @@ class EventSerializer(ModelSerializer):
        ]


-class EventTopPerUserParams(PassiveSerializer):
-    """Query params for top_per_user"""
-
-    top_n = IntegerField(default=15)
-
-
 class EventTopPerUserSerializer(PassiveSerializer):
    """Response object of Event's top_per_user"""

@ -111,12 +106,19 @@ class EventViewSet(ReadOnlyModelViewSet):
    ]
    filterset_class = EventsFilter

-    @swagger_auto_schema(
-        method="GET",
+    @extend_schema(
+        methods=["GET"],
        responses={200: EventTopPerUserSerializer(many=True)},
-        query_serializer=EventTopPerUserParams,
+        parameters=[
+            OpenApiParameter(
+                "top_n",
+                type=OpenApiTypes.INT,
+                location=OpenApiParameter.QUERY,
+                required=False,
+            )
+        ],
    )
-    @action(detail=False, methods=["GET"])
+    @action(detail=False, methods=["GET"], pagination_class=None)
    def top_per_user(self, request: Request):
        """Get the top_n events grouped by user count"""
        filtered_action = request.query_params.get("action", EventAction.LOGIN)
@ -134,7 +136,7 @@ class EventViewSet(ReadOnlyModelViewSet):
            .order_by("-counted_events")[:top_n]
        )

-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def actions(self, request: Request) -> Response:
        """Get all actions"""
--- a/authentik/events/api/notification.py
+++ b/authentik/events/api/notification.py
@ -1,12 +1,12 @@
 """Notification API Views"""
 from django_filters.rest_framework import DjangoFilterBackend
-from guardian.utils import get_anonymous_user
 from rest_framework import mixins
 from rest_framework.fields import ReadOnlyField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet

+from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.events.api.event import EventSerializer
 from authentik.events.models import Notification

@ -49,12 +49,5 @@ class NotificationViewSet(
        "event",
        "seen",
    ]
-    filter_backends = [
-        DjangoFilterBackend,
-        OrderingFilter,
-        SearchFilter,
-    ]
-
-    def get_queryset(self):
-        user = self.request.user if self.request else get_anonymous_user()
-        return Notification.objects.filter(user=user.pk)
+    permission_classes = [OwnerPermissions]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
--- a/authentik/events/api/notification_rule.py
+++ b/authentik/events/api/notification_rule.py
@ -2,22 +2,25 @@
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet

+from authentik.core.api.groups import GroupSerializer
 from authentik.events.models import NotificationRule


 class NotificationRuleSerializer(ModelSerializer):
    """NotificationRule Serializer"""

+    group_obj = GroupSerializer(read_only=True, source="group")
+
    class Meta:

        model = NotificationRule
-        depth = 2
        fields = [
            "pk",
            "name",
            "transports",
            "severity",
            "group",
+            "group_obj",
        ]


--- a/authentik/events/api/notification_transport.py
+++ b/authentik/events/api/notification_transport.py
@ -1,5 +1,6 @@
 """NotificationTransport API Views"""
-from drf_yasg.utils import no_body, swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.request import Request
@ -22,7 +23,7 @@ class NotificationTransportSerializer(ModelSerializer):

    mode_verbose = SerializerMethodField()

-    def get_mode_verbose(self, instance: NotificationTransport):
+    def get_mode_verbose(self, instance: NotificationTransport) -> str:
        """Return selected mode with a UI Label"""
        return TransportMode(instance.mode).label

@ -58,12 +59,12 @@ class NotificationTransportViewSet(ModelViewSet):
    serializer_class = NotificationTransportSerializer

    @permission_required("authentik_events.change_notificationtransport")
-    @swagger_auto_schema(
+    @extend_schema(
        responses={
            200: NotificationTransportTestSerializer(many=False),
-            503: "Failed to test transport",
+            500: OpenApiResponse(description="Failed to test transport"),
        },
-        request_body=no_body,
+        request=OpenApiTypes.NONE,
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["post"])
    # pylint: disable=invalid-name, unused-argument
@ -83,4 +84,4 @@ class NotificationTransportViewSet(ModelViewSet):
            response.is_valid()
            return Response(response.data)
        except NotificationTransportError as exc:
-            return Response(str(exc.__cause__ or None), status=503)
+            return Response(str(exc.__cause__ or None), status=500)
--- a/authentik/events/apps.py
+++ b/authentik/events/apps.py
@ -1,7 +1,10 @@
 """authentik events app"""
+from datetime import timedelta
 from importlib import import_module

 from django.apps import AppConfig
+from django.db import ProgrammingError
+from django.utils.timezone import now


 class AuthentikEventsConfig(AppConfig):
@ -13,3 +16,12 @@ class AuthentikEventsConfig(AppConfig):

    def ready(self):
        import_module("authentik.events.signals")
+        try:
+            from authentik.events.models import Event
+
+            date_from = now() - timedelta(days=1)
+
+            for event in Event.objects.filter(created__gte=date_from):
+                event._set_prom_metrics()
+        except ProgrammingError:
+            pass
--- a/authentik/events/geo.py
+++ b/authentik/events/geo.py
@ -1,7 +1,12 @@
 """events GeoIP Reader"""
-from typing import Optional
+from datetime import datetime
+from os import stat
+from time import time
+from typing import Optional, TypedDict

 from geoip2.database import Reader
+from geoip2.errors import GeoIP2Error
+from geoip2.models import City
 from structlog.stdlib import get_logger

 from authentik.lib.config import CONFIG
@ -9,17 +14,78 @@ from authentik.lib.config import CONFIG
 LOGGER = get_logger()


-def get_geoip_reader() -> Optional[Reader]:
-    """Get GeoIP Reader, if configured, otherwise none"""
-    path = CONFIG.y("authentik.geoip")
-    if path == "" or not path:
-        return None
-    try:
-        reader = Reader(path)
-        LOGGER.info("Enabled GeoIP support")
-        return reader
-    except OSError:
-        return None
+class GeoIPDict(TypedDict):
+    """GeoIP Details"""
+
+    continent: str
+    country: str
+    lat: float
+    long: float
+    city: str


-GEOIP_READER = get_geoip_reader()
+class GeoIPReader:
+    """Slim wrapper around GeoIP API"""
+
+    __reader: Optional[Reader] = None
+    __last_mtime: float = 0.0
+
+    def __init__(self):
+        self.__open()
+
+    def __open(self):
+        """Get GeoIP Reader, if configured, otherwise none"""
+        path = CONFIG.y("authentik.geoip")
+        if path == "" or not path:
+            return
+        try:
+            reader = Reader(path)
+            LOGGER.info("Loaded GeoIP database")
+            self.__reader = reader
+            self.__last_mtime = stat(path).st_mtime
+        except OSError as exc:
+            LOGGER.warning("Failed to load GeoIP database", exc=exc)
+
+    def __check_expired(self):
+        """Check if the geoip database has been opened longer than 8 hours,
+        and re-open it, as it will probably will have been re-downloaded"""
+        now = time()
+        diff = datetime.fromtimestamp(now) - datetime.fromtimestamp(self.__last_mtime)
+        diff_hours = diff.total_seconds() // 3600
+        if diff_hours >= 8:
+            LOGGER.info("GeoIP databased loaded too long, re-opening", diff=diff)
+            self.__open()
+
+    @property
+    def enabled(self) -> bool:
+        """Check if GeoIP is enabled"""
+        return bool(self.__reader)
+
+    def city(self, ip_address: str) -> Optional[City]:
+        """Wrapper for Reader.city"""
+        if not self.enabled:
+            return None
+        self.__check_expired()
+        try:
+            return self.__reader.city(ip_address)
+        except (GeoIP2Error, ValueError):
+            return None
+
+    def city_dict(self, ip_address: str) -> Optional[GeoIPDict]:
+        """Wrapper for self.city that returns a dict"""
+        city = self.city(ip_address)
+        if not city:
+            return None
+        city_dict: GeoIPDict = {
+            "continent": city.continent.code,
+            "country": city.country.iso_code,
+            "lat": city.location.latitude,
+            "long": city.location.longitude,
+            "city": "",
+        }
+        if city.city.name:
+            city_dict["city"] = city.city.name
+        return city_dict
+
+
+GEOIP_READER = GeoIPReader()
--- a/authentik/events/migrations/0015_alter_event_action.py
+++ b/authentik/events/migrations/0015_alter_event_action.py
@ -0,0 +1,45 @@
+# Generated by Django 3.2.3 on 2021-06-09 07:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_events", "0014_expiry"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="event",
+            name="action",
+            field=models.TextField(
+                choices=[
+                    ("login", "Login"),
+                    ("login_failed", "Login Failed"),
+                    ("logout", "Logout"),
+                    ("user_write", "User Write"),
+                    ("suspicious_request", "Suspicious Request"),
+                    ("password_set", "Password Set"),
+                    ("secret_view", "Secret View"),
+                    ("invitation_used", "Invite Used"),
+                    ("authorize_application", "Authorize Application"),
+                    ("source_linked", "Source Linked"),
+                    ("impersonation_started", "Impersonation Started"),
+                    ("impersonation_ended", "Impersonation Ended"),
+                    ("policy_execution", "Policy Execution"),
+                    ("policy_exception", "Policy Exception"),
+                    ("property_mapping_exception", "Property Mapping Exception"),
+                    ("system_task_execution", "System Task Execution"),
+                    ("system_task_exception", "System Task Exception"),
+                    ("configuration_error", "Configuration Error"),
+                    ("model_created", "Model Created"),
+                    ("model_updated", "Model Updated"),
+                    ("model_deleted", "Model Deleted"),
+                    ("email_sent", "Email Sent"),
+                    ("update_available", "Update Available"),
+                    ("custom_", "Custom Prefix"),
+                ]
+            ),
+        ),
+    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -10,7 +10,7 @@ from django.db import models
 from django.http import HttpRequest
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from geoip2.errors import GeoIP2Error
+from prometheus_client import Gauge
 from requests import RequestException, post
 from structlog.stdlib import get_logger

@ -28,6 +28,11 @@ from authentik.policies.models import PolicyBindingModel
 from authentik.stages.email.utils import TemplateEmailMessage

 LOGGER = get_logger("authentik.events")
+GAUGE_EVENTS = Gauge(
+    "authentik_events",
+    "Events in authentik",
+    ["action", "user_username", "app", "client_ip"],
+)


 def default_event_duration():
@ -72,6 +77,7 @@ class EventAction(models.TextChoices):
    MODEL_CREATED = "model_created"
    MODEL_UPDATED = "model_updated"
    MODEL_DELETED = "model_deleted"
+    EMAIL_SENT = "email_sent"

    UPDATE_AVAILABLE = "update_available"

@ -143,7 +149,7 @@ class Event(ExpiringModel):
                    request.session[SESSION_IMPERSONATE_USER]
                )
        # User 255.255.255.255 as fallback if IP cannot be determined
-        self.client_ip = get_client_ip(request) or "255.255.255.255"
+        self.client_ip = get_client_ip(request)
        # Apply GeoIP Data, when enabled
        self.with_geoip()
        # If there's no app set, we get it from the requests too
@ -152,22 +158,20 @@ class Event(ExpiringModel):
        self.save()
        return self

-    def with_geoip(self):
+    def with_geoip(self):  # pragma: no cover
        """Apply GeoIP Data, when enabled"""
-        if not GEOIP_READER:
+        city = GEOIP_READER.city_dict(self.client_ip)
+        if not city:
            return
-        try:
-            response = GEOIP_READER.city(self.client_ip)
-            self.context["geo"] = {
-                "continent": response.continent.code,
-                "country": response.country.iso_code,
-                "lat": response.location.latitude,
-                "long": response.location.longitude,
-            }
-            if response.city.name:
-                self.context["geo"]["city"] = response.city.name
-        except GeoIP2Error as exc:
-            LOGGER.warning("Failed to add geoIP Data to event", exc=exc)
+        self.context["geo"] = city
+
+    def _set_prom_metrics(self):
+        GAUGE_EVENTS.labels(
+            action=self.action,
+            user_username=self.user.get("username"),
+            app=self.app,
+            client_ip=self.client_ip,
+        ).set(self.created.timestamp())

    def save(self, *args, **kwargs):
        if self._state.adding:
@ -178,7 +182,8 @@ class Event(ExpiringModel):
                client_ip=self.client_ip,
                user=self.user,
            )
-        return super().save(*args, **kwargs)
+        super().save(*args, **kwargs)
+        self._set_prom_metrics()

    @property
    def summary(self) -> str:
--- a/authentik/events/monitored_tasks.py
+++ b/authentik/events/monitored_tasks.py
@ -2,14 +2,22 @@
 from dataclasses import dataclass, field
 from datetime import datetime
 from enum import Enum
+from timeit import default_timer
 from traceback import format_tb
 from typing import Any, Optional

 from celery import Task
 from django.core.cache import cache
+from prometheus_client import Gauge

 from authentik.events.models import Event, EventAction

+GAUGE_TASKS = Gauge(
+    "authentik_system_tasks",
+    "System tasks and their status",
+    ["task_name", "task_uid", "status"],
+)
+

 class TaskResultStatus(Enum):
    """Possible states of tasks"""
@ -43,7 +51,9 @@ class TaskInfo:
    """Info about a task run"""

    task_name: str
-    finish_timestamp: datetime
+    start_timestamp: float
+    finish_timestamp: float
+    finish_time: datetime

    result: TaskResult

@ -73,12 +83,28 @@ class TaskInfo:
        """Delete task info from cache"""
        return cache.delete(f"task_{self.task_name}")

+    def set_prom_metrics(self):
+        """Update prometheus metrics"""
+        start = default_timer()
+        if hasattr(self, "start_timestamp"):
+            start = self.start_timestamp
+        try:
+            duration = max(self.finish_timestamp - start, 0)
+        except TypeError:
+            duration = 0
+        GAUGE_TASKS.labels(
+            task_name=self.task_name,
+            task_uid=self.result.uid or "",
+            status=self.result.status,
+        ).set(duration)
+
    def save(self, timeout_hours=6):
        """Save task into cache"""
        key = f"task_{self.task_name}"
        if self.result.uid:
            key += f"_{self.result.uid}"
            self.task_name += f"_{self.result.uid}"
+        self.set_prom_metrics()
        cache.set(key, self, timeout=timeout_hours * 60 * 60)


@ -98,6 +124,7 @@ class MonitoredTask(Task):
        self._uid = None
        self._result = TaskResult(status=TaskResultStatus.ERROR, messages=[])
        self.result_timeout_hours = 6
+        self.start = default_timer()

    def set_uid(self, uid: str):
        """Set UID, so in the case of an unexpected error its saved correctly"""
@ -117,7 +144,9 @@ class MonitoredTask(Task):
            TaskInfo(
                task_name=self.__name__,
                task_description=self.__doc__,
-                finish_timestamp=datetime.now(),
+                start_timestamp=self.start,
+                finish_timestamp=default_timer(),
+                finish_time=datetime.now(),
                result=self._result,
                task_call_module=self.__module__,
                task_call_func=self.__name__,
@ -133,7 +162,9 @@ class MonitoredTask(Task):
        TaskInfo(
            task_name=self.__name__,
            task_description=self.__doc__,
-            finish_timestamp=datetime.now(),
+            start_timestamp=self.start,
+            finish_timestamp=default_timer(),
+            finish_time=datetime.now(),
            result=self._result,
            task_call_module=self.__module__,
            task_call_func=self.__name__,
@ -151,3 +182,7 @@ class MonitoredTask(Task):

    def run(self, *args, **kwargs):
        raise NotImplementedError
+
+
+for task in TaskInfo.all().values():
+    task.set_prom_metrics()
--- a/authentik/events/tests/test_geoip.py
+++ b/authentik/events/tests/test_geoip.py
@ -0,0 +1,26 @@
+"""Test GeoIP Wrapper"""
+from django.test import TestCase
+
+from authentik.events.geo import GeoIPReader
+
+
+class TestGeoIP(TestCase):
+    """Test GeoIP Wrapper"""
+
+    def setUp(self) -> None:
+        self.reader = GeoIPReader()
+
+    def test_simple(self):
+        """Test simple city wrapper"""
+        # IPs from
+        # https://github.com/maxmind/MaxMind-DB/blob/main/source-data/GeoLite2-City-Test.json
+        self.assertEqual(
+            self.reader.city_dict("2.125.160.216"),
+            {
+                "city": "Boxford",
+                "continent": "EU",
+                "country": "GB",
+                "lat": 51.75,
+                "long": -1.25,
+            },
+        )
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -6,10 +6,11 @@ from django.db.models import Model
 from django.http.response import HttpResponseBadRequest, JsonResponse
 from django.urls import reverse
 from django.utils.translation import gettext as _
-from drf_yasg import openapi
-from drf_yasg.utils import no_body, swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
+from rest_framework.fields import BooleanField, FileField, ReadOnlyField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -41,7 +42,9 @@ class FlowSerializer(ModelSerializer):

    cache_count = SerializerMethodField()

-    def get_cache_count(self, flow: Flow):
+    background = ReadOnlyField(source="background_url")
+
+    def get_cache_count(self, flow: Flow) -> int:
        """Get count of cached flows"""
        return len(cache.keys(f"{cache_key(flow)}*"))

@ -60,7 +63,11 @@ class FlowSerializer(ModelSerializer):
            "policies",
            "cache_count",
            "policy_engine_mode",
+            "compatibility_mode",
        ]
+        extra_kwargs = {
+            "background": {"read_only": True},
+        }


 class FlowDiagramSerializer(Serializer):
@ -97,16 +104,19 @@ class FlowViewSet(ModelViewSet):
    filterset_fields = ["flow_uuid", "name", "slug", "designation"]

    @permission_required(None, ["authentik_flows.view_flow_cache"])
-    @swagger_auto_schema(responses={200: CacheSerializer(many=False)})
+    @extend_schema(responses={200: CacheSerializer(many=False)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def cache_info(self, request: Request) -> Response:
        """Info about cached flows"""
        return Response(data={"count": len(cache.keys("flow_*"))})

    @permission_required(None, ["authentik_flows.clear_flow_cache"])
-    @swagger_auto_schema(
-        request_body=no_body,
-        responses={204: "Successfully cleared cache", 400: "Bad request"},
+    @extend_schema(
+        request=OpenApiTypes.NONE,
+        responses={
+            204: OpenApiResponse(description="Successfully cleared cache"),
+            400: OpenApiResponse(description="Bad request"),
+        },
    )
    @action(detail=False, methods=["POST"])
    def cache_clear(self, request: Request) -> Response:
@ -133,17 +143,16 @@ class FlowViewSet(ModelViewSet):
            "authentik_stages_prompt.change_prompt",
        ],
    )
-    @swagger_auto_schema(
-        request_body=no_body,
-        manual_parameters=[
-            openapi.Parameter(
-                name="file",
-                in_=openapi.IN_FORM,
-                type=openapi.TYPE_FILE,
-                required=True,
+    @extend_schema(
+        request={
+            "multipart/form-data": inline_serializer(
+                "SetIcon", fields={"file": FileField()}
            )
-        ],
-        responses={204: "Successfully imported flow", 400: "Bad request"},
+        },
+        responses={
+            204: OpenApiResponse(description="Successfully imported flow"),
+            400: OpenApiResponse(description="Bad request"),
+        },
    )
    @action(detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
    def import_flow(self, request: Request) -> Response:
@ -157,8 +166,8 @@ class FlowViewSet(ModelViewSet):
            return HttpResponseBadRequest()
        successful = importer.apply()
        if not successful:
-            return Response(status=204)
-        return HttpResponseBadRequest()
+            return HttpResponseBadRequest()
+        return Response(status=204)

    @permission_required(
        "authentik_flows.export_flow",
@ -171,11 +180,9 @@ class FlowViewSet(ModelViewSet):
            "authentik_stages_prompt.view_prompt",
        ],
    )
-    @swagger_auto_schema(
+    @extend_schema(
        responses={
-            "200": openapi.Response(
-                "File Attachment", schema=openapi.Schema(type=openapi.TYPE_FILE)
-            ),
+            "200": OpenApiResponse(response=OpenApiTypes.BINARY),
        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
@ -188,7 +195,7 @@ class FlowViewSet(ModelViewSet):
        response["Content-Disposition"] = f'attachment; filename="{flow.slug}.akflow"'
        return response

-    @swagger_auto_schema(responses={200: FlowDiagramSerializer()})
+    @extend_schema(responses={200: FlowDiagramSerializer()})
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["get"])
    # pylint: disable=unused-argument
    def diagram(self, request: Request, slug: str) -> Response:
@ -210,6 +217,7 @@ class FlowViewSet(ModelViewSet):
                    request.user, "authentik_policies.view_policybinding"
                )
                .filter(target=stage_binding)
+                .exclude(policy__isnull=True)
                .order_by("order")
            ):
                body.append(
@ -258,17 +266,20 @@ class FlowViewSet(ModelViewSet):
        return Response({"diagram": diagram})

    @permission_required("authentik_flows.change_flow")
-    @swagger_auto_schema(
-        request_body=no_body,
-        manual_parameters=[
-            openapi.Parameter(
-                name="file",
-                in_=openapi.IN_FORM,
-                type=openapi.TYPE_FILE,
-                required=True,
+    @extend_schema(
+        request={
+            "multipart/form-data": inline_serializer(
+                "SetIcon",
+                fields={
+                    "file": FileField(required=False),
+                    "clear": BooleanField(default=False),
+                },
            )
-        ],
-        responses={200: "Success", 400: "Bad request"},
+        },
+        responses={
+            200: OpenApiResponse(description="Success"),
+            400: OpenApiResponse(description="Bad request"),
+        },
    )
    @action(
        detail=True,
@ -280,16 +291,49 @@ class FlowViewSet(ModelViewSet):
    # pylint: disable=unused-argument
    def set_background(self, request: Request, slug: str):
        """Set Flow background"""
-        app: Flow = self.get_object()
-        icon = request.FILES.get("file", None)
-        if not icon:
+        flow: Flow = self.get_object()
+        background = request.FILES.get("file", None)
+        clear = request.data.get("clear", False)
+        if clear:
+            # .delete() saves the model by default
+            flow.background.delete()
+            return Response({})
+        if background:
+            flow.background = background
+            flow.save()
+            return Response({})
+        return HttpResponseBadRequest()
+
+    @permission_required("authentik_core.change_application")
+    @extend_schema(
+        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
+        responses={
+            200: OpenApiResponse(description="Success"),
+            400: OpenApiResponse(description="Bad request"),
+        },
+    )
+    @action(
+        detail=True,
+        pagination_class=None,
+        filter_backends=[],
+        methods=["POST"],
+    )
+    # pylint: disable=unused-argument
+    def set_background_url(self, request: Request, slug: str):
+        """Set Flow background (as URL)"""
+        flow: Flow = self.get_object()
+        url = request.data.get("url", None)
+        if not url:
            return HttpResponseBadRequest()
-        app.background = icon
-        app.save()
+        flow.background.name = url
+        flow.save()
        return Response({})

-    @swagger_auto_schema(
-        responses={200: LinkSerializer(many=False), 400: "Flow not applicable"},
+    @extend_schema(
+        responses={
+            200: LinkSerializer(many=False),
+            400: OpenApiResponse(description="Flow not applicable"),
+        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=unused-argument
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@ -1,10 +1,10 @@
 """Flow Stage API Views"""
 from typing import Iterable

-from drf_yasg.utils import swagger_auto_schema
+from django.urls.base import reverse
+from drf_spectacular.utils import extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer, SerializerMethodField
@ -20,12 +20,6 @@ from authentik.lib.utils.reflection import all_subclasses
 LOGGER = get_logger()


-class StageUserSettingSerializer(UserSettingSerializer):
-    """User settings but can include a configure flow"""
-
-    configure_flow = BooleanField(required=False)
-
-
 class StageSerializer(ModelSerializer, MetaNameSerializer):
    """Stage Serializer"""

@ -65,10 +59,10 @@ class StageViewSet(
    search_fields = ["name"]
    filterset_fields = ["name"]

-    def get_queryset(self):
+    def get_queryset(self):  # pragma: no cover
        return Stage.objects.select_subclasses()

-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable stage types"""
@ -86,7 +80,7 @@ class StageViewSet(
        data = sorted(data, key=lambda x: x["name"])
        return Response(TypeCreateSerializer(data, many=True).data)

-    @swagger_auto_schema(responses={200: StageUserSettingSerializer(many=True)})
+    @extend_schema(responses={200: UserSettingSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def user_settings(self, request: Request) -> Response:
        """Get all stages the user can configure"""
@ -97,9 +91,10 @@ class StageViewSet(
            if not user_settings:
                continue
            user_settings.initial_data["object_uid"] = str(stage.pk)
-            if hasattr(stage, "configure_flow"):
-                user_settings.initial_data["configure_flow"] = bool(
-                    stage.configure_flow
+            if hasattr(stage, "configure_url"):
+                user_settings.initial_data["configure_url"] = reverse(
+                    "authentik_flows:configure",
+                    kwargs={"stage_uuid": stage.uuid.hex},
                )
            if not user_settings.is_valid():
                LOGGER.warning(user_settings.errors)
--- a/authentik/flows/apps.py
+++ b/authentik/flows/apps.py
@ -2,6 +2,9 @@
 from importlib import import_module

 from django.apps import AppConfig
+from django.db.utils import ProgrammingError
+
+from authentik.lib.utils.reflection import all_subclasses


 class AuthentikFlowsConfig(AppConfig):
@ -14,3 +17,10 @@ class AuthentikFlowsConfig(AppConfig):

    def ready(self):
        import_module("authentik.flows.signals")
+        try:
+            from authentik.flows.models import Stage
+
+            for stage in all_subclasses(Stage):
+                _ = stage().type
+        except ProgrammingError:
+            pass
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -28,6 +28,14 @@ class ErrorDetailSerializer(PassiveSerializer):
    code = CharField()


+class ContextualFlowInfo(PassiveSerializer):
+    """Contextual flow information for a challenge"""
+
+    title = CharField(required=False, allow_blank=True)
+    background = CharField(required=False)
+    cancel_url = CharField()
+
+
 class Challenge(PassiveSerializer):
    """Challenge that gets sent to the client based on which stage
    is currently active"""
@ -35,9 +43,8 @@ class Challenge(PassiveSerializer):
    type = ChoiceField(
        choices=[(x.value, x.name) for x in ChallengeTypes],
    )
-    component = CharField(required=False)
-    title = CharField(required=False)
-    background = CharField(required=False)
+    flow_info = ContextualFlowInfo(required=False)
+    component = CharField(default="")

    response_errors = DictField(
        child=ErrorDetailSerializer(many=True), allow_empty=True, required=False
@ -48,18 +55,20 @@ class RedirectChallenge(Challenge):
    """Challenge type to redirect the client"""

    to = CharField()
+    component = CharField(default="xak-flow-redirect")


 class ShellChallenge(Challenge):
-    """Legacy challenge type to render HTML as-is"""
+    """challenge type to render HTML as-is"""

    body = CharField()
+    component = CharField(default="xak-flow-shell")


 class WithUserInfoChallenge(Challenge):
    """Challenge base which shows some user info"""

-    pending_user = CharField()
+    pending_user = CharField(allow_blank=True)
    pending_user_avatar = CharField()


@ -67,6 +76,7 @@ class AccessDeniedChallenge(Challenge):
    """Challenge when a flow's active stage calls `stage_invalid()`."""

    error_message = CharField(required=False)
+    component = CharField(default="ak-stage-access-denied")


 class PermissionSerializer(PassiveSerializer):
@ -80,6 +90,7 @@ class ChallengeResponse(PassiveSerializer):
    """Base class for all challenge responses"""

    stage: Optional["StageView"]
+    component = CharField(default="xak-flow-response-default")

    def __init__(self, instance=None, data=None, **kwargs):
        self.stage = kwargs.pop("stage", None)
--- a/authentik/flows/migrations/0018_oob_flows.py
+++ b/authentik/flows/migrations/0018_oob_flows.py
@ -21,7 +21,7 @@ context["user_backend"] = "django.contrib.auth.backends.ModelBackend"
 return True"""


-def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+def create_default_oobe_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    from authentik.stages.prompt.models import FieldTypes

    User = apps.get_model("authentik_core", "User")
@ -52,20 +52,20 @@ def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)

    # Create a policy that sets the flow's user
    prefill_policy, _ = ExpressionPolicy.objects.using(db_alias).update_or_create(
-        name="default-oob-prefill-user",
+        name="default-oobe-prefill-user",
        defaults={"expression": PREFILL_POLICY_EXPRESSION},
    )
    password_usable_policy, _ = ExpressionPolicy.objects.using(
        db_alias
    ).update_or_create(
-        name="default-oob-password-usable",
+        name="default-oobe-password-usable",
        defaults={"expression": PW_USABLE_POLICY_EXPRESSION},
    )

    prompt_header, _ = Prompt.objects.using(db_alias).update_or_create(
-        field_key="oob-header-text",
+        field_key="oobe-header-text",
        defaults={
-            "label": "oob-header-text",
+            "label": "oobe-header-text",
            "type": FieldTypes.STATIC,
            "placeholder": "Welcome to authentik! Please set a password for the default admin user, akadmin.",
            "order": 100,
@ -84,7 +84,7 @@ def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)
    password_second = Prompt.objects.using(db_alias).get(field_key="password_repeat")

    prompt_stage, _ = PromptStage.objects.using(db_alias).update_or_create(
-        name="default-oob-password",
+        name="default-oobe-password",
    )
    prompt_stage.fields.set(
        [prompt_header, prompt_email, password_first, password_second]
@ -102,7 +102,7 @@ def create_default_oob_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor)
        slug="initial-setup",
        designation=FlowDesignation.STAGE_CONFIGURATION,
        defaults={
-            "name": "default-oob-setup",
+            "name": "default-oobe-setup",
            "title": "Welcome to authentik!",
        },
    )
@ -146,5 +146,5 @@ class Migration(migrations.Migration):
    ]

    operations = [
-        migrations.RunPython(create_default_oob_flow),
+        migrations.RunPython(create_default_oobe_flow),
    ]
--- a/authentik/flows/migrations/0019_alter_flow_background.py
+++ b/authentik/flows/migrations/0019_alter_flow_background.py
@ -0,0 +1,23 @@
+# Generated by Django 3.2.3 on 2021-06-05 17:34
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0018_oob_flows"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="flow",
+            name="background",
+            field=models.FileField(
+                default=None,
+                help_text="Background shown during execution",
+                null=True,
+                upload_to="flow-backgrounds/",
+            ),
+        ),
+    ]
--- a/authentik/flows/migrations/0020_flow_compatibility_mode.py
+++ b/authentik/flows/migrations/0020_flow_compatibility_mode.py
@ -0,0 +1,21 @@
+# Generated by Django 3.2.3 on 2021-06-05 17:56
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0019_alter_flow_background"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="flow",
+            name="compatibility_mode",
+            field=models.BooleanField(
+                default=True,
+                help_text="Enable compatibility mode, increases compatibility with password managers on mobile devices.",
+            ),
+        ),
+    ]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -110,11 +110,31 @@ class Flow(SerializerModel, PolicyBindingModel):

    background = models.FileField(
        upload_to="flow-backgrounds/",
-        default="../static/dist/assets/images/flow_background.jpg",
-        blank=True,
+        default=None,
+        null=True,
        help_text=_("Background shown during execution"),
    )

+    compatibility_mode = models.BooleanField(
+        default=True,
+        help_text=_(
+            "Enable compatibility mode, increases compatibility with "
+            "password managers on mobile devices."
+        ),
+    )
+
+    @property
+    def background_url(self) -> str:
+        """Get the URL to the background image. If the name is /static or starts with http
+        it is returned as-is"""
+        if not self.background:
+            return "/static/dist/assets/images/flow_background.jpg"
+        if self.background.name.startswith("http") or self.background.name.startswith(
+            "/static"
+        ):
+            return self.background.name
+        return self.background.url
+
    stages = models.ManyToManyField(Stage, through="FlowStageBinding", blank=True)

    @property
@ -142,11 +162,6 @@ class Flow(SerializerModel, PolicyBindingModel):
        LOGGER.debug("with_policy: no flow found", filters=flow_filter)
        return None

-    def related_flow(self, designation: str, request: HttpRequest) -> Optional["Flow"]:
-        """Get a related flow with `designation`. Currently this only queries
-        Flows by `designation`, but will eventually use `self` for related lookups."""
-        return Flow.with_policy(request, designation=designation)
-
    def __str__(self) -> str:
        return f"Flow {self.name} ({self.slug})"

--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -4,6 +4,7 @@ from typing import Any, Optional

 from django.core.cache import cache
 from django.http import HttpRequest
+from prometheus_client import Histogram
 from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
@ -14,6 +15,7 @@ from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableExce
 from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import Flow, FlowStageBinding, Stage
 from authentik.policies.engine import PolicyEngine
+from authentik.root.monitoring import UpdatingGauge

 LOGGER = get_logger()
 PLAN_CONTEXT_PENDING_USER = "pending_user"
@ -21,6 +23,16 @@ PLAN_CONTEXT_SSO = "is_sso"
 PLAN_CONTEXT_REDIRECT = "redirect"
 PLAN_CONTEXT_APPLICATION = "application"
 PLAN_CONTEXT_SOURCE = "source"
+GAUGE_FLOWS_CACHED = UpdatingGauge(
+    "authentik_flows_cached",
+    "Cached flows",
+    update_func=lambda: len(cache.keys("flow_*") or []),
+)
+HIST_FLOWS_PLAN_TIME = Histogram(
+    "authentik_flows_plan_time",
+    "Duration to build a plan for a flow",
+    ["flow_slug"],
+)


 def cache_key(flow: Flow, user: Optional[User] = None) -> str:
@ -146,6 +158,7 @@ class FlowPlanner:
            )
            plan = self._build_plan(user, request, default_context)
            cache.set(cache_key(self.flow, user), plan)
+            GAUGE_FLOWS_CACHED.update()
            if not plan.stages and not self.allow_empty_flows:
                raise EmptyFlowException()
            return plan
@ -158,7 +171,9 @@ class FlowPlanner:
    ) -> FlowPlan:
        """Build flow plan by checking each stage in their respective
        order and checking the applied policies"""
-        with Hub.current.start_span(op="flow.planner.build_plan") as span:
+        with Hub.current.start_span(
+            op="flow.planner.build_plan"
+        ) as span, HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug).time():
            span: Span
            span.set_data("flow", self.flow)
            span.set_data("user", user)
@ -202,6 +217,7 @@ class FlowPlanner:
                    marker = ReevaluateMarker(binding=binding, user=user)
                if stage:
                    plan.append(stage, marker)
+            HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug)
        self._logger.debug(
            "f(plan): finished building",
        )
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -3,6 +3,7 @@ from django.contrib.auth.models import AnonymousUser
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.http.response import HttpResponse
+from django.urls import reverse
 from django.views.generic.base import View
 from rest_framework.request import Request
 from structlog.stdlib import get_logger
@ -11,6 +12,7 @@ from authentik.core.models import DEFAULT_AVATAR, User
 from authentik.flows.challenge import (
    Challenge,
    ChallengeResponse,
+    ContextualFlowInfo,
    HttpChallengeResponse,
    WithUserInfoChallenge,
 )
@ -93,10 +95,16 @@ class ChallengeStageView(StageView):

    def _get_challenge(self, *args, **kwargs) -> Challenge:
        challenge = self.get_challenge(*args, **kwargs)
-        if "title" not in challenge.initial_data:
-            challenge.initial_data["title"] = self.executor.flow.title
-        if "background" not in challenge.initial_data:
-            challenge.initial_data["background"] = self.executor.flow.background.url
+        if "flow_info" not in challenge.initial_data:
+            flow_info = ContextualFlowInfo(
+                data={
+                    "title": self.executor.flow.title,
+                    "background": self.executor.flow.background_url,
+                    "cancel_url": reverse("authentik_flows:cancel"),
+                }
+            )
+            flow_info.is_valid()
+            challenge.initial_data["flow_info"] = flow_info.data
        if isinstance(challenge, WithUserInfoChallenge):
            # If there's a pending user, update the `username` field
            # this field is only used by password managers.
--- a/authentik/flows/tests/test_views.py
+++ b/authentik/flows/tests/test_views.py
@ -93,7 +93,11 @@ class TestFlowExecutor(TestCase):
            {
                "component": "ak-stage-access-denied",
                "error_message": FlowNonApplicableException.__doc__,
-                "title": "",
+                "flow_info": {
+                    "background": flow.background_url,
+                    "cancel_url": reverse("authentik_flows:cancel"),
+                    "title": "",
+                },
                "type": ChallengeTypes.NATIVE.value,
            },
        )
@ -289,7 +293,11 @@ class TestFlowExecutor(TestCase):
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(
            force_str(response.content),
-            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
+            {
+                "component": "xak-flow-redirect",
+                "to": reverse("authentik_core:root-redirect"),
+                "type": ChallengeTypes.REDIRECT.value,
+            },
        )

    def test_reevaluate_keep(self):
@ -366,7 +374,11 @@ class TestFlowExecutor(TestCase):
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(
            force_str(response.content),
-            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
+            {
+                "component": "xak-flow-redirect",
+                "to": reverse("authentik_core:root-redirect"),
+                "type": ChallengeTypes.REDIRECT.value,
+            },
        )

    def test_reevaluate_remove_consecutive(self):
@ -414,10 +426,13 @@ class TestFlowExecutor(TestCase):
            self.assertJSONEqual(
                force_str(response.content),
                {
-                    "background": flow.background.url,
                    "type": ChallengeTypes.NATIVE.value,
                    "component": "ak-stage-dummy",
-                    "title": binding.stage.name,
+                    "flow_info": {
+                        "background": flow.background_url,
+                        "cancel_url": reverse("authentik_flows:cancel"),
+                        "title": "",
+                    },
                },
            )

@ -445,10 +460,13 @@ class TestFlowExecutor(TestCase):
        self.assertJSONEqual(
            force_str(response.content),
            {
-                "background": flow.background.url,
                "type": ChallengeTypes.NATIVE.value,
                "component": "ak-stage-dummy",
-                "title": binding4.stage.name,
+                "flow_info": {
+                    "background": flow.background_url,
+                    "cancel_url": reverse("authentik_flows:cancel"),
+                    "title": "",
+                },
            },
        )

@ -458,7 +476,11 @@ class TestFlowExecutor(TestCase):
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(
            force_str(response.content),
-            {"to": reverse("authentik_core:root-redirect"), "type": "redirect"},
+            {
+                "component": "xak-flow-redirect",
+                "to": reverse("authentik_core:root-redirect"),
+                "type": ChallengeTypes.REDIRECT.value,
+            },
        )

    def test_stageview_user_identifier(self):
--- a/authentik/flows/urls.py
+++ b/authentik/flows/urls.py
@ -1,6 +1,5 @@
 """flow urls"""
 from django.urls import path
-from django.views.generic import RedirectView

 from authentik.flows.models import FlowDesignation
 from authentik.flows.views import CancelView, ConfigureFlowInitView, ToDefaultFlow
@ -16,30 +15,10 @@ urlpatterns = [
        ToDefaultFlow.as_view(designation=FlowDesignation.INVALIDATION),
        name="default-invalidation",
    ),
-    path(
-        "-/default/recovery/",
-        ToDefaultFlow.as_view(designation=FlowDesignation.RECOVERY),
-        name="default-recovery",
-    ),
-    path(
-        "-/default/enrollment/",
-        ToDefaultFlow.as_view(designation=FlowDesignation.ENROLLMENT),
-        name="default-enrollment",
-    ),
-    path(
-        "-/default/unenrollment/",
-        ToDefaultFlow.as_view(designation=FlowDesignation.UNRENOLLMENT),
-        name="default-unenrollment",
-    ),
    path("-/cancel/", CancelView.as_view(), name="cancel"),
    path(
        "-/configure/<uuid:stage_uuid>/",
        ConfigureFlowInitView.as_view(),
        name="configure",
    ),
-    path(
-        "<slug:flow_slug>/",
-        RedirectView.as_view(pattern_name="authentik_core:if-flow"),
-        name="flow-executor-shell",
-    ),
 ]
--- a/authentik/flows/views.py
+++ b/authentik/flows/views.py
@ -2,16 +2,23 @@
 from traceback import format_tb
 from typing import Any, Optional

+from django.conf import settings
 from django.contrib.auth.mixins import LoginRequiredMixin
 from django.http import Http404, HttpRequest, HttpResponse, HttpResponseRedirect
 from django.http.request import QueryDict
 from django.shortcuts import get_object_or_404, redirect
 from django.template.response import TemplateResponse
+from django.urls.base import reverse
 from django.utils.decorators import method_decorator
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.generic import View
-from drf_yasg import openapi
-from drf_yasg.utils import no_body, swagger_auto_schema
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiResponse,
+    PolymorphicProxySerializer,
+    extend_schema,
+)
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
 from sentry_sdk import capture_exception
@ -27,6 +34,7 @@ from authentik.flows.challenge import (
    HttpChallengeResponse,
    RedirectChallenge,
    ShellChallenge,
+    WithUserInfoChallenge,
 )
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.models import ConfigurableStage, Flow, FlowDesignation, Stage
@ -36,8 +44,9 @@ from authentik.flows.planner import (
    FlowPlan,
    FlowPlanner,
 )
-from authentik.lib.utils.reflection import class_to_path
+from authentik.lib.utils.reflection import all_subclasses, class_to_path
 from authentik.lib.utils.urls import is_url_absolute, redirect_with_qs
+from authentik.tenants.models import Tenant

 LOGGER = get_logger()
 # Argument used to redirect user after login
@ -47,6 +56,43 @@ SESSION_KEY_APPLICATION_PRE = "authentik_flows_application_pre"
 SESSION_KEY_GET = "authentik_flows_get"


+def challenge_types():
+    """This is a workaround for PolymorphicProxySerializer not accepting a callable for
+    `serializers`. This function returns a class which is an iterator, which returns the
+    subclasses of Challenge, and Challenge itself."""
+
+    class Inner(dict):
+        """dummy class with custom callback on .items()"""
+
+        def items(self):
+            mapping = {}
+            classes = all_subclasses(Challenge)
+            classes.remove(WithUserInfoChallenge)
+            for cls in classes:
+                mapping[cls().fields["component"].default] = cls
+            return mapping.items()
+
+    return Inner()
+
+
+def challenge_response_types():
+    """This is a workaround for PolymorphicProxySerializer not accepting a callable for
+    `serializers`. This function returns a class which is an iterator, which returns the
+    subclasses of Challenge, and Challenge itself."""
+
+    class Inner(dict):
+        """dummy class with custom callback on .items()"""
+
+        def items(self):
+            mapping = {}
+            classes = all_subclasses(ChallengeResponse)
+            for cls in classes:
+                mapping[cls(stage=None).fields["component"].default] = cls
+            return mapping.items()
+
+    return Inner()
+
+
@method_decorator(xframe_options_sameorigin, name="dispatch")
 class FlowExecutorView(APIView):
    """Stage 1 Flow executor, passing requests to Stage Views"""
@ -125,19 +171,25 @@ class FlowExecutorView(APIView):
        self.current_stage_view.request = request
        return super().dispatch(request)

-    @swagger_auto_schema(
+    @extend_schema(
        responses={
-            200: Challenge(),
-            404: "No Token found",  # This error can be raised by the email stage
+            200: PolymorphicProxySerializer(
+                component_name="FlowChallengeRequest",
+                serializers=challenge_types(),
+                resource_type_field_name="component",
+            ),
+            404: OpenApiResponse(
+                description="No Token found"
+            ),  # This error can be raised by the email stage
        },
-        request_body=no_body,
-        manual_parameters=[
-            openapi.Parameter(
-                "query",
-                openapi.IN_QUERY,
+        request=OpenApiTypes.NONE,
+        parameters=[
+            OpenApiParameter(
+                name="query",
+                location=OpenApiParameter.QUERY,
                required=True,
                description="Querystring as received",
-                type=openapi.TYPE_STRING,
+                type=OpenApiTypes.STR,
            )
        ],
        operation_id="flows_executor_get",
@ -153,20 +205,32 @@ class FlowExecutorView(APIView):
            stage_response = self.current_stage_view.get(request, *args, **kwargs)
            return to_stage_response(request, stage_response)
        except Exception as exc:  # pylint: disable=broad-except
+            if settings.DEBUG or settings.TEST:
+                raise exc
            capture_exception(exc)
            self._logger.warning(exc)
            return to_stage_response(request, FlowErrorResponse(request, exc))

-    @swagger_auto_schema(
-        responses={200: Challenge()},
-        request_body=ChallengeResponse(),
-        manual_parameters=[
-            openapi.Parameter(
-                "query",
-                openapi.IN_QUERY,
+    @extend_schema(
+        responses={
+            200: PolymorphicProxySerializer(
+                component_name="FlowChallengeRequest",
+                serializers=challenge_types(),
+                resource_type_field_name="component",
+            ),
+        },
+        request=PolymorphicProxySerializer(
+            component_name="FlowChallengeResponse",
+            serializers=challenge_response_types(),
+            resource_type_field_name="component",
+        ),
+        parameters=[
+            OpenApiParameter(
+                name="query",
+                location=OpenApiParameter.QUERY,
                required=True,
                description="Querystring as received",
-                type=openapi.TYPE_STRING,
+                type=OpenApiTypes.STR,
            )
        ],
        operation_id="flows_executor_solve",
@ -182,6 +246,8 @@ class FlowExecutorView(APIView):
            stage_response = self.current_stage_view.post(request, *args, **kwargs)
            return to_stage_response(request, stage_response)
        except Exception as exc:  # pylint: disable=broad-except
+            if settings.DEBUG or settings.TEST:
+                raise exc
            capture_exception(exc)
            self._logger.warning(exc)
            return to_stage_response(request, FlowErrorResponse(request, exc))
@ -218,7 +284,7 @@ class FlowExecutorView(APIView):
        if self.plan.stages:
            self._logger.debug(
                "f(exec): Continuing with next stage",
-                reamining=len(self.plan.stages),
+                remaining=len(self.plan.stages),
            )
            kwargs = self.kwargs
            kwargs.update({"flow_slug": self.flow.slug})
@ -244,9 +310,13 @@ class FlowExecutorView(APIView):
            AccessDeniedChallenge(
                {
                    "error_message": error_message,
-                    "title": self.flow.title,
                    "type": ChallengeTypes.NATIVE.value,
                    "component": "ak-stage-access-denied",
+                    "flow_info": {
+                        "title": self.flow.title,
+                        "background": self.flow.background_url,
+                        "cancel_url": reverse("authentik_flows:cancel"),
+                    },
                }
            )
        )
@ -298,7 +368,7 @@ class CancelView(View):
        if SESSION_KEY_PLAN in request.session:
            del request.session[SESSION_KEY_PLAN]
            LOGGER.debug("Canceled current plan")
-        return redirect("authentik_core:root-redirect")
+        return redirect("authentik_flows:default-invalidation")


 class ToDefaultFlow(View):
@ -307,7 +377,17 @@ class ToDefaultFlow(View):
    designation: Optional[FlowDesignation] = None

    def dispatch(self, request: HttpRequest) -> HttpResponse:
-        flow = Flow.with_policy(request, designation=self.designation)
+        tenant: Tenant = request.tenant
+        flow = None
+        # First, attempt to get default flow from tenant
+        if self.designation == FlowDesignation.AUTHENTICATION:
+            flow = tenant.flow_authentication
+        if self.designation == FlowDesignation.INVALIDATION:
+            flow = tenant.flow_invalidation
+        # If no flow was set, get the first based on slug and policy
+        if not flow:
+            flow = Flow.with_policy(request, designation=self.designation)
+        # If we still don't have a flow, 404
        if not flow:
            raise Http404
        # If user already has a pending plan, clear it so we don't have to later.
@ -338,7 +418,10 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
        )
        return HttpChallengeResponse(
            RedirectChallenge(
-                {"type": ChallengeTypes.REDIRECT, "to": str(redirect_url)}
+                {
+                    "type": ChallengeTypes.REDIRECT,
+                    "to": str(redirect_url),
+                }
            )
        )
    if isinstance(source, TemplateResponse):
@ -350,7 +433,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse) -> HttpRespons
                }
            )
        )
-    # Check for actual HttpResponse (without isinstance as we dont want to check inheritance)
+    # Check for actual HttpResponse (without isinstance as we don't want to check inheritance)
    if source.__class__ == HttpResponse:
        return HttpChallengeResponse(
            ShellChallenge(
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -10,9 +10,6 @@ from urllib.parse import urlparse

 import yaml
 from django.conf import ImproperlyConfigured
-from django.http import HttpRequest
-
-from authentik import __version__

 SEARCH_PATHS = ["authentik/lib/default.yml", "/etc/authentik/config.yml", ""] + glob(
    "/etc/authentik/config.d/*.yml", recursive=True
@ -21,11 +18,6 @@ ENV_PREFIX = "AUTHENTIK"
 ENVIRONMENT = os.getenv(f"{ENV_PREFIX}_ENV", "local")


-def context_processor(request: HttpRequest) -> dict[str, Any]:
-    """Context Processor that injects config object into every template"""
-    return {"config": CONFIG.raw, "ak_version": __version__}
-
-
 class ConfigLoader:
    """Search through SEARCH_PATHS and load configuration. Environment variables starting with
    `ENV_PREFIX` are also applied.
@ -88,10 +80,10 @@ class ConfigLoader:
            value = os.getenv(url.netloc, url.query)
        if url.scheme == "file":
            try:
-                with open(url.netloc, "r") as _file:
+                with open(url.path, "r") as _file:
                    value = _file.read()
            except OSError:
-                self._log("error", f"Failed to read config value from {url.netloc}")
+                self._log("error", f"Failed to read config value from {url.path}")
                value = url.query
        return value

--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -3,6 +3,7 @@ postgresql:
  host: localhost
  name: authentik
  user: authentik
+  port: 5432
  password: 'env://POSTGRES_PASSWORD'

 web:
@ -41,14 +42,12 @@ outposts:
  # Placeholders:
  # %(type)s: Outpost type; proxy, ldap, etc
  # %(version)s: Current version; 2021.4.1
-  docker_image_base: "beryju/authentik-%(type)s:%(version)s"
+  # %(build_hash)s: Build hash if you're running a beta version
+  docker_image_base: "ghcr.io/goauthentik/%(type)s:%(version)s"

 authentik:
  avatars: gravatar  # gravatar or none
-  geoip: ""
-  branding:
-    title: authentik
-    logo: /static/dist/assets/icons/icon_left_brand.svg
+  geoip: "./GeoLite2-City.mmdb"
  # Optionally add links to the footer on the login page
  footer_links:
    - name: Documentation
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -26,8 +26,8 @@ class BaseEvaluator:
    _filename: str

    def __init__(self):
-        # update authentik/policies/expression/templates/policy/expression/form.html
-        # update website/docs/policies/expression.md
+        # update website/docs/expressions/_objects.md
+        # update website/docs/expressions/_functions.md
        self._globals = {
            "regex_match": BaseEvaluator.expr_filter_regex_match,
            "regex_replace": BaseEvaluator.expr_filter_regex_replace,
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -4,10 +4,15 @@ from typing import Optional
 from aioredis.errors import ConnectionClosedError, ReplyError
 from billiard.exceptions import WorkerLostError
 from botocore.client import ClientError
+from botocore.exceptions import BotoCoreError
 from celery.exceptions import CeleryError
 from channels.middleware import BaseMiddleware
 from channels_redis.core import ChannelFull
-from django.core.exceptions import SuspiciousOperation, ValidationError
+from django.core.exceptions import (
+    ImproperlyConfigured,
+    SuspiciousOperation,
+    ValidationError,
+)
 from django.db import InternalError, OperationalError, ProgrammingError
 from django.http.response import Http404
 from django_redis.exceptions import ConnectionInterrupted
@ -50,7 +55,8 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        ConnectionResetError,
        OSError,
        PermissionError,
-        # Django DB Errors
+        # Django Errors
+        ImproperlyConfigured,
        OperationalError,
        InternalError,
        ProgrammingError,
@ -72,6 +78,7 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        WorkerLostError,
        CeleryError,
        # S3 errors
+        BotoCoreError,
        ClientError,
        # custom baseclass
        SentryIgnoredException,
@ -87,6 +94,13 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        if isinstance(exc_value, ignored_classes):
            return None
    if "logger" in event:
-        if event["logger"] in ["dbbackup"]:
+        if event["logger"] in [
+            "dbbackup",
+            "botocore",
+            "kombu",
+            "asyncio",
+            "multiprocessing",
+            "django_redis",
+        ]:
            return None
    return event
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -5,9 +5,10 @@ from django.http import HttpRequest

 OUTPOST_REMOTE_IP_HEADER = "HTTP_X_AUTHENTIK_REMOTE_IP"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
+DEFAULT_IP = "255.255.255.255"


-def _get_client_ip_from_meta(meta: dict[str, Any]) -> Optional[str]:
+def _get_client_ip_from_meta(meta: dict[str, Any]) -> str:
    """Attempt to get the client's IP by checking common HTTP Headers.
    Returns none if no IP Could be found"""
    headers = (
@ -17,8 +18,9 @@ def _get_client_ip_from_meta(meta: dict[str, Any]) -> Optional[str]:
    )
    for _header in headers:
        if _header in meta:
-            return meta.get(_header).split(", ")[0]
-    return None
+            ips: list[str] = meta.get(_header).split(",")
+            return ips[0].strip()
+    return DEFAULT_IP


 def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
@ -36,7 +38,7 @@ def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
    return request.META[OUTPOST_REMOTE_IP_HEADER]


-def get_client_ip(request: Optional[HttpRequest]) -> Optional[str]:
+def get_client_ip(request: Optional[HttpRequest]) -> str:
    """Attempt to get the client's IP by checking common HTTP Headers.
    Returns none if no IP Could be found"""
    if request:
@ -44,4 +46,4 @@ def get_client_ip(request: Optional[HttpRequest]) -> Optional[str]:
        if override:
            return override
        return _get_client_ip_from_meta(request.META)
-    return None
+    return DEFAULT_IP
--- a/authentik/lib/views.py
+++ b/authentik/lib/views.py
@ -2,28 +2,6 @@
 from django.http import HttpRequest
 from django.template.response import TemplateResponse
 from django.utils.translation import gettext_lazy as _
-from django.views.generic import CreateView
-from guardian.shortcuts import assign_perm
-
-
-class CreateAssignPermView(CreateView):
-    """Assign permissions to object after creation"""
-
-    permissions = [
-        "%s.view_%s",
-        "%s.change_%s",
-        "%s.delete_%s",
-    ]
-
-    def form_valid(self, form):
-        response = super().form_valid(form)
-        for permission in self.permissions:
-            full_permission = permission % (
-                self.object._meta.app_label,
-                self.object._meta.model_name,
-            )
-            assign_perm(full_permission, self.request.user, self.object)
-        return response


 def bad_request_message(
--- a/authentik/managed/apps.py
+++ b/authentik/managed/apps.py
@ -6,7 +6,7 @@ class AuthentikManagedConfig(AppConfig):
    """authentik Managed app"""

    name = "authentik.managed"
-    label = "authentik_Managed"
+    label = "authentik_managed"
    verbose_name = "authentik Managed"

    def ready(self) -> None:
--- a/authentik/outposts/api/outposts.py
+++ b/authentik/outposts/api/outposts.py
@ -1,22 +1,67 @@
 """Outpost API Views"""
-from drf_yasg.utils import swagger_auto_schema
+from dacite.core import from_dict
+from dacite.exceptions import DaciteError
+from drf_spectacular.utils import extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import BooleanField, CharField, DateTimeField
+from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import JSONField, ModelSerializer
+from rest_framework.serializers import JSONField, ModelSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet

 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.utils import PassiveSerializer, is_dict
-from authentik.outposts.models import Outpost, default_outpost_config
+from authentik.core.models import Provider
+from authentik.outposts.api.service_connections import ServiceConnectionSerializer
+from authentik.outposts.models import (
+    Outpost,
+    OutpostConfig,
+    OutpostType,
+    default_outpost_config,
+)
+from authentik.providers.ldap.models import LDAPProvider
+from authentik.providers.proxy.models import ProxyProvider


 class OutpostSerializer(ModelSerializer):
    """Outpost Serializer"""

-    _config = JSONField(validators=[is_dict])
+    config = JSONField(validators=[is_dict], source="_config")
+    providers = PrimaryKeyRelatedField(
+        allow_empty=False,
+        many=True,
+        queryset=Provider.objects.select_subclasses().all(),
+    )
    providers_obj = ProviderSerializer(source="providers", many=True, read_only=True)
+    service_connection_obj = ServiceConnectionSerializer(
+        source="service_connection", read_only=True
+    )
+
+    def validate_providers(self, providers: list[Provider]) -> list[Provider]:
+        """Check that all providers match the type of the outpost"""
+        type_map = {
+            OutpostType.LDAP: LDAPProvider,
+            OutpostType.PROXY: ProxyProvider,
+            None: Provider,
+        }
+        for provider in providers:
+            if not isinstance(provider, type_map[self.initial_data.get("type")]):
+                raise ValidationError(
+                    (
+                        f"Outpost type {self.initial_data['type']} can't be used with "
+                        f"{type(provider)} providers."
+                    )
+                )
+        return providers
+
+    def validate_config(self, config) -> dict:
+        """Check that the config has all required fields"""
+        try:
+            from_dict(OutpostConfig, config)
+        except DaciteError as exc:
+            raise ValidationError(f"Failed to validate config: {str(exc)}") from exc
+        return config

    class Meta:

@ -28,9 +73,11 @@ class OutpostSerializer(ModelSerializer):
            "providers",
            "providers_obj",
            "service_connection",
+            "service_connection_obj",
            "token_identifier",
-            "_config",
+            "config",
        ]
+        extra_kwargs = {"type": {"required": True}}


 class OutpostDefaultConfigSerializer(PassiveSerializer):
@ -60,10 +107,10 @@ class OutpostViewSet(ModelViewSet):
        "name",
        "providers__name",
    ]
-    ordering = ["name"]
+    ordering = ["name", "service_connection__name"]

-    @swagger_auto_schema(responses={200: OutpostHealthSerializer(many=True)})
-    @action(methods=["GET"], detail=True)
+    @extend_schema(responses={200: OutpostHealthSerializer(many=True)})
+    @action(methods=["GET"], detail=True, pagination_class=None)
    # pylint: disable=invalid-name, unused-argument
    def health(self, request: Request, pk: int) -> Response:
        """Get outposts current health"""
@ -80,7 +127,7 @@ class OutpostViewSet(ModelViewSet):
            )
        return Response(OutpostHealthSerializer(states, many=True).data)

-    @swagger_auto_schema(responses={200: OutpostDefaultConfigSerializer(many=False)})
+    @extend_schema(responses={200: OutpostDefaultConfigSerializer(many=False)})
    @action(detail=False, methods=["GET"])
    def default_settings(self, request: Request) -> Response:
        """Global default outpost config"""
--- a/authentik/outposts/api/outpost_service_connections.py
+++ b/authentik/outposts/api/outpost_service_connections.py
@ -2,13 +2,13 @@
 from dataclasses import asdict

 from django.utils.translation import gettext_lazy as _
-from drf_yasg.utils import swagger_auto_schema
+from drf_spectacular.utils import extend_schema
 from kubernetes.client.configuration import Configuration
 from kubernetes.config.config_exception import ConfigException
 from kubernetes.config.kube_config import load_kube_config_from_dict
 from rest_framework import mixins, serializers
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, CharField, SerializerMethodField
+from rest_framework.fields import BooleanField, CharField, ReadOnlyField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
@ -30,11 +30,7 @@ from authentik.outposts.models import (
 class ServiceConnectionSerializer(ModelSerializer, MetaNameSerializer):
    """ServiceConnection Serializer"""

-    component = SerializerMethodField()
-
-    def get_component(self, obj: OutpostServiceConnection) -> str:
-        """Get object component so that we know how to edit the object"""
-        return obj.component
+    component = ReadOnlyField()

    class Meta:

@ -69,7 +65,7 @@ class ServiceConnectionViewSet(
    search_fields = ["name"]
    filterset_fields = ["name"]

-    @swagger_auto_schema(responses={200: TypeCreateSerializer(many=True)})
+    @extend_schema(responses={200: TypeCreateSerializer(many=True)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    def types(self, request: Request) -> Response:
        """Get all creatable service connection types"""
@ -87,7 +83,7 @@ class ServiceConnectionViewSet(
            )
        return Response(TypeCreateSerializer(data, many=True).data)

-    @swagger_auto_schema(responses={200: ServiceConnectionStateSerializer(many=False)})
+    @extend_schema(responses={200: ServiceConnectionStateSerializer(many=False)})
    @action(detail=True, pagination_class=None, filter_backends=[])
    # pylint: disable=unused-argument, invalid-name
    def state(self, request: Request, pk: str) -> Response:
@ -122,7 +118,7 @@ class KubernetesServiceConnectionSerializer(ServiceConnectionSerializer):
    def validate_kubeconfig(self, kubeconfig):
        """Validate kubeconfig by attempting to load it"""
        if kubeconfig == {}:
-            if not self.validated_data["local"]:
+            if not self.initial_data["local"]:
                raise serializers.ValidationError(
                    _(
                        "You can only use an empty kubeconfig when connecting to a local cluster."
--- a/authentik/outposts/channels.py
+++ b/authentik/outposts/channels.py
@ -8,11 +8,21 @@ from channels.exceptions import DenyConnection
 from dacite import from_dict
 from dacite.data import Data
 from guardian.shortcuts import get_objects_for_user
+from prometheus_client import Gauge
 from structlog.stdlib import get_logger

 from authentik.core.channels import AuthJsonConsumer
 from authentik.outposts.models import OUTPOST_HELLO_INTERVAL, Outpost, OutpostState

+GAUGE_OUTPOSTS_CONNECTED = Gauge(
+    "authentik_outposts_connected", "Currently connected outposts", ["outpost", "uid"]
+)
+GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
+    "authentik_outposts_last_update",
+    "Last update from any outpost",
+    ["outpost", "uid", "version"],
+)
+
 LOGGER = get_logger()


@ -42,6 +52,10 @@ class OutpostConsumer(AuthJsonConsumer):

    outpost: Optional[Outpost] = None

+    last_uid: Optional[str] = None
+
+    first_msg = False
+
    def connect(self):
        super().connect()
        uuid = self.scope["url_route"]["kwargs"]["pk"]
@ -52,9 +66,7 @@ class OutpostConsumer(AuthJsonConsumer):
            raise DenyConnection()
        self.accept()
        self.outpost = outpost.first()
-        OutpostState(
-            uid=self.channel_name, last_seen=datetime.now(), _outpost=self.outpost
-        ).save(timeout=OUTPOST_HELLO_INTERVAL * 1.5)
+        self.last_uid = self.channel_name
        LOGGER.debug(
            "added outpost instace to cache",
            outpost=self.outpost,
@ -63,27 +75,52 @@ class OutpostConsumer(AuthJsonConsumer):

    # pylint: disable=unused-argument
    def disconnect(self, close_code):
-        if self.outpost:
-            OutpostState.for_channel(self.outpost, self.channel_name).delete()
+        if self.outpost and self.last_uid:
+            state = OutpostState.for_instance_uid(self.outpost, self.last_uid)
+            if self.channel_name in state.channel_ids:
+                state.channel_ids.remove(self.channel_name)
+                state.save()
+            GAUGE_OUTPOSTS_CONNECTED.labels(
+                outpost=self.outpost.name,
+                uid=self.last_uid,
+            ).dec()
        LOGGER.debug(
            "removed outpost instance from cache",
            outpost=self.outpost,
-            channel_name=self.channel_name,
+            instance_uuid=self.last_uid,
        )

    def receive_json(self, content: Data):
        msg = from_dict(WebsocketMessage, content)
-        state = OutpostState(
-            uid=self.channel_name,
-            last_seen=datetime.now(),
-            _outpost=self.outpost,
-        )
+        uid = msg.args.get("uuid", self.channel_name)
+        self.last_uid = uid
+
+        if not self.outpost:
+            raise DenyConnection()
+
+        state = OutpostState.for_instance_uid(self.outpost, uid)
+        if self.channel_name not in state.channel_ids:
+            state.channel_ids.append(self.channel_name)
+        state.last_seen = datetime.now()
+
+        if not self.first_msg:
+            GAUGE_OUTPOSTS_CONNECTED.labels(
+                outpost=self.outpost.name,
+                uid=self.last_uid,
+            ).inc()
+            self.first_msg = True
+
        if msg.instruction == WebsocketMessageInstruction.HELLO:
            state.version = msg.args.get("version", None)
+            state.build_hash = msg.args.get("buildHash", "")
        elif msg.instruction == WebsocketMessageInstruction.ACK:
            return
-        if state.version:
-            state.save(timeout=OUTPOST_HELLO_INTERVAL * 1.5)
+        GAUGE_OUTPOSTS_LAST_UPDATE.labels(
+            outpost=self.outpost.name,
+            uid=self.last_uid or "",
+            version=state.version or "",
+        ).set_to_current_time()
+        state.save(timeout=OUTPOST_HELLO_INTERVAL * 1.5)

        response = WebsocketMessage(instruction=WebsocketMessageInstruction.ACK)
        self.send_json(asdict(response))
--- a/authentik/outposts/controllers/base.py
+++ b/authentik/outposts/controllers/base.py
@ -1,11 +1,12 @@
 """Base Controller"""
 from dataclasses import dataclass
+from os import environ
 from typing import Optional

 from structlog.stdlib import get_logger
 from structlog.testing import capture_logs

-from authentik import __version__
+from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.outposts.models import Outpost, OutpostServiceConnection
@ -56,6 +57,12 @@ class BaseController:
        """Handler to delete everything we've created"""
        raise NotImplementedError

+    def down_with_logs(self) -> list[str]:
+        """Call .down() but capture all log output and return it."""
+        with capture_logs() as logs:
+            self.down()
+        return [x["event"] for x in logs]
+
    def get_static_deployment(self) -> str:
        """Return a static deployment configuration"""
        raise NotImplementedError
@ -63,4 +70,8 @@ class BaseController:
    def get_container_image(self) -> str:
        """Get container image to use for this outpost"""
        image_name_template: str = CONFIG.y("outposts.docker_image_base")
-        return image_name_template % {"type": self.outpost.type, "version": __version__}
+        return image_name_template % {
+            "type": self.outpost.type,
+            "version": __version__,
+            "build_hash": environ.get(ENV_GIT_HASH_KEY, ""),
+        }
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@ -71,6 +71,7 @@ class DockerController(BaseController):
                },
                "environment": self._get_env(),
                "labels": self._get_labels(),
+                "restart_policy": {"Name": "unless-stopped"},
            }
            if settings.TEST:
                del container_args["ports"]
@ -80,27 +81,39 @@ class DockerController(BaseController):
                True,
            )

+    # pylint: disable=too-many-return-statements
    def up(self):
        try:
            container, has_been_created = self._get_container()
+            if has_been_created:
+                return None
            # Check if the container is out of date, delete it and retry
            if len(container.image.tags) > 0:
                tag: str = container.image.tags[0]
-                _, _, version = tag.partition(":")
-                if version != __version__:
+                if tag != self.get_container_image():
                    self.logger.info(
-                        "Container has mismatched version, re-creating...",
-                        has=version,
-                        should=__version__,
+                        "Container has mismatched image, re-creating...",
+                        has=tag,
+                        should=self.get_container_image(),
                    )
-                    container.kill()
-                    container.remove(force=True)
+                    self.down()
                    return self.up()
            # Check that container values match our values
            if self._comp_env(container):
                self.logger.info("Container has outdated config, re-creating...")
-                container.kill()
-                container.remove(force=True)
+                self.down()
+                return self.up()
+            if (
+                container.attrs.get("HostConfig", {})
+                .get("RestartPolicy", {})
+                .get("Name", "")
+                .lower()
+                != "unless-stopped"
+            ):
+                self.logger.info(
+                    "Container has mis-matched restart policy, re-creating..."
+                )
+                self.down()
                return self.up()
            # Check that container is healthy
            if (
@ -127,16 +140,16 @@ class DockerController(BaseController):
                return None
            return None
        except DockerException as exc:
-            raise ControllerException from exc
+            raise ControllerException(str(exc)) from exc

    def down(self):
        try:
            container, _ = self._get_container()
            if container.status == "running":
                container.kill()
-            container.remove()
+            container.remove(force=True)
        except DockerException as exc:
-            raise ControllerException from exc
+            raise ControllerException(str(exc)) from exc

    def get_static_deployment(self) -> str:
        """Generate docker-compose yaml for proxy, version 3.5"""
--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@ -30,11 +30,6 @@ class NeedsUpdate(ReconcileTrigger):
    """Exception to trigger an update to the Kubernetes Object"""


-class Disabled(SentryIgnoredException):
-    """Exception which can be thrown in a reconciler to signal than an
-    object should not be created."""
-
-
 class KubernetesObjectReconciler(Generic[T]):
    """Base Kubernetes Reconciler, handles the basic logic."""

@ -45,6 +40,11 @@ class KubernetesObjectReconciler(Generic[T]):
        self.namespace = controller.outpost.config.kubernetes_namespace
        self.logger = get_logger().bind(type=self.__class__.__name__)

+    @property
+    def noop(self) -> bool:
+        """Return true if this object should not be created/updated/deleted in this cluster"""
+        return False
+
    @property
    def name(self) -> str:
        """Get the name of the object this reconciler manages"""
@ -59,11 +59,10 @@ class KubernetesObjectReconciler(Generic[T]):
    def up(self):
        """Create object if it doesn't exist, update if needed or recreate if needed."""
        current = None
-        try:
-            reference = self.get_reference_object()
-        except Disabled:
-            self.logger.debug("Object not required")
+        if self.noop:
+            self.logger.debug("Object is noop")
            return
+        reference = self.get_reference_object()
        try:
            try:
                current = self.retrieve()
@ -92,11 +91,8 @@ class KubernetesObjectReconciler(Generic[T]):

    def down(self):
        """Delete object if found"""
-        # Call self.get_reference_object to check if we even need to do anything
-        try:
-            self.get_reference_object()
-        except Disabled:
-            self.logger.debug("Object not required")
+        if self.noop:
+            self.logger.debug("Object is noop")
            return
        try:
            current = self.retrieve()
--- a/Show More
+++ b/Show More