release: 2021.6.1

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.6.1-rc6
+current_version = 2021.6.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)

.github/workflows/release.yml

@@ -33,15 +33,15 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik:2021.6.1-rc6,
+            beryju/authentik:2021.6.1,
             beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.6.1-rc6,
+            ghcr.io/goauthentik/server:2021.6.1,
             ghcr.io/goauthentik/server:latest
           platforms: linux/amd64,linux/arm64
           context: .
       - name: Building Docker Image (stable)
         uses: docker/build-push-action@v2
-        if: ${{ github.event_name == 'release' && !contains('2021.6.1-rc6', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.6.1', 'rc') }}
         with:
           push: true
           tags: |
@@ -76,15 +76,15 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-proxy:2021.6.1-rc6,
+            beryju/authentik-proxy:2021.6.1,
             beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.6.1-rc6,
+            ghcr.io/goauthentik/proxy:2021.6.1,
             ghcr.io/goauthentik/proxy:latest
           file: outpost/proxy.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
         uses: docker/build-push-action@v2
-        if: ${{ github.event_name == 'release' && !contains('2021.6.1-rc6', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.6.1', 'rc') }}
         with:
           push: true
           tags: |
@@ -119,15 +119,15 @@ jobs:
         with:
           push: ${{ github.event_name == 'release' }}
           tags: |
-            beryju/authentik-ldap:2021.6.1-rc6,
+            beryju/authentik-ldap:2021.6.1,
             beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.6.1-rc6,
+            ghcr.io/goauthentik/ldap:2021.6.1,
             ghcr.io/goauthentik/ldap:latest
           file: outpost/ldap.Dockerfile
           platforms: linux/amd64,linux/arm64
       - name: Building Docker Image (stable)
         uses: docker/build-push-action@v2
-        if: ${{ github.event_name == 'release' && !contains('2021.6.1-rc6', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.6.1', 'rc') }}
         with:
           push: true
           tags: |
@@ -168,5 +168,5 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          version: authentik@2021.6.1-rc6
+          version: authentik@2021.6.1
           environment: beryjuorg-prod

Pipfile.lock

@@ -122,19 +122,19 @@
         },
         "boto3": {
             "hashes": [
-                "sha256:6180272094030bda3ee5c242881892cd3d9d19c05cb513945f530e396c7de1e4",
-                "sha256:95d814d16fe55ae55e1e4a3db248596f9647a0c42f4796c6e05be0bfaffb1830"
+                "sha256:67a4b0578944f061fbfa05206eb5b10c5250374e9849743413739c539584b60e",
+                "sha256:c7d6f3f09081440ca80500e679fec19f0b7597648ee380ae940ed29ad5c3768f"
             ],
             "index": "pypi",
-            "version": "==1.17.94"
+            "version": "==1.17.96"
         },
         "botocore": {
             "hashes": [
-                "sha256:60a382a5b2f7d77b1b575d54fba819097526e3fdd0f3004f4d1142d50af0d642",
-                "sha256:ba8a7951be535e25219a82dea15c30d7bdf0c51e7c1623c3306248493c1616ac"
+                "sha256:204f7403bfe1ab837784421ddd069fd880be99d946cb59cbf31c72296ea9507a",
+                "sha256:b18d2d016b371b769a88cb080088ce75582748b4a7efa5748e9ced4f23bdbc99"
             ],
             "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
-            "version": "==1.20.94"
+            "version": "==1.20.96"
         },
         "cachetools": {
             "hashes": [
@@ -426,11 +426,11 @@
         },
         "drf-spectacular": {
             "hashes": [
-                "sha256:146e8c21dc806a20c84c687811c30163970fbf620213ab87280f7403469d80bb",
-                "sha256:8a028d251a6d0b39739ebdec487fd43ee4ecba244d8ffaaac43ff06430728dd8"
+                "sha256:6ffbfde7d96a4a2febd19182cc405217e1e86a50280fc739402291c93d1a32b7",
+                "sha256:77593024bb899f69227abedcf87def7851a11c9978f781aa4b385a10f67a38b7"
             ],
             "index": "pypi",
-            "version": "==0.17.1"
+            "version": "==0.17.2"
         },
         "duo-client": {
             "hashes": [
@@ -794,44 +794,38 @@
         },
         "psycopg2-binary": {
             "hashes": [
-                "sha256:0deac2af1a587ae12836aa07970f5cb91964f05a7c6cdb69d8425ff4c15d4e2c",
-                "sha256:0e4dc3d5996760104746e6cfcdb519d9d2cd27c738296525d5867ea695774e67",
-                "sha256:11b9c0ebce097180129e422379b824ae21c8f2a6596b159c7659e2e5a00e1aa0",
-                "sha256:15978a1fbd225583dd8cdaf37e67ccc278b5abecb4caf6b2d6b8e2b948e953f6",
-                "sha256:1fabed9ea2acc4efe4671b92c669a213db744d2af8a9fc5d69a8e9bc14b7a9db",
-                "sha256:2dac98e85565d5688e8ab7bdea5446674a83a3945a8f416ad0110018d1501b94",
-                "sha256:42ec1035841b389e8cc3692277a0bd81cdfe0b65d575a2c8862cec7a80e62e52",
-                "sha256:6422f2ff0919fd720195f64ffd8f924c1395d30f9a495f31e2392c2efafb5056",
-                "sha256:6a32f3a4cb2f6e1a0b15215f448e8ce2da192fd4ff35084d80d5e39da683e79b",
-                "sha256:7312e931b90fe14f925729cde58022f5d034241918a5c4f9797cac62f6b3a9dd",
-                "sha256:7d92a09b788cbb1aec325af5fcba9fed7203897bbd9269d5691bb1e3bce29550",
-                "sha256:833709a5c66ca52f1d21d41865a637223b368c0ee76ea54ca5bad6f2526c7679",
-                "sha256:89705f45ce07b2dfa806ee84439ec67c5d9a0ef20154e0e475e2b2ed392a5b83",
-                "sha256:8cd0fb36c7412996859cb4606a35969dd01f4ea34d9812a141cd920c3b18be77",
-                "sha256:950bc22bb56ee6ff142a2cb9ee980b571dd0912b0334aa3fe0fe3788d860bea2",
-                "sha256:a0c50db33c32594305b0ef9abc0cb7db13de7621d2cadf8392a1d9b3c437ef77",
-                "sha256:a0eb43a07386c3f1f1ebb4dc7aafb13f67188eab896e7397aa1ee95a9c884eb2",
-                "sha256:aaa4213c862f0ef00022751161df35804127b78adf4a2755b9f991a507e425fd",
-                "sha256:ac0c682111fbf404525dfc0f18a8b5f11be52657d4f96e9fcb75daf4f3984859",
-                "sha256:ad20d2eb875aaa1ea6d0f2916949f5c08a19c74d05b16ce6ebf6d24f2c9f75d1",
-                "sha256:b4afc542c0ac0db720cf516dd20c0846f71c248d2b3d21013aa0d4ef9c71ca25",
-                "sha256:b8a3715b3c4e604bcc94c90a825cd7f5635417453b253499664f784fc4da0152",
-                "sha256:ba28584e6bca48c59eecbf7efb1576ca214b47f05194646b081717fa628dfddf",
-                "sha256:ba381aec3a5dc29634f20692349d73f2d21f17653bda1decf0b52b11d694541f",
-                "sha256:bd1be66dde2b82f80afb9459fc618216753f67109b859a361cf7def5c7968729",
-                "sha256:c2507d796fca339c8fb03216364cca68d87e037c1f774977c8fc377627d01c71",
-                "sha256:cec7e622ebc545dbb4564e483dd20e4e404da17ae07e06f3e780b2dacd5cee66",
-                "sha256:d14b140a4439d816e3b1229a4a525df917d6ea22a0771a2a78332273fd9528a4",
-                "sha256:d1b4ab59e02d9008efe10ceabd0b31e79519da6fb67f7d8e8977118832d0f449",
-                "sha256:d5227b229005a696cc67676e24c214740efd90b148de5733419ac9aaba3773da",
-                "sha256:e1f57aa70d3f7cc6947fd88636a481638263ba04a742b4a37dd25c373e41491a",
-                "sha256:e74a55f6bad0e7d3968399deb50f61f4db1926acf4a6d83beaaa7df986f48b1c",
-                "sha256:e82aba2188b9ba309fd8e271702bd0d0fc9148ae3150532bbb474f4590039ffb",
-                "sha256:ee69dad2c7155756ad114c02db06002f4cded41132cc51378e57aad79cc8e4f4",
-                "sha256:f5ab93a2cb2d8338b1674be43b442a7f544a0971da062a5da774ed40587f18f5"
+                "sha256:0b7dae87f0b729922e06f85f667de7bf16455d411971b2043bbd9577af9d1975",
+                "sha256:0f2e04bd2a2ab54fa44ee67fe2d002bb90cee1c0f1cc0ebc3148af7b02034cbd",
+                "sha256:123c3fb684e9abfc47218d3784c7b4c47c8587951ea4dd5bc38b6636ac57f616",
+                "sha256:1473c0215b0613dd938db54a653f68251a45a78b05f6fc21af4326f40e8360a2",
+                "sha256:14db1752acdd2187d99cb2ca0a1a6dfe57fc65c3281e0f20e597aac8d2a5bd90",
+                "sha256:1e3a362790edc0a365385b1ac4cc0acc429a0c0d662d829a50b6ce743ae61b5a",
+                "sha256:1e85b74cbbb3056e3656f1cc4781294df03383127a8114cbc6531e8b8367bf1e",
+                "sha256:20f1ab44d8c352074e2d7ca67dc00843067788791be373e67a0911998787ce7d",
+                "sha256:2f62c207d1740b0bde5c4e949f857b044818f734a3d57f1d0d0edc65050532ed",
+                "sha256:3242b9619de955ab44581a03a64bdd7d5e470cc4183e8fcadd85ab9d3756ce7a",
+                "sha256:35c4310f8febe41f442d3c65066ca93cccefd75013df3d8c736c5b93ec288140",
+                "sha256:4235f9d5ddcab0b8dbd723dca56ea2922b485ea00e1dafacf33b0c7e840b3d32",
+                "sha256:5ced67f1e34e1a450cdb48eb53ca73b60aa0af21c46b9b35ac3e581cf9f00e31",
+                "sha256:7360647ea04db2e7dff1648d1da825c8cf68dc5fbd80b8fb5b3ee9f068dcd21a",
+                "sha256:8c13d72ed6af7fd2c8acbd95661cf9477f94e381fce0792c04981a8283b52917",
+                "sha256:988b47ac70d204aed01589ed342303da7c4d84b56c2f4c4b8b00deda123372bf",
+                "sha256:995fc41ebda5a7a663a254a1dcac52638c3e847f48307b5416ee373da15075d7",
+                "sha256:a36c7eb6152ba5467fb264d73844877be8b0847874d4822b7cf2d3c0cb8cdcb0",
+                "sha256:aed4a9a7e3221b3e252c39d0bf794c438dc5453bc2963e8befe9d4cd324dff72",
+                "sha256:aef9aee84ec78af51107181d02fe8773b100b01c5dfde351184ad9223eab3698",
+                "sha256:b0221ca5a9837e040ebf61f48899926b5783668b7807419e4adae8175a31f773",
+                "sha256:b4d7679a08fea64573c969f6994a2631908bb2c0e69a7235648642f3d2e39a68",
+                "sha256:c250a7ec489b652c892e4f0a5d122cc14c3780f9f643e1a326754aedf82d9a76",
+                "sha256:ca86db5b561b894f9e5f115d6a159fff2a2570a652e07889d8a383b5fae66eb4",
+                "sha256:cfc523edecddaef56f6740d7de1ce24a2fdf94fd5e704091856a201872e37f9f",
+                "sha256:da113b70f6ec40e7d81b43d1b139b9db6a05727ab8be1ee559f3a69854a69d34",
+                "sha256:f6fac64a38f6768e7bc7b035b9e10d8a538a9fadce06b983fb3e6fa55ac5f5ce",
+                "sha256:f8559617b1fcf59a9aedba2c9838b5b6aa211ffedecabca412b92a1ff75aac1a",
+                "sha256:fbb42a541b1093385a2d8c7eec94d26d30437d0e77c1d25dae1dcc46741a385e"
             ],
             "index": "pypi",
-            "version": "==2.8.6"
+            "version": "==2.9.1"
         },
         "pyasn1": {
             "hashes": [
@@ -1538,11 +1532,11 @@
         },
         "gitpython": {
             "hashes": [
-                "sha256:29fe82050709760081f588dd50ce83504feddbebdc4da6956d02351552b1c135",
-                "sha256:ee24bdc93dce357630764db659edaf6b8d664d4ff5447ccfeedd2dc5c253f41e"
+                "sha256:3283ae2fba31c913d857e12e5ba5f9a7772bbc064ae2bb09efafa71b0dd4939b",
+                "sha256:be27633e7509e58391f10207cd32b2a6cf5b908f92d9cd30da2e514e1137af61"
             ],
-            "markers": "python_version >= '3.5'",
-            "version": "==3.1.17"
+            "markers": "python_version >= '3.4'",
+            "version": "==3.1.14"
         },
         "idna": {
             "hashes": [
@@ -1563,7 +1557,7 @@
                 "sha256:0a943902919f65c5684ac4e0154b1ad4fac6dcaa5d9f3426b732f1c8b5419be6",
                 "sha256:2bb1680aad211e3c9944dbce1d4ba09a989f04e238296c87fe2139faa26d655d"
             ],
-            "markers": "python_version >= '3.6' and python_version < '4'",
+            "markers": "python_version >= '3.6' and python_version < '4.0'",
             "version": "==5.8.0"
         },
         "lazy-object-proxy": {

authentik/__init__.py

@@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.6.1-rc6"
+__version__ = "2021.6.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"

authentik/core/models.py

@@ -494,8 +494,12 @@ class AuthenticatedSession(ExpiringModel):
     last_used = models.DateTimeField(auto_now=True)
 
     @staticmethod
-    def from_request(request: HttpRequest, user: User) -> "AuthenticatedSession":
+    def from_request(
+        request: HttpRequest, user: User
+    ) -> Optional["AuthenticatedSession"]:
         """Create a new session from a http request"""
+        if not hasattr(request, "session") or not request.session.session_key:
+            return None
         return AuthenticatedSession(
             session_key=request.session.session_key,
             user=user,

authentik/core/signals.py

@@ -49,7 +49,9 @@ def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
     """Create an AuthenticatedSession from request"""
     from authentik.core.models import AuthenticatedSession
 
-    AuthenticatedSession.from_request(request, user).save()
+    session = AuthenticatedSession.from_request(request, user)
+    if session:
+        session.save()
 
 
 @receiver(user_logged_out)

authentik/core/sources/flow_manager.py

@@ -183,6 +183,8 @@ class SourceFlowManager:
     # pylint: disable=unused-argument
     def get_stages_to_append(self, flow: Flow) -> list[Stage]:
         """Hook to override stages which are appended to the flow"""
+        if not self.source.enrollment_flow:
+            return []
         if flow.slug == self.source.enrollment_flow.slug:
             return [
                 in_memory_stage(PostUserEnrollmentStage),

authentik/flows/stage.py

@@ -18,27 +18,11 @@ from authentik.flows.challenge import (
 )
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.views import FlowExecutorView
-from authentik.lib.sentry import SentryIgnoredException
 
 PLAN_CONTEXT_PENDING_USER_IDENTIFIER = "pending_user_identifier"
 LOGGER = get_logger()
 
 
-class InvalidChallengeError(SentryIgnoredException):
-    """Error raised when a challenge from a stage is not valid"""
-
-    def __init__(self, errors, stage_view: View, challenge: Challenge) -> None:
-        super().__init__()
-        self.errors = errors
-        self.stage_view = stage_view
-        self.challenge = challenge
-
-    def __str__(self) -> str:
-        return (
-            f"Invalid challenge from {self.stage_view}: {self.errors}\n{self.challenge}"
-        )
-
-
 class StageView(View):
     """Abstract Stage, inherits TemplateView but can be combined with FormView"""
 

authentik/flows/views.py

@@ -44,6 +44,7 @@ from authentik.flows.planner import (
     FlowPlan,
     FlowPlanner,
 )
+from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.reflection import all_subclasses, class_to_path
 from authentik.lib.utils.urls import is_url_absolute, redirect_with_qs
 from authentik.tenants.models import Tenant
@@ -93,6 +94,10 @@ def challenge_response_types():
     return Inner()
 
 
+class InvalidStageError(SentryIgnoredException):
+    """Error raised when a challenge from a stage is not valid"""
+
+
 @method_decorator(xframe_options_sameorigin, name="dispatch")
 class FlowExecutorView(APIView):
     """Stage 1 Flow executor, passing requests to Stage Views"""
@@ -164,12 +169,19 @@ class FlowExecutorView(APIView):
             current_stage=self.current_stage,
             flow_slug=self.flow.slug,
         )
-        stage_cls = self.current_stage.type
+        try:
+            stage_cls = self.current_stage.type
+        except NotImplementedError as exc:
+            self._logger.debug("Error getting stage type", exc=exc)
+            return self.stage_invalid()
         self.current_stage_view = stage_cls(self)
         self.current_stage_view.args = self.args
         self.current_stage_view.kwargs = self.kwargs
         self.current_stage_view.request = request
-        return super().dispatch(request)
+        try:
+            return super().dispatch(request)
+        except InvalidStageError as exc:
+            return self.stage_invalid(str(exc))
 
     @extend_schema(
         responses={

authentik/providers/saml/processors/assertion.py

@@ -24,6 +24,7 @@ from authentik.sources.saml.processors.constants import (
     SAML_NAME_ID_FORMAT_EMAIL,
     SAML_NAME_ID_FORMAT_PERSISTENT,
     SAML_NAME_ID_FORMAT_TRANSIENT,
+    SAML_NAME_ID_FORMAT_UNSPECIFIED,
     SAML_NAME_ID_FORMAT_WINDOWS,
     SAML_NAME_ID_FORMAT_X509,
     SIGN_ALGORITHM_TRANSFORM_MAP,
@@ -165,7 +166,10 @@ class AssertionProcessor:
         if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_EMAIL:
             name_id.text = self.http_request.user.email
             return name_id
-        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_PERSISTENT:
+        if name_id.attrib["Format"] in [
+            SAML_NAME_ID_FORMAT_PERSISTENT,
+            SAML_NAME_ID_FORMAT_UNSPECIFIED,
+        ]:
             name_id.text = persistent
             return name_id
         if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_X509:
@@ -180,7 +184,7 @@ class AssertionProcessor:
             return name_id
         if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
             # Use the hash of the user's session, which changes every session
-            session_key: str = self.http_request.user.session.session_key
+            session_key: str = self.http_request.session.session_key
             name_id.text = sha256(session_key.encode()).hexdigest()
             return name_id
         raise UnsupportedNameIDFormat(

authentik/providers/saml/processors/request_parser.py

@@ -20,7 +20,7 @@ from authentik.sources.saml.processors.constants import (
     RSA_SHA256,
     RSA_SHA384,
     RSA_SHA512,
-    SAML_NAME_ID_FORMAT_EMAIL,
+    SAML_NAME_ID_FORMAT_UNSPECIFIED,
 )
 
 LOGGER = get_logger()
@@ -42,7 +42,7 @@ class AuthNRequest:
 
     relay_state: Optional[str] = None
 
-    name_id_policy: str = SAML_NAME_ID_FORMAT_EMAIL
+    name_id_policy: str = SAML_NAME_ID_FORMAT_UNSPECIFIED
 
 
 class AuthNRequestParser:
@@ -69,10 +69,12 @@ class AuthNRequestParser:
         auth_n_request = AuthNRequest(id=root.attrib["ID"], relay_state=relay_state)
 
         # Check if AuthnRequest has a NameID Policy object
-        name_id_policies = root.findall(f"{{{NS_SAML_PROTOCOL}}}:NameIDPolicy")
+        name_id_policies = root.findall(f"{{{NS_SAML_PROTOCOL}}}NameIDPolicy")
         if len(name_id_policies) > 0:
             name_id_policy = name_id_policies[0]
-            auth_n_request.name_id_policy = name_id_policy.attrib["Format"]
+            auth_n_request.name_id_policy = name_id_policy.attrib.get(
+                "Format", SAML_NAME_ID_FORMAT_UNSPECIFIED
+            )
 
         return auth_n_request
 

authentik/providers/saml/tests/test_auth_n_request.py

@@ -14,7 +14,7 @@ from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.request_parser import AuthNRequestParser
 from authentik.sources.saml.exceptions import MismatchedRequestID
 from authentik.sources.saml.models import SAMLSource
-from authentik.sources.saml.processors.constants import SAML_NAME_ID_FORMAT_EMAIL
+from authentik.sources.saml.processors.constants import SAML_NAME_ID_FORMAT_UNSPECIFIED
 from authentik.sources.saml.processors.request import (
     SESSION_REQUEST_ID,
     RequestProcessor,
@@ -206,5 +206,5 @@ class TestAuthNRequest(TestCase):
             REDIRECT_REQUEST, REDIRECT_RELAY_STATE, REDIRECT_SIGNATURE, REDIRECT_SIG_ALG
         )
         self.assertEqual(parsed_request.id, "_dcf55fcd27a887e60a7ef9ee6fd3adab")
-        self.assertEqual(parsed_request.name_id_policy, SAML_NAME_ID_FORMAT_EMAIL)
+        self.assertEqual(parsed_request.name_id_policy, SAML_NAME_ID_FORMAT_UNSPECIFIED)
         self.assertEqual(parsed_request.relay_state, REDIRECT_RELAY_STATE)

authentik/providers/saml/views/flows.py

@@ -17,6 +17,7 @@ from authentik.providers.saml.models import SAMLBindings, SAMLProvider
 from authentik.providers.saml.processors.assertion import AssertionProcessor
 from authentik.providers.saml.processors.request_parser import AuthNRequest
 from authentik.providers.saml.utils.encoding import deflate_and_base64_encode, nice64
+from authentik.sources.saml.exceptions import SAMLException
 
 LOGGER = get_logger()
 URL_VALIDATOR = URLValidator(schemes=("http", "https"))
@@ -56,22 +57,30 @@ class SAMLFlowFinalView(ChallengeStageView):
         provider: SAMLProvider = get_object_or_404(
             SAMLProvider, pk=application.provider_id
         )
-        # Log Application Authorization
-        Event.new(
-            EventAction.AUTHORIZE_APPLICATION,
-            authorized_application=application,
-            flow=self.executor.plan.flow_pk,
-        ).from_http(self.request)
-
         if SESSION_KEY_AUTH_N_REQUEST not in self.request.session:
             return self.executor.stage_invalid()
 
         auth_n_request: AuthNRequest = self.request.session.pop(
             SESSION_KEY_AUTH_N_REQUEST
         )
-        response = AssertionProcessor(
-            provider, request, auth_n_request
-        ).build_response()
+        try:
+            response = AssertionProcessor(
+                provider, request, auth_n_request
+            ).build_response()
+        except SAMLException as exc:
+            Event.new(
+                EventAction.CONFIGURATION_ERROR,
+                message=f"Failed to process SAML assertion: {str(exc)}",
+                provider=provider,
+            ).from_http(self.request)
+            return self.executor.stage_invalid()
+
+        # Log Application Authorization
+        Event.new(
+            EventAction.AUTHORIZE_APPLICATION,
+            authorized_application=application,
+            flow=self.executor.plan.flow_pk,
+        ).from_http(self.request)
 
         if provider.sp_binding == SAMLBindings.POST:
             form_attrs = {

authentik/recovery/management/commands/create_recovery_key.py

@@ -44,7 +44,7 @@ class Command(BaseCommand):
             user=user,
             intent=TokenIntents.INTENT_RECOVERY,
             description=f"Recovery Token generated by {getuser()} on {_now}",
-            identifier=f"ak-recovery-{user}",
+            identifier=f"ak-recovery-{user}-{_now}",
         )
         self.stdout.write(
             (

authentik/sources/saml/exceptions.py

@@ -2,17 +2,21 @@
 from authentik.lib.sentry import SentryIgnoredException
 
 
-class MissingSAMLResponse(SentryIgnoredException):
+class SAMLException(SentryIgnoredException):
+    """Base SAML Exception"""
+
+
+class MissingSAMLResponse(SAMLException):
     """Exception raised when request does not contain SAML Response."""
 
 
-class UnsupportedNameIDFormat(SentryIgnoredException):
+class UnsupportedNameIDFormat(SAMLException):
     """Exception raised when SAML Response contains NameID Format not supported."""
 
 
-class MismatchedRequestID(SentryIgnoredException):
+class MismatchedRequestID(SAMLException):
     """Exception raised when the returned request ID doesn't match the saved ID."""
 
 
-class InvalidSignature(SentryIgnoredException):
+class InvalidSignature(SAMLException):
     """Signature of XML Object is either missing or invalid"""

authentik/sources/saml/processors/constants.py

@@ -15,6 +15,9 @@ NS_MAP = {
 
 SAML_NAME_ID_FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
 SAML_NAME_ID_FORMAT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
+SAML_NAME_ID_FORMAT_UNSPECIFIED = (
+    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
+)
 SAML_NAME_ID_FORMAT_X509 = "urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName"
 SAML_NAME_ID_FORMAT_WINDOWS = (
     "urn:oasis:names:tc:SAML:2.0:nameid-format:WindowsDomainQualifiedName"

authentik/stages/authenticator_duo/api.py

@@ -9,7 +9,7 @@ from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
-from rest_framework.viewsets import GenericViewSet, ModelViewSet, ReadOnlyModelViewSet
+from rest_framework.viewsets import GenericViewSet, ModelViewSet
 
 from authentik.api.authorization import OwnerFilter, OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
@@ -94,7 +94,7 @@ class DuoDeviceViewSet(
     filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
 
 
-class DuoAdminDeviceViewSet(ReadOnlyModelViewSet):
+class DuoAdminDeviceViewSet(ModelViewSet):
     """Viewset for Duo authenticator devices (for admins)"""
 
     permission_classes = [IsAdminUser]

authentik/stages/authenticator_duo/stage.py

@@ -3,6 +3,7 @@ from django.http import HttpRequest, HttpResponse
 from rest_framework.fields import CharField
 from structlog.stdlib import get_logger
 
+from authentik.events.models import Event, EventAction
 from authentik.flows.challenge import (
     Challenge,
     ChallengeResponse,
@@ -11,6 +12,7 @@ from authentik.flows.challenge import (
 )
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
 from authentik.flows.stage import ChallengeStageView
+from authentik.flows.views import InvalidStageError
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 
 LOGGER = get_logger()
@@ -42,7 +44,15 @@ class AuthenticatorDuoStageView(ChallengeStageView):
     def get_challenge(self, *args, **kwargs) -> Challenge:
         user = self.get_pending_user()
         stage: AuthenticatorDuoStage = self.executor.current_stage
-        enroll = stage.client.enroll(user.username)
+        try:
+            enroll = stage.client.enroll(user.username)
+        except RuntimeError as exc:
+            Event.new(
+                EventAction.CONFIGURATION_ERROR,
+                message=f"Failed to enroll user: {str(exc)}",
+                user=user,
+            ).from_http(self.request, user)
+            raise InvalidStageError(str(exc)) from exc
         user_id = enroll["user_id"]
         self.request.session[SESSION_KEY_DUO_USER_ID] = user_id
         self.request.session[SESSION_KEY_DUO_ACTIVATION_CODE] = enroll[

authentik/stages/identification/stage.py

@@ -175,7 +175,6 @@ class IdentificationStageView(ChallengeStageView):
                 button = asdict(ui_login_button)
                 button["challenge"] = ui_login_button.challenge.data
                 ui_sources.append(button)
-        print(ui_sources)
         challenge.initial_data["sources"] = ui_sources
         return challenge
 

azure-pipelines.yml

@@ -148,7 +148,7 @@ stages:
             inputs:
               script: |
                 pipenv run python -m scripts.generate_ci_config
-                pipenv run ./manage.py migrate
+                pipenv run python -m lifecycle.migrate
       - job: migrations_from_previous_release
         pool:
           vmImage: 'ubuntu-latest'

docker-compose.yml

@@ -21,7 +21,7 @@ services:
     networks:
       - internal
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.6.1-rc6}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.6.1}
     restart: unless-stopped
     command: server
     environment:
@@ -52,7 +52,7 @@ services:
       - "0.0.0.0:9000:9000"
       - "0.0.0.0:9443:9443"
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.6.1-rc6}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2021.6.1}
     restart: unless-stopped
     command: worker
     networks:

internal/constants/constants.go

@@ -1,3 +1,3 @@
 package constants
 
-const VERSION = "2021.6.1-rc6"
+const VERSION = "2021.6.1"

outpost/pkg/version.go

@@ -5,7 +5,7 @@ import (
 	"os"
 )
 
-const VERSION = "2021.6.1-rc6"
+const VERSION = "2021.6.1"
 
 func BUILD() string {
 	build := os.Getenv("GIT_BUILD_HASH")

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2021.6.1-rc5
+  version: 2021.6.1-rc6
   description: Making authentication simple.
   contact:
     email: hello@beryju.org
@@ -236,6 +236,37 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    post:
+      operationId: authenticators_admin_duo_create
+      description: Viewset for Duo authenticator devices (for admins)
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/DuoDeviceRequest'
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: '#/components/schemas/DuoDeviceRequest'
+          multipart/form-data:
+            schema:
+              $ref: '#/components/schemas/DuoDeviceRequest'
+        required: true
+      security:
+      - authentik: []
+      - cookieAuth: []
+      responses:
+        '201':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/DuoDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /api/v2beta/authenticators/admin/duo/{id}/:
     get:
       operationId: authenticators_admin_duo_retrieve
@@ -263,6 +294,103 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    put:
+      operationId: authenticators_admin_duo_update
+      description: Viewset for Duo authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this Duo Device.
+        required: true
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/DuoDeviceRequest'
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: '#/components/schemas/DuoDeviceRequest'
+          multipart/form-data:
+            schema:
+              $ref: '#/components/schemas/DuoDeviceRequest'
+        required: true
+      security:
+      - authentik: []
+      - cookieAuth: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/DuoDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    patch:
+      operationId: authenticators_admin_duo_partial_update
+      description: Viewset for Duo authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this Duo Device.
+        required: true
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PatchedDuoDeviceRequest'
+          application/x-www-form-urlencoded:
+            schema:
+              $ref: '#/components/schemas/PatchedDuoDeviceRequest'
+          multipart/form-data:
+            schema:
+              $ref: '#/components/schemas/PatchedDuoDeviceRequest'
+      security:
+      - authentik: []
+      - cookieAuth: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/DuoDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    delete:
+      operationId: authenticators_admin_duo_destroy
+      description: Viewset for Duo authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this Duo Device.
+        required: true
+      tags:
+      - authenticators
+      security:
+      - authentik: []
+      - cookieAuth: []
+      responses:
+        '204':
+          description: No response body
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /api/v2beta/authenticators/admin/static/:
     get:
       operationId: authenticators_admin_static_list
@@ -18412,27 +18540,6 @@ components:
       required:
       - certificate_data
       - name
-    ChallT:
-      type: object
-      description: |-
-        Challenge that gets sent to the client based on which stage
-        is currently active
-      properties:
-        type:
-          $ref: '#/components/schemas/ChallengeChoices'
-        flow_info:
-          $ref: '#/components/schemas/ContextualFlowInfo'
-        component:
-          type: string
-          default: ''
-        response_errors:
-          type: object
-          additionalProperties:
-            type: array
-            items:
-              $ref: '#/components/schemas/ErrorDetail'
-      required:
-      - type
     ChallengeChoices:
       enum:
       - native
@@ -18449,7 +18556,6 @@ components:
       - $ref: '#/components/schemas/AuthenticatorWebAuthnChallenge'
       - $ref: '#/components/schemas/AutosubmitChallenge'
       - $ref: '#/components/schemas/CaptchaChallenge'
-      - $ref: '#/components/schemas/ChallT'
       - $ref: '#/components/schemas/ConsentChallenge'
       - $ref: '#/components/schemas/DummyChallenge'
       - $ref: '#/components/schemas/EmailChallenge'
@@ -18470,8 +18576,6 @@ components:
           ak-stage-authenticator-webauthn: '#/components/schemas/AuthenticatorWebAuthnChallenge'
           ak-stage-autosubmit: '#/components/schemas/AutosubmitChallenge'
           ak-stage-captcha: '#/components/schemas/CaptchaChallenge'
-          ? ''
-          : '#/components/schemas/ChallT'
           ak-stage-consent: '#/components/schemas/ConsentChallenge'
           ak-stage-dummy: '#/components/schemas/DummyChallenge'
           ak-stage-email: '#/components/schemas/EmailChallenge'

web/package-lock.json

@@ -16,7 +16,7 @@
                 "@babel/preset-typescript": "^7.14.5",
                 "@fortawesome/fontawesome-free": "^5.15.3",
                 "@lingui/cli": "^3.10.2",
-                "@lingui/core": "^3.10.3",
+                "@lingui/core": "^3.10.4",
                 "@lingui/macro": "^3.10.2",
                 "@patternfly/patternfly": "^4.108.2",
                 "@polymer/iron-form": "^3.0.1",
@@ -24,8 +24,8 @@
                 "@rollup/plugin-babel": "^5.3.0",
                 "@rollup/plugin-replace": "^2.4.2",
                 "@rollup/plugin-typescript": "^8.2.1",
-                "@sentry/browser": "^6.7.0",
-                "@sentry/tracing": "^6.7.0",
+                "@sentry/browser": "^6.7.1",
+                "@sentry/tracing": "^6.7.1",
                 "@types/chart.js": "^2.9.32",
                 "@types/codemirror": "5.60.0",
                 "@types/grecaptcha": "^3.0.2",
@@ -48,7 +48,7 @@
                 "lit-html": "^1.4.1",
                 "moment": "^2.29.1",
                 "rapidoc": "^9.0.0",
-                "rollup": "^2.51.2",
+                "rollup": "^2.52.1",
                 "rollup-plugin-commonjs": "^10.1.0",
                 "rollup-plugin-copy": "^3.4.0",
                 "rollup-plugin-cssimport": "^1.0.2",
@@ -58,7 +58,7 @@
                 "rollup-plugin-terser": "^7.0.2",
                 "ts-lit-plugin": "^1.2.1",
                 "tslib": "^2.3.0",
-                "typescript": "^4.3.2",
+                "typescript": "^4.3.3",
                 "webcomponent-qr-code": "^1.0.5",
                 "yaml": "^1.10.2"
             }
@@ -2047,9 +2047,9 @@
             }
         },
         "node_modules/@lingui/core": {
-            "version": "3.10.3",
-            "resolved": "https://registry.npmjs.org/@lingui/core/-/core-3.10.3.tgz",
-            "integrity": "sha512-BiuWi5xPpQa27oIWWnkOYNx4qTMdMeu7vp5y1AGPYQ/4SO0rHfAtOxXtvRU/ktVwht/lIgx5Ygq5J3F+XLvOQA==",
+            "version": "3.10.4",
+            "resolved": "https://registry.npmjs.org/@lingui/core/-/core-3.10.4.tgz",
+            "integrity": "sha512-V9QKQ9PFMTPrGGz2PaeKHZcxFikQZzJbptyQbVFJdXaKhdE2RH6HhdK1PIziDHqp6ZWPthVIfVLURT3ku8eu5w==",
             "dependencies": {
                 "@babel/runtime": "^7.11.2",
                 "make-plural": "^6.2.2",
@@ -2314,13 +2314,13 @@
             "integrity": "sha512-1fMXF3YP4pZZVozF8j/ZLfvnR8NSIljt56UhbZ5PeeDmmGHpgpdwQt7ITlGvYaQukCvuBRMLEiKiYC+oeIg4cg=="
         },
         "node_modules/@sentry/browser": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-6.7.0.tgz",
-            "integrity": "sha512-sZvy2fxHjHXPdlaz8Ax02BeUbdILRv6a4i9FvMHvgSBeDiAVRIS+ihBhJAqziNOqwwXYThCSPKcCYGyTTncrVw==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-6.7.1.tgz",
+            "integrity": "sha512-R5PYx4TTvifcU790XkK6JVGwavKaXwycDU0MaAwfc4Vf7BLm5KCNJCsDySu1RPAap/017MVYf54p6dWvKiRviA==",
             "dependencies": {
-                "@sentry/core": "6.7.0",
-                "@sentry/types": "6.7.0",
-                "@sentry/utils": "6.7.0",
+                "@sentry/core": "6.7.1",
+                "@sentry/types": "6.7.1",
+                "@sentry/utils": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "engines": {
@@ -2333,14 +2333,14 @@
             "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
         },
         "node_modules/@sentry/core": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-6.7.0.tgz",
-            "integrity": "sha512-1TzDQIsS71a+6T1o3+NPyIgsTc37wdGh7cKZ8DRQ4bsML7MAkBV/LJeTVbXa0S9xha1v9v/oPindnHX5vBLJbg==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-6.7.1.tgz",
+            "integrity": "sha512-VAv8OR/7INn2JfiLcuop4hfDcyC7mfL9fdPndQEhlacjmw8gRrgXjR7qyhnCTgzFLkHI7V5bcdIzA83TRPYQpA==",
             "dependencies": {
-                "@sentry/hub": "6.7.0",
-                "@sentry/minimal": "6.7.0",
-                "@sentry/types": "6.7.0",
-                "@sentry/utils": "6.7.0",
+                "@sentry/hub": "6.7.1",
+                "@sentry/minimal": "6.7.1",
+                "@sentry/types": "6.7.1",
+                "@sentry/utils": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "engines": {
@@ -2353,12 +2353,12 @@
             "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
         },
         "node_modules/@sentry/hub": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.7.0.tgz",
-            "integrity": "sha512-8e1IF6v8OIjuZVsolBAFoHhY0fEolsWwmZzm9k5N1wXWRbu4gpLHnCtDw47u2O9CFYr+b//bNXjmsA+DTckPkw==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.7.1.tgz",
+            "integrity": "sha512-eVCTWvvcp6xa0A5GGNHMQEWslmKPlisE5rGmsV/kjvSUv3zSrI0eIDfb51ikdnCiBjHpK2NBWP8Vy8cZOEJegg==",
             "dependencies": {
-                "@sentry/types": "6.7.0",
-                "@sentry/utils": "6.7.0",
+                "@sentry/types": "6.7.1",
+                "@sentry/utils": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "engines": {
@@ -2371,12 +2371,12 @@
             "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
         },
         "node_modules/@sentry/minimal": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.7.0.tgz",
-            "integrity": "sha512-q0SX2t1+6c8TSe8nI4+EsWc8+kSsKiGhoGo2tN2OTk4EXKCYEsEEDqB9iu7md5StmtmrO3UnRiYwT7JV8QGOeg==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.7.1.tgz",
+            "integrity": "sha512-HDDPEnQRD6hC0qaHdqqKDStcdE1KhkFh0RCtJNMCDn0zpav8Dj9AteF70x6kLSlliAJ/JFwi6AmQrLz+FxPexw==",
             "dependencies": {
-                "@sentry/hub": "6.7.0",
-                "@sentry/types": "6.7.0",
+                "@sentry/hub": "6.7.1",
+                "@sentry/types": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "engines": {
@@ -2389,14 +2389,14 @@
             "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
         },
         "node_modules/@sentry/tracing": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-6.7.0.tgz",
-            "integrity": "sha512-5joTxxDB4v2J1B3CIGDj4AJKJpeGztqExQMkCrwwWgBsZ+fFfctRSCyiwYo50TU93Zt/rt0rDjj8QF4o8ZH09A==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-6.7.1.tgz",
+            "integrity": "sha512-wyS3nWNl5mzaC1qZ2AIp1hjXnfO9EERjMIJjCihs2LWBz1r3efxrHxJHs8wXlNWvrT3KLhq/7vvF5CdU82uPeQ==",
             "dependencies": {
-                "@sentry/hub": "6.7.0",
-                "@sentry/minimal": "6.7.0",
-                "@sentry/types": "6.7.0",
-                "@sentry/utils": "6.7.0",
+                "@sentry/hub": "6.7.1",
+                "@sentry/minimal": "6.7.1",
+                "@sentry/types": "6.7.1",
+                "@sentry/utils": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "engines": {
@@ -2409,19 +2409,19 @@
             "integrity": "sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg=="
         },
         "node_modules/@sentry/types": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.7.0.tgz",
-            "integrity": "sha512-5pKv0yJEOnkjy3J3eiGaM1CD2+p3rXkctJa8loZH7QgY7mJgUTKpozO3YymUmGjblthlrbuhH+5wUIBnVF60Bg==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.7.1.tgz",
+            "integrity": "sha512-9AO7HKoip2MBMNQJEd6+AKtjj2+q9Ze4ooWUdEvdOVSt5drg7BGpK221/p9JEOyJAZwEPEXdcMd3VAIMiOb4MA==",
             "engines": {
                 "node": ">=6"
             }
         },
         "node_modules/@sentry/utils": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.7.0.tgz",
-            "integrity": "sha512-K6s9svqOF4TT4AwvlDdiV9ZSGStSnf64s8KH1DNqwu5EZULvXvg0kbqgi6ZJTDHcchbnwHm7hLMNfuw95Aqi4Q==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.7.1.tgz",
+            "integrity": "sha512-Tq2otdbWlHAkctD+EWTYKkEx6BL1Qn3Z/imkO06/PvzpWvVhJWQ5qHAzz5XnwwqNHyV03KVzYB6znq1Bea9HuA==",
             "dependencies": {
-                "@sentry/types": "6.7.0",
+                "@sentry/types": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "engines": {
@@ -6771,9 +6771,9 @@
             }
         },
         "node_modules/rollup": {
-            "version": "2.51.2",
-            "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.51.2.tgz",
-            "integrity": "sha512-ReV2eGEadA7hmXSzjxdDKs10neqH2QURf2RxJ6ayAlq93ugy6qIvXMmbc5cWMGCDh1h5T4thuWO1e2VNbMq8FA==",
+            "version": "2.52.1",
+            "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.52.1.tgz",
+            "integrity": "sha512-/SPqz8UGnp4P1hq6wc9gdTqA2bXQXGx13TtoL03GBm6qGRI6Hm3p4Io7GeiHNLl0BsQAne1JNYY+q/apcY933w==",
             "bin": {
                 "rollup": "dist/bin/rollup"
             },
@@ -6781,7 +6781,7 @@
                 "node": ">=10.0.0"
             },
             "optionalDependencies": {
-                "fsevents": "~2.3.1"
+                "fsevents": "~2.3.2"
             }
         },
         "node_modules/rollup-plugin-commonjs": {
@@ -7605,9 +7605,9 @@
             }
         },
         "node_modules/typescript": {
-            "version": "4.3.2",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.3.2.tgz",
-            "integrity": "sha512-zZ4hShnmnoVnAHpVHWpTcxdv7dWP60S2FsydQLV8V5PbS3FifjWFFRiHSWpDJahly88PRyV5teTSLoq4eG7mKw==",
+            "version": "4.3.3",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.3.3.tgz",
+            "integrity": "sha512-rUvLW0WtF7PF2b9yenwWUi9Da9euvDRhmH7BLyBG4DCFfOJ850LGNknmRpp8Z8kXNUPObdZQEfKOiHtXuQHHKA==",
             "bin": {
                 "tsc": "bin/tsc",
                 "tsserver": "bin/tsserver"
@@ -9431,9 +9431,9 @@
             }
         },
         "@lingui/core": {
-            "version": "3.10.3",
-            "resolved": "https://registry.npmjs.org/@lingui/core/-/core-3.10.3.tgz",
-            "integrity": "sha512-BiuWi5xPpQa27oIWWnkOYNx4qTMdMeu7vp5y1AGPYQ/4SO0rHfAtOxXtvRU/ktVwht/lIgx5Ygq5J3F+XLvOQA==",
+            "version": "3.10.4",
+            "resolved": "https://registry.npmjs.org/@lingui/core/-/core-3.10.4.tgz",
+            "integrity": "sha512-V9QKQ9PFMTPrGGz2PaeKHZcxFikQZzJbptyQbVFJdXaKhdE2RH6HhdK1PIziDHqp6ZWPthVIfVLURT3ku8eu5w==",
             "requires": {
                 "@babel/runtime": "^7.11.2",
                 "make-plural": "^6.2.2",
@@ -9670,13 +9670,13 @@
             }
         },
         "@sentry/browser": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-6.7.0.tgz",
-            "integrity": "sha512-sZvy2fxHjHXPdlaz8Ax02BeUbdILRv6a4i9FvMHvgSBeDiAVRIS+ihBhJAqziNOqwwXYThCSPKcCYGyTTncrVw==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-6.7.1.tgz",
+            "integrity": "sha512-R5PYx4TTvifcU790XkK6JVGwavKaXwycDU0MaAwfc4Vf7BLm5KCNJCsDySu1RPAap/017MVYf54p6dWvKiRviA==",
             "requires": {
-                "@sentry/core": "6.7.0",
-                "@sentry/types": "6.7.0",
-                "@sentry/utils": "6.7.0",
+                "@sentry/core": "6.7.1",
+                "@sentry/types": "6.7.1",
+                "@sentry/utils": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "dependencies": {
@@ -9688,14 +9688,14 @@
             }
         },
         "@sentry/core": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-6.7.0.tgz",
-            "integrity": "sha512-1TzDQIsS71a+6T1o3+NPyIgsTc37wdGh7cKZ8DRQ4bsML7MAkBV/LJeTVbXa0S9xha1v9v/oPindnHX5vBLJbg==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-6.7.1.tgz",
+            "integrity": "sha512-VAv8OR/7INn2JfiLcuop4hfDcyC7mfL9fdPndQEhlacjmw8gRrgXjR7qyhnCTgzFLkHI7V5bcdIzA83TRPYQpA==",
             "requires": {
-                "@sentry/hub": "6.7.0",
-                "@sentry/minimal": "6.7.0",
-                "@sentry/types": "6.7.0",
-                "@sentry/utils": "6.7.0",
+                "@sentry/hub": "6.7.1",
+                "@sentry/minimal": "6.7.1",
+                "@sentry/types": "6.7.1",
+                "@sentry/utils": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "dependencies": {
@@ -9707,12 +9707,12 @@
             }
         },
         "@sentry/hub": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.7.0.tgz",
-            "integrity": "sha512-8e1IF6v8OIjuZVsolBAFoHhY0fEolsWwmZzm9k5N1wXWRbu4gpLHnCtDw47u2O9CFYr+b//bNXjmsA+DTckPkw==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/hub/-/hub-6.7.1.tgz",
+            "integrity": "sha512-eVCTWvvcp6xa0A5GGNHMQEWslmKPlisE5rGmsV/kjvSUv3zSrI0eIDfb51ikdnCiBjHpK2NBWP8Vy8cZOEJegg==",
             "requires": {
-                "@sentry/types": "6.7.0",
-                "@sentry/utils": "6.7.0",
+                "@sentry/types": "6.7.1",
+                "@sentry/utils": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "dependencies": {
@@ -9724,12 +9724,12 @@
             }
         },
         "@sentry/minimal": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.7.0.tgz",
-            "integrity": "sha512-q0SX2t1+6c8TSe8nI4+EsWc8+kSsKiGhoGo2tN2OTk4EXKCYEsEEDqB9iu7md5StmtmrO3UnRiYwT7JV8QGOeg==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/minimal/-/minimal-6.7.1.tgz",
+            "integrity": "sha512-HDDPEnQRD6hC0qaHdqqKDStcdE1KhkFh0RCtJNMCDn0zpav8Dj9AteF70x6kLSlliAJ/JFwi6AmQrLz+FxPexw==",
             "requires": {
-                "@sentry/hub": "6.7.0",
-                "@sentry/types": "6.7.0",
+                "@sentry/hub": "6.7.1",
+                "@sentry/types": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "dependencies": {
@@ -9741,14 +9741,14 @@
             }
         },
         "@sentry/tracing": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-6.7.0.tgz",
-            "integrity": "sha512-5joTxxDB4v2J1B3CIGDj4AJKJpeGztqExQMkCrwwWgBsZ+fFfctRSCyiwYo50TU93Zt/rt0rDjj8QF4o8ZH09A==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/tracing/-/tracing-6.7.1.tgz",
+            "integrity": "sha512-wyS3nWNl5mzaC1qZ2AIp1hjXnfO9EERjMIJjCihs2LWBz1r3efxrHxJHs8wXlNWvrT3KLhq/7vvF5CdU82uPeQ==",
             "requires": {
-                "@sentry/hub": "6.7.0",
-                "@sentry/minimal": "6.7.0",
-                "@sentry/types": "6.7.0",
-                "@sentry/utils": "6.7.0",
+                "@sentry/hub": "6.7.1",
+                "@sentry/minimal": "6.7.1",
+                "@sentry/types": "6.7.1",
+                "@sentry/utils": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "dependencies": {
@@ -9760,16 +9760,16 @@
             }
         },
         "@sentry/types": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.7.0.tgz",
-            "integrity": "sha512-5pKv0yJEOnkjy3J3eiGaM1CD2+p3rXkctJa8loZH7QgY7mJgUTKpozO3YymUmGjblthlrbuhH+5wUIBnVF60Bg=="
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/types/-/types-6.7.1.tgz",
+            "integrity": "sha512-9AO7HKoip2MBMNQJEd6+AKtjj2+q9Ze4ooWUdEvdOVSt5drg7BGpK221/p9JEOyJAZwEPEXdcMd3VAIMiOb4MA=="
         },
         "@sentry/utils": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.7.0.tgz",
-            "integrity": "sha512-K6s9svqOF4TT4AwvlDdiV9ZSGStSnf64s8KH1DNqwu5EZULvXvg0kbqgi6ZJTDHcchbnwHm7hLMNfuw95Aqi4Q==",
+            "version": "6.7.1",
+            "resolved": "https://registry.npmjs.org/@sentry/utils/-/utils-6.7.1.tgz",
+            "integrity": "sha512-Tq2otdbWlHAkctD+EWTYKkEx6BL1Qn3Z/imkO06/PvzpWvVhJWQ5qHAzz5XnwwqNHyV03KVzYB6znq1Bea9HuA==",
             "requires": {
-                "@sentry/types": "6.7.0",
+                "@sentry/types": "6.7.1",
                 "tslib": "^1.9.3"
             },
             "dependencies": {
@@ -13202,11 +13202,11 @@
             }
         },
         "rollup": {
-            "version": "2.51.2",
-            "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.51.2.tgz",
-            "integrity": "sha512-ReV2eGEadA7hmXSzjxdDKs10neqH2QURf2RxJ6ayAlq93ugy6qIvXMmbc5cWMGCDh1h5T4thuWO1e2VNbMq8FA==",
+            "version": "2.52.1",
+            "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.52.1.tgz",
+            "integrity": "sha512-/SPqz8UGnp4P1hq6wc9gdTqA2bXQXGx13TtoL03GBm6qGRI6Hm3p4Io7GeiHNLl0BsQAne1JNYY+q/apcY933w==",
             "requires": {
-                "fsevents": "~2.3.1"
+                "fsevents": "~2.3.2"
             }
         },
         "rollup-plugin-commonjs": {
@@ -13898,9 +13898,9 @@
             }
         },
         "typescript": {
-            "version": "4.3.2",
-            "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.3.2.tgz",
-            "integrity": "sha512-zZ4hShnmnoVnAHpVHWpTcxdv7dWP60S2FsydQLV8V5PbS3FifjWFFRiHSWpDJahly88PRyV5teTSLoq4eG7mKw=="
+            "version": "4.3.3",
+            "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.3.3.tgz",
+            "integrity": "sha512-rUvLW0WtF7PF2b9yenwWUi9Da9euvDRhmH7BLyBG4DCFfOJ850LGNknmRpp8Z8kXNUPObdZQEfKOiHtXuQHHKA=="
         },
         "uglify-js": {
             "version": "3.13.0",

web/package.json

@@ -45,7 +45,7 @@
         "@babel/preset-typescript": "^7.14.5",
         "@fortawesome/fontawesome-free": "^5.15.3",
         "@lingui/cli": "^3.10.2",
-        "@lingui/core": "^3.10.3",
+        "@lingui/core": "^3.10.4",
         "@lingui/macro": "^3.10.2",
         "@patternfly/patternfly": "^4.108.2",
         "@polymer/iron-form": "^3.0.1",
@@ -53,8 +53,8 @@
         "@rollup/plugin-babel": "^5.3.0",
         "@rollup/plugin-replace": "^2.4.2",
         "@rollup/plugin-typescript": "^8.2.1",
-        "@sentry/browser": "^6.7.0",
-        "@sentry/tracing": "^6.7.0",
+        "@sentry/browser": "^6.7.1",
+        "@sentry/tracing": "^6.7.1",
         "@types/chart.js": "^2.9.32",
         "@types/codemirror": "5.60.0",
         "@types/grecaptcha": "^3.0.2",
@@ -77,7 +77,7 @@
         "lit-html": "^1.4.1",
         "moment": "^2.29.1",
         "rapidoc": "^9.0.0",
-        "rollup": "^2.51.2",
+        "rollup": "^2.52.1",
         "rollup-plugin-commonjs": "^10.1.0",
         "rollup-plugin-copy": "^3.4.0",
         "rollup-plugin-cssimport": "^1.0.2",
@@ -87,7 +87,7 @@
         "rollup-plugin-terser": "^7.0.2",
         "ts-lit-plugin": "^1.2.1",
         "tslib": "^2.3.0",
-        "typescript": "^4.3.2",
+        "typescript": "^4.3.3",
         "webcomponent-qr-code": "^1.0.5",
         "yaml": "^1.10.2"
     },

web/src/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2021.6.1-rc6";
+export const VERSION = "2021.6.1";
 export const PAGE_SIZE = 20;
 export const EVENT_REFRESH = "ak-refresh";
 export const EVENT_NOTIFICATION_TOGGLE = "ak-notification-toggle";

website/developer-docs/flow-executor.md

@@ -0,0 +1,72 @@
+---
+title: Flow executor
+---
+
+A big focus of authentik is the flows system, which allows you to combine and build complex conditional processes using stages and policies. Normally, these flows are executed in the browser using the authentik inbuilt flow executor (/if/flows).
+
+However, any flow can be executed via an API from anywhere, in fact that is what the Web flow executor does. This means, you can, with a few requests, execute flows from anywhere, and integrate authentik even better.
+
+:::info
+Because the flow executor stores its state in the HTTP Session, so you need to ensure cookies between flow executor requests are persisted.
+:::
+
+The main endpoint for flow execution is `/api/v2beta/flows/executor/:slug`.
+
+This endpoint accepts a query parameter called `query`, in which the flow executor sends the full Query-string.
+
+To initiate a new flow, execute a GET request.
+
+## `GET /api/v2beta/flows/executor/test-flow/`
+
+Below is the response, for example for an Identification stage.
+
+```json
+{
+    "type": "native", // Stage type, can be "native", "shell" or "redirect"
+    "flow_info": {
+        // Related flow information, mostly used for UI and surrounding elements
+        "title": "Welcome to authentik",
+        "background": "/static/dist/assets/images/flow_background.jpg",
+        "cancel_url": "/flows/-/cancel/"
+    },
+    // Main component to distinguish which stage is currently active
+    "component": "ak-stage-identification",
+
+    // Stage-specific fields
+    "user_fields": [
+        "username",
+        "email"
+    ],
+    "password_fields": false,
+    "primary_action": "Log in",
+    "sources": []
+}
+```
+
+To respond to this challenge, send a response:
+
+## `POST /api/v2beta/flows/executor/test-flow/`
+
+With this body
+
+```json
+{
+    // Component is required to determine how to parse the response
+    "component": "ak-stage-identification",
+
+    // Stage-specific fields
+    "uid_field": "jens"
+}
+```
+
+Depending on the flow, you'll either get a 200 Response with another challenge, or a 302 redirect, which should be followed.
+
+Depending also on the stage, a response might take longer to be returned (especially with the Duo Authenticator validation).
+
+To see the data layout for every stage possible, see the [API Browser](https://goauthentik.io/api/#get-/api/v2beta/flows/executor/-flow_slug-/)
+
+## Result
+
+If a stage with the component `ak-stage-access-denied` is returned, the flow has been denied.
+
+If a stage with the component `xak-flow-redirect` is returned, the flow has been executed successfully.

website/docs/installation/docker-compose.md

@@ -12,11 +12,11 @@ This installation method is for test-setups and small-scale productive setups.
 
 ## Preparation
 
-Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/goauthentik/authentik/version/2021.6.1-rc6/docker-compose.yml). Place it in a directory of your choice.
+Download the latest `docker-compose.yml` from [here](https://raw.githubusercontent.com/goauthentik/authentik/version/2021.6.1/docker-compose.yml). Place it in a directory of your choice.
 
 To optionally enable error-reporting, run `echo AUTHENTIK_ERROR_REPORTING__ENABLED=true >> .env`
 
-To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.6.1-rc6 >> .env`
+To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.6.1 >> .env`
 
 If this is a fresh authentik install run the following commands to generate a password:
 
@@ -74,7 +74,6 @@ Afterwards, run these commands to finish
 ```shell
 docker-compose pull
 docker-compose up -d
-docker-compose run --rm server migrate
 ```
 
 The compose file statically references the latest version available at the time of downloading, which can be overridden with the `SERVER_TAG` environment variable.

website/docs/integrations/services/nextcloud/index.md

@@ -55,6 +55,12 @@ Under Attribute mapping, set these values:
 - Attribute to map the email address to.: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
 - Attribute to map the users groups to.: `http://schemas.xmlsoap.org/claims/Group`
 
+:::note
+If Nextcloud is behind a reverse proxy you may need to force Nextcloud to use HTTPS. 
+To do this you will need to add the line `'overwriteprotocol' => 'https'` to `config.php` in the Nextcloud `config\config.php` file
+See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html#overwrite-parameters for additional information
+:::
+
 ## Group Quotas
 
 Create a group for each different level of quota you want users to have. Set a custom attribute, for example called `nextcloud_quota`, to the quota you want, for example `15 GB`.

website/docs/integrations/services/wekan/index.mdx

@@ -0,0 +1,80 @@
+---
+title: Wekan
+---
+
+## What is Wekan
+
+From https://github.com/wekan/wekan/wiki
+
+:::note
+Wekan is an open-source kanban board which allows a card-based task and to-do management.
+:::
+
+## Preparation
+
+The following placeholders will be used:
+
+- `wekan.company` is the FQDN of the wekan install.
+- `authentik.company` is the FQDN of the authentik install.
+
+Create an application in authentik. Create an OAuth2/OpenID provider with the following parameters:
+
+- Client Type: `Confidential`
+- JWT Algorithm: `RS256`
+- Scopes: OpenID, Email and Profile
+- RSA Key: Select any available key
+- Redirect URIs: `https://wekan.company/_oauth/oidc`
+
+Note the Client ID and Client Secret values. Create an application, using the provider you've created above. Note the slug of the application you've created.
+
+## Wekan
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+<Tabs
+  defaultValue="docker"
+  values={[
+    {label: 'Docker', value: 'docker'},
+    {label: 'Standalone', value: 'standalone'},
+  ]}>
+  <TabItem value="docker">
+If your Wekan is running in docker, add the following environment variables for Authentik
+
+```yaml
+environment:
+      OAUTH2_ENABLED=true
+      OAUTH2_LOGIN_STYLE=redirect
+      OAUTH2_CLIENT_ID=<Client ID from above>
+      OAUTH2_SERVER_URL=https://authentik.company
+      OAUTH2_AUTH_ENDPOINT=/application/o/authorize/
+      OAUTH2_USERINFO_ENDPOINT=/application/o/userinfo/
+      OAUTH2_TOKEN_ENDPOINT=/application/o/token/
+      OAUTH2_SECRET=<Client Secret from above>
+      OAUTH2_ID_MAP=preferred_username
+      OAUTH2_USERNAME_MAP=preferred_username
+      OAUTH2_FULLNAME_MAP=given_name
+      OAUTH2_EMAIL_MAP=email
+```
+  </TabItem>
+  <TabItem value="standalone">
+    
+edit `.env` and add the following:
+
+```ini
+     # Authentik OAUTH Config
+      OAUTH2_ENABLED='true'
+      OAUTH2_LOGIN_STYLE='redirect'
+      OAUTH2_CLIENT_ID='<Client ID from above>'
+      OAUTH2_SERVER_URL='https://authentik.company'
+      OAUTH2_AUTH_ENDPOINT='/application/o/authorize/'
+      OAUTH2_USERINFO_ENDPOINT='/application/o/userinfo/'
+      OAUTH2_TOKEN_ENDPOINT='/application/o/token/'
+      OAUTH2_SECRET='<Client Secret from above>'
+      OAUTH2_ID_MAP='preferred_username'
+      OAUTH2_USERNAME_MAP='preferred_username'
+      OAUTH2_FULLNAME_MAP='given_name'
+      OAUTH2_EMAIL_MAP='email'
+```
+  </TabItem>
+</Tabs>

website/docs/outposts/manual-deploy-docker-compose.md

@@ -11,7 +11,7 @@ version: "3.5"
 
 services:
   authentik_proxy:
-    image: ghcr.io/goauthentik/proxy:2021.6.1-rc6
+    image: ghcr.io/goauthentik/proxy:2021.6.1
     ports:
       - 4180:4180
       - 4443:4443
@@ -21,7 +21,7 @@ services:
       AUTHENTIK_TOKEN: token-generated-by-authentik
   # Or, for the LDAP Outpost
   authentik_proxy:
-    image: ghcr.io/goauthentik/ldap:2021.6.1-rc6
+    image: ghcr.io/goauthentik/ldap:2021.6.1
     ports:
       - 389:3389
     environment:

website/docs/outposts/manual-deploy-kubernetes.md

@@ -14,7 +14,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.6.1-rc6
+    app.kubernetes.io/version: 2021.6.1
   name: authentik-outpost-api
 stringData:
   authentik_host: "__AUTHENTIK_URL__"
@@ -29,7 +29,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.6.1-rc6
+    app.kubernetes.io/version: 2021.6.1
   name: authentik-outpost
 spec:
   ports:
@@ -54,7 +54,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.6.1-rc6
+    app.kubernetes.io/version: 2021.6.1
   name: authentik-outpost
 spec:
   selector:
@@ -62,14 +62,14 @@ spec:
       app.kubernetes.io/instance: __OUTPOST_NAME__
       app.kubernetes.io/managed-by: goauthentik.io
       app.kubernetes.io/name: authentik-proxy
-      app.kubernetes.io/version: 2021.6.1-rc6
+      app.kubernetes.io/version: 2021.6.1
   template:
     metadata:
       labels:
         app.kubernetes.io/instance: __OUTPOST_NAME__
         app.kubernetes.io/managed-by: goauthentik.io
         app.kubernetes.io/name: authentik-proxy
-        app.kubernetes.io/version: 2021.6.1-rc6
+        app.kubernetes.io/version: 2021.6.1
     spec:
       containers:
         - env:
@@ -88,7 +88,7 @@ spec:
               secretKeyRef:
                 key: authentik_host_insecure
                 name: authentik-outpost-api
-        image: ghcr.io/goauthentik/proxy:2021.6.1-rc6
+        image: ghcr.io/goauthentik/proxy:2021.6.1
         name: proxy
         ports:
           - containerPort: 4180
@@ -110,7 +110,7 @@ metadata:
     app.kubernetes.io/instance: __OUTPOST_NAME__
     app.kubernetes.io/managed-by: goauthentik.io
     app.kubernetes.io/name: authentik-proxy
-    app.kubernetes.io/version: 2021.6.1-rc6
+    app.kubernetes.io/version: 2021.6.1
   name: authentik-outpost
 spec:
   rules:

website/docs/releases/v2021.6.md

@@ -41,6 +41,45 @@ slug: "2021.6"
 - Fix proxy outpost not being able to redeem tokens when using with an un-trusted SSL Certificate
 - Add UI to check access of any application for any user
 
+## Fixed in 2021.6.1-rc5
+
+- flows: fix configuration URL being set when no flow is configure
+- stages/authenticator_totp: set TOTP issuer based on slug'd tenant title
+- stages/authenticator_webauthn: use tenant title as RP_NAME
+- stages/identification: add UPN
+- stages/password: add constants for password backends
+- web: fix flow download link
+
+## Fixed in 2021.6.1-rc6
+
+- ci: build and push stable tag when rc not in release name
+- core: delete real session when AuthenticatedSession is deleted
+- core: fix impersonation not working with inactive users
+- core: fix upload api not checking clear properly
+- core: revert check_access API to get to prevent CSRF errors
+- events: add tenant to event
+- events: catch unhandled exceptions from request as event, add button to open github issue
+- flows: fix error clearing flow background when no files have been uploaded
+- outpost: fix syntax error when creating an outpost with connection
+- outposts: fix integrity error with tokens
+- outposts/ldap: improve responses for unsuccessful binds
+- policies/reputation: fix race condition in tests
+- provider/proxy: mark forward_auth flag as deprecated
+- providers/saml: improve error handling for signature errors
+- root: fix build_hash being set incorrectly for tagged versions
+- sources/saml: check sessions before deleting user
+- stages/authenticator_duo: don't create default duo stage
+- stages/authenticator_validate: add tests for authenticator validation
+- stages/identification: fix challenges not being annotated correctly and API client not loading data correctly
+- web: add capabilities to sentry event
+- web: migrate banner to sidebar
+- web/admin: fix user enable/disable modal not matching other modals
+- web/admin: select service connection by default when only one exists
+- web/flows: fix expiry not shown on consent stage when loading
+- web/flows: fix IdentificationStage's label not matching fields
+- web/flows: improve display of allowed fields for identification stage
+- website/docs: add docs for outpost configuration
+
 ## Upgrading
 
 This release does not introduce any new requirements.

website/package-lock.json

@@ -11,7 +11,7 @@
                 "@docusaurus/preset-classic": "2.0.0-beta.0",
                 "@mdx-js/react": "^1.6.22",
                 "clsx": "^1.1.1",
-                "postcss": "^8.3.4",
+                "postcss": "^8.3.5",
                 "rapidoc": "^9.0.0",
                 "react": "^17.0.2",
                 "react-before-after-slider": "^1.0.4",
@@ -9636,9 +9636,9 @@
             }
         },
         "node_modules/postcss": {
-            "version": "8.3.4",
-            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.3.4.tgz",
-            "integrity": "sha512-/tZY0PXExXXnNhKv3TOvZAOUYRyuqcCbBm2c17YMDK0PlVII3K7/LKdt3ScHL+hhouddjUWi+1sKDf9xXW+8YA==",
+            "version": "8.3.5",
+            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.3.5.tgz",
+            "integrity": "sha512-NxTuJocUhYGsMiMFHDUkmjSKT3EdH4/WbGF6GCi1NDGk+vbcUTun4fpbOqaPtD8IIsztA2ilZm2DhYCuyN58gA==",
             "dependencies": {
                 "colorette": "^1.2.2",
                 "nanoid": "^3.1.23",
@@ -22424,9 +22424,9 @@
             "integrity": "sha1-AerA/jta9xoqbAL+q7jB/vfgDqs="
         },
         "postcss": {
-            "version": "8.3.4",
-            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.3.4.tgz",
-            "integrity": "sha512-/tZY0PXExXXnNhKv3TOvZAOUYRyuqcCbBm2c17YMDK0PlVII3K7/LKdt3ScHL+hhouddjUWi+1sKDf9xXW+8YA==",
+            "version": "8.3.5",
+            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.3.5.tgz",
+            "integrity": "sha512-NxTuJocUhYGsMiMFHDUkmjSKT3EdH4/WbGF6GCi1NDGk+vbcUTun4fpbOqaPtD8IIsztA2ilZm2DhYCuyN58gA==",
             "requires": {
                 "colorette": "^1.2.2",
                 "nanoid": "^3.1.23",

website/package.json

@@ -14,7 +14,7 @@
         "@docusaurus/preset-classic": "2.0.0-beta.0",
         "@mdx-js/react": "^1.6.22",
         "clsx": "^1.1.1",
-        "postcss": "^8.3.4",
+        "postcss": "^8.3.5",
         "rapidoc": "^9.0.0",
         "react": "^17.0.2",
         "react-before-after-slider": "^1.0.4",

website/sidebars.js

@@ -89,6 +89,7 @@ module.exports = {
                         "integrations/services/ubuntu-landscape/index",
                         "integrations/services/veeam-enterprise-manager/index",
                         "integrations/services/vmware-vcenter/index",
+                        "integrations/services/wekan/index",
                         "integrations/services/wiki-js/index",
                         "integrations/services/zabbix/index",
                     ],

website/sidebarsDev.js

@@ -12,5 +12,9 @@ module.exports = {
             type: "doc",
             id: "translation",
         },
+        {
+            type: "doc",
+            id: "flow-executor",
+        },
     ],
 };

website/src/comparison.jsx

@@ -22,7 +22,7 @@ function Comparison() {
                         </thead>
                         <thead className="group">
                             <tr>
-                                <th>Protocol Support</th>
+                                <th>Protocol Support (as a provider)</th>
                                 <th></th>
                                 <th></th>
                                 <th></th>
@@ -64,6 +64,60 @@ function Comparison() {
                                 <td className="result failed"><X></X></td>
                             </tr>
                         </tbody>
+                        <thead className="group">
+                            <tr>
+                                <th>Federation support</th>
+                                <th></th>
+                                <th></th>
+                                <th></th>
+                                <th></th>
+                                <th></th>
+                                <th></th>
+                                <th></th>
+                            </tr>
+                        </thead>
+                        <tbody>
+                            <tr>
+                                <td className="row-label">SAML2</td>
+                                <td className="result passed authentik"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result failed"><X></X></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result failed"><X></X></td>
+                            </tr>
+                            <tr>
+                                <td className="row-label">OAuth2 and OIDC</td>
+                                <td className="result passed authentik"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result failed"><X></X></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result failed"><X></X></td>
+                            </tr>
+                            <tr>
+                                <td className="row-label">OAuth1</td>
+                                <td className="result passed authentik"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result failed"><X></X></td>
+                                <td className="result failed"><X></X></td>
+                                <td className="result failed"><X></X></td>
+                                <td className="result failed"><X></X></td>
+                                <td className="result failed"><X></X></td>
+                            </tr>
+                            <tr>
+                                <td className="row-label">LDAP</td>
+                                <td className="result passed authentik"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                                <td className="result passed"><Check></Check></td>
+                            </tr>
+                        </tbody>
                         <thead className="group">
                             <tr>
                                 <th>Use-cases</th>