release: 0.14.2-stable

.bumpversion.cfg

@@ -1,11 +1,9 @@
 [bumpversion]
-current_version = 2021.6.1-rc2
+current_version = 0.14.2-stable
 tag = True
 commit = True
-parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
-serialize = 
-	{major}.{minor}.{patch}-{release}
-	{major}.{minor}.{patch}
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)
+serialize = {major}.{minor}.{patch}-{release}
 message = release: {new_version}
 tag_name = version/{new_version}
 
@@ -19,18 +17,20 @@ values =
 
 [bumpversion:file:website/docs/installation/docker-compose.md]
 
+[bumpversion:file:website/docs/installation/kubernetes.md]
+
 [bumpversion:file:docker-compose.yml]
 
+[bumpversion:file:helm/values.yaml]
+
+[bumpversion:file:helm/README.md]
+
+[bumpversion:file:helm/Chart.yaml]
+
 [bumpversion:file:.github/workflows/release.yml]
 
 [bumpversion:file:authentik/__init__.py]
 
-[bumpversion:file:internal/constants/constants.go]
-
-[bumpversion:file:outpost/pkg/version.go]
+[bumpversion:file:proxy/pkg/version.go]
 
 [bumpversion:file:web/src/constants.ts]
-
-[bumpversion:file:website/docs/outposts/manual-deploy-docker-compose.md]
-
-[bumpversion:file:website/docs/outposts/manual-deploy-kubernetes.md]

.github/ISSUE_TEMPLATE/question.md

@@ -1,27 +0,0 @@
----
-name: Question
-about: Ask a question about a feature or specific configuration
-title: ''
-labels: question
-assignees: ''
-
----
-
-**Describe your question/**
-A clear and concise description of what you're trying to do.
-
-**Relevant infos**
-i.e. Version of other software you're using, specifics of your setup
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Output of docker-compose logs or kubectl logs respectively
-
-**Version and Deployment (please complete the following information):**
- - authentik version: [e.g. 0.10.0-stable]
- - Deployment: [e.g. docker-compose, helm]
-
-**Additional context**
-Add any other context about the problem here.

.github/codecov.yml

@@ -1,3 +0,0 @@
-coverage:
-  precision: 2
-  round: up

.github/dependabot.yml

@@ -1,15 +1,7 @@
 version: 2
 updates:
-- package-ecosystem: "github-actions"
-  directory: "/"
-  schedule:
-    interval: daily
-    time: "04:00"
-  open-pull-requests-limit: 10
-  assignees:
-  - BeryJu
 - package-ecosystem: gomod
-  directory: "/outpost"
+  directory: "/proxy"
   schedule:
     interval: daily
     time: "04:00"
@@ -24,14 +16,6 @@ updates:
   open-pull-requests-limit: 10
   assignees:
   - BeryJu
-- package-ecosystem: npm
-  directory: "/website"
-  schedule:
-    interval: daily
-    time: "04:00"
-  open-pull-requests-limit: 10
-  assignees:
-  - BeryJu
 - package-ecosystem: pip
   directory: "/"
   schedule:
@@ -49,7 +33,7 @@ updates:
   assignees:
   - BeryJu
 - package-ecosystem: docker
-  directory: "/outpost"
+  directory: "/proxy"
   schedule:
     interval: daily
     time: "04:00"

.github/stale.yml

@@ -1,13 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 60
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 7
-# Issues with these labels will never be considered stale
-exemptLabels:
-  - pinned
-  - security
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no further activity occurs. Thank you
-  for your contributions.

.github/workflows/release.yml

@@ -3,117 +3,87 @@ name: authentik-on-release
 on:
   release:
     types: [published, created]
-  push:
-    branches:
-      - version-*
 
 jobs:
   # Build
   build-server:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.2.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+      - uses: actions/checkout@v1
       - name: Docker Login Registry
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
       - name: Building Docker Image
-        uses: docker/build-push-action@v2
-        with:
-          push: ${{ github.event_name == 'release' }}
-          tags: |
-            beryju/authentik:2021.6.1-rc2,
-            beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.6.1-rc2,
-            ghcr.io/goauthentik/server:latest
-          platforms: linux/amd64,linux/arm64
-          context: .
+        run: docker build
+          --no-cache
+          -t beryju/authentik:0.14.2-stable
+          -t beryju/authentik:latest
+          -f Dockerfile .
+      - name: Push Docker Container to Registry (versioned)
+        run: docker push beryju/authentik:0.14.2-stable
+      - name: Push Docker Container to Registry (latest)
+        run: docker push beryju/authentik:latest
   build-proxy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v1
       - uses: actions/setup-go@v2
         with:
           go-version: "^1.15"
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.2.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+      - name: prepare go api client
+        run: |
+          cd proxy
+          go get -u github.com/go-swagger/go-swagger/cmd/swagger
+          swagger generate client -f ../swagger.yaml -A authentik -t pkg/
+          go build -v .
       - name: Docker Login Registry
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
       - name: Building Docker Image
-        uses: docker/build-push-action@v2
-        with:
-          push: ${{ github.event_name == 'release' }}
-          tags: |
-            beryju/authentik-proxy:2021.6.1-rc2,
-            beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.6.1-rc2,
-            ghcr.io/goauthentik/proxy:latest
-          file: outpost/proxy.Dockerfile
-          platforms: linux/amd64,linux/arm64
-  build-ldap:
+        run: |
+          cd proxy/
+          docker build \
+          --no-cache \
+          -t beryju/authentik-proxy:0.14.2-stable \
+          -t beryju/authentik-proxy:latest \
+          -f Dockerfile .
+      - name: Push Docker Container to Registry (versioned)
+        run: docker push beryju/authentik-proxy:0.14.2-stable
+      - name: Push Docker Container to Registry (latest)
+        run: docker push beryju/authentik-proxy:latest
+  build-static:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-go@v2
-        with:
-          go-version: "^1.15"
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1.2.0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+      - uses: actions/checkout@v1
       - name: Docker Login Registry
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+        run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
       - name: Building Docker Image
-        uses: docker/build-push-action@v2
-        with:
-          push: ${{ github.event_name == 'release' }}
-          tags: |
-            beryju/authentik-ldap:2021.6.1-rc2,
-            beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.6.1-rc2,
-            ghcr.io/goauthentik/ldap:latest
-          file: outpost/ldap.Dockerfile
-          platforms: linux/amd64,linux/arm64
+        run: |
+          cd web/
+          docker build \
+          --no-cache \
+          -t beryju/authentik-static:0.14.2-stable \
+          -t beryju/authentik-static:latest \
+          -f Dockerfile .
+      - name: Push Docker Container to Registry (versioned)
+        run: docker push beryju/authentik-static:0.14.2-stable
+      - name: Push Docker Container to Registry (latest)
+        run: docker push beryju/authentik-static:latest
   test-release:
-    if: ${{ github.event_name == 'release' }}
     needs:
       - build-server
+      - build-static
       - build-proxy
-      - build-ldap
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v1
       - name: Run test suite in final docker images
         run: |
           sudo apt-get install -y pwgen
@@ -122,21 +92,20 @@ jobs:
           docker-compose pull -q
           docker-compose up --no-start
           docker-compose start postgresql redis
-          docker-compose run -u root server test
+          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
   sentry-release:
-    if: ${{ github.event_name == 'release' }}
     needs:
       - test-release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v1
       - name: Create a Sentry.io release
-        uses: getsentry/action-release@v1
+        uses: tclindner/sentry-releases-action@v1.2.0
         env:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           SENTRY_ORG: beryjuorg
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.6.1-rc2
+          tagName: 0.14.2-stable
           environment: beryjuorg-prod

.github/workflows/tag.yml

@@ -10,7 +10,7 @@ jobs:
     name: Create Release from Tag
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@master
       - name: Pre-release test
         run: |
           sudo apt-get install -y pwgen
@@ -24,17 +24,26 @@ jobs:
             -f Dockerfile .
           docker-compose up --no-start
           docker-compose start postgresql redis
-          docker-compose run -u root --entrypoint /bin/bash server -c "apt-get update && apt-get install -y --no-install-recommends git && pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
+          docker-compose run -u root --entrypoint /bin/bash server -c "pip install --no-cache -r requirements-dev.txt && ./manage.py test authentik"
+      - name: Install Helm
+        run: |
+          apt update && apt install -y curl
+          curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+      - name: Helm package
+        run: |
+          helm dependency update helm/
+          helm package helm/
+          mv authentik-*.tgz authentik-chart.tgz
       - name: Extract version number
         id: get_version
-        uses: actions/github-script@v4.0.2
+        uses: actions/github-script@0.2.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             return context.payload.ref.replace(/\/refs\/tags\/version\//, '');
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1.1.4
+        uses: actions/create-release@v1.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -42,3 +51,13 @@ jobs:
           release_name: Release ${{ steps.get_version.outputs.result }}
           draft: true
           prerelease: false
+      - name: Upload packaged Helm Chart
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1.0.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./authentik-chart.tgz
+          asset_name: authentik-chart.tgz
+          asset_content_type: application/gzip

.gitignore

@@ -201,6 +201,3 @@ local.env.yml
 selenium_screenshots/
 backups/
 media/
-*mmdb
-
-.idea/

.prospector.yaml

@@ -0,0 +1,12 @@
+strictness: medium
+test-warnings: true
+doc-warnings: false
+
+ignore-paths:
+  - migrations
+  - docs
+  - node_modules
+
+uses:
+  - django
+  - celery

.pylintrc

@@ -0,0 +1,29 @@
+[MASTER]
+
+disable =
+    arguments-differ,
+    no-self-use,
+    fixme,
+    locally-disabled,
+    too-many-ancestors,
+    too-few-public-methods,
+    import-outside-toplevel,
+    bad-continuation,
+    signature-differs,
+    similarities,
+    cyclic-import,
+    protected-access,
+    unsubscriptable-object # remove when pylint is upgraded to 2.6
+
+load-plugins=pylint_django,pylint.extensions.bad_builtin
+
+extension-pkg-whitelist=lxml,xmlsec
+
+# Allow constants to be shorter than normal (and lowercase, for settings.py)
+const-rgx=[a-zA-Z0-9_]{1,40}$
+
+ignored-modules=django-otp
+generated-members=xmlsec.constants.*,xmlsec.tree.*,xmlsec.template.*
+ignore=migrations
+max-attributes=12
+max-branches=20

Dockerfile

@@ -1,4 +1,3 @@
-# Stage 1: Lock python dependencies
 FROM python:3.9-slim-buster as locker
 
 COPY ./Pipfile /app/
@@ -8,80 +7,42 @@ WORKDIR /app/
 
 RUN pip install pipenv && \
     pipenv lock -r > requirements.txt && \
-    pipenv lock -r --dev-only > requirements-dev.txt
+    pipenv lock -rd > requirements-dev.txt
 
-# Stage 2: Build web API
-FROM openapitools/openapi-generator-cli as api-builder
-
-COPY ./schema.yml /local/schema.yml
-
-RUN	docker-entrypoint.sh generate \
-    -i /local/schema.yml \
-    -g typescript-fetch \
-    -o /local/web/api \
-    --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
-
-# Stage 3: Build webui
-FROM node as npm-builder
-
-COPY ./web /static/
-COPY --from=api-builder /local/web/api /static/api
-
-ENV NODE_ENV=production
-RUN cd /static && npm i && npm run build
-
-# Stage 4: Build go proxy
-FROM golang:1.16.5 AS builder
-
-WORKDIR /work
-
-COPY --from=npm-builder /static/robots.txt /work/web/robots.txt
-COPY --from=npm-builder /static/security.txt /work/web/security.txt
-COPY --from=npm-builder /static/dist/ /work/web/dist/
-COPY --from=npm-builder /static/authentik/ /work/web/authentik/
-
-COPY ./cmd /work/cmd
-COPY ./web/static.go /work/web/static.go
-COPY ./internal /work/internal
-COPY ./go.mod /work/go.mod
-COPY ./go.sum /work/go.sum
-
-RUN go build -o /work/authentik ./cmd/server/main.go
-
-# Stage 5: Run
 FROM python:3.9-slim-buster
 
 WORKDIR /
 COPY --from=locker /app/requirements.txt /
 COPY --from=locker /app/requirements-dev.txt /
 
-ARG GIT_BUILD_HASH
-ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
-
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends curl ca-certificates gnupg git runit && \
+    apt-get install -y --no-install-recommends curl ca-certificates gnupg && \
     curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
     echo "deb http://apt.postgresql.org/pub/repos/apt buster-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
     apt-get update && \
-    apt-get install -y --no-install-recommends libpq-dev postgresql-client build-essential libxmlsec1-dev pkg-config libmaxminddb0 && \
-    pip install -r /requirements.txt --no-cache-dir && \
-    apt-get remove --purge -y build-essential git && \
-    apt-get autoremove --purge -y && \
+    apt-get install -y --no-install-recommends postgresql-client-12 postgresql-client-11 build-essential libxmlsec1-dev pkg-config && \
     apt-get clean && \
-    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
+    pip install -r /requirements.txt --no-cache-dir && \
+    apt-get remove --purge -y build-essential && \
+    apt-get autoremove --purge -y && \
+    # This is quite hacky, but docker has no guaranteed Group ID
+    # we could instead check for the GID of the socket and add the user dynamically,
+    # but then we have to drop permmissions later
+    groupadd -g 998 docker_998 && \
+    groupadd -g 999 docker_999 && \
     adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
+    usermod -a -G docker_998 authentik && \
+    usermod -a -G docker_999 authentik && \
     mkdir /backups && \
     chown authentik:authentik /backups
 
 COPY ./authentik/ /authentik
-COPY ./pyproject.toml /
+COPY ./pytest.ini /
 COPY ./xml /xml
-COPY ./tests /tests
 COPY ./manage.py /
 COPY ./lifecycle/ /lifecycle
-COPY --from=builder /work/authentik /authentik-proxy
 
 USER authentik
+STOPSIGNAL SIGINT
 ENV TMPDIR /dev/shm/
-ENV PYTHONUBUFFERED 1
 ENTRYPOINT [ "/lifecycle/bootstrap.sh" ]

Makefile

@@ -1,65 +1,43 @@
-.SHELLFLAGS += -x -e
-PWD = $(shell pwd)
-UID = $(shell id -u)
-GID = $(shell id -g)
+all: lint-fix lint coverage gen
 
-all: lint-fix lint test gen
+test-full:
+	coverage run manage.py test --failfast -v 3 .
+	coverage html
+	coverage report
 
 test-integration:
 	k3d cluster create || exit 0
 	k3d kubeconfig write -o ~/.kube/config --overwrite
-	coverage run manage.py test -v 3 tests/integration
+	coverage run manage.py test --failfast -v 3 tests/integration
 
 test-e2e:
 	coverage run manage.py test --failfast -v 3 tests/e2e
 
-test:
-	coverage run manage.py test -v 3 authentik
+coverage:
+	coverage run manage.py test --failfast -v 3 authentik
 	coverage html
 	coverage report
 
 lint-fix:
-	isort authentik tests lifecycle
+	isort -rc authentik tests lifecycle
 	black authentik tests lifecycle
 
 lint:
 	pyright authentik tests lifecycle
 	bandit -r authentik tests lifecycle -x node_modules
 	pylint authentik tests lifecycle
+	prospector
 
-gen-build:
-	./manage.py spectacular --file schema.yml
+gen: coverage
+	./manage.py generate_swagger -o swagger.yaml -f yaml
 
-gen-clean:
-	rm -rf web/api/src/
-	rm -rf outpost/api/
+local-stack:
+	export AUTHENTIK_TAG=testing
+	docker build -t beryju/authentik:testng .
+	docker-compose up -d
+	docker-compose run --rm server migrate
 
-gen-web:
-	docker run \
-		--rm -v ${PWD}:/local \
-		--user ${UID}:${GID} \
-		openapitools/openapi-generator-cli generate \
-		-i /local/schema.yml \
-		-g typescript-fetch \
-		-o /local/web/api \
-		--additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
-	cd web/api && npx tsc
-
-gen-outpost:
-	docker run \
-		--rm -v ${PWD}:/local \
-		--user ${UID}:${GID} \
-		openapitools/openapi-generator-cli generate \
-		--git-host goauthentik.io \
-		--git-repo-id outpost \
-		--git-user-id api \
-		-i /local/schema.yml \
-		-g go \
-		-o /local/outpost/api \
-		--additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true
-	rm -f outpost/api/go.mod outpost/api/go.sum
-
-gen: gen-build gen-clean gen-web gen-outpost
-
-run:
-	go run -v cmd/server/main.go
+build-static:
+	docker-compose -f scripts/ci.docker-compose.yml up -d
+	docker build -t beryju/authentik-static -f static.Dockerfile --network=scripts_default .
+	docker-compose -f scripts/ci.docker-compose.yml down -v

Pipfile

@@ -6,59 +6,59 @@ verify_ssl = true
 [packages]
 boto3 = "*"
 celery = "*"
-channels = "*"
-channels-redis = "*"
-dacite = "*"
 defusedxml = "*"
 django = "*"
-django-dbbackup = { git = 'https://github.com/django-dbbackup/django-dbbackup.git', ref = '9d1909c30a3271c8c9c8450add30d6e0b996e145' }
+django-cors-middleware = "*"
+django-dbbackup = "*"
 django-filter = "*"
 django-guardian = "*"
 django-model-utils = "*"
 django-otp = "*"
 django-prometheus = "*"
+django-recaptcha = "*"
 django-redis = "*"
-django-storages = "*"
 djangorestframework = "*"
+django-storages = "*"
 djangorestframework-guardian = "*"
-docker = "*"
-drf-spectacular = "*"
+drf_yasg2 = "*"
 facebook-sdk = "*"
-geoip2 = "*"
-gunicorn = "*"
-kubernetes = "*"
 ldap3 = "*"
-lxml = ">=4.6.3"
+lxml = "*"
 packaging = "*"
 psycopg2-binary = "*"
 pycryptodome = "*"
-pyjwt = "*"
+pyjwkest = "*"
+uvicorn = {extras = ["standard"],version = "*"}
+gunicorn = "*"
 pyyaml = "*"
+qrcode = "*"
 requests-oauthlib = "*"
 sentry-sdk = "*"
 service_identity = "*"
 structlog = "*"
 swagger-spec-validator = "*"
-twisted = "==20.3.0"
 urllib3 = {extras = ["secure"],version = "*"}
-uvicorn = {extras = ["standard"],version = "*"}
-webauthn = "*"
+dacite = "*"
+channels = "*"
+channels-redis = "*"
+kubernetes = "*"
+docker = "*"
 xmlsec = "*"
-duo-client = "*"
-ua-parser = "*"
 
 [requires]
 python_version = "3.9"
 
 [dev-packages]
+autopep8 = "*"
 bandit = "*"
-black = "==21.5b1"
-bump2version = "*"
+black = "==20.8b1"
+bumpversion = "*"
 colorama = "*"
 coverage = "*"
+django-debug-toolbar = "*"
 pylint = "*"
 pylint-django = "*"
+selenium = "*"
+prospector = "*"
 pytest = "*"
 pytest-django = "*"
-selenium = "*"
-requests-mock = "*"

README.md

@@ -1,17 +1,13 @@
-<p align="center">
-    <img src="https://goauthentik.io/img/icon_top_brand_colour.svg" height="150" alt="authentik logo">
-</p>
+<img src="https://goauthentik.io/img/icon_top_brand_colour.svg" height="250" alt="authentik logo">
 
 ---
 
-[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=flat-square)](https://discord.gg/jg33eMhnj6)
-[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/6?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
-[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/6?compact_message&style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
-[![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=flat-square)](https://codecov.io/gh/goauthentik/authentik)
+[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/1?style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
+[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/1?compact_message&style=flat-square)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=1)
+[![Code Coverage](https://img.shields.io/codecov/c/gh/beryju/authentik?style=flat-square)](https://codecov.io/gh/BeryJu/authentik)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=flat-square)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=flat-square)
-![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/goauthentik/authentik?style=flat-square)
-[Transifex](https://www.transifex.com/beryjuorg/authentik/)
+![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/BeryJu/authentik?style=flat-square)
 
 ## What is authentik?
 
@@ -25,14 +21,12 @@ For bigger setups, there is a Helm Chart in the `helm/` directory. This is docum
 
 ## Screenshots
 
-Light | Dark
---- | ---
-![](https://goauthentik.io/img/screen_apps_light.jpg) | ![](https://goauthentik.io/img/screen_apps_dark.jpg)
-![](https://goauthentik.io/img/screen_admin_light.jpg) | ![](https://goauthentik.io/img/screen_admin_dark.jpg)
+![](https://goauthentik.io/img/screen_apps.png)
+![](https://goauthentik.io/img/screen_admin.png)
 
 ## Development
 
-See [Development Documentation](https://goauthentik.io/developer-docs/)
+See [Development Documentation](https://goauthentik.io/docs/development/local-dev-environment)
 
 ## Security
 

SECURITY.md

@@ -2,10 +2,13 @@
 
 ## Supported Versions
 
-| Version    | Supported          |
-| ---------- | ------------------ |
-| 2021.4.x   | :white_check_mark: |
-| 2021.5.x   | :white_check_mark: |
+As authentik is currently in a pre-stable, only the latest "stable" version is supported. After authentik 1.0, this will change.
+
+| Version  | Supported          |
+| -------- | ------------------ |
+| 0.12.x   | :white_check_mark: |
+| 0.13.x   | :white_check_mark: |
+| 0.14.x   | :white_check_mark: |
 
 ## Reporting a Vulnerability
 

authentik/__init__.py

@@ -1,3 +1,2 @@
 """authentik"""
-__version__ = "2021.6.1-rc2"
-ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
+__version__ = "0.14.2-stable"

authentik/admin/api/meta.py

@@ -1,31 +0,0 @@
-"""Meta API"""
-from drf_spectacular.utils import extend_schema
-from rest_framework.fields import CharField
-from rest_framework.permissions import IsAdminUser
-from rest_framework.request import Request
-from rest_framework.response import Response
-from rest_framework.viewsets import ViewSet
-
-from authentik.core.api.utils import PassiveSerializer
-from authentik.lib.utils.reflection import get_apps
-
-
-class AppSerializer(PassiveSerializer):
-    """Serialize Application info"""
-
-    name = CharField()
-    label = CharField()
-
-
-class AppsViewSet(ViewSet):
-    """Read-only view set list all installed apps"""
-
-    permission_classes = [IsAdminUser]
-
-    @extend_schema(responses={200: AppSerializer(many=True)})
-    def list(self, request: Request) -> Response:
-        """List current messages and pass into Serializer"""
-        data = []
-        for app in sorted(get_apps(), key=lambda app: app.name):
-            data.append({"name": app.name, "label": app.verbose_name})
-        return Response(AppSerializer(data, many=True).data)

authentik/admin/api/metrics.py

@@ -2,23 +2,24 @@
 import time
 from collections import Counter
 from datetime import timedelta
+from typing import Dict, List
 
-from django.db.models import Count, ExpressionWrapper, F
+from django.db.models import Count, ExpressionWrapper, F, Model
 from django.db.models.fields import DurationField
 from django.db.models.functions import ExtractHour
 from django.utils.timezone import now
-from drf_spectacular.utils import extend_schema, extend_schema_field
-from rest_framework.fields import IntegerField, SerializerMethodField
+from drf_yasg2.utils import swagger_auto_schema
+from rest_framework.fields import SerializerMethodField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.views import APIView
+from rest_framework.serializers import Serializer
+from rest_framework.viewsets import ViewSet
 
-from authentik.core.api.utils import PassiveSerializer
 from authentik.events.models import Event, EventAction
 
 
-def get_events_per_1h(**filter_kwargs) -> list[dict[str, int]]:
+def get_events_per_1h(**filter_kwargs) -> List[Dict[str, int]]:
     """Get event count by hour in the last day, fill with zeros"""
     date_from = now() - timedelta(days=1)
     result = (
@@ -31,51 +32,47 @@ def get_events_per_1h(**filter_kwargs) -> list[dict[str, int]]:
         .annotate(count=Count("pk"))
         .order_by("age_hours")
     )
-    data = Counter({int(d["age_hours"]): d["count"] for d in result})
+    data = Counter({d["age_hours"]: d["count"] for d in result})
     results = []
     _now = now()
     for hour in range(0, -24, -1):
         results.append(
             {
-                "x_cord": time.mktime((_now + timedelta(hours=hour)).timetuple())
-                * 1000,
-                "y_cord": data[hour * -1],
+                "x": time.mktime((_now + timedelta(hours=hour)).timetuple()) * 1000,
+                "y": data[hour * -1],
             }
         )
     return results
 
 
-class CoordinateSerializer(PassiveSerializer):
-    """Coordinates for diagrams"""
-
-    x_cord = IntegerField(read_only=True)
-    y_cord = IntegerField(read_only=True)
-
-
-class LoginMetricsSerializer(PassiveSerializer):
+class AdministrationMetricsSerializer(Serializer):
     """Login Metrics per 1h"""
 
     logins_per_1h = SerializerMethodField()
     logins_failed_per_1h = SerializerMethodField()
 
-    @extend_schema_field(CoordinateSerializer(many=True))
     def get_logins_per_1h(self, _):
         """Get successful logins per hour for the last 24 hours"""
         return get_events_per_1h(action=EventAction.LOGIN)
 
-    @extend_schema_field(CoordinateSerializer(many=True))
     def get_logins_failed_per_1h(self, _):
         """Get failed logins per hour for the last 24 hours"""
         return get_events_per_1h(action=EventAction.LOGIN_FAILED)
 
+    def create(self, validated_data: dict) -> Model:
+        raise NotImplementedError
 
-class AdministrationMetricsViewSet(APIView):
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+
+class AdministrationMetricsViewSet(ViewSet):
     """Login Metrics per 1h"""
 
     permission_classes = [IsAdminUser]
 
-    @extend_schema(responses={200: LoginMetricsSerializer(many=False)})
-    def get(self, request: Request) -> Response:
+    @swagger_auto_schema(responses={200: AdministrationMetricsSerializer(many=True)})
+    def list(self, request: Request) -> Response:
         """Login Metrics per 1h"""
-        serializer = LoginMetricsSerializer(True)
+        serializer = AdministrationMetricsSerializer(True)
         return Response(serializer.data)

authentik/admin/api/system.py

@@ -1,91 +0,0 @@
-"""authentik administration overview"""
-import os
-import platform
-from datetime import datetime
-from sys import version as python_version
-from typing import TypedDict
-
-from django.utils.timezone import now
-from drf_spectacular.utils import extend_schema
-from gunicorn import version_info as gunicorn_version
-from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
-from rest_framework.fields import SerializerMethodField
-from rest_framework.permissions import IsAdminUser
-from rest_framework.request import Request
-from rest_framework.response import Response
-from rest_framework.views import APIView
-
-from authentik.core.api.utils import PassiveSerializer
-
-
-class RuntimeDict(TypedDict):
-    """Runtime information"""
-
-    python_version: str
-    gunicorn_version: str
-    environment: str
-    architecture: str
-    platform: str
-    uname: str
-
-
-class SystemSerializer(PassiveSerializer):
-    """Get system information."""
-
-    http_headers = SerializerMethodField()
-    http_host = SerializerMethodField()
-    http_is_secure = SerializerMethodField()
-    runtime = SerializerMethodField()
-    tenant = SerializerMethodField()
-    server_time = SerializerMethodField()
-
-    def get_http_headers(self, request: Request) -> dict[str, str]:
-        """Get HTTP Request headers"""
-        headers = {}
-        for key, value in request.META.items():
-            if not isinstance(value, str):
-                continue
-            headers[key] = value
-        return headers
-
-    def get_http_host(self, request: Request) -> str:
-        """Get HTTP host"""
-        return request._request.get_host()
-
-    def get_http_is_secure(self, request: Request) -> bool:
-        """Get HTTP Secure flag"""
-        return request._request.is_secure()
-
-    def get_runtime(self, request: Request) -> RuntimeDict:
-        """Get versions"""
-        return {
-            "python_version": python_version,
-            "gunicorn_version": ".".join(str(x) for x in gunicorn_version),
-            "environment": "kubernetes"
-            if SERVICE_HOST_ENV_NAME in os.environ
-            else "compose",
-            "architecture": platform.machine(),
-            "platform": platform.platform(),
-            "uname": " ".join(platform.uname()),
-        }
-
-    def get_tenant(self, request: Request) -> str:
-        """Currently active tenant"""
-        return str(request._request.tenant)
-
-    def get_server_time(self, request: Request) -> datetime:
-        """Current server time"""
-        return now()
-
-
-class SystemView(APIView):
-    """Get system information."""
-
-    permission_classes = [IsAdminUser]
-    pagination_class = None
-    filter_backends = []
-
-    @extend_schema(responses={200: SystemSerializer(many=False)})
-    def get(self, request: Request) -> Response:
-        """Get system information."""
-        return Response(SystemSerializer(request).data)

authentik/admin/api/tasks.py

@@ -2,83 +2,48 @@
 from importlib import import_module
 
 from django.contrib import messages
+from django.db.models import Model
 from django.http.response import Http404
 from django.utils.translation import gettext_lazy as _
-from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiResponse, extend_schema
+from drf_yasg2.utils import swagger_auto_schema
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, ChoiceField, DateTimeField, ListField
+from rest_framework.fields import CharField, DateTimeField, IntegerField, ListField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
+from rest_framework.serializers import Serializer
 from rest_framework.viewsets import ViewSet
 
-from authentik.core.api.utils import PassiveSerializer
-from authentik.events.monitored_tasks import TaskInfo, TaskResultStatus
+from authentik.lib.tasks import TaskInfo
 
 
-class TaskSerializer(PassiveSerializer):
+class TaskSerializer(Serializer):
     """Serialize TaskInfo and TaskResult"""
 
     task_name = CharField()
     task_description = CharField()
-    task_finish_timestamp = DateTimeField(source="finish_time")
+    task_finish_timestamp = DateTimeField(source="finish_timestamp")
 
-    status = ChoiceField(
-        source="result.status.name",
-        choices=[(x.name, x.name) for x in TaskResultStatus],
-    )
+    status = IntegerField(source="result.status.value")
     messages = ListField(source="result.messages")
 
-    def to_representation(self, instance):
-        """When a new version of authentik adds fields to TaskInfo,
-        the API will fail with an AttributeError, as the classes
-        are pickled in cache. In that case, just delete the info"""
-        try:
-            return super().to_representation(instance)
-        except AttributeError:
-            if isinstance(self.instance, list):
-                for inst in self.instance:
-                    inst.delete()
-            else:
-                self.instance.delete()
-            return {}
+    def create(self, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        raise NotImplementedError
 
 
 class TaskViewSet(ViewSet):
     """Read-only view set that returns all background tasks"""
 
     permission_classes = [IsAdminUser]
-    serializer_class = TaskSerializer
 
-    @extend_schema(
-        responses={
-            200: TaskSerializer(many=False),
-            404: OpenApiResponse(description="Task not found"),
-        }
-    )
-    # pylint: disable=invalid-name
-    def retrieve(self, request: Request, pk=None) -> Response:
-        """Get a single system task"""
-        task = TaskInfo.by_name(pk)
-        if not task:
-            raise Http404
-        return Response(TaskSerializer(task, many=False).data)
-
-    @extend_schema(responses={200: TaskSerializer(many=True)})
+    @swagger_auto_schema(responses={200: TaskSerializer(many=True)})
     def list(self, request: Request) -> Response:
-        """List system tasks"""
-        tasks = sorted(TaskInfo.all().values(), key=lambda task: task.task_name)
-        return Response(TaskSerializer(tasks, many=True).data)
+        """List current messages and pass into Serializer"""
+        return Response(TaskSerializer(TaskInfo.all().values(), many=True).data)
 
-    @extend_schema(
-        request=OpenApiTypes.NONE,
-        responses={
-            204: OpenApiResponse(description="Task retried successfully"),
-            404: OpenApiResponse(description="Task not found"),
-            500: OpenApiResponse(description="Failed to retry task"),
-        },
-    )
     @action(detail=True, methods=["post"])
     # pylint: disable=invalid-name
     def retry(self, request: Request, pk=None) -> Response:
@@ -97,8 +62,12 @@ class TaskViewSet(ViewSet):
                     % {"name": task.task_name}
                 ),
             )
-            return Response(status=204)
+            return Response(
+                {
+                    "successful": True,
+                }
+            )
         except ImportError:  # pragma: no cover
             # if we get an import error, the module path has probably changed
             task.delete()
-            return Response(status=500)
+            return Response({"successful": False})

authentik/admin/api/version.py

@@ -1,32 +1,27 @@
 """authentik administration overview"""
-from os import environ
-
 from django.core.cache import cache
-from drf_spectacular.utils import extend_schema
+from django.db.models import Model
+from drf_yasg2.utils import swagger_auto_schema
 from packaging.version import parse
 from rest_framework.fields import SerializerMethodField
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.mixins import ListModelMixin
+from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.views import APIView
+from rest_framework.serializers import Serializer
+from rest_framework.viewsets import GenericViewSet
 
-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import __version__
 from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
-from authentik.core.api.utils import PassiveSerializer
 
 
-class VersionSerializer(PassiveSerializer):
+class VersionSerializer(Serializer):
     """Get running and latest version."""
 
     version_current = SerializerMethodField()
     version_latest = SerializerMethodField()
-    build_hash = SerializerMethodField()
     outdated = SerializerMethodField()
 
-    def get_build_hash(self, _) -> str:
-        """Get build hash, if version is not latest or released"""
-        return environ.get(ENV_GIT_HASH_KEY, "")
-
     def get_version_current(self, _) -> str:
         """Get current version"""
         return __version__
@@ -45,15 +40,22 @@ class VersionSerializer(PassiveSerializer):
             self.get_version_latest(instance)
         )
 
+    def create(self, validated_data: dict) -> Model:
+        raise NotImplementedError
 
-class VersionView(APIView):
+    def update(self, instance: Model, validated_data: dict) -> Model:
+        raise NotImplementedError
+
+
+class VersionViewSet(ListModelMixin, GenericViewSet):
     """Get running and latest version."""
 
-    permission_classes = [IsAuthenticated]
-    pagination_class = None
-    filter_backends = []
+    permission_classes = [IsAdminUser]
 
-    @extend_schema(responses={200: VersionSerializer(many=False)})
-    def get(self, request: Request) -> Response:
+    def get_queryset(self):  # pragma: no cover
+        return None
+
+    @swagger_auto_schema(responses={200: VersionSerializer(many=True)})
+    def list(self, request: Request) -> Response:
         """Get running and latest version."""
         return Response(VersionSerializer(True).data)

authentik/admin/api/workers.py

@@ -1,26 +1,25 @@
 """authentik administration overview"""
-from drf_spectacular.utils import extend_schema, inline_serializer
-from prometheus_client import Gauge
-from rest_framework.fields import IntegerField
+from rest_framework.mixins import ListModelMixin
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.views import APIView
+from rest_framework.serializers import Serializer
+from rest_framework.viewsets import GenericViewSet
 
 from authentik.root.celery import CELERY_APP
 
-GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 
-
-class WorkerView(APIView):
+class WorkerViewSet(ListModelMixin, GenericViewSet):
     """Get currently connected worker count."""
 
+    serializer_class = Serializer
     permission_classes = [IsAdminUser]
 
-    @extend_schema(
-        responses=inline_serializer("Workers", fields={"count": IntegerField()})
-    )
-    def get(self, request: Request) -> Response:
+    def get_queryset(self):  # pragma: no cover
+        return None
+
+    def list(self, request: Request) -> Response:
         """Get currently connected worker count."""
-        count = len(CELERY_APP.control.ping(timeout=0.5))
-        return Response({"count": count})
+        return Response(
+            {"pagination": {"count": len(CELERY_APP.control.ping(timeout=0.5))}}
+        )

authentik/admin/apps.py

@@ -7,4 +7,5 @@ class AuthentikAdminConfig(AppConfig):
 
     name = "authentik.admin"
     label = "authentik_admin"
+    mountpoint = "administration/"
     verbose_name = "authentik Admin"

authentik/admin/fields.py

@@ -0,0 +1,107 @@
+"""Additional fields"""
+import yaml
+from django import forms
+from django.utils.datastructures import MultiValueDict
+from django.utils.translation import gettext_lazy as _
+
+
+class ArrayFieldSelectMultiple(forms.SelectMultiple):
+    """This is a Form Widget for use with a Postgres ArrayField. It implements
+    a multi-select interface that can be given a set of `choices`.
+    You can provide a `delimiter` keyword argument to specify the delimeter used.
+
+    https://gist.github.com/stephane/00e73c0002de52b1c601"""
+
+    def __init__(self, *args, **kwargs):
+        # Accept a `delimiter` argument, and grab it (defaulting to a comma)
+        self.delimiter = kwargs.pop("delimiter", ",")
+        super().__init__(*args, **kwargs)
+
+    def value_from_datadict(self, data, files, name):
+        if isinstance(data, MultiValueDict):
+            # Normally, we'd want a list here, which is what we get from the
+            # SelectMultiple superclass, but the SimpleArrayField expects to
+            # get a delimited string, so we're doing a little extra work.
+            return self.delimiter.join(data.getlist(name))
+
+        return data.get(name)
+
+    def get_context(self, name, value, attrs):
+        return super().get_context(name, value.split(self.delimiter), attrs)
+
+
+class CodeMirrorWidget(forms.Textarea):
+    """Custom Textarea-based Widget that triggers a CodeMirror editor"""
+
+    # CodeMirror mode to enable
+    mode: str
+
+    template_name = "fields/codemirror.html"
+
+    def __init__(self, *args, mode="yaml", **kwargs):
+        super().__init__(*args, **kwargs)
+        self.mode = mode
+
+    def render(self, *args, **kwargs):
+        attrs = kwargs.setdefault("attrs", {})
+        attrs["mode"] = self.mode
+        return super().render(*args, **kwargs)
+
+
+class InvalidYAMLInput(str):
+    """Invalid YAML String type"""
+
+
+class YAMLString(str):
+    """YAML String type"""
+
+
+class YAMLField(forms.JSONField):
+    """Django's JSON Field converted to YAML"""
+
+    default_error_messages = {
+        "invalid": _("'%(value)s' value must be valid YAML."),
+    }
+    widget = forms.Textarea
+
+    def to_python(self, value):
+        if self.disabled:
+            return value
+        if value in self.empty_values:
+            return None
+        if isinstance(value, (list, dict, int, float, YAMLString)):
+            return value
+        try:
+            converted = yaml.safe_load(value)
+        except yaml.YAMLError:
+            raise forms.ValidationError(
+                self.error_messages["invalid"],
+                code="invalid",
+                params={"value": value},
+            )
+        if isinstance(converted, str):
+            return YAMLString(converted)
+        if converted is None:
+            return {}
+        return converted
+
+    def bound_data(self, data, initial):
+        if self.disabled:
+            return initial
+        try:
+            return yaml.safe_load(data)
+        except yaml.YAMLError:
+            return InvalidYAMLInput(data)
+
+    def prepare_value(self, value):
+        if isinstance(value, InvalidYAMLInput):
+            return value
+        return yaml.dump(value, explicit_start=True, default_flow_style=False)
+
+    def has_changed(self, initial, data):
+        if super().has_changed(initial, data):
+            return True
+        # For purposes of seeing whether something has changed, True isn't the
+        # same as 1 and the order of keys doesn't matter.
+        data = self.to_python(data)
+        return yaml.dump(initial, sort_keys=True) != yaml.dump(data, sort_keys=True)

authentik/admin/forms/overview.py

@@ -0,0 +1,18 @@
+"""Forms for modals on overview page"""
+from django import forms
+
+
+class PolicyCacheClearForm(forms.Form):
+    """Form to clear Policy cache"""
+
+    title = "Clear Policy cache"
+    body = """Are you sure you want to clear the policy cache?
+    This will cause all policies to be re-evaluated on their next usage."""
+
+
+class FlowCacheClearForm(forms.Form):
+    """Form to clear Flow cache"""
+
+    title = "Clear Flow cache"
+    body = """Are you sure you want to clear the flow cache?
+    This will cause all flows to be re-evaluated on their next usage."""

authentik/admin/forms/policies.py

@@ -0,0 +1,12 @@
+"""authentik administration forms"""
+from django import forms
+
+from authentik.admin.fields import CodeMirrorWidget, YAMLField
+from authentik.core.models import User
+
+
+class PolicyTestForm(forms.Form):
+    """Form to test policies against user"""
+
+    user = forms.ModelChoiceField(queryset=User.objects.all())
+    context = YAMLField(widget=CodeMirrorWidget(), required=False, initial=dict)

authentik/admin/forms/source.py

@@ -0,0 +1,19 @@
+"""authentik core source form fields"""
+
+SOURCE_FORM_FIELDS = [
+    "name",
+    "slug",
+    "enabled",
+    "authentication_flow",
+    "enrollment_flow",
+]
+SOURCE_SERIALIZER_FIELDS = [
+    "pk",
+    "name",
+    "slug",
+    "enabled",
+    "authentication_flow",
+    "enrollment_flow",
+    "verbose_name",
+    "verbose_name_plural",
+]

authentik/admin/forms/users.py

@@ -0,0 +1,22 @@
+"""authentik administrative user forms"""
+
+from django import forms
+
+from authentik.admin.fields import CodeMirrorWidget, YAMLField
+from authentik.core.models import User
+
+
+class UserForm(forms.ModelForm):
+    """Update User Details"""
+
+    class Meta:
+
+        model = User
+        fields = ["username", "name", "email", "is_active", "attributes"]
+        widgets = {
+            "name": forms.TextInput,
+            "attributes": CodeMirrorWidget,
+        }
+        field_classes = {
+            "attributes": YAMLField,
+        }

authentik/admin/mixins.py

@@ -0,0 +1,9 @@
+"""authentik admin mixins"""
+from django.contrib.auth.mixins import UserPassesTestMixin
+
+
+class AdminRequiredMixin(UserPassesTestMixin):
+    """Make sure user is administrator"""
+
+    def test_func(self):
+        return self.request.user.is_superuser

authentik/admin/settings.py

@@ -4,7 +4,7 @@ from celery.schedules import crontab
 CELERY_BEAT_SCHEDULE = {
     "admin_latest_version": {
         "task": "authentik.admin.tasks.update_latest_version",
-        "schedule": crontab(minute="*/60"),  # Run every hour
+        "schedule": crontab(minute=0),  # Run every hour
         "options": {"queue": "authentik_scheduled"},
     }
 }

authentik/admin/tasks.py

@@ -1,45 +1,24 @@
 """authentik admin tasks"""
-import re
-from os import environ
-
 from django.core.cache import cache
-from django.core.validators import URLValidator
 from packaging.version import parse
-from prometheus_client import Info
 from requests import RequestException, get
-from structlog.stdlib import get_logger
+from structlog import get_logger
 
-from authentik import ENV_GIT_HASH_KEY, __version__
+from authentik import __version__
 from authentik.events.models import Event, EventAction
-from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
+from authentik.lib.tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.root.celery import CELERY_APP
 
 LOGGER = get_logger()
 VERSION_CACHE_KEY = "authentik_latest_version"
-VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
-# Chop of the first ^ because we want to search the entire string
-URL_FINDER = URLValidator.regex.pattern[1:]
-PROM_INFO = Info("authentik_version", "Currently running authentik version")
-
-
-def _set_prom_info():
-    """Set prometheus info for version"""
-    PROM_INFO.info(
-        {
-            "version": __version__,
-            "latest": cache.get(VERSION_CACHE_KEY, ""),
-            "build_hash": environ.get(ENV_GIT_HASH_KEY, ""),
-        }
-    )
+VERSION_CACHE_TIMEOUT = 2 * 60 * 60  # 2 hours
 
 
 @CELERY_APP.task(bind=True, base=MonitoredTask)
 def update_latest_version(self: MonitoredTask):
     """Update latest version info"""
     try:
-        response = get(
-            "https://api.github.com/repos/goauthentik/authentik/releases/latest"
-        )
+        response = get("https://api.github.com/repos/beryju/authentik/releases/latest")
         response.raise_for_status()
         data = response.json()
         tag_name = data.get("tag_name")
@@ -50,7 +29,6 @@ def update_latest_version(self: MonitoredTask):
                 TaskResultStatus.SUCCESSFUL, ["Successfully updated latest Version"]
             )
         )
-        _set_prom_info()
         # Check if upstream version is newer than what we're running,
         # and if no event exists yet, create one.
         local_version = parse(__version__)
@@ -61,13 +39,7 @@ def update_latest_version(self: MonitoredTask):
                 context__new_version=upstream_version,
             ).exists():
                 return
-            event_dict = {"new_version": upstream_version}
-            if match := re.search(URL_FINDER, data.get("body", "")):
-                event_dict["message"] = f"Changelog: {match.group()}"
-            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
+            Event.new(EventAction.UPDATE_AVAILABLE, new_version=upstream_version).save()
     except (RequestException, IndexError) as exc:
         cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
         self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
-
-
-_set_prom_info()

authentik/admin/templates/administration/base.html

@@ -0,0 +1,5 @@
+{% load static %}
+{% load i18n %}
+
+{% block content %}
+{% endblock %}

authentik/admin/templates/administration/certificatekeypair/list.html

@@ -0,0 +1,116 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-key"></i>
+            {% trans 'Certificate-Key Pairs' %}
+        </h1>
+        <p>{% trans "Import certificates of external providers or create certificates to sign requests with." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-modal-button href="{% url 'authentik_admin:certificatekeypair-create' %}">
+                        <ak-spinner-button slot="trigger" class="pf-m-primary">
+                            {% trans 'Create' %}
+                        </ak-spinner-button>
+                        <div slot="modal"></div>
+                    </ak-modal-button>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Private Key available' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Fingerprint' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for kp in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <div>
+                            <div>{{ kp.name }}</div>
+                        </div>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {% if kp.key_data is not None %}
+                            {% trans 'Yes' %}
+                            {% else %}
+                            {% trans 'No' %}
+                            {% endif %}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <code>{{ kp.fingerprint }}</code>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:certificatekeypair-update' pk=kp.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Edit' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:certificatekeypair-delete' pk=kp.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="pf-icon pf-icon-key pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Certificates.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any certificates." %}
+                {% else %}
+                    {% trans 'Currently no certificates exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <ak-modal-button href="{% url 'authentik_admin:certificatekeypair-create' %}">
+                    <ak-spinner-button slot="trigger" class="pf-m-primary">
+                        {% trans 'Create' %}
+                    </ak-spinner-button>
+                    <div slot="modal"></div>
+                </ak-modal-button>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/flow/import.html

@@ -0,0 +1,13 @@
+{% extends base_template|default:"generic/form.html" %}
+
+{% load i18n %}
+
+{% block above_form %}
+<h1>
+{% trans 'Import Flow' %}
+</h1>
+{% endblock %}
+
+{% block action %}
+{% trans 'Import Flow' %}
+{% endblock %}

authentik/admin/templates/administration/flow/list.html

@@ -0,0 +1,135 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-process-automation"></i>
+            {% trans 'Flows' %}
+        </h1>
+        <p>{% trans "Flows describe a chain of Stages to authenticate, enroll or recover a user. Stages are chosen based on policies applied to them." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-modal-button href="{% url 'authentik_admin:flow-create' %}">
+                        <ak-spinner-button slot="trigger" class="pf-m-primary">
+                            {% trans 'Create' %}
+                        </ak-spinner-button>
+                        <div slot="modal"></div>
+                    </ak-modal-button>
+                    <ak-modal-button href="{% url 'authentik_admin:flow-import' %}">
+                        <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                            {% trans 'Import' %}
+                        </ak-spinner-button>
+                        <div slot="modal"></div>
+                    </ak-modal-button>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Identifier' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Designation' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Stages' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Policies' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for flow in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <a href="/flows/{{ flow.slug }}">
+                            <div><code>{{ flow.slug }}</code></div>
+                            <small>{{ flow.name }}</small>
+                        </a>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ flow.designation }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ flow.stages.all|length }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ flow.policies.all|length }}
+                        </span>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:flow-update' pk=flow.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Edit' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:flow-delete' pk=flow.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <a class="pf-c-button pf-m-secondary ak-root-link" href="{% url 'authentik_admin:flow-execute' pk=flow.pk %}?next={{ request.get_full_path }}">{% trans 'Execute' %}</a>
+                        <a class="pf-c-button pf-m-secondary ak-root-link" href="{% url 'authentik_admin:flow-export' pk=flow.pk %}?next={{ request.get_full_path }}">{% trans 'Export' %}</a>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="pf-icon pf-icon-process-automation pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Flows.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any flows." %}
+                {% else %}
+                    {% trans 'Currently no flows exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <ak-modal-button href="{% url 'authentik_admin:flow-create' %}">
+                    <ak-spinner-button slot="trigger" class="pf-m-primary">
+                        {% trans 'Create' %}
+                    </ak-spinner-button>
+                    <div slot="modal"></div>
+                </ak-modal-button>
+                <ak-modal-button href="{% url 'authentik_admin:flow-import' %}">
+                    <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                        {% trans 'Import' %}
+                    </ak-spinner-button>
+                    <div slot="modal"></div>
+                </ak-modal-button>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/group/list.html

@@ -0,0 +1,114 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-users"></i>
+            {% trans 'Groups' %}
+        </h1>
+        <p>{% trans "Group users together and give them permissions based on the membership." %}
+        </p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-modal-button href="{% url 'authentik_admin:group-create' %}">
+                        <ak-spinner-button slot="trigger" class="pf-m-primary">
+                            {% trans 'Create' %}
+                        </ak-spinner-button>
+                        <div slot="modal"></div>
+                    </ak-modal-button>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Parent' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Members' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for group in object_list %}
+                <tr role="row">
+                    <td role="cell">
+                        <span>
+                            {{ group.name }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ group.parent }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ group.users.all|length }}
+                        </span>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:group-update' pk=group.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Edit' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:group-delete' pk=group.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="pf-icon pf-icon-users pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Groups.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any groups." %}
+                {% else %}
+                    {% trans 'Currently no group exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <ak-modal-button href="{% url 'authentik_admin:group-create' %}">
+                    <ak-spinner-button slot="trigger" class="pf-m-primary">
+                        {% trans 'Create' %}
+                    </ak-spinner-button>
+                    <div slot="modal"></div>
+                </ak-modal-button>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/outpost/list.html

@@ -0,0 +1,149 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load humanize %}
+{% load authentik_utils %}
+{% load admin_reflection %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-zone"></i>
+            {% trans 'Outposts' %}
+        </h1>
+        <p>{% trans "Outposts are deployments of authentik components to support different environments and protocols, like reverse proxies." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-modal-button href="{% url 'authentik_admin:outpost-create' %}">
+                        <ak-spinner-button slot="trigger" class="pf-m-primary">
+                            {% trans 'Create' %}
+                        </ak-spinner-button>
+                        <div slot="modal"></div>
+                    </ak-modal-button>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Providers' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Health' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Version' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for outpost in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <span>{{ outpost.name }}</span>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ outpost.providers.all.select_subclasses|join:", " }}
+                        </span>
+                    </td>
+                    {% with states=outpost.state %}
+                    {% if states|length > 0 %}
+                        <td role="cell">
+                            {% for state in states %}
+                            <div>
+                                {% if state.last_seen %}
+                                <i class="fas fa-check pf-m-success"></i> {{ state.last_seen|naturaltime }}
+                                {% else %}
+                                <i class="fas fa-times pf-m-danger"></i> {% trans 'Unhealthy' %}
+                                {% endif %}
+                            </div>
+                            {% endfor %}
+                        </td>
+                        <td role="cell">
+                            {% for state in states %}
+                                <div>
+                                    {% if not state.version %}
+                                    <i class="fas fa-question-circle"></i>
+                                    {% elif state.version_outdated %}
+                                    <i class="fas fa-times pf-m-danger"></i> {% blocktrans with is=state.version should=state.version_should %}{{ is }}, should be {{ should }}{% endblocktrans %}
+                                    {% else %}
+                                    <i class="fas fa-check pf-m-success"></i> {{ state.version }}
+                                    {% endif %}
+                                </div>
+                            {% endfor %}
+                        </td>
+                    {% else %}
+                        <td role="cell">
+                            <i class="fas fa-question-circle"></i>
+                        </td>
+                        <td role="cell">
+                            <i class="fas fa-question-circle"></i>
+                        </td>
+                    {% endif %}
+                    {% endwith %}
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:outpost-update' pk=outpost.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Edit' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:outpost-delete' pk=outpost.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        {% get_htmls outpost as htmls %}
+                        {% for html in htmls %}
+                        {{ html|safe }}
+                        {% endfor %}
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="fas fa-map-marker pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Outposts.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any outposts." %}
+                {% else %}
+                    {% trans 'Currently no outposts exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <ak-modal-button href="{% url 'authentik_admin:outpost-create' %}">
+                    <ak-spinner-button slot="trigger" class="pf-m-primary">
+                        {% trans 'Create' %}
+                    </ak-spinner-button>
+                    <div slot="modal"></div>
+                </ak-modal-button>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/outpost_service_connection/list.html

@@ -0,0 +1,154 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load humanize %}
+{% load authentik_utils %}
+{% load admin_reflection %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon-integration"></i>
+            {% trans 'Outpost Service-Connections' %}
+        </h1>
+        <p>{% trans "Outpost Service-Connections define how authentik connects to external platforms to manage and deploy Outposts." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-dropdown class="pf-c-dropdown">
+                        <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                            <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                            <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                        </button>
+                        <ul class="pf-c-dropdown__menu" hidden>
+                            {% for type, name in types.items %}
+                            <li>
+                                <ak-modal-button href="{% url 'authentik_admin:outpost-service-connection-create' %}?type={{ type }}">
+                                    <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                        {{ name|verbose_name }}<br>
+                                        <small>
+                                            {{ name|doc }}
+                                        </small>
+                                    </button>
+                                    <div slot="modal"></div>
+                                </ak-modal-button>
+                            </li>
+                            {% endfor %}
+                        </ul>
+                    </ak-dropdown>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Type' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Local?' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Status' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for sc in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <span>{{ sc.name }}</span>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ sc|verbose_name }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ sc.local|yesno:"Yes,No" }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {% if sc.state.healthy %}
+                            <i class="fas fa-check pf-m-success"></i> {{ sc.state.version }}
+                            {% else %}
+                            <i class="fas fa-times pf-m-danger"></i> {% trans 'Unhealthy' %}
+                            {% endif %}
+                        </span>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:outpost-service-connection-update' pk=sc.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Edit' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:outpost-service-connection-delete' pk=sc.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="fas fa-map-marker pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Outpost Service Connections.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any outposts." %}
+                {% else %}
+                    {% trans 'Currently no service connections exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <ak-dropdown class="pf-c-dropdown">
+                    <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                        <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                        <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                    </button>
+                    <ul class="pf-c-dropdown__menu" hidden>
+                        {% for type, name in types.items %}
+                        <li>
+                            <ak-modal-button href="{% url 'authentik_admin:outpost-service-connection-create' %}?type={{ type }}">
+                                <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                    {{ name|verbose_name }}<br>
+                                    <small>
+                                        {{ name|doc }}
+                                    </small>
+                                </button>
+                                <div slot="modal"></div>
+                            </ak-modal-button>
+                        </li>
+                        {% endfor %}
+                    </ul>
+                </ak-dropdown>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/policy/list.html

@@ -0,0 +1,148 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-infrastructure"></i>
+            {% trans 'Policies' %}
+        </h1>
+        <p>{% trans "Allow users to use Applications based on properties, enforce Password Criteria and selectively apply Stages." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-dropdown class="pf-c-dropdown">
+                        <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                            <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                            <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                        </button>
+                        <ul class="pf-c-dropdown__menu" hidden>
+                            {% for type, name in types.items %}
+                            <li>
+                                <ak-modal-button href="{% url 'authentik_admin:policy-create' %}?type={{ type }}">
+                                    <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                        {{ name|verbose_name }}<br>
+                                        <small>
+                                            {{ name|doc }}
+                                        </small>
+                                    </button>
+                                    <div slot="modal"></div>
+                                </ak-modal-button>
+                            </li>
+                            {% endfor %}
+                        </ul>
+                    </ak-dropdown>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Type' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for policy in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <div>
+                            <div>{{ policy.name }}</div>
+                            {% if not policy.bindings.exists and not policy.promptstage_set.exists %}
+                            <i class="pf-icon pf-icon-warning-triangle"></i>
+                            <small>{% trans 'Warning: Policy is not assigned.' %}</small>
+                            {% else %}
+                            <i class="pf-icon pf-icon-ok"></i>
+                            <small>{% blocktrans with object_count=policy.bindings.all|length %}Assigned to {{ object_count }} objects.{% endblocktrans %}</small>
+                            {% endif %}
+                        </div>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ policy|verbose_name }}
+                        </span>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:policy-update' pk=policy.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Edit' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:policy-test' pk=policy.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Test' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:policy-delete' pk=policy.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="pf-icon pf-icon-infrastructure pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Policies.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any policies." %}
+                {% else %}
+                    {% trans 'Currently no policies exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <ak-dropdown class="pf-c-dropdown">
+                    <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                        <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                        <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                    </button>
+                    <ul class="pf-c-dropdown__menu" hidden>
+                        {% for type, name in types.items %}
+                        <li>
+                            <ak-modal-button href="{% url 'authentik_admin:policy-create' %}?type={{ type }}">
+                                <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                    {{ name|verbose_name }}<br>
+                                    <small>
+                                        {{ name|doc }}
+                                    </small>
+                                </button>
+                                <div slot="modal"></div>
+                            </ak-modal-button>
+                        </li>
+                        {% endfor %}
+                    </ul>
+                </ak-dropdown>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/policy/test.html

@@ -0,0 +1,11 @@
+{% extends 'generic/form.html' %}
+
+{% load i18n %}
+
+{% block above_form %}
+<h1>{% blocktrans with policy=policy %}Test policy {{ policy }}{% endblocktrans %}</h1>
+{% endblock %}
+
+{% block action %}
+{% trans 'Test' %}
+{% endblock %}

authentik/admin/templates/administration/policy_binding/list.html

@@ -0,0 +1,119 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-infrastructure"></i>
+            {% trans 'Policy Bindings' %}
+        </h1>
+        <p>{% trans "Bind existing Policies to Models accepting policies." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-modal-button href="{% url 'authentik_admin:policy-binding-create' %}">
+                        <ak-spinner-button slot="trigger" class="pf-m-primary">
+                            {% trans 'Create' %}
+                        </ak-spinner-button>
+                        <div slot="modal"></div>
+                    </ak-modal-button>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Policy' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Enabled' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Order' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Timeout' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for pbm in object_list %}
+                    <tr role="role">
+                        <td>
+                            {{ pbm }}
+                            <small>
+                                {{ pbm|fieldtype }}
+                            </small>
+                        </td>
+                        <td></td>
+                        <td></td>
+                        <td></td>
+                        <td></td>
+                    </tr>
+                    {% for binding in pbm.bindings %}
+                    <tr class="row pf-c-table__expandable-row pf-m-expanded">
+                        <th role="cell">
+                            <div>{{ binding.policy }}</div>
+                            <small>
+                                {{ binding.policy|fieldtype }}
+                            </small>
+                        </th>
+                        <th role="cell">
+                            <div>{{ binding.enabled }}</div>
+                        </th>
+                        <th role="cell">
+                            <div>{{ binding.order }}</div>
+                        </th>
+                        <th role="cell">
+                            <div>{{ binding.timeout }}</div>
+                        </th>
+                        <td>
+                            <ak-modal-button href="{% url 'authentik_admin:policy-binding-update' pk=binding.pk %}">
+                                <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                    {% trans 'Edit' %}
+                                </ak-spinner-button>
+                                <div slot="modal"></div>
+                            </ak-modal-button>
+                            <ak-modal-button href="{% url 'authentik_admin:policy-binding-delete' pk=binding.pk %}">
+                                <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                    {% trans 'Delete' %}
+                                </ak-spinner-button>
+                                <div slot="modal"></div>
+                            </ak-modal-button>
+                        </td>
+                    </tr>
+                    {% endfor %}
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Policy Bindings.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                    {% trans 'Currently no policy bindings exist. Click the button below to create one.' %}
+                </div>
+                <ak-modal-button href="{% url 'authentik_admin:policy-binding-create' %}">
+                    <ak-spinner-button slot="trigger" class="pf-m-primary">
+                        {% trans 'Create' %}
+                    </ak-spinner-button>
+                    <div slot="modal"></div>
+                </ak-modal-button>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/property_mapping/list.html

@@ -0,0 +1,139 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-blueprint"></i>
+            {% trans 'Property Mappings' %}
+        </h1>
+        <p>{% trans "Control how authentik exposes and interprets information." %}
+        </p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-dropdown class="pf-c-dropdown">
+                        <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                            <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                            <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                        </button>
+                        <ul class="pf-c-dropdown__menu" hidden>
+                            {% for type, name in types.items %}
+                            <li>
+                                <ak-modal-button href="{% url 'authentik_admin:property-mapping-create' %}?type={{ type }}">
+                                    <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                        {{ name|verbose_name }}<br>
+                                        <small>
+                                            {{ name|doc }}
+                                        </small>
+                                    </button>
+                                    <div slot="modal"></div>
+                                </ak-modal-button>
+                            </li>
+                            {% endfor %}
+                        </ul>
+                    </ak-dropdown>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Type' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for property_mapping in object_list %}
+                <tr role="row">
+                    <td role="cell">
+                        <span>
+                            {{ property_mapping.name }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ property_mapping|verbose_name }}
+                        </span>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:property-mapping-update' pk=property_mapping.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Edit' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:property-mapping-delete' pk=property_mapping.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="pf-icon pf-icon-blueprint pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Property Mappings.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any property mappings." %}
+                {% else %}
+                    {% trans 'Currently no property mappings exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <ak-dropdown class="pf-c-dropdown">
+                    <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                        <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                        <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                    </button>
+                    <ul class="pf-c-dropdown__menu" hidden>
+                        {% for type, name in types.items %}
+                        <li>
+                            <ak-modal-button href="{% url 'authentik_admin:property-mapping-create' %}?type={{ type }}">
+                                <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                    {{ name|verbose_name }}<br>
+                                    <small>
+                                        {{ name|doc }}
+                                    </small>
+                                </button>
+                                <div slot="modal"></div>
+                            </ak-modal-button>
+                        </li>
+                        {% endfor %}
+                    </ul>
+                </ak-dropdown>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/provider/list.html

@@ -0,0 +1,170 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+{% load admin_reflection %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-integration"></i>
+            {% trans 'Providers' %}
+        </h1>
+        <p>{% trans "Provide support for protocols like SAML and OAuth to assigned applications." %}
+    </p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-dropdown class="pf-c-dropdown">
+                        <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                            <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                            <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                        </button>
+                        <ul class="pf-c-dropdown__menu" hidden>
+                            {% for type, name in types.items %}
+                            <li>
+                                <ak-modal-button href="{% url 'authentik_admin:provider-create' %}?type={{ type }}">
+                                    <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                        {{ name|verbose_name }}<br>
+                                        <small>
+                                            {{ name|doc }}
+                                        </small>
+                                    </button>
+                                    <div slot="modal"></div>
+                                </ak-modal-button>
+                            </li>
+                            {% endfor %}
+                            <li>
+                                <ak-modal-button href="{% url 'authentik_admin:provider-saml-from-metadata' %}">
+                                    <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                        {% trans 'SAML Provider from Metadata' %}<br>
+                                        <small>
+                                            {% trans "Create a SAML Provider by importing its Metadata." %}
+                                        </small>
+                                    </button>
+                                    <div slot="modal"></div>
+                                </ak-modal-button>
+                            </li>
+                        </ul>
+                    </ak-dropdown>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Type' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for provider in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <div>
+                            <div>{{ provider.name }}</div>
+                            {% if not provider.application %}
+                            <i class="pf-icon pf-icon-warning-triangle"></i>
+                            <small>{% trans 'Warning: Provider not assigned to any application.' %}</small>
+                            {% else %}
+                            <i class="pf-icon pf-icon-ok"></i>
+                            <small>
+                                {% blocktrans with app=provider.application %}
+                                    Assigned to application {{ app }}.
+                                {% endblocktrans %}
+                            </small>
+                            {% endif %}
+                        </div>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ provider|verbose_name }}
+                        </span>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:provider-update' pk=provider.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Edit' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:provider-delete' pk=provider.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        {% get_links provider as links %}
+                        {% for name, href in links.items %}
+                            <a class="pf-c-button pf-m-tertiary ak-root-link" href="{{ href }}?back={{ request.get_full_path }}">{% trans name %}</a>
+                        {% endfor %}
+                        {% get_htmls provider as htmls %}
+                        {% for html in htmls %}
+                            {{ html|safe }}
+                        {% endfor %}
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="pf-icon-integration pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Providers.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any providers." %}
+                {% else %}
+                    {% trans 'Currently no providers exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <ak-dropdown class="pf-c-dropdown">
+                    <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                        <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                        <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                    </button>
+                    <ul class="pf-c-dropdown__menu" hidden>
+                        {% for type, name in types.items %}
+                        <li>
+                            <ak-modal-button href="{% url 'authentik_admin:provider-create' %}?type={{ type }}">
+                                <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                    {{ name|verbose_name }}<br>
+                                    <small>
+                                        {{ name|doc }}
+                                    </small>
+                                </button>
+                                <div slot="modal"></div>
+                            </ak-modal-button>
+                        </li>
+                        {% endfor %}
+                    </ul>
+                </ak-dropdown>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/source/list.html

@@ -0,0 +1,153 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+{% load admin_reflection %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-middleware"></i>
+            {% trans 'Source' %}
+        </h1>
+        <p>{% trans "External Sources which can be used to get Identities into authentik, for example Social Providers like Twiter and GitHub or Enterprise Providers like ADFS and LDAP." %}
+        </p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-dropdown class="pf-c-dropdown">
+                        <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                            <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                            <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                        </button>
+                        <ul class="pf-c-dropdown__menu" hidden>
+                            {% for type, name in types.items %}
+                            <li>
+                                <ak-modal-button href="{% url 'authentik_admin:source-create' %}?type={{ type }}">
+                                    <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                        {{ name|verbose_name }}<br>
+                                        <small>
+                                            {{ name|doc }}
+                                        </small>
+                                    </button>
+                                    <div slot="modal"></div>
+                                </ak-modal-button>
+                            </li>
+                            {% endfor %}
+                        </ul>
+                    </ak-dropdown>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Type' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Additional Info' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for source in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <a href="/sources/{{ source.slug }}/">
+                            <div>{{ source.name }}</div>
+                            {% if not source.enabled %}
+                            <small>{% trans 'Disabled' %}</small>
+                            {% endif %}
+                        </a>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ source|fieldtype }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ source.ui_additional_info|default:""|safe }}
+                        </span>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:source-update' pk=source.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Edit' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:source-delete' pk=source.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        {% get_links source as links %}
+                        {% for name, href in links %}
+                            <a class="pf-c-button pf-m-tertiary ak-root-link" href="{{ href }}?back={{ request.get_full_path }}">{% trans name %}</a>
+                        {% endfor %}
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="pf-icon pf-icon-middleware pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Sources.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any sources." %}
+                {% else %}
+                    {% trans 'Currently no sources exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <ak-dropdown class="pf-c-dropdown">
+                    <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                        <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                        <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                    </button>
+                    <ul class="pf-c-dropdown__menu" hidden>
+                        {% for type, name in types.items %}
+                        <li>
+                            <ak-modal-button href="{% url 'authentik_admin:source-create' %}?type={{ type }}">
+                                <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                    {{ name|verbose_name }}<br>
+                                    <small>
+                                        {{ name|doc }}
+                                    </small>
+                                </button>
+                                <div slot="modal"></div>
+                            </ak-modal-button>
+                        </li>
+                        {% endfor %}
+                    </ul>
+                </ak-dropdown>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/stage/list.html

@@ -0,0 +1,148 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+{% load admin_reflection %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-plugged"></i>
+            {% trans 'Stages' %}
+        </h1>
+        <p>{% trans "Stages are single steps of a Flow that a user is guided through." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-dropdown class="pf-c-dropdown">
+                        <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                            <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                            <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                        </button>
+                        <ul class="pf-c-dropdown__menu" hidden>
+                            {% for type, name in types.items %}
+                            <li>
+                                <ak-modal-button href="{% url 'authentik_admin:stage-create' %}?type={{ type }}">
+                                    <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                        {{ name|verbose_name }}<br>
+                                        <small>
+                                            {{ name|doc }}
+                                        </small>
+                                    </button>
+                                    <div slot="modal"></div>
+                                </ak-modal-button>
+                            </li>
+                            {% endfor %}
+                        </ul>
+                    </ak-dropdown>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Flows' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for stage in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <div>
+                            <div>{{ stage.name }}</div>
+                            <small>{{ stage|verbose_name }}</small>
+                        </div>
+                    </th>
+                    <td role="cell">
+                        <ul>
+                            {% for flow in stage.flow_set.all %}
+                            <li>{{ flow.slug }}<</li>
+                            {% empty %}
+                            <li>-</li>
+                            {% endfor %}
+                        </ul>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:stage-update' pk=stage.stage_uuid %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Edit' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:stage-delete' pk=stage.stage_uuid %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        {% get_links stage as links %}
+                        {% for name, href in links.items %}
+                        <a class="pf-c-button pf-m-tertiary ak-root-link" href="{{ href }}?back={{ request.get_full_path }}">{% trans name %}</a>
+                        {% endfor %}
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="pf-icon pf-icon-plugged pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Stages.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any stages." %}
+                {% else %}
+                    {% trans 'Currently no stages exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <ak-dropdown class="pf-c-dropdown">
+                    <button class="pf-m-primary pf-c-dropdown__toggle" type="button">
+                        <span class="pf-c-dropdown__toggle-text">{% trans 'Create' %}</span>
+                        <i class="fas fa-caret-down pf-c-dropdown__toggle-icon" aria-hidden="true"></i>
+                    </button>
+                    <ul class="pf-c-dropdown__menu" hidden>
+                        {% for type, name in types.items %}
+                        <li>
+                            <ak-modal-button href="{% url 'authentik_admin:stage-create' %}?type={{ type }}">
+                                <button slot="trigger" class="pf-c-dropdown__menu-item">
+                                    {{ name|verbose_name }}<br>
+                                    <small>
+                                        {{ name|doc }}
+                                    </small>
+                                </button>
+                                <div slot="modal"></div>
+                            </ak-modal-button>
+                        </li>
+                        {% endfor %}
+                    </ul>
+                </ak-dropdown>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/stage_binding/list.html

@@ -0,0 +1,125 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-infrastructure"></i>
+            {% trans 'Stage Bindings' %}
+        </h1>
+        <p>{% trans "Bind existing Stages to Flows." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-modal-button href="{% url 'authentik_admin:stage-binding-create' %}">
+                        <ak-spinner-button slot="trigger" class="pf-m-primary">
+                            {% trans 'Create' %}
+                        </ak-spinner-button>
+                        <div slot="modal"></div>
+                    </ak-modal-button>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Order' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Stage Type' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% regroup object_list by target as grouped_bindings %}
+                {% for flow in grouped_bindings %}
+                    <tr role="role">
+                        <td>
+                            {% blocktrans with slug=flow.grouper.slug %}
+                            Flow {{ slug }}
+                            {% endblocktrans %}
+                        </td>
+                        <td></td>
+                        <td></td>
+                        <td></td>
+                    </tr>
+                    {% for binding in flow.list %}
+                    <tr class="pf-c-table__expandable-row pf-m-expanded" role="row">
+                        <td role="cell">
+                            <span>
+                                {{ binding.order }}
+                            </span>
+                        </td>
+                        <th role="columnheader">
+                            <div>
+                                <div>{{ binding.target.slug }}</div>
+                                <small>
+                                    {{ binding.target.name }}
+                                </small>
+                            </div>
+                        </th>
+                        <td role="cell">
+                            <div>
+                                <div>
+                                    {{ binding.stage.name }}
+                                </div>
+                                <small>
+                                    {{ binding.stage }}
+                                </small>
+                            </div>
+                        </td>
+                        <td>
+                            <ak-modal-button href="{% url 'authentik_admin:stage-binding-update' pk=binding.pk %}">
+                                <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                    {% trans 'Update' %}
+                                </ak-spinner-button>
+                                <div slot="modal"></div>
+                            </ak-modal-button>
+                            <ak-modal-button href="{% url 'authentik_admin:stage-binding-delete' pk=binding.pk %}">
+                                <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                    {% trans 'Delete' %}
+                                </ak-spinner-button>
+                                <div slot="modal"></div>
+                            </ak-modal-button>
+                        </td>
+                    </tr>
+                    {% endfor %}
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="fas fa-cubes pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Flow-Stage Bindings.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                    {% trans 'Currently no flow-stage bindings exist. Click the button below to create one.' %}
+                </div>
+                <ak-modal-button href="{% url 'authentik_admin:stage-binding-create' %}">
+                    <ak-spinner-button slot="trigger" class="pf-m-primary">
+                        {% trans 'Create' %}
+                    </ak-spinner-button>
+                    <div slot="modal"></div>
+                </ak-modal-button>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/stage_invitation/list.html

@@ -0,0 +1,109 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-migration"></i>
+            {% trans 'Invitations' %}
+        </h1>
+        <p>{% trans "Create Invitation Links to enroll Users, and optionally force specific attributes of their account." %}
+        </p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-modal-button href="{% url 'authentik_admin:stage-invitation-create' %}">
+                        <ak-spinner-button slot="trigger" class="pf-m-primary">
+                            {% trans 'Create' %}
+                        </ak-spinner-button>
+                        <div slot="modal"></div>
+                    </ak-modal-button>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'ID' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Created by' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Expiry' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for invitation in object_list %}
+                <tr role="row">
+                    <td role="cell">
+                        <span>
+                            {{ invitation.invite_uuid }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ invitation.created_by }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ invitation.expiry|default:"-" }}
+                        </span>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:stage-invitation-delete' pk=invitation.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="pf-icon pf-icon-migration pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Invitations.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any invitations." %}
+                {% else %}
+                    {% trans 'Currently no invitations exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <ak-modal-button href="{% url 'authentik_admin:stage-invitation-create' %}">
+                    <ak-spinner-button slot="trigger" class="pf-m-primary">
+                        {% trans 'Create' %}
+                    </ak-spinner-button>
+                    <div slot="modal"></div>
+                </ak-modal-button>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/stage_prompt/list.html

@@ -0,0 +1,130 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+{% load admin_reflection %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-plugged"></i>
+            {% trans 'Prompts' %}
+        </h1>
+        <p>{% trans "Single Prompts that can be used for Prompt Stages." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-modal-button href="{% url 'authentik_admin:stage-prompt-create' %}">
+                        <ak-spinner-button slot="trigger" class="pf-m-primary">
+                            {% trans 'Create' %}
+                        </ak-spinner-button>
+                        <div slot="modal"></div>
+                    </ak-modal-button>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Field' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Label' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Type' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Order' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Flows' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for prompt in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <div>
+                            <div>{{ prompt.field_key }}</div>
+                        </div>
+                    </th>
+                    <td role="cell">
+                        <div>
+                            {{ prompt.label }}
+                        </div>
+                    </td>
+                    <td role="cell">
+                        <div>
+                            {{ prompt.type }}
+                        </div>
+                    </td>
+                    <td role="cell">
+                        <div>
+                            {{ prompt.order }}
+                        </div>
+                    </td>
+                    <td role="cell">
+                        <ul>
+                            {% for flow in prompt.flow_set.all %}
+                            <li>{{ flow.slug }}</li>
+                            {% empty %}
+                            <li>-</li>
+                            {% endfor %}
+                        </ul>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:stage-prompt-update' pk=prompt.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Update' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-modal-button href="{% url 'authentik_admin:stage-prompt-delete' pk=prompt.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        {% get_links prompt as links %}
+                        {% for name, href in links.items %}
+                        <a class="pf-c-button pf-m-tertiary ak-root-link" href="{{ href }}?back={{ request.get_full_path }}">{% trans name %}</a>
+                        {% endfor %}
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="pf-icon pf-icon-plugged pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Stage Prompts.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any stage prompts." %}
+                {% else %}
+                    {% trans 'Currently no stage prompts exist. Click the button below to create one.' %}
+                {% endif %}
+                </div>
+                <a href="{% url 'authentik_admin:stage-prompt-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/task/list.html

@@ -0,0 +1,84 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load humanize %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-automation"></i>
+            {% trans 'System Tasks' %}
+        </h1>
+        <p>{% trans "Long-running operations which authentik executes in the background." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                    {% trans 'Refresh' %}
+                </button>
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Identifier' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Description' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Last Run' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Status' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Messages' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for task in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <pre>{{ task.task_name }}</pre>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ task.task_description }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ task.finish_timestamp|naturaltime }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {% if task.result.status == task_successful %}
+                            <i class="fas fa-check pf-m-success"></i> {% trans 'Successful' %}
+                            {% elif task.result.status == task_warning %}
+                            <i class="fas fa-exclamation-triangle pf-m-warning"></i> {% trans 'Warning' %}
+                            {% elif task.result.status == task_error %}
+                            <i class="fas fa-times pf-m-danger"></i> {% trans 'Error' %}
+                            {% else %}
+                            <i class="fas fa-question-circle"></i> {% trans 'Unknown' %}
+                            {% endif %}
+                        </span>
+                    </td>
+                    <td>
+                        {% for message in task.result.messages %}
+                        <div>
+                            {{ message }}
+                        </div>
+                        {% endfor %}
+                    </td>
+                    <td>
+                        <ak-action-button url="{% url 'authentik_api:admin_system_tasks-retry' pk=task.task_name %}">
+                            {% trans 'Retry Task' %}
+                        </ak-action-button>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/token/list.html

@@ -0,0 +1,102 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-security"></i>
+            {% trans 'Tokens' %}
+        </h1>
+        <p>{% trans "Tokens are used throughout authentik for Email validation stages, Recovery keys and API access." %}</p>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Identifier' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'User' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Expires?' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Expiry Date' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for token in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <div>{{ token.identifier }}</div>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ token.user }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ token.expiring|yesno:"Yes,No" }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {% if not token.expiring %}
+                            -
+                            {% else %}
+                            {{ token.expires }}
+                            {% endif %}
+                        </span>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:token-delete' pk=token.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-danger">
+                                {% trans 'Delete' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        <ak-token-copy-button identifier="{{ token.identifier }}">
+                            {% trans 'Copy token' %}
+                        </ak-token-copy-button>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="fas fa-key pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Tokens.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any token." %}
+                {% else %}
+                    {% trans 'Currently no tokens exist.' %}
+                {% endif %}
+                </div>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/user/disable.html

@@ -0,0 +1,42 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        {% block above_form %}
+        <h1>
+            {% blocktrans with object_type=object|verbose_name %}
+            Disable {{ object_type }}
+            {% endblocktrans %}
+        </h1>
+        {% endblock %}
+    </div>
+</section>
+<section class="pf-c-page__main-section">
+    <div class="pf-l-stack">
+        <div class="pf-l-stack__item">
+            <div class="pf-c-card">
+                <div class="pf-c-card__body">
+                    <form action="" method="post" class="pf-c-form">
+                        {% csrf_token %}
+                        <p>
+                            {% blocktrans with object_type=object|verbose_name name=object %}
+                            Are you sure you want to disable {{ object_type }} "{{ object }}"?
+                            {% endblocktrans %}
+                        </p>
+                        <div class="pf-c-form__group pf-m-action">
+                            <div class="pf-c-form__actions">
+                                <input class="pf-c-button pf-m-danger" type="submit" value="{% trans 'Disable' %}" />
+                                <a class="pf-c-button pf-m-secondary" href="{% back %}">{% trans "Back" %}</a>
+                            </div>
+                        </div>
+                    </form>
+                </div>
+            </div>
+        </div>
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/administration/user/list.html

@@ -0,0 +1,125 @@
+{% extends "administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        <h1>
+            <i class="pf-icon pf-icon-user"></i>
+            {% trans 'Users' %}
+        </h1>
+    </div>
+</section>
+<section class="pf-c-page__main-section pf-m-no-padding-mobile">
+    <div class="pf-c-card">
+        {% if object_list %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+                <div class="pf-c-toolbar__bulk-select">
+                    <ak-modal-button href="{% url 'authentik_admin:user-create' %}">
+                        <ak-spinner-button slot="trigger" class="pf-m-primary">
+                            {% trans 'Create' %}
+                        </ak-spinner-button>
+                        <div slot="modal"></div>
+                    </ak-modal-button>
+                    <button role="ak-refresh" class="pf-c-button pf-m-primary">
+                        {% trans 'Refresh' %}
+                    </button>
+                </div>
+                {% include 'partials/pagination.html' %}
+            </div>
+        </div>
+        <table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
+            <thead>
+                <tr role="row">
+                    <th role="columnheader" scope="col">{% trans 'Name' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Active' %}</th>
+                    <th role="columnheader" scope="col">{% trans 'Last Login' %}</th>
+                    <th role="cell"></th>
+                </tr>
+            </thead>
+            <tbody role="rowgroup">
+                {% for user in object_list %}
+                <tr role="row">
+                    <th role="columnheader">
+                        <div>
+                            <div>{{ user.username }}</div>
+                            <small>{{ user.name }}</small>
+                        </div>
+                    </th>
+                    <td role="cell">
+                        <span>
+                            {{ user.is_active }}
+                        </span>
+                    </td>
+                    <td role="cell">
+                        <span>
+                            {{ user.last_login }}
+                        </span>
+                    </td>
+                    <td>
+                        <ak-modal-button href="{% url 'authentik_admin:user-update' pk=user.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-secondary">
+                                {% trans 'Edit' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        {% if user.is_active %}
+                        <ak-modal-button href="{% url 'authentik_admin:user-disable' pk=user.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-warning">
+                                {% trans 'Disable' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        {% else %}
+                        <ak-modal-button href="{% url 'authentik_admin:user-delete' pk=user.pk %}">
+                            <ak-spinner-button slot="trigger" class="pf-m-primary">
+                                {% trans 'Enable' %}
+                            </ak-spinner-button>
+                            <div slot="modal"></div>
+                        </ak-modal-button>
+                        {% endif %}
+                        <a class="pf-c-button pf-m-tertiary ak-root-link" href="{% url 'authentik_admin:user-password-reset' pk=user.pk %}?back={{ request.get_full_path }}">{% trans 'Reset Password' %}</a>
+                        <a class="pf-c-button pf-m-tertiary ak-root-link" href="{% url 'authentik_core:impersonate-init' user_id=user.pk %}">{% trans 'Impersonate' %}</a>
+                    </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+        <div class="pf-c-pagination pf-m-bottom">
+            {% include 'partials/pagination.html' %}
+        </div>
+        {% else %}
+        <div class="pf-c-toolbar">
+            <div class="pf-c-toolbar__content">
+                {% include 'partials/toolbar_search.html' %}
+            </div>
+        </div>
+        <div class="pf-c-empty-state">
+            <div class="pf-c-empty-state__content">
+                <i class="pf-icon pf-icon-user pf-c-empty-state__icon" aria-hidden="true"></i>
+                <h1 class="pf-c-title pf-m-lg">
+                    {% trans 'No Users.' %}
+                </h1>
+                <div class="pf-c-empty-state__body">
+                {% if request.GET.search != "" %}
+                    {% trans "Your search query doesn't match any users." %}
+                {% else %}
+                    {% trans 'Currently no users exist. How did you even get here.' %}
+                {% endif %}
+                </div>
+                <ak-modal-button href="{% url 'authentik_admin:user-create' %}">
+                    <ak-spinner-button slot="trigger" class="pf-m-primary">
+                        {% trans 'Create' %}
+                    </ak-spinner-button>
+                    <div slot="modal"></div>
+                </ak-modal-button>
+            </div>
+        </div>
+        {% endif %}
+    </div>
+</section>
+{% endblock %}

authentik/admin/templates/fields/codemirror.html

@@ -0,0 +1 @@
+<ak-codemirror mode="{{ widget.attrs.mode }}"><textarea class="pf-c-form-control" name="{{ widget.name }}">{% if widget.value %}{{ widget.value }}{% endif %}</textarea></ak-codemirror>

authentik/admin/templates/generic/create.html

@@ -0,0 +1,18 @@
+{% extends base_template|default:"generic/form.html" %}
+
+{% load authentik_utils %}
+{% load i18n %}
+
+{% block above_form %}
+<h1>
+    {% blocktrans with type=form|form_verbose_name %}
+    Create {{ type }}
+    {% endblocktrans %}
+</h1>
+{% endblock %}
+
+{% block action %}
+{% blocktrans with type=form|form_verbose_name %}
+Create {{ type }}
+{% endblocktrans %}
+{% endblock %}

authentik/admin/templates/generic/form.html

@@ -0,0 +1,38 @@
+{% extends container_template|default:"administration/base.html" %}
+
+{% load i18n %}
+{% load authentik_utils %}
+{% load static %}
+
+{% block content %}
+<section class="pf-c-page__main-section pf-m-light">
+    <div class="pf-c-content">
+        {% block above_form %}
+        {% endblock %}
+    </div>
+</section>
+<section class="pf-c-page__main-section">
+    <div class="pf-l-stack">
+        <div class="pf-l-stack__item">
+            <div class="pf-c-card">
+                <div class="pf-c-card__body">
+                    <form id="main-form" action="" method="post" class="pf-c-form pf-m-horizontal" enctype="multipart/form-data">
+                        {% include 'partials/form_horizontal.html' with form=form %}
+                        {% block beneath_form %}
+                        {% endblock %}
+                    </form>
+                </div>
+            </div>
+        </div>
+    </div>
+</section>
+<footer class="pf-c-modal-box__footer">
+    <input class="pf-c-button pf-m-primary" type="submit" form="main-form" value="{% block action %}{% endblock %}" />
+    <a class="pf-c-button pf-m-secondary" href="{% back %}">{% trans "Cancel" %}</a>
+</footer>
+{% endblock %}
+
+{% block scripts %}
+{{ block.super }}
+{{ form.media.js }}
+{% endblock %}

authentik/admin/templates/generic/form_non_model.html

@@ -0,0 +1,20 @@
+{% extends base_template|default:"generic/form.html" %}
+
+{% load authentik_utils %}
+{% load i18n %}
+
+{% block above_form %}
+<h1>
+    {% trans form.title %}
+</h1>
+{% endblock %}
+
+{% block beneath_form %}
+<p>
+    {% trans form.body %}
+</p>
+{% endblock %}
+
+{% block action %}
+{% trans 'Confirm' %}
+{% endblock %}

authentik/admin/templates/generic/update.html

@@ -0,0 +1,18 @@
+{% extends base_template|default:"generic/form.html" %}
+
+{% load authentik_utils %}
+{% load i18n %}
+
+{% block above_form %}
+<h1>
+    {% blocktrans with type=form|form_verbose_name|title inst=form.instance %}
+    Update {{ inst }}
+    {% endblocktrans %}
+</h1>
+{% endblock %}
+
+{% block action %}
+{% blocktrans with type=form|form_verbose_name %}
+Update {{ type }}
+{% endblocktrans %}
+{% endblock %}

authentik/admin/templatetags/admin_reflection.py

@@ -0,0 +1,62 @@
+"""authentik admin templatetags"""
+from django import template
+from django.db.models import Model
+from django.utils.html import mark_safe
+from structlog import get_logger
+
+register = template.Library()
+LOGGER = get_logger()
+
+
+@register.simple_tag()
+def get_links(model_instance):
+    """Find all link_ methods on an object instance, run them and return as dict"""
+    prefix = "link_"
+    links = {}
+
+    if not isinstance(model_instance, Model):
+        LOGGER.warning("Model is not instance of Model", model_instance=model_instance)
+        return links
+
+    try:
+        for name in dir(model_instance):
+            if not name.startswith(prefix):
+                continue
+            value = getattr(model_instance, name)
+            if not callable(value):
+                continue
+            human_name = name.replace(prefix, "").replace("_", " ").capitalize()
+            link = value()
+            if link:
+                links[human_name] = link
+    except NotImplementedError:
+        pass
+
+    return links
+
+
+@register.simple_tag(takes_context=True)
+def get_htmls(context, model_instance):
+    """Find all html_ methods on an object instance, run them and return as dict"""
+    prefix = "html_"
+    htmls = []
+
+    if not isinstance(model_instance, Model):
+        LOGGER.warning("Model is not instance of Model", model_instance=model_instance)
+        return htmls
+
+    try:
+        for name in dir(model_instance):
+            if not name.startswith(prefix):
+                continue
+            value = getattr(model_instance, name)
+            if not callable(value):
+                continue
+            if name.startswith(prefix):
+                html = value(context.get("request"))
+                if html:
+                    htmls.append(mark_safe(html))
+    except NotImplementedError:
+        pass
+
+    return htmls

authentik/admin/tests/test_api.py

@@ -1,13 +1,12 @@
 """test admin api"""
 from json import loads
 
+from django.shortcuts import reverse
 from django.test import TestCase
-from django.urls import reverse
 
 from authentik import __version__
 from authentik.core.models import Group, User
 from authentik.core.tasks import clean_expired_models
-from authentik.events.monitored_tasks import TaskResultStatus
 
 
 class TestAdminAPI(TestCase):
@@ -28,29 +27,9 @@ class TestAdminAPI(TestCase):
         self.assertEqual(response.status_code, 200)
         body = loads(response.content)
         self.assertTrue(
-            any(task["task_name"] == "clean_expired_models" for task in body)
+            any([task["task_name"] == "clean_expired_models" for task in body])
         )
 
-    def test_tasks_single(self):
-        """Test Task API (read single)"""
-        clean_expired_models.delay()
-        response = self.client.get(
-            reverse(
-                "authentik_api:admin_system_tasks-detail",
-                kwargs={"pk": "clean_expired_models"},
-            )
-        )
-        self.assertEqual(response.status_code, 200)
-        body = loads(response.content)
-        self.assertEqual(body["status"], TaskResultStatus.SUCCESSFUL.name)
-        self.assertEqual(body["task_name"], "clean_expired_models")
-        response = self.client.get(
-            reverse(
-                "authentik_api:admin_system_tasks-detail", kwargs={"pk": "qwerqwer"}
-            )
-        )
-        self.assertEqual(response.status_code, 404)
-
     def test_tasks_retry(self):
         """Test Task API (retry)"""
         clean_expired_models.delay()
@@ -60,7 +39,9 @@ class TestAdminAPI(TestCase):
                 kwargs={"pk": "clean_expired_models"},
             )
         )
-        self.assertEqual(response.status_code, 204)
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content)
+        self.assertTrue(body["successful"])
 
     def test_tasks_retry_404(self):
         """Test Task API (retry, 404)"""
@@ -74,29 +55,19 @@ class TestAdminAPI(TestCase):
 
     def test_version(self):
         """Test Version API"""
-        response = self.client.get(reverse("authentik_api:admin_version"))
+        response = self.client.get(reverse("authentik_api:admin_version-list"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content)
         self.assertEqual(body["version_current"], __version__)
 
     def test_workers(self):
         """Test Workers API"""
-        response = self.client.get(reverse("authentik_api:admin_workers"))
+        response = self.client.get(reverse("authentik_api:admin_workers-list"))
         self.assertEqual(response.status_code, 200)
         body = loads(response.content)
-        self.assertEqual(body["count"], 0)
+        self.assertEqual(body["pagination"]["count"], 0)
 
     def test_metrics(self):
         """Test metrics API"""
-        response = self.client.get(reverse("authentik_api:admin_metrics"))
-        self.assertEqual(response.status_code, 200)
-
-    def test_apps(self):
-        """Test apps API"""
-        response = self.client.get(reverse("authentik_api:apps-list"))
-        self.assertEqual(response.status_code, 200)
-
-    def test_system(self):
-        """Test system API"""
-        response = self.client.get(reverse("authentik_api:admin_system"))
+        response = self.client.get(reverse("authentik_api:admin_metrics-list"))
         self.assertEqual(response.status_code, 200)

authentik/admin/tests/test_generated.py

@@ -0,0 +1,66 @@
+"""admin tests"""
+from importlib import import_module
+from typing import Callable
+
+from django.forms import ModelForm
+from django.shortcuts import reverse
+from django.test import Client, TestCase
+from django.urls.exceptions import NoReverseMatch
+
+from authentik.admin.urls import urlpatterns
+from authentik.core.models import Group, User
+from authentik.lib.utils.reflection import get_apps
+
+
+class TestAdmin(TestCase):
+    """Generic admin tests"""
+
+    def setUp(self):
+        self.user = User.objects.create_user(username="test")
+        self.user.ak_groups.add(Group.objects.filter(is_superuser=True).first())
+        self.user.save()
+        self.client = Client()
+        self.client.force_login(self.user)
+
+
+def generic_view_tester(view_name: str) -> Callable:
+    """This is used instead of subTest for better visibility"""
+
+    def tester(self: TestAdmin):
+        try:
+            full_url = reverse(f"authentik_admin:{view_name}")
+            response = self.client.get(full_url)
+            self.assertTrue(response.status_code < 500)
+        except NoReverseMatch:
+            pass
+
+    return tester
+
+
+for url in urlpatterns:
+    method_name = url.name.replace("-", "_")
+    setattr(TestAdmin, f"test_view_{method_name}", generic_view_tester(url.name))
+
+
+def generic_form_tester(form: ModelForm) -> Callable:
+    """Test a form"""
+
+    def tester(self: TestAdmin):
+        form_inst = form()
+        self.assertFalse(form_inst.is_valid())
+
+    return tester
+
+
+# Load the forms module from every app, so we have all forms loaded
+for app in get_apps():
+    module = app.__module__.replace(".apps", ".forms")
+    try:
+        import_module(module)
+    except ImportError:
+        pass
+
+for form_class in ModelForm.__subclasses__():
+    setattr(
+        TestAdmin, f"test_form_{form_class.__name__}", generic_form_tester(form_class)
+    )

authentik/admin/tests/test_policy_binding.py

@@ -0,0 +1,43 @@
+"""admin tests"""
+from uuid import uuid4
+
+from django import forms
+from django.test import TestCase
+from django.test.client import RequestFactory
+
+from authentik.admin.views.policies_bindings import PolicyBindingCreateView
+from authentik.core.models import Application
+from authentik.policies.forms import PolicyBindingForm
+
+
+class TestPolicyBindingView(TestCase):
+    """Generic admin tests"""
+
+    def setUp(self):
+        self.factory = RequestFactory()
+
+    def test_without_get_param(self):
+        """Test PolicyBindingCreateView without get params"""
+        request = self.factory.get("/")
+        view = PolicyBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {})
+
+    def test_with_params_invalid(self):
+        """Test PolicyBindingCreateView with invalid get params"""
+        request = self.factory.get("/", {"target": uuid4()})
+        view = PolicyBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {})
+
+    def test_with_params(self):
+        """Test PolicyBindingCreateView with get params"""
+        target = Application.objects.create(name="test")
+        request = self.factory.get("/", {"target": target.pk.hex})
+        view = PolicyBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {"target": target, "order": 0})
+
+        self.assertTrue(
+            isinstance(
+                PolicyBindingForm(initial={"target": "foo"}).fields["target"].widget,
+                forms.HiddenInput,
+            )
+        )

authentik/admin/tests/test_stage_bindings.py

@@ -0,0 +1,43 @@
+"""admin tests"""
+from uuid import uuid4
+
+from django import forms
+from django.test import TestCase
+from django.test.client import RequestFactory
+
+from authentik.admin.views.stages_bindings import StageBindingCreateView
+from authentik.flows.forms import FlowStageBindingForm
+from authentik.flows.models import Flow
+
+
+class TestStageBindingView(TestCase):
+    """Generic admin tests"""
+
+    def setUp(self):
+        self.factory = RequestFactory()
+
+    def test_without_get_param(self):
+        """Test StageBindingCreateView without get params"""
+        request = self.factory.get("/")
+        view = StageBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {})
+
+    def test_with_params_invalid(self):
+        """Test StageBindingCreateView with invalid get params"""
+        request = self.factory.get("/", {"target": uuid4()})
+        view = StageBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {})
+
+    def test_with_params(self):
+        """Test StageBindingCreateView with get params"""
+        target = Flow.objects.create(name="test", slug="test")
+        request = self.factory.get("/", {"target": target.pk.hex})
+        view = StageBindingCreateView(request=request)
+        self.assertEqual(view.get_initial(), {"target": target, "order": 0})
+
+        self.assertTrue(
+            isinstance(
+                FlowStageBindingForm(initial={"target": "foo"}).fields["target"].widget,
+                forms.HiddenInput,
+            )
+        )

authentik/admin/tests/test_tasks.py

@@ -32,8 +32,7 @@ REQUEST_MOCK_VALID = Mock(
     return_value=MockResponse(
         200,
         """{
-            "tag_name": "version/99999999.9999999",
-            "body": "https://goauthentik.io/test"
+            "tag_name": "version/1.2.3"
         }""",
     )
 )
@@ -48,12 +47,10 @@ class TestAdminTasks(TestCase):
     def test_version_valid_response(self):
         """Test Update checker with valid response"""
         update_latest_version.delay().get()
-        self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
+        self.assertEqual(cache.get(VERSION_CACHE_KEY), "1.2.3")
         self.assertTrue(
             Event.objects.filter(
-                action=EventAction.UPDATE_AVAILABLE,
-                context__new_version="99999999.9999999",
-                context__message="Changelog: https://goauthentik.io/test",
+                action=EventAction.UPDATE_AVAILABLE, context__new_version="1.2.3"
             ).exists()
         )
         # test that a consecutive check doesn't create a duplicate event
@@ -61,9 +58,7 @@ class TestAdminTasks(TestCase):
         self.assertEqual(
             len(
                 Event.objects.filter(
-                    action=EventAction.UPDATE_AVAILABLE,
-                    context__new_version="99999999.9999999",
-                    context__message="Changelog: https://goauthentik.io/test",
+                    action=EventAction.UPDATE_AVAILABLE, context__new_version="1.2.3"
                 )
             ),
             1,

authentik/admin/urls.py

@@ -0,0 +1,355 @@
+"""authentik URL Configuration"""
+from django.urls import path
+
+from authentik.admin.views import (
+    applications,
+    certificate_key_pair,
+    flows,
+    groups,
+    outposts,
+    outposts_service_connections,
+    overview,
+    policies,
+    policies_bindings,
+    property_mappings,
+    providers,
+    sources,
+    stages,
+    stages_bindings,
+    stages_invitations,
+    stages_prompts,
+    tasks,
+    tokens,
+    users,
+)
+from authentik.providers.saml.views import MetadataImportView
+
+urlpatterns = [
+    path(
+        "overview/cache/flow/",
+        overview.FlowCacheClearView.as_view(),
+        name="overview-clear-flow-cache",
+    ),
+    path(
+        "overview/cache/policy/",
+        overview.PolicyCacheClearView.as_view(),
+        name="overview-clear-policy-cache",
+    ),
+    # Applications
+    path(
+        "applications/create/",
+        applications.ApplicationCreateView.as_view(),
+        name="application-create",
+    ),
+    path(
+        "applications/<uuid:pk>/update/",
+        applications.ApplicationUpdateView.as_view(),
+        name="application-update",
+    ),
+    path(
+        "applications/<uuid:pk>/delete/",
+        applications.ApplicationDeleteView.as_view(),
+        name="application-delete",
+    ),
+    # Tokens
+    path("tokens/", tokens.TokenListView.as_view(), name="tokens"),
+    path(
+        "tokens/<uuid:pk>/delete/",
+        tokens.TokenDeleteView.as_view(),
+        name="token-delete",
+    ),
+    # Sources
+    path("sources/", sources.SourceListView.as_view(), name="sources"),
+    path("sources/create/", sources.SourceCreateView.as_view(), name="source-create"),
+    path(
+        "sources/<uuid:pk>/update/",
+        sources.SourceUpdateView.as_view(),
+        name="source-update",
+    ),
+    path(
+        "sources/<uuid:pk>/delete/",
+        sources.SourceDeleteView.as_view(),
+        name="source-delete",
+    ),
+    # Policies
+    path("policies/", policies.PolicyListView.as_view(), name="policies"),
+    path("policies/create/", policies.PolicyCreateView.as_view(), name="policy-create"),
+    path(
+        "policies/<uuid:pk>/update/",
+        policies.PolicyUpdateView.as_view(),
+        name="policy-update",
+    ),
+    path(
+        "policies/<uuid:pk>/delete/",
+        policies.PolicyDeleteView.as_view(),
+        name="policy-delete",
+    ),
+    path(
+        "policies/<uuid:pk>/test/",
+        policies.PolicyTestView.as_view(),
+        name="policy-test",
+    ),
+    # Policy bindings
+    path(
+        "policies/bindings/",
+        policies_bindings.PolicyBindingListView.as_view(),
+        name="policies-bindings",
+    ),
+    path(
+        "policies/bindings/create/",
+        policies_bindings.PolicyBindingCreateView.as_view(),
+        name="policy-binding-create",
+    ),
+    path(
+        "policies/bindings/<uuid:pk>/update/",
+        policies_bindings.PolicyBindingUpdateView.as_view(),
+        name="policy-binding-update",
+    ),
+    path(
+        "policies/bindings/<uuid:pk>/delete/",
+        policies_bindings.PolicyBindingDeleteView.as_view(),
+        name="policy-binding-delete",
+    ),
+    # Providers
+    path("providers/", providers.ProviderListView.as_view(), name="providers"),
+    path(
+        "providers/create/",
+        providers.ProviderCreateView.as_view(),
+        name="provider-create",
+    ),
+    path(
+        "providers/create/saml/from-metadata/",
+        MetadataImportView.as_view(),
+        name="provider-saml-from-metadata",
+    ),
+    path(
+        "providers/<int:pk>/update/",
+        providers.ProviderUpdateView.as_view(),
+        name="provider-update",
+    ),
+    path(
+        "providers/<int:pk>/delete/",
+        providers.ProviderDeleteView.as_view(),
+        name="provider-delete",
+    ),
+    # Stages
+    path("stages/", stages.StageListView.as_view(), name="stages"),
+    path("stages/create/", stages.StageCreateView.as_view(), name="stage-create"),
+    path(
+        "stages/<uuid:pk>/update/",
+        stages.StageUpdateView.as_view(),
+        name="stage-update",
+    ),
+    path(
+        "stages/<uuid:pk>/delete/",
+        stages.StageDeleteView.as_view(),
+        name="stage-delete",
+    ),
+    # Stage bindings
+    path(
+        "stages/bindings/",
+        stages_bindings.StageBindingListView.as_view(),
+        name="stage-bindings",
+    ),
+    path(
+        "stages/bindings/create/",
+        stages_bindings.StageBindingCreateView.as_view(),
+        name="stage-binding-create",
+    ),
+    path(
+        "stages/bindings/<uuid:pk>/update/",
+        stages_bindings.StageBindingUpdateView.as_view(),
+        name="stage-binding-update",
+    ),
+    path(
+        "stages/bindings/<uuid:pk>/delete/",
+        stages_bindings.StageBindingDeleteView.as_view(),
+        name="stage-binding-delete",
+    ),
+    # Stage Prompts
+    path(
+        "stages/prompts/",
+        stages_prompts.PromptListView.as_view(),
+        name="stage-prompts",
+    ),
+    path(
+        "stages/prompts/create/",
+        stages_prompts.PromptCreateView.as_view(),
+        name="stage-prompt-create",
+    ),
+    path(
+        "stages/prompts/<uuid:pk>/update/",
+        stages_prompts.PromptUpdateView.as_view(),
+        name="stage-prompt-update",
+    ),
+    path(
+        "stages/prompts/<uuid:pk>/delete/",
+        stages_prompts.PromptDeleteView.as_view(),
+        name="stage-prompt-delete",
+    ),
+    # Stage Invitations
+    path(
+        "stages/invitations/",
+        stages_invitations.InvitationListView.as_view(),
+        name="stage-invitations",
+    ),
+    path(
+        "stages/invitations/create/",
+        stages_invitations.InvitationCreateView.as_view(),
+        name="stage-invitation-create",
+    ),
+    path(
+        "stages/invitations/<uuid:pk>/delete/",
+        stages_invitations.InvitationDeleteView.as_view(),
+        name="stage-invitation-delete",
+    ),
+    # Flows
+    path("flows/", flows.FlowListView.as_view(), name="flows"),
+    path(
+        "flows/create/",
+        flows.FlowCreateView.as_view(),
+        name="flow-create",
+    ),
+    path(
+        "flows/import/",
+        flows.FlowImportView.as_view(),
+        name="flow-import",
+    ),
+    path(
+        "flows/<uuid:pk>/update/",
+        flows.FlowUpdateView.as_view(),
+        name="flow-update",
+    ),
+    path(
+        "flows/<uuid:pk>/execute/",
+        flows.FlowDebugExecuteView.as_view(),
+        name="flow-execute",
+    ),
+    path(
+        "flows/<uuid:pk>/export/",
+        flows.FlowExportView.as_view(),
+        name="flow-export",
+    ),
+    path(
+        "flows/<uuid:pk>/delete/",
+        flows.FlowDeleteView.as_view(),
+        name="flow-delete",
+    ),
+    # Property Mappings
+    path(
+        "property-mappings/",
+        property_mappings.PropertyMappingListView.as_view(),
+        name="property-mappings",
+    ),
+    path(
+        "property-mappings/create/",
+        property_mappings.PropertyMappingCreateView.as_view(),
+        name="property-mapping-create",
+    ),
+    path(
+        "property-mappings/<uuid:pk>/update/",
+        property_mappings.PropertyMappingUpdateView.as_view(),
+        name="property-mapping-update",
+    ),
+    path(
+        "property-mappings/<uuid:pk>/delete/",
+        property_mappings.PropertyMappingDeleteView.as_view(),
+        name="property-mapping-delete",
+    ),
+    # Users
+    path("users/", users.UserListView.as_view(), name="users"),
+    path("users/create/", users.UserCreateView.as_view(), name="user-create"),
+    path("users/<int:pk>/update/", users.UserUpdateView.as_view(), name="user-update"),
+    path("users/<int:pk>/delete/", users.UserDeleteView.as_view(), name="user-delete"),
+    path(
+        "users/<int:pk>/disable/", users.UserDisableView.as_view(), name="user-disable"
+    ),
+    path("users/<int:pk>/enable/", users.UserEnableView.as_view(), name="user-enable"),
+    path(
+        "users/<int:pk>/reset/",
+        users.UserPasswordResetView.as_view(),
+        name="user-password-reset",
+    ),
+    # Groups
+    path("groups/", groups.GroupListView.as_view(), name="groups"),
+    path("groups/create/", groups.GroupCreateView.as_view(), name="group-create"),
+    path(
+        "groups/<uuid:pk>/update/",
+        groups.GroupUpdateView.as_view(),
+        name="group-update",
+    ),
+    path(
+        "groups/<uuid:pk>/delete/",
+        groups.GroupDeleteView.as_view(),
+        name="group-delete",
+    ),
+    # Certificate-Key Pairs
+    path(
+        "crypto/certificates/",
+        certificate_key_pair.CertificateKeyPairListView.as_view(),
+        name="certificate_key_pair",
+    ),
+    path(
+        "crypto/certificates/create/",
+        certificate_key_pair.CertificateKeyPairCreateView.as_view(),
+        name="certificatekeypair-create",
+    ),
+    path(
+        "crypto/certificates/<uuid:pk>/update/",
+        certificate_key_pair.CertificateKeyPairUpdateView.as_view(),
+        name="certificatekeypair-update",
+    ),
+    path(
+        "crypto/certificates/<uuid:pk>/delete/",
+        certificate_key_pair.CertificateKeyPairDeleteView.as_view(),
+        name="certificatekeypair-delete",
+    ),
+    # Outposts
+    path(
+        "outposts/",
+        outposts.OutpostListView.as_view(),
+        name="outposts",
+    ),
+    path(
+        "outposts/create/",
+        outposts.OutpostCreateView.as_view(),
+        name="outpost-create",
+    ),
+    path(
+        "outposts/<uuid:pk>/update/",
+        outposts.OutpostUpdateView.as_view(),
+        name="outpost-update",
+    ),
+    path(
+        "outposts/<uuid:pk>/delete/",
+        outposts.OutpostDeleteView.as_view(),
+        name="outpost-delete",
+    ),
+    # Outpost Service Connections
+    path(
+        "outposts/service_connections/",
+        outposts_service_connections.OutpostServiceConnectionListView.as_view(),
+        name="outpost-service-connections",
+    ),
+    path(
+        "outposts/service_connections/create/",
+        outposts_service_connections.OutpostServiceConnectionCreateView.as_view(),
+        name="outpost-service-connection-create",
+    ),
+    path(
+        "outposts/service_connections/<uuid:pk>/update/",
+        outposts_service_connections.OutpostServiceConnectionUpdateView.as_view(),
+        name="outpost-service-connection-update",
+    ),
+    path(
+        "outposts/service_connections/<uuid:pk>/delete/",
+        outposts_service_connections.OutpostServiceConnectionDeleteView.as_view(),
+        name="outpost-service-connection-delete",
+    ),
+    # Tasks
+    path(
+        "tasks/",
+        tasks.TaskListView.as_view(),
+        name="tasks",
+    ),
+]

authentik/admin/views/applications.py

@@ -0,0 +1,64 @@
+"""authentik Application administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import UpdateView
+from guardian.mixins import PermissionRequiredMixin
+
+from authentik.admin.views.utils import BackSuccessUrlMixin, DeleteMessageView
+from authentik.core.forms.applications import ApplicationForm
+from authentik.core.models import Application
+from authentik.lib.views import CreateAssignPermView
+
+
+class ApplicationCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Application"""
+
+    model = Application
+    form_class = ApplicationForm
+    permission_required = "authentik_core.add_application"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully created Application")
+
+
+class ApplicationUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update application"""
+
+    model = Application
+    form_class = ApplicationForm
+    permission_required = "authentik_core.change_application"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully updated Application")
+
+
+class ApplicationDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete application"""
+
+    model = Application
+    permission_required = "authentik_core.delete_application"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_core:shell")
+    success_message = _("Successfully deleted Application")

authentik/admin/views/certificate_key_pair.py

@@ -0,0 +1,86 @@
+"""authentik CertificateKeyPair administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import ListView, UpdateView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.crypto.forms import CertificateKeyPairForm
+from authentik.crypto.models import CertificateKeyPair
+from authentik.lib.views import CreateAssignPermView
+
+
+class CertificateKeyPairListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
+):
+    """Show list of all keypairs"""
+
+    model = CertificateKeyPair
+    permission_required = "authentik_crypto.view_certificatekeypair"
+    ordering = "name"
+    template_name = "administration/certificatekeypair/list.html"
+
+    search_fields = ["name"]
+
+
+class CertificateKeyPairCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new CertificateKeyPair"""
+
+    model = CertificateKeyPair
+    form_class = CertificateKeyPairForm
+    permission_required = "authentik_crypto.add_certificatekeypair"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:certificate_key_pair")
+    success_message = _("Successfully created CertificateKeyPair")
+
+
+class CertificateKeyPairUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update certificatekeypair"""
+
+    model = CertificateKeyPair
+    form_class = CertificateKeyPairForm
+    permission_required = "authentik_crypto.change_certificatekeypair"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:certificate_key_pair")
+    success_message = _("Successfully updated Certificate-Key Pair")
+
+
+class CertificateKeyPairDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete certificatekeypair"""
+
+    model = CertificateKeyPair
+    permission_required = "authentik_crypto.delete_certificatekeypair"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:certificate_key_pair")
+    success_message = _("Successfully deleted Certificate-Key Pair")

authentik/admin/views/flows.py

@@ -0,0 +1,151 @@
+"""authentik Flow administration"""
+from django.contrib import messages
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import DetailView, FormView, ListView, UpdateView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.flows.forms import FlowForm, FlowImportForm
+from authentik.flows.models import Flow
+from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
+from authentik.flows.transfer.common import DataclassEncoder
+from authentik.flows.transfer.exporter import FlowExporter
+from authentik.flows.transfer.importer import FlowImporter
+from authentik.flows.views import SESSION_KEY_PLAN, FlowPlanner
+from authentik.lib.utils.urls import redirect_with_qs
+from authentik.lib.views import CreateAssignPermView
+
+
+class FlowListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
+):
+    """Show list of all flows"""
+
+    model = Flow
+    permission_required = "authentik_flows.view_flow"
+    ordering = "name"
+    template_name = "administration/flow/list.html"
+    search_fields = ["name", "slug", "designation", "title"]
+
+
+class FlowCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Flow"""
+
+    model = Flow
+    form_class = FlowForm
+    permission_required = "authentik_flows.add_flow"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:flows")
+    success_message = _("Successfully created Flow")
+
+
+class FlowUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update flow"""
+
+    model = Flow
+    form_class = FlowForm
+    permission_required = "authentik_flows.change_flow"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:flows")
+    success_message = _("Successfully updated Flow")
+
+
+class FlowDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete flow"""
+
+    model = Flow
+    permission_required = "authentik_flows.delete_flow"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:flows")
+    success_message = _("Successfully deleted Flow")
+
+
+class FlowDebugExecuteView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
+    """Debug exectue flow, setting the current user as pending user"""
+
+    model = Flow
+    permission_required = "authentik_flows.view_flow"
+
+    # pylint: disable=unused-argument
+    def get(self, request: HttpRequest, pk: str) -> HttpResponse:
+        """Debug exectue flow, setting the current user as pending user"""
+        flow: Flow = self.get_object()
+        planner = FlowPlanner(flow)
+        planner.use_cache = False
+        plan = planner.plan(self.request, {PLAN_CONTEXT_PENDING_USER: request.user})
+        self.request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs(
+            "authentik_flows:flow-executor-shell",
+            self.request.GET,
+            flow_slug=flow.slug,
+        )
+
+
+class FlowImportView(LoginRequiredMixin, FormView):
+    """Import flow from JSON Export; only allowed for superusers
+    as these flows can contain python code"""
+
+    form_class = FlowImportForm
+    template_name = "administration/flow/import.html"
+    success_url = reverse_lazy("authentik_admin:flows")
+
+    def dispatch(self, request, *args, **kwargs):
+        if not request.user.is_superuser:
+            return self.handle_no_permission()
+        return super().dispatch(request, *args, **kwargs)
+
+    def form_valid(self, form: FlowImportForm) -> HttpResponse:
+        importer = FlowImporter(form.cleaned_data["flow"].read().decode())
+        successful = importer.apply()
+        if not successful:
+            messages.error(self.request, _("Failed to import flow."))
+        else:
+            messages.success(self.request, _("Successfully imported flow."))
+        return super().form_valid(form)
+
+
+class FlowExportView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
+    """Export Flow"""
+
+    model = Flow
+    permission_required = "authentik_flows.export_flow"
+
+    # pylint: disable=unused-argument
+    def get(self, request: HttpRequest, pk: str) -> HttpResponse:
+        """Debug exectue flow, setting the current user as pending user"""
+        flow: Flow = self.get_object()
+        exporter = FlowExporter(flow)
+        response = JsonResponse(exporter.export(), encoder=DataclassEncoder, safe=False)
+        response["Content-Disposition"] = f'attachment; filename="{flow.slug}.akflow"'
+        return response

authentik/admin/views/groups.py

@@ -0,0 +1,83 @@
+"""authentik Group administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import ListView, UpdateView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.core.forms.groups import GroupForm
+from authentik.core.models import Group
+from authentik.lib.views import CreateAssignPermView
+
+
+class GroupListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
+):
+    """Show list of all groups"""
+
+    model = Group
+    permission_required = "authentik_core.view_group"
+    ordering = "name"
+    template_name = "administration/group/list.html"
+    search_fields = ["name", "attributes"]
+
+
+class GroupCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Group"""
+
+    model = Group
+    form_class = GroupForm
+    permission_required = "authentik_core.add_group"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:groups")
+    success_message = _("Successfully created Group")
+
+
+class GroupUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update group"""
+
+    model = Group
+    form_class = GroupForm
+    permission_required = "authentik_core.change_group"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:groups")
+    success_message = _("Successfully updated Group")
+
+
+class GroupDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete group"""
+
+    model = Group
+    permission_required = "authentik_flows.delete_group"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:groups")
+    success_message = _("Successfully deleted Group")

authentik/admin/views/outposts.py

@@ -0,0 +1,93 @@
+"""authentik Outpost administration"""
+from dataclasses import asdict
+from typing import Any, Dict
+
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import ListView, UpdateView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.lib.views import CreateAssignPermView
+from authentik.outposts.forms import OutpostForm
+from authentik.outposts.models import Outpost, OutpostConfig
+
+
+class OutpostListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
+):
+    """Show list of all outposts"""
+
+    model = Outpost
+    permission_required = "authentik_outposts.view_outpost"
+    ordering = "name"
+    template_name = "administration/outpost/list.html"
+    search_fields = ["name", "_config"]
+
+
+class OutpostCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Outpost"""
+
+    model = Outpost
+    form_class = OutpostForm
+    permission_required = "authentik_outposts.add_outpost"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:outposts")
+    success_message = _("Successfully created Outpost")
+
+    def get_initial(self) -> Dict[str, Any]:
+        return {
+            "_config": asdict(
+                OutpostConfig(authentik_host=self.request.build_absolute_uri("/"))
+            )
+        }
+
+
+class OutpostUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update outpost"""
+
+    model = Outpost
+    form_class = OutpostForm
+    permission_required = "authentik_outposts.change_outpost"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:outposts")
+    success_message = _("Successfully updated Outpost")
+
+
+class OutpostDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete outpost"""
+
+    model = Outpost
+    permission_required = "authentik_outposts.delete_outpost"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:outposts")
+    success_message = _("Successfully deleted Outpost")

authentik/admin/views/outposts_service_connections.py

@@ -0,0 +1,83 @@
+"""authentik OutpostServiceConnection administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceListView,
+    InheritanceUpdateView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.outposts.models import OutpostServiceConnection
+
+
+class OutpostServiceConnectionListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    InheritanceListView,
+):
+    """Show list of all outpost-service-connections"""
+
+    model = OutpostServiceConnection
+    permission_required = "authentik_outposts.add_outpostserviceconnection"
+    template_name = "administration/outpost_service_connection/list.html"
+    ordering = "pk"
+    search_fields = ["pk", "name"]
+
+
+class OutpostServiceConnectionCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new OutpostServiceConnection"""
+
+    model = OutpostServiceConnection
+    permission_required = "authentik_outposts.add_outpostserviceconnection"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:outpost-service-connections")
+    success_message = _("Successfully created OutpostServiceConnection")
+
+
+class OutpostServiceConnectionUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update outpostserviceconnection"""
+
+    model = OutpostServiceConnection
+    permission_required = "authentik_outposts.change_outpostserviceconnection"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:outpost-service-connections")
+    success_message = _("Successfully updated OutpostServiceConnection")
+
+
+class OutpostServiceConnectionDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete outpostserviceconnection"""
+
+    model = OutpostServiceConnection
+    permission_required = "authentik_outposts.delete_outpostserviceconnection"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:outpost-service-connections")
+    success_message = _("Successfully deleted OutpostServiceConnection")

authentik/admin/views/overview.py

@@ -0,0 +1,45 @@
+"""authentik administration overview"""
+from django.contrib.messages.views import SuccessMessageMixin
+from django.core.cache import cache
+from django.http.request import HttpRequest
+from django.http.response import HttpResponse
+from django.utils.translation import gettext as _
+from django.views.generic import FormView
+from structlog import get_logger
+
+from authentik.admin.forms.overview import FlowCacheClearForm, PolicyCacheClearForm
+from authentik.admin.mixins import AdminRequiredMixin
+
+LOGGER = get_logger()
+
+
+class PolicyCacheClearView(AdminRequiredMixin, SuccessMessageMixin, FormView):
+    """View to clear Policy cache"""
+
+    form_class = PolicyCacheClearForm
+
+    template_name = "generic/form_non_model.html"
+    success_url = "/"
+    success_message = _("Successfully cleared Policy cache")
+
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        keys = cache.keys("policy_*")
+        cache.delete_many(keys)
+        LOGGER.debug("Cleared Policy cache", keys=len(keys))
+        return super().post(request, *args, **kwargs)
+
+
+class FlowCacheClearView(AdminRequiredMixin, SuccessMessageMixin, FormView):
+    """View to clear Flow cache"""
+
+    form_class = FlowCacheClearForm
+
+    template_name = "generic/form_non_model.html"
+    success_url = "/"
+    success_message = _("Successfully cleared Flow cache")
+
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        keys = cache.keys("flow_*")
+        cache.delete_many(keys)
+        LOGGER.debug("Cleared flow cache", keys=len(keys))
+        return super().post(request, *args, **kwargs)

authentik/admin/views/policies.py

@@ -0,0 +1,129 @@
+"""authentik Policy administration"""
+from typing import Any, Dict
+
+from django.contrib import messages
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.db.models import QuerySet
+from django.http import HttpResponse
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import FormView
+from django.views.generic.detail import DetailView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.forms.policies import PolicyTestForm
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceListView,
+    InheritanceUpdateView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.policies.models import Policy, PolicyBinding
+from authentik.policies.process import PolicyProcess, PolicyRequest
+
+
+class PolicyListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    InheritanceListView,
+):
+    """Show list of all policies"""
+
+    model = Policy
+    permission_required = "authentik_policies.view_policy"
+    ordering = "name"
+    template_name = "administration/policy/list.html"
+    search_fields = ["name"]
+
+
+class PolicyCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new Policy"""
+
+    model = Policy
+    permission_required = "authentik_policies.add_policy"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:policies")
+    success_message = _("Successfully created Policy")
+
+
+class PolicyUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update policy"""
+
+    model = Policy
+    permission_required = "authentik_policies.change_policy"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:policies")
+    success_message = _("Successfully updated Policy")
+
+
+class PolicyDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete policy"""
+
+    model = Policy
+    permission_required = "authentik_policies.delete_policy"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:policies")
+    success_message = _("Successfully deleted Policy")
+
+
+class PolicyTestView(LoginRequiredMixin, DetailView, PermissionRequiredMixin, FormView):
+    """View to test policy(s)"""
+
+    model = Policy
+    form_class = PolicyTestForm
+    permission_required = "authentik_policies.view_policy"
+    template_name = "administration/policy/test.html"
+    object = None
+
+    def get_object(self, queryset=None) -> QuerySet:
+        return (
+            Policy.objects.filter(pk=self.kwargs.get("pk")).select_subclasses().first()
+        )
+
+    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
+        kwargs["policy"] = self.get_object()
+        return super().get_context_data(**kwargs)
+
+    def post(self, *args, **kwargs) -> HttpResponse:
+        self.object = self.get_object()
+        return super().post(*args, **kwargs)
+
+    def form_valid(self, form: PolicyTestForm) -> HttpResponse:
+        policy = self.get_object()
+        user = form.cleaned_data.get("user")
+
+        p_request = PolicyRequest(user)
+        p_request.http_request = self.request
+        p_request.context = form.cleaned_data
+
+        proc = PolicyProcess(PolicyBinding(policy=policy), p_request, None)
+        result = proc.execute()
+        if result.passing:
+            messages.success(self.request, _("User successfully passed policy."))
+        else:
+            messages.error(self.request, _("User didn't pass policy."))
+        return self.render_to_response(self.get_context_data(form=form, result=result))

authentik/admin/views/policies_bindings.py

@@ -0,0 +1,117 @@
+"""authentik PolicyBinding administration"""
+from typing import Any
+
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.db.models import Max, QuerySet
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import ListView, UpdateView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+from guardian.shortcuts import get_objects_for_user
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    UserPaginateListMixin,
+)
+from authentik.lib.views import CreateAssignPermView
+from authentik.policies.forms import PolicyBindingForm
+from authentik.policies.models import PolicyBinding, PolicyBindingModel
+
+
+class PolicyBindingListView(
+    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, ListView
+):
+    """Show list of all policies"""
+
+    model = PolicyBinding
+    permission_required = "authentik_policies.view_policybinding"
+    ordering = ["order", "target"]
+    template_name = "administration/policy_binding/list.html"
+
+    def get_queryset(self) -> QuerySet:
+        # Since `select_subclasses` does not work with a foreign key, we have to do two queries here
+        # First, get all pbm objects that have bindings attached
+        objects = (
+            get_objects_for_user(
+                self.request.user, "authentik_policies.view_policybindingmodel"
+            )
+            .filter(policies__isnull=False)
+            .select_subclasses()
+            .select_related()
+            .order_by("pk")
+        )
+        for pbm in objects:
+            pbm.bindings = get_objects_for_user(
+                self.request.user, self.permission_required
+            ).filter(target__pk=pbm.pbm_uuid)
+        return objects
+
+
+class PolicyBindingCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new PolicyBinding"""
+
+    model = PolicyBinding
+    permission_required = "authentik_policies.add_policybinding"
+    form_class = PolicyBindingForm
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:policies-bindings")
+    success_message = _("Successfully created PolicyBinding")
+
+    def get_initial(self) -> dict[str, Any]:
+        if "target" in self.request.GET:
+            initial_target_pk = self.request.GET["target"]
+            targets = PolicyBindingModel.objects.filter(
+                pk=initial_target_pk
+            ).select_subclasses()
+            if not targets.exists():
+                return {}
+            max_order = PolicyBinding.objects.filter(target=targets.first()).aggregate(
+                Max("order")
+            )["order__max"]
+            if not isinstance(max_order, int):
+                max_order = -1
+            return {"target": targets.first(), "order": max_order + 1}
+        return super().get_initial()
+
+
+class PolicyBindingUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update policybinding"""
+
+    model = PolicyBinding
+    permission_required = "authentik_policies.change_policybinding"
+    form_class = PolicyBindingForm
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:policies-bindings")
+    success_message = _("Successfully updated PolicyBinding")
+
+
+class PolicyBindingDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete policybinding"""
+
+    model = PolicyBinding
+    permission_required = "authentik_policies.delete_policybinding"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:policies-bindings")
+    success_message = _("Successfully deleted PolicyBinding")

authentik/admin/views/property_mappings.py

@@ -0,0 +1,83 @@
+"""authentik PropertyMapping administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceListView,
+    InheritanceUpdateView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.core.models import PropertyMapping
+
+
+class PropertyMappingListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    InheritanceListView,
+):
+    """Show list of all property_mappings"""
+
+    model = PropertyMapping
+    permission_required = "authentik_core.view_propertymapping"
+    template_name = "administration/property_mapping/list.html"
+    ordering = "name"
+    search_fields = ["name", "expression"]
+
+
+class PropertyMappingCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new PropertyMapping"""
+
+    model = PropertyMapping
+    permission_required = "authentik_core.add_propertymapping"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:property-mappings")
+    success_message = _("Successfully created Property Mapping")
+
+
+class PropertyMappingUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update property_mapping"""
+
+    model = PropertyMapping
+    permission_required = "authentik_core.change_propertymapping"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:property-mappings")
+    success_message = _("Successfully updated Property Mapping")
+
+
+class PropertyMappingDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete property_mapping"""
+
+    model = PropertyMapping
+    permission_required = "authentik_core.delete_propertymapping"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:property-mappings")
+    success_message = _("Successfully deleted Property Mapping")

authentik/admin/views/providers.py

@@ -0,0 +1,83 @@
+"""authentik Provider administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceListView,
+    InheritanceUpdateView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.core.models import Provider
+
+
+class ProviderListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    InheritanceListView,
+):
+    """Show list of all providers"""
+
+    model = Provider
+    permission_required = "authentik_core.add_provider"
+    template_name = "administration/provider/list.html"
+    ordering = "pk"
+    search_fields = ["pk", "name"]
+
+
+class ProviderCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new Provider"""
+
+    model = Provider
+    permission_required = "authentik_core.add_provider"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:providers")
+    success_message = _("Successfully created Provider")
+
+
+class ProviderUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update provider"""
+
+    model = Provider
+    permission_required = "authentik_core.change_provider"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:providers")
+    success_message = _("Successfully updated Provider")
+
+
+class ProviderDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete provider"""
+
+    model = Provider
+    permission_required = "authentik_core.delete_provider"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:providers")
+    success_message = _("Successfully deleted Provider")

authentik/admin/views/sources.py

@@ -0,0 +1,81 @@
+"""authentik Source administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceListView,
+    InheritanceUpdateView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.core.models import Source
+
+
+class SourceListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    InheritanceListView,
+):
+    """Show list of all sources"""
+
+    model = Source
+    permission_required = "authentik_core.view_source"
+    ordering = "name"
+    template_name = "administration/source/list.html"
+    search_fields = ["name", "slug"]
+
+
+class SourceCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new Source"""
+
+    model = Source
+    permission_required = "authentik_core.add_source"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:sources")
+    success_message = _("Successfully created Source")
+
+
+class SourceUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update source"""
+
+    model = Source
+    permission_required = "authentik_core.change_source"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:sources")
+    success_message = _("Successfully updated Source")
+
+
+class SourceDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete source"""
+
+    model = Source
+    permission_required = "authentik_core.delete_source"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:sources")
+    success_message = _("Successfully deleted Source")

authentik/admin/views/stages.py

@@ -0,0 +1,79 @@
+"""authentik Stage administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    InheritanceCreateView,
+    InheritanceListView,
+    InheritanceUpdateView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.flows.models import Stage
+
+
+class StageListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    InheritanceListView,
+):
+    """Show list of all stages"""
+
+    model = Stage
+    template_name = "administration/stage/list.html"
+    permission_required = "authentik_flows.view_stage"
+    ordering = "name"
+    search_fields = ["name"]
+
+
+class StageCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    InheritanceCreateView,
+):
+    """Create new Stage"""
+
+    model = Stage
+    template_name = "generic/create.html"
+    permission_required = "authentik_flows.add_stage"
+
+    success_url = reverse_lazy("authentik_admin:stages")
+    success_message = _("Successfully created Stage")
+
+
+class StageUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    InheritanceUpdateView,
+):
+    """Update stage"""
+
+    model = Stage
+    permission_required = "authentik_flows.update_application"
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:stages")
+    success_message = _("Successfully updated Stage")
+
+
+class StageDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete stage"""
+
+    model = Stage
+    template_name = "generic/delete.html"
+    permission_required = "authentik_flows.delete_stage"
+    success_url = reverse_lazy("authentik_admin:stages")
+    success_message = _("Successfully deleted Stage")

authentik/admin/views/stages_bindings.py

@@ -0,0 +1,96 @@
+"""authentik StageBinding administration"""
+from typing import Any
+
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.db.models import Max
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import ListView, UpdateView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    UserPaginateListMixin,
+)
+from authentik.flows.forms import FlowStageBindingForm
+from authentik.flows.models import Flow, FlowStageBinding
+from authentik.lib.views import CreateAssignPermView
+
+
+class StageBindingListView(
+    LoginRequiredMixin, PermissionListMixin, UserPaginateListMixin, ListView
+):
+    """Show list of all flows"""
+
+    model = FlowStageBinding
+    permission_required = "authentik_flows.view_flowstagebinding"
+    ordering = ["target", "order"]
+    template_name = "administration/stage_binding/list.html"
+
+
+class StageBindingCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new StageBinding"""
+
+    model = FlowStageBinding
+    permission_required = "authentik_flows.add_flowstagebinding"
+    form_class = FlowStageBindingForm
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:stage-bindings")
+    success_message = _("Successfully created StageBinding")
+
+    def get_initial(self) -> dict[str, Any]:
+        if "target" in self.request.GET:
+            initial_target_pk = self.request.GET["target"]
+            targets = Flow.objects.filter(pk=initial_target_pk).select_subclasses()
+            if not targets.exists():
+                return {}
+            max_order = FlowStageBinding.objects.filter(
+                target=targets.first()
+            ).aggregate(Max("order"))["order__max"]
+            if not isinstance(max_order, int):
+                max_order = -1
+            return {"target": targets.first(), "order": max_order + 1}
+        return super().get_initial()
+
+
+class StageBindingUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update FlowStageBinding"""
+
+    model = FlowStageBinding
+    permission_required = "authentik_flows.change_flowstagebinding"
+    form_class = FlowStageBindingForm
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:stage-bindings")
+    success_message = _("Successfully updated StageBinding")
+
+
+class StageBindingDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete FlowStageBinding"""
+
+    model = FlowStageBinding
+    permission_required = "authentik_flows.delete_flowstagebinding"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:stage-bindings")
+    success_message = _("Successfully deleted FlowStageBinding")

authentik/admin/views/stages_invitations.py

@@ -0,0 +1,74 @@
+"""authentik Invitation administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import HttpResponseRedirect
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import ListView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.lib.views import CreateAssignPermView
+from authentik.stages.invitation.forms import InvitationForm
+from authentik.stages.invitation.models import Invitation
+
+
+class InvitationListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
+):
+    """Show list of all invitations"""
+
+    model = Invitation
+    permission_required = "authentik_stages_invitation.view_invitation"
+    template_name = "administration/stage_invitation/list.html"
+    ordering = "-expires"
+    search_fields = ["created_by__username", "expires", "fixed_data"]
+
+
+class InvitationCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Invitation"""
+
+    model = Invitation
+    form_class = InvitationForm
+    permission_required = "authentik_stages_invitation.add_invitation"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:stage-invitations")
+    success_message = _("Successfully created Invitation")
+
+    def form_valid(self, form):
+        obj = form.save(commit=False)
+        obj.created_by = self.request.user
+        obj.save()
+        return HttpResponseRedirect(self.success_url)
+
+
+class InvitationDeleteView(
+    LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView
+):
+    """Delete invitation"""
+
+    model = Invitation
+    permission_required = "authentik_stages_invitation.delete_invitation"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:stage-invitations")
+    success_message = _("Successfully deleted Invitation")

authentik/admin/views/stages_prompts.py

@@ -0,0 +1,88 @@
+"""authentik Prompt administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import ListView, UpdateView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.lib.views import CreateAssignPermView
+from authentik.stages.prompt.forms import PromptAdminForm
+from authentik.stages.prompt.models import Prompt
+
+
+class PromptListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
+):
+    """Show list of all prompts"""
+
+    model = Prompt
+    permission_required = "authentik_stages_prompt.view_prompt"
+    ordering = "order"
+    template_name = "administration/stage_prompt/list.html"
+    search_fields = [
+        "field_key",
+        "label",
+        "type",
+        "placeholder",
+    ]
+
+
+class PromptCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create new Prompt"""
+
+    model = Prompt
+    form_class = PromptAdminForm
+    permission_required = "authentik_stages_prompt.add_prompt"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:stage-prompts")
+    success_message = _("Successfully created Prompt")
+
+
+class PromptUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update prompt"""
+
+    model = Prompt
+    form_class = PromptAdminForm
+    permission_required = "authentik_stages_prompt.change_prompt"
+
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:stage-prompts")
+    success_message = _("Successfully updated Prompt")
+
+
+class PromptDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete prompt"""
+
+    model = Prompt
+    permission_required = "authentik_stages_prompt.delete_prompt"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:stage-prompts")
+    success_message = _("Successfully deleted Prompt")

authentik/admin/views/tasks.py

@@ -0,0 +1,23 @@
+"""authentik Tasks List"""
+from typing import Any, Dict
+
+from django.views.generic.base import TemplateView
+
+from authentik.admin.mixins import AdminRequiredMixin
+from authentik.lib.tasks import TaskInfo, TaskResultStatus
+
+
+class TaskListView(AdminRequiredMixin, TemplateView):
+    """Show list of all background tasks"""
+
+    template_name = "administration/task/list.html"
+
+    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
+        kwargs = super().get_context_data(**kwargs)
+        kwargs["object_list"] = sorted(
+            TaskInfo.all().values(), key=lambda x: x.task_name
+        )
+        kwargs["task_successful"] = TaskResultStatus.SUCCESSFUL
+        kwargs["task_warning"] = TaskResultStatus.WARNING
+        kwargs["task_error"] = TaskResultStatus.ERROR
+        return kwargs

authentik/admin/views/tokens.py

@@ -0,0 +1,45 @@
+"""authentik Token administration"""
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.urls import reverse_lazy
+from django.utils.translation import gettext as _
+from django.views.generic import ListView
+from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
+
+from authentik.admin.views.utils import (
+    DeleteMessageView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.core.models import Token
+
+
+class TokenListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
+):
+    """Show list of all tokens"""
+
+    model = Token
+    permission_required = "authentik_core.view_token"
+    ordering = "expires"
+    template_name = "administration/token/list.html"
+    search_fields = [
+        "identifier",
+        "intent",
+        "user__username",
+        "description",
+    ]
+
+
+class TokenDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete token"""
+
+    model = Token
+    permission_required = "authentik_core.delete_token"
+
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:tokens")
+    success_message = _("Successfully deleted Token")

authentik/admin/views/users.py

@@ -0,0 +1,168 @@
+"""authentik User administration"""
+from django.contrib import messages
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.auth.mixins import (
+    PermissionRequiredMixin as DjangoPermissionRequiredMixin,
+)
+from django.contrib.messages.views import SuccessMessageMixin
+from django.http import HttpRequest, HttpResponse
+from django.http.response import HttpResponseRedirect
+from django.shortcuts import redirect
+from django.urls import reverse, reverse_lazy
+from django.utils.http import urlencode
+from django.utils.translation import gettext as _
+from django.views.generic import DetailView, ListView, UpdateView
+from guardian.mixins import (
+    PermissionListMixin,
+    PermissionRequiredMixin,
+    get_anonymous_user,
+)
+
+from authentik.admin.forms.users import UserForm
+from authentik.admin.views.utils import (
+    BackSuccessUrlMixin,
+    DeleteMessageView,
+    SearchListMixin,
+    UserPaginateListMixin,
+)
+from authentik.core.models import Token, User
+from authentik.lib.views import CreateAssignPermView
+
+
+class UserListView(
+    LoginRequiredMixin,
+    PermissionListMixin,
+    UserPaginateListMixin,
+    SearchListMixin,
+    ListView,
+):
+    """Show list of all users"""
+
+    model = User
+    permission_required = "authentik_core.view_user"
+    ordering = "username"
+    template_name = "administration/user/list.html"
+    search_fields = ["username", "name", "attributes"]
+
+    def get_queryset(self):
+        return super().get_queryset().exclude(pk=get_anonymous_user().pk)
+
+
+class UserCreateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    DjangoPermissionRequiredMixin,
+    CreateAssignPermView,
+):
+    """Create user"""
+
+    model = User
+    form_class = UserForm
+    permission_required = "authentik_core.add_user"
+
+    template_name = "generic/create.html"
+    success_url = reverse_lazy("authentik_admin:users")
+    success_message = _("Successfully created User")
+
+
+class UserUpdateView(
+    SuccessMessageMixin,
+    BackSuccessUrlMixin,
+    LoginRequiredMixin,
+    PermissionRequiredMixin,
+    UpdateView,
+):
+    """Update user"""
+
+    model = User
+    form_class = UserForm
+    permission_required = "authentik_core.change_user"
+
+    # By default the object's name is user which is used by other checks
+    context_object_name = "object"
+    template_name = "generic/update.html"
+    success_url = reverse_lazy("authentik_admin:users")
+    success_message = _("Successfully updated User")
+
+
+class UserDeleteView(LoginRequiredMixin, PermissionRequiredMixin, DeleteMessageView):
+    """Delete user"""
+
+    model = User
+    permission_required = "authentik_core.delete_user"
+
+    # By default the object's name is user which is used by other checks
+    context_object_name = "object"
+    template_name = "generic/delete.html"
+    success_url = reverse_lazy("authentik_admin:users")
+    success_message = _("Successfully deleted User")
+
+
+class UserDisableView(
+    LoginRequiredMixin, PermissionRequiredMixin, BackSuccessUrlMixin, DeleteMessageView
+):
+    """Disable user"""
+
+    object: User
+
+    model = User
+    permission_required = "authentik_core.update_user"
+
+    # By default the object's name is user which is used by other checks
+    context_object_name = "object"
+    template_name = "administration/user/disable.html"
+    success_url = reverse_lazy("authentik_admin:users")
+    success_message = _("Successfully disabled User")
+
+    def delete(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        self.object: User = self.get_object()
+        success_url = self.get_success_url()
+        self.object.is_active = False
+        self.object.save()
+        return HttpResponseRedirect(success_url)
+
+
+class UserEnableView(
+    LoginRequiredMixin, PermissionRequiredMixin, BackSuccessUrlMixin, DetailView
+):
+    """Enable user"""
+
+    object: User
+
+    model = User
+    permission_required = "authentik_core.update_user"
+
+    # By default the object's name is user which is used by other checks
+    context_object_name = "object"
+    success_url = reverse_lazy("authentik_admin:users")
+    success_message = _("Successfully enabled User")
+
+    def get(self, request: HttpRequest, *args, **kwargs):
+        self.object: User = self.get_object()
+        success_url = self.get_success_url()
+        self.object.is_active = True
+        self.object.save()
+        return HttpResponseRedirect(success_url)
+
+
+class UserPasswordResetView(LoginRequiredMixin, PermissionRequiredMixin, DetailView):
+    """Get Password reset link for user"""
+
+    model = User
+    permission_required = "authentik_core.reset_user_password"
+
+    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        """Create token for user and return link"""
+        super().get(request, *args, **kwargs)
+        token, __ = Token.objects.get_or_create(
+            identifier="password-reset-temp", user=self.object
+        )
+        querystring = urlencode({"token": token.key})
+        link = request.build_absolute_uri(
+            reverse("authentik_flows:default-recovery") + f"?{querystring}"
+        )
+        messages.success(
+            request, _("Password reset link: <pre>%(link)s</pre>" % {"link": link})
+        )
+        return redirect("authentik_admin:users")

authentik/admin/views/utils.py

@@ -0,0 +1,124 @@
+"""authentik admin util views"""
+from typing import Any, Dict, List, Optional
+from urllib.parse import urlparse
+
+from django.contrib import messages
+from django.contrib.messages.views import SuccessMessageMixin
+from django.contrib.postgres.search import SearchQuery, SearchVector
+from django.db.models import QuerySet
+from django.http import Http404
+from django.http.request import HttpRequest
+from django.views.generic import DeleteView, ListView, UpdateView
+from django.views.generic.list import MultipleObjectMixin
+
+from authentik.lib.utils.reflection import all_subclasses
+from authentik.lib.views import CreateAssignPermView
+
+
+class DeleteMessageView(SuccessMessageMixin, DeleteView):
+    """DeleteView which shows `self.success_message` on successful deletion"""
+
+    def delete(self, request, *args, **kwargs):
+        messages.success(self.request, self.success_message)
+        return super().delete(request, *args, **kwargs)
+
+
+class InheritanceListView(ListView):
+    """ListView for objects using InheritanceManager"""
+
+    def get_context_data(self, **kwargs):
+        kwargs["types"] = {x.__name__: x for x in all_subclasses(self.model)}
+        return super().get_context_data(**kwargs)
+
+    def get_queryset(self):
+        return super().get_queryset().select_subclasses()
+
+
+class SearchListMixin(MultipleObjectMixin):
+    """Accept search query using `search` querystring parameter. Requires self.search_fields,
+    a list of all fields to search. Can contain special lookups like __icontains"""
+
+    search_fields: List[str]
+
+    def get_queryset(self) -> QuerySet:
+        queryset = super().get_queryset()
+        if "search" in self.request.GET:
+            raw_query = self.request.GET["search"]
+            if raw_query == "":
+                # Empty query, don't search at all
+                return queryset
+            search = SearchQuery(raw_query, search_type="websearch")
+            return queryset.annotate(search=SearchVector(*self.search_fields)).filter(
+                search=search
+            )
+        return queryset
+
+
+class InheritanceCreateView(CreateAssignPermView):
+    """CreateView for objects using InheritanceManager"""
+
+    def get_form_class(self):
+        provider_type = self.request.GET.get("type")
+        try:
+            model = next(
+                x for x in all_subclasses(self.model) if x.__name__ == provider_type
+            )
+        except StopIteration as exc:
+            raise Http404 from exc
+        return model().form
+
+    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
+        kwargs = super().get_context_data(**kwargs)
+        form_cls = self.get_form_class()
+        if hasattr(form_cls, "template_name"):
+            kwargs["base_template"] = form_cls.template_name
+        return kwargs
+
+
+class InheritanceUpdateView(UpdateView):
+    """UpdateView for objects using InheritanceManager"""
+
+    def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
+        kwargs = super().get_context_data(**kwargs)
+        form_cls = self.get_form_class()
+        if hasattr(form_cls, "template_name"):
+            kwargs["base_template"] = form_cls.template_name
+        return kwargs
+
+    def get_form_class(self):
+        return self.get_object().form
+
+    def get_object(self, queryset=None):
+        return (
+            self.model.objects.filter(pk=self.kwargs.get("pk"))
+            .select_subclasses()
+            .first()
+        )
+
+
+class BackSuccessUrlMixin:
+    """Checks if a relative URL has been given as ?back param, and redirect to it. Otherwise
+    default to self.success_url."""
+
+    request: HttpRequest
+
+    success_url: Optional[str]
+
+    def get_success_url(self) -> str:
+        """get_success_url from FormMixin"""
+        back_param = self.request.GET.get("back")
+        if back_param:
+            if not bool(urlparse(back_param).netloc):
+                return back_param
+        return str(self.success_url)
+
+
+class UserPaginateListMixin:
+    """Get paginate_by value from user's attributes, defaulting to 15"""
+
+    request: HttpRequest
+
+    # pylint: disable=unused-argument
+    def get_paginate_by(self, queryset: QuerySet) -> int:
+        """get_paginate_by Function of ListView"""
+        return self.request.user.attributes.get("paginate_by", 15)

authentik/api/auth.py

@@ -0,0 +1,58 @@
+"""API Authentication"""
+from base64 import b64decode
+from binascii import Error
+from typing import Any, Optional, Tuple, Union
+
+from rest_framework.authentication import BaseAuthentication, get_authorization_header
+from rest_framework.request import Request
+from structlog import get_logger
+
+from authentik.core.models import Token, TokenIntents, User
+
+LOGGER = get_logger()
+
+
+def token_from_header(raw_header: bytes) -> Optional[Token]:
+    """raw_header in the Format of `Basic dGVzdDp0ZXN0`"""
+    auth_credentials = raw_header.decode()
+    # Accept headers with Type format and without
+    if " " in auth_credentials:
+        auth_type, auth_credentials = auth_credentials.split()
+        if auth_type.lower() != "basic":
+            LOGGER.debug(
+                "Unsupported authentication type, denying", type=auth_type.lower()
+            )
+            return None
+    try:
+        auth_credentials = b64decode(auth_credentials.encode()).decode()
+    except (UnicodeDecodeError, Error):
+        return None
+    # Accept credentials with username and without
+    if ":" in auth_credentials:
+        _, password = auth_credentials.split(":")
+    else:
+        password = auth_credentials
+    if password == "":  # nosec
+        return None
+    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
+    if not tokens.exists():
+        LOGGER.debug("Token not found")
+        return None
+    return tokens.first()
+
+
+class AuthentikTokenAuthentication(BaseAuthentication):
+    """Token-based authentication using HTTP Basic authentication"""
+
+    def authenticate(self, request: Request) -> Union[Tuple[User, Any], None]:
+        """Token-based authentication using HTTP Basic authentication"""
+        auth = get_authorization_header(request)
+
+        token = token_from_header(auth)
+        if not token:
+            return None
+
+        return (token.user, None)
+
+    def authenticate_header(self, request: Request) -> str:
+        return 'Basic realm="authentik"'

authentik/api/authentication.py

@@ -1,73 +0,0 @@
-"""API Authentication"""
-from base64 import b64decode
-from binascii import Error
-from typing import Any, Optional, Union
-
-from drf_spectacular.authentication import OpenApiAuthenticationExtension
-from rest_framework.authentication import BaseAuthentication, get_authorization_header
-from rest_framework.exceptions import AuthenticationFailed
-from rest_framework.request import Request
-from structlog.stdlib import get_logger
-
-from authentik.core.models import Token, TokenIntents, User
-
-LOGGER = get_logger()
-
-
-# pylint: disable=too-many-return-statements
-def token_from_header(raw_header: bytes) -> Optional[Token]:
-    """raw_header in the Format of `Bearer dGVzdDp0ZXN0`"""
-    auth_credentials = raw_header.decode()
-    if auth_credentials == "" or " " not in auth_credentials:
-        return None
-    auth_type, auth_credentials = auth_credentials.split()
-    if auth_type.lower() not in ["basic", "bearer"]:
-        LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
-        raise AuthenticationFailed("Unsupported authentication type")
-    password = auth_credentials
-    if auth_type.lower() == "basic":
-        try:
-            auth_credentials = b64decode(auth_credentials.encode()).decode()
-        except (UnicodeDecodeError, Error):
-            raise AuthenticationFailed("Malformed header")
-        # Accept credentials with username and without
-        if ":" in auth_credentials:
-            _, password = auth_credentials.split(":")
-        else:
-            password = auth_credentials
-    if password == "":  # nosec
-        raise AuthenticationFailed("Malformed header")
-    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
-    if not tokens.exists():
-        raise AuthenticationFailed("Token invalid/expired")
-    return tokens.first()
-
-
-class TokenAuthentication(BaseAuthentication):
-    """Token-based authentication using HTTP Bearer authentication"""
-
-    def authenticate(self, request: Request) -> Union[tuple[User, Any], None]:
-        """Token-based authentication using HTTP Bearer authentication"""
-        auth = get_authorization_header(request)
-
-        token = token_from_header(auth)
-        # None is only returned when the header isn't set.
-        if not token:
-            return None
-
-        return (token.user, None)  # pragma: no cover
-
-
-class TokenSchema(OpenApiAuthenticationExtension):
-    """Auth schema"""
-
-    target_class = TokenAuthentication
-    name = "authentik"
-
-    def get_security_definition(self, auto_schema):
-        """Auth schema"""
-        return {
-            "type": "apiKey",
-            "in": "header",
-            "name": "Authorization",
-        }

authentik/api/authorization.py

@@ -1,35 +0,0 @@
-"""API Authorization"""
-from django.db.models import Model
-from django.db.models.query import QuerySet
-from rest_framework.filters import BaseFilterBackend
-from rest_framework.permissions import BasePermission
-from rest_framework.request import Request
-
-
-class OwnerFilter(BaseFilterBackend):
-    """Filter objects by their owner"""
-
-    owner_key = "user"
-
-    def filter_queryset(self, request: Request, queryset: QuerySet, view) -> QuerySet:
-        return queryset.filter(**{self.owner_key: request.user})
-
-
-class OwnerPermissions(BasePermission):
-    """Authorize requests by an object's owner matching the requesting user"""
-
-    owner_key = "user"
-
-    def has_permission(self, request: Request, view) -> bool:
-        """If the user is authenticated, we allow all requests here. For listing, the
-        object-level permissions are done by the filter backend"""
-        return request.user.is_authenticated
-
-    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
-        """Check if the object's owner matches the currently logged in user"""
-        if not hasattr(obj, self.owner_key):
-            return False
-        owner = getattr(obj, self.owner_key)
-        if owner != request.user:
-            return False
-        return True

authentik/api/decorators.py

@@ -1,32 +0,0 @@
-"""API Decorators"""
-from functools import wraps
-from typing import Callable, Optional
-
-from rest_framework.request import Request
-from rest_framework.response import Response
-from rest_framework.viewsets import ModelViewSet
-
-
-def permission_required(
-    perm: Optional[str] = None, other_perms: Optional[list[str]] = None
-):
-    """Check permissions for a single custom action"""
-
-    def wrapper_outter(func: Callable):
-        """Check permissions for a single custom action"""
-
-        @wraps(func)
-        def wrapper(self: ModelViewSet, request: Request, *args, **kwargs) -> Response:
-            if perm:
-                obj = self.get_object()
-                if not request.user.has_perm(perm, obj):
-                    return self.permission_denied(request)
-            if other_perms:
-                for other_perm in other_perms:
-                    if not request.user.has_perm(other_perm):
-                        return self.permission_denied(request)
-            return func(self, request, *args, **kwargs)
-
-        return wrapper
-
-    return wrapper_outter

authentik/api/pagination.py

@@ -6,7 +6,6 @@ from rest_framework.response import Response
 class Pagination(pagination.PageNumberPagination):
     """Pagination which includes total pages and current page"""
 
-    page_query_param = "page"
     page_size_query_param = "page_size"
 
     def get_paginated_response(self, data):
@@ -30,47 +29,3 @@ class Pagination(pagination.PageNumberPagination):
                 "results": data,
             }
         )
-
-    def get_paginated_response_schema(self, schema):
-        return {
-            "type": "object",
-            "properties": {
-                "pagination": {
-                    "type": "object",
-                    "properties": {
-                        "next": {
-                            "type": "number",
-                        },
-                        "previous": {
-                            "type": "number",
-                        },
-                        "count": {
-                            "type": "number",
-                        },
-                        "current": {
-                            "type": "number",
-                        },
-                        "total_pages": {
-                            "type": "number",
-                        },
-                        "start_index": {
-                            "type": "number",
-                        },
-                        "end_index": {
-                            "type": "number",
-                        },
-                    },
-                    "required": [
-                        "next",
-                        "previous",
-                        "count",
-                        "current",
-                        "total_pages",
-                        "start_index",
-                        "end_index",
-                    ],
-                },
-                "results": schema,
-            },
-            "required": ["pagination", "results"],
-        }

authentik/api/schema.py

@@ -1,77 +0,0 @@
-"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
-from django.utils.translation import gettext_lazy as _
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    build_array_type,
-    build_basic_type,
-    build_object_type,
-)
-from drf_spectacular.settings import spectacular_settings
-from drf_spectacular.types import OpenApiTypes
-
-
-def build_standard_type(obj, **kwargs):
-    """Build a basic type with optional add ons."""
-    schema = build_basic_type(obj)
-    schema.update(kwargs)
-    return schema
-
-
-GENERIC_ERROR = build_object_type(
-    description=_("Generic API Error"),
-    properties={
-        "detail": build_standard_type(OpenApiTypes.STR),
-        "code": build_standard_type(OpenApiTypes.STR),
-    },
-    required=["detail"],
-)
-VALIDATION_ERROR = build_object_type(
-    description=_("Validation Error"),
-    properties={
-        "non_field_errors": build_array_type(build_standard_type(OpenApiTypes.STR)),
-        "code": build_standard_type(OpenApiTypes.STR),
-    },
-    required=["detail"],
-    additionalProperties={},
-)
-
-
-def postprocess_schema_responses(result, generator, **kwargs):  # noqa: W0613
-    """Workaround to set a default response for endpoints.
-    Workaround suggested at
-    <https://github.com/tfranzel/drf-spectacular/issues/119#issuecomment-656970357>
-    for the missing drf-spectacular feature discussed in
-    <https://github.com/tfranzel/drf-spectacular/issues/101>.
-    """
-
-    def create_component(name, schema, type_=ResolvedComponent.SCHEMA):
-        """Register a component and return a reference to it."""
-        component = ResolvedComponent(
-            name=name,
-            type=type_,
-            schema=schema,
-            object=name,
-        )
-        generator.registry.register_on_missing(component)
-        return component
-
-    generic_error = create_component("GenericError", GENERIC_ERROR)
-    validation_error = create_component("ValidationError", VALIDATION_ERROR)
-
-    for path in result["paths"].values():
-        for method in path.values():
-            method["responses"].setdefault("400", validation_error.ref)
-            method["responses"].setdefault("403", generic_error.ref)
-
-    result["components"] = generator.registry.build(
-        spectacular_settings.APPEND_COMPONENTS
-    )
-
-    # This is a workaround for authentik/stages/prompt/stage.py
-    # since the serializer PromptChallengeResponse
-    # accepts dynamic keys
-    for component in result["components"]["schemas"]:
-        if component == "PromptChallengeResponseRequest":
-            comp = result["components"]["schemas"][component]
-            comp["additionalProperties"] = {}
-    return result

authentik/api/templates/api/browser.html

@@ -1,49 +0,0 @@
-{% extends "base/skeleton.html" %}
-
-{% load static %}
-
-{% block title %}
-API Browser - {{ tenant.branding_title }}
-{% endblock %}
-
-{% block head %}
-<script type="module" src="{% static 'dist/rapidoc-min.js' %}"></script>
-{% endblock %}
-
-{% block body %}
-<script>
-function getCookie(name) {
-    let cookieValue = "";
-    if (document.cookie && document.cookie !== "") {
-        const cookies = document.cookie.split(";");
-        for (let i = 0; i < cookies.length; i++) {
-            const cookie = cookies[i].trim();
-            // Does this cookie string begin with the name we want?
-            if (cookie.substring(0, name.length + 1) === name + "=") {
-                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
-                break;
-            }
-        }
-    }
-    return cookieValue;
-}
-window.addEventListener('DOMContentLoaded', (event) => {
-    const rapidocEl = document.querySelector('rapi-doc');
-    rapidocEl.addEventListener('before-try', (e) => {
-        e.detail.request.headers.append('X-CSRFToken', getCookie("authentik_csrf"));
-    });
-});
-</script>
-<rapi-doc
-    spec-url="{{ path }}"
-    heading-text="authentik"
-    theme="dark"
-    render-style="view"
-    primary-color="#fd4b2d"
-    allow-spec-url-load="false"
-    allow-spec-file-load="false">
-    <div slot="logo">
-        <img src="{% static 'dist/assets/icons/icon.png' %}" style="width:50px; height:50px" />
-    </div>
-</rapi-doc>
-{% endblock %}

authentik/api/templates/rest_framework/api.html

@@ -0,0 +1,7 @@
+{% extends "rest_framework/base.html" %}
+
+{% block branding %}
+<span class='navbar-brand'>
+    authentik
+</span>
+{% endblock %}

authentik/api/tests.py

@@ -0,0 +1,37 @@
+"""Test API Authentication"""
+from base64 import b64encode
+
+from django.test import TestCase
+from guardian.shortcuts import get_anonymous_user
+
+from authentik.api.auth import token_from_header
+from authentik.core.models import Token, TokenIntents
+
+
+class TestAPIAuth(TestCase):
+    """Test API Authentication"""
+
+    def test_valid(self):
+        """Test valid token"""
+        token = Token.objects.create(
+            intent=TokenIntents.INTENT_API, user=get_anonymous_user()
+        )
+        auth = b64encode(f":{token.key}".encode()).decode()
+        self.assertEqual(token_from_header(f"Basic {auth}".encode()), token)
+
+    def test_invalid_type(self):
+        """Test invalid type"""
+        self.assertIsNone(token_from_header("foo bar".encode()))
+
+    def test_invalid_decode(self):
+        """Test invalid bas64"""
+        self.assertIsNone(token_from_header("Basic bar".encode()))
+
+    def test_invalid_empty_password(self):
+        """Test invalid with empty password"""
+        self.assertIsNone(token_from_header("Basic :".encode()))
+
+    def test_invalid_no_token(self):
+        """Test invalid with no token"""
+        auth = b64encode(":abc".encode()).decode()
+        self.assertIsNone(token_from_header(f"Basic :{auth}".encode()))

authentik/api/tests/test_auth.py

@@ -1,49 +0,0 @@
-"""Test API Authentication"""
-from base64 import b64encode
-
-from django.test import TestCase
-from guardian.shortcuts import get_anonymous_user
-from rest_framework.exceptions import AuthenticationFailed
-
-from authentik.api.authentication import token_from_header
-from authentik.core.models import Token, TokenIntents
-
-
-class TestAPIAuth(TestCase):
-    """Test API Authentication"""
-
-    def test_valid_basic(self):
-        """Test valid token"""
-        token = Token.objects.create(
-            intent=TokenIntents.INTENT_API, user=get_anonymous_user()
-        )
-        auth = b64encode(f":{token.key}".encode()).decode()
-        self.assertEqual(token_from_header(f"Basic {auth}".encode()), token)
-
-    def test_valid_bearer(self):
-        """Test valid token"""
-        token = Token.objects.create(
-            intent=TokenIntents.INTENT_API, user=get_anonymous_user()
-        )
-        self.assertEqual(token_from_header(f"Bearer {token.key}".encode()), token)
-
-    def test_invalid_type(self):
-        """Test invalid type"""
-        with self.assertRaises(AuthenticationFailed):
-            token_from_header("foo bar".encode())
-
-    def test_invalid_decode(self):
-        """Test invalid bas64"""
-        with self.assertRaises(AuthenticationFailed):
-            token_from_header("Basic bar".encode())
-
-    def test_invalid_empty_password(self):
-        """Test invalid with empty password"""
-        with self.assertRaises(AuthenticationFailed):
-            token_from_header("Basic :".encode())
-
-    def test_invalid_no_token(self):
-        """Test invalid with no token"""
-        with self.assertRaises(AuthenticationFailed):
-            auth = b64encode(":abc".encode()).decode()
-            self.assertIsNone(token_from_header(f"Basic :{auth}".encode()))

authentik/api/tests/test_config.py

@@ -1,16 +0,0 @@
-"""Test config API"""
-from json import loads
-
-from django.urls import reverse
-from rest_framework.test import APITestCase
-
-
-class TestConfig(APITestCase):
-    """Test config API"""
-
-    def test_config(self):
-        """Test YAML generation"""
-        response = self.client.get(
-            reverse("authentik_api:config"),
-        )
-        self.assertTrue(loads(response.content.decode()))

authentik/api/tests/test_decorators.py

@@ -1,33 +0,0 @@
-"""test decorators api"""
-from django.urls import reverse
-from guardian.shortcuts import assign_perm
-from rest_framework.test import APITestCase
-
-from authentik.core.models import Application, User
-
-
-class TestAPIDecorators(APITestCase):
-    """test decorators api"""
-
-    def setUp(self) -> None:
-        super().setUp()
-        self.user = User.objects.create(username="test-user")
-
-    def test_obj_perm_denied(self):
-        """Test object perm denied"""
-        self.client.force_login(self.user)
-        app = Application.objects.create(name="denied", slug="denied")
-        response = self.client.get(
-            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
-        )
-        self.assertEqual(response.status_code, 403)
-
-    def test_other_perm_denied(self):
-        """Test other perm denied"""
-        self.client.force_login(self.user)
-        app = Application.objects.create(name="denied", slug="denied")
-        assign_perm("authentik_core.view_application", self.user, app)
-        response = self.client.get(
-            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
-        )
-        self.assertEqual(response.status_code, 403)