release: 2021.9.2

website/docs: prepare 2021.9.2
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-09-23 12:34:02 +02:00 · 2021-09-23 12:33:42 +02:00 · 2021-09-23 10:16:49 +02:00 · 2021-09-23 09:57:42 +02:00 · 2021-09-23 09:57:24 +02:00 · 2021-09-23 08:34:40 +02:00
617 changed files with 15655 additions and 12477 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.8.1-rc1
+current_version = 2021.9.2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
@ -23,7 +23,7 @@ values =
 [bumpversion:file:schema.yml]
-[bumpversion:file:.github/workflows/release.yml]
+[bumpversion:file:.github/workflows/release-publish.yml]
 [bumpversion:file:authentik/__init__.py]
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -27,7 +27,7 @@ If applicable, add screenshots to help explain your problem.
 Output of docker-compose logs or kubectl logs respectively
 **Version and Deployment (please complete the following information):**
- - authentik version: [e.g. 0.10.0-stable]
+ - authentik version: [e.g. 2021.8.5]
 - Deployment: [e.g. docker-compose, helm]
 **Additional context**
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -20,7 +20,7 @@ If applicable, add screenshots to help explain your problem.
 Output of docker-compose logs or kubectl logs respectively
 **Version and Deployment (please complete the following information):**
- - authentik version: [e.g. 0.10.0-stable]
+ - authentik version: [e.g. 2021.8.5]
 - Deployment: [e.g. docker-compose, helm]
 **Additional context**
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -0,0 +1,309 @@
 name: authentik-ci-main
 on:
  push:
    branches:
      - master
      - next
      - version-*
    paths-ignore:
      - website
  pull_request:
    branches:
      - master
 env:
  POSTGRES_DB: authentik
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 jobs:
  lint-pylint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run pylint
        run: pipenv run pylint authentik tests lifecycle
  lint-black:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run black
        run: pipenv run black --check authentik tests lifecycle
  lint-isort:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run isort
        run: pipenv run isort --check authentik tests lifecycle
  lint-bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run bandit
        run: pipenv run bandit -r authentik tests lifecycle
  lint-pyright:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
      - name: prepare
        run: |
          scripts/ci_prepare.sh
          npm install -g pyright@1.1.136
      - name: run bandit
        run: pipenv run pyright e2e lifecycle
  test-migrations:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run migrations
        run: pipenv run python -m lifecycle.migrate
  test-migrations-from-stable:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      - name: checkout stable
        run: |
          # Copy current, latest config to local
          cp authentik/lib/default.yml local.env.yml
          git checkout $(git describe --abbrev=0 --match 'version/*')
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run migrations to stable
        run: pipenv run python -m lifecycle.migrate
      - name: prepare variables
        id: ev
        run: |
          python ./scripts/gh_do_set_branch.py
      - name: checkout current code
        run: |
          set -x
          git fetch
          git checkout ${{ steps.ev.outputs.branchName }}
          pipenv sync --dev
      - name: migrate to latest
        run: pipenv run python -m lifecycle.migrate
  test-unittest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - uses: testspace-com/setup-testspace@v1
        with:
          domain: ${{github.repository_owner}}
      - name: run unittest
        run: |
          pipenv run make test
          pipenv run coverage xml
      - name: run testspace
        if: ${{ always() }}
        run: |
          testspace [unittest]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v2
  test-integration:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - uses: testspace-com/setup-testspace@v1
        with:
          domain: ${{github.repository_owner}}
      - name: Create k8s Kind Cluster
        uses: helm/kind-action@v1.2.0
      - name: run integration
        run: |
          pipenv run make test-integration
          pipenv run coverage xml
      - name: run testspace
        if: ${{ always() }}
        run: |
          testspace [integration]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v2
  test-e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - uses: testspace-com/setup-testspace@v1
        with:
          domain: ${{github.repository_owner}}
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: |
          scripts/ci_prepare.sh
          docker-compose -f tests/e2e/ci.docker-compose.yml up -d
      - id: cache-web
        uses: actions/cache@v2.1.6
        with:
          path: web/dist
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        run: |
          cd web
          npm i
          npm run build
      - name: run e2e
        run: |
          pipenv run make test-e2e
          pipenv run coverage xml
      - name: run testspace
        if: ${{ always() }}
        run: |
          testspace [e2e]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v2
  build:
    needs:
      - lint-pylint
      - lint-black
      - lint-isort
      - lint-bandit
      - lint-pyright
      - test-migrations
      - test-migrations-from-stable
      - test-unittest
      - test-integration
      - test-e2e
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: prepare variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.HARBOR_USERNAME }}
        run: |
          python ./scripts/gh_do_set_branch.py
      - name: Login to Container Registry
        uses: docker/login-action@v1
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          registry: beryju.org
          username: ${{ secrets.HARBOR_USERNAME }}
          password: ${{ secrets.HARBOR_PASSWORD }}
      - name: Building Docker Image
        uses: docker/build-push-action@v2
        with:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            beryju.org/authentik/server:gh-${{ steps.ev.outputs.branchName }}
            beryju.org/authentik/server:gh-${{ steps.ev.outputs.branchName }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -0,0 +1,69 @@
 name: authentik-ci-outpost
 on:
  push:
    branches:
      - master
      - next
      - version-*
  pull_request:
    branches:
      - master
 jobs:
  lint-golint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: '^1.16.3'
      - name: Run linter
        run: |
          # Create folder structure for go embeds
          mkdir -p web/dist
          mkdir -p website/help
          touch web/dist/test website/help/test
          docker run \
            --rm \
            -v $(pwd):/app \
            -w /app \
            golangci/golangci-lint:v1.39.0 \
            golangci-lint run -v --timeout 200s
  build:
    needs:
      - lint-golint
    strategy:
      matrix:
        type:
          - proxy
          - ldap
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: prepare variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.HARBOR_USERNAME }}
        run: |
          python ./scripts/gh_do_set_branch.py
      - name: Login to Container Registry
        uses: docker/login-action@v1
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          registry: beryju.org
          username: ${{ secrets.HARBOR_USERNAME }}
          password: ${{ secrets.HARBOR_PASSWORD }}
      - name: Building Docker Image
        uses: docker/build-push-action@v2
        with:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchName }}
            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchName }}-${{ steps.ev.outputs.timestamp }}
            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.sha }}
          file: ${{ matrix.type }}.Dockerfile
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -0,0 +1,89 @@
 name: authentik-ci-web
 on:
  push:
    branches:
      - master
      - next
      - version-*
  pull_request:
    branches:
      - master
 jobs:
  lint-eslint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - run: |
          cd web
          npm install
      - name: Generate API
        run: make gen-web
      - name: Eslint
        run: |
          cd web
          npm run lint
  lint-prettier:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - run: |
          cd web
          npm install
      - name: Generate API
        run: make gen-web
      - name: prettier
        run: |
          cd web
          npm run prettier-check
  lint-lit-analyse:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - run: |
          cd web
          npm install
      - name: Generate API
        run: make gen-web
      - name: prettier
        run: |
          cd web
          npm run lit-analyse
  build:
    needs:
      - lint-eslint
      - lint-prettier
      - lint-lit-analyse
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - run: |
          cd web
          npm install
      - name: Generate API
        run: make gen-web
      - name: build
        run: |
          cd web
          npm run build
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -33,14 +33,14 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik:2021.8.1-rc1,
+            beryju/authentik:2021.9.2,
            beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.8.1-rc1,
+            ghcr.io/goauthentik/server:2021.9.2,
            ghcr.io/goauthentik/server:latest
          platforms: linux/amd64,linux/arm64
          context: .
      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.1-rc1', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.9.2', 'rc') }}
        run: |
          docker pull beryju/authentik:latest
          docker tag beryju/authentik:latest beryju/authentik:stable
@ -75,14 +75,14 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik-proxy:2021.8.1-rc1,
+            beryju/authentik-proxy:2021.9.2,
            beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.8.1-rc1,
+            ghcr.io/goauthentik/proxy:2021.9.2,
            ghcr.io/goauthentik/proxy:latest
          file: proxy.Dockerfile
          platforms: linux/amd64,linux/arm64
      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.1-rc1', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.9.2', 'rc') }}
        run: |
          docker pull beryju/authentik-proxy:latest
          docker tag beryju/authentik-proxy:latest beryju/authentik-proxy:stable
@ -117,14 +117,14 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik-ldap:2021.8.1-rc1,
+            beryju/authentik-ldap:2021.9.2,
            beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.8.1-rc1,
+            ghcr.io/goauthentik/ldap:2021.9.2,
            ghcr.io/goauthentik/ldap:latest
          file: ldap.Dockerfile
          platforms: linux/amd64,linux/arm64
      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.1-rc1', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.9.2', 'rc') }}
        run: |
          docker pull beryju/authentik-ldap:latest
          docker tag beryju/authentik-ldap:latest beryju/authentik-ldap:stable
@ -157,13 +157,12 @@ jobs:
    steps:
      - uses: actions/checkout@v2
      - name: Setup Node.js environment
-        uses: actions/setup-node@v2.4.0
+        uses: actions/setup-node@v2
        with:
-          node-version: 12.x
+          node-version: '16'
      - name: Build web api client and web ui
        run: |
          export NODE_ENV=production
          make gen-web
          cd web
          npm i
          npm run build
@ -176,7 +175,7 @@ jobs:
          SENTRY_PROJECT: authentik
          SENTRY_URL: https://sentry.beryju.org
        with:
-          version: authentik@2021.8.1-rc1
+          version: authentik@2021.9.2
          environment: beryjuorg-prod
          sourcemaps: './web/dist'
          url_prefix: '~/static/dist'
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
--- a/.github/workflows/web-api-publish.yml
+++ b/.github/workflows/web-api-publish.yml
@ -0,0 +1,39 @@
 name: authentik-web-api-publish
 on:
  push:
    branches: [ master ]
    paths:
      - 'schema.yml'
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # Setup .npmrc file to publish to npm
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          registry-url: 'https://registry.npmjs.org'
      - name: Generate API Client
        run: make gen-web
      - name: Publish package
        run: |
          cd web-api/
          npm i
          npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
      - name: Upgrade /web
        run: |
          cd web/
          export VERSION=`node -e 'console.log(require("../web-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: update-web-api-client
          commit-message: "web: Update Web API Client version"
          title: "web: Update Web API Client version"
          delete-branch: true
          signoff: true
--- a/.gitignore
+++ b/.gitignore
@ -201,3 +201,4 @@ media/
 .idea/
 /api/
 /web-api/
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,22 @@
 {
    "cSpell.words": [
        "asgi",
        "authentik",
        "authn",
        "goauthentik",
        "jwks",
        "oidc",
        "openid",
        "plex",
        "saml",
        "totp",
        "webauthn"
    ],
    "python.linting.pylintEnabled": true,
    "todo-tree.tree.showCountsInTree": true,
    "todo-tree.tree.showBadges": true,
    "python.formatting.provider": "black",
    "files.associations": {
        "*.akflow": "json"
    }
 }
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -11,8 +11,8 @@ The following is a set of guidelines for contributing to authentik and its compo
 [I don't want to read this whole thing, I just have a question!!!](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)
 [What should I know before I get started?](#what-should-i-know-before-i-get-started)
-  * [Atom and Packages](#atom-and-packages)
+  * [The components](#the-components)
-  * [Atom Design Decisions](#design-decisions)
+  * [authentik's structure](#authentiks-structure)
 [How Can I Contribute?](#how-can-i-contribute)
  * [Reporting Bugs](#reporting-bugs)
@ -22,14 +22,9 @@ The following is a set of guidelines for contributing to authentik and its compo
 [Styleguides](#styleguides)
  * [Git Commit Messages](#git-commit-messages)
-  * [JavaScript Styleguide](#javascript-styleguide)
+  * [Python Styleguide](#python-styleguide)
  * [CoffeeScript Styleguide](#coffeescript-styleguide)
  * [Specs Styleguide](#specs-styleguide)
  * [Documentation Styleguide](#documentation-styleguide)
 [Additional Notes](#additional-notes)
  * [Issue and Pull Request Labels](#issue-and-pull-request-labels)
 ## Code of Conduct
 Basically, don't be a dickhead. This is an open-source non-profit project, that is made in the free time of Volunteers. If there's something you dislike or think can be done better, tell us! We'd love to hear any suggestions for improvement.
--- a/42
+++ b/42
@ -18,43 +18,16 @@ COPY ./website /static/
 ENV NODE_ENV=production
 RUN cd /static && npm i && npm run build-docs-only
-# Stage 3: Build web API
+# Stage 3: Build webui
 FROM openapitools/openapi-generator-cli as web-api-builder
 COPY ./schema.yml /local/schema.yml
 RUN	docker-entrypoint.sh generate \
    -i /local/schema.yml \
    -g typescript-fetch \
    -o /local/web/api \
    --additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
 # Stage 3: Generate API Client
 FROM openapitools/openapi-generator-cli as go-api-builder
 COPY ./schema.yml /local/schema.yml
 RUN	docker-entrypoint.sh generate \
    --git-host goauthentik.io \
    --git-repo-id outpost \
    --git-user-id api \
    -i /local/schema.yml \
    -g go \
    -o /local/api \
    --additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true && \
    rm -f /local/api/go.mod /local/api/go.sum
 # Stage 4: Build webui
 FROM node as web-builder
 COPY ./web /static/
 COPY --from=web-api-builder /local/web/api /static/api
 ENV NODE_ENV=production
 RUN cd /static && npm i && npm run build
-# Stage 5: Build go proxy
+# Stage 4: Build go proxy
-FROM golang:1.17.0 AS builder
+FROM golang:1.17.1 AS builder
 WORKDIR /work
@ -64,7 +37,6 @@ COPY --from=web-builder /static/dist/ /work/web/dist/
 COPY --from=web-builder /static/authentik/ /work/web/authentik/
 COPY --from=website-builder /static/help/ /work/website/help/
 COPY --from=go-api-builder /local/api api
 COPY ./cmd /work/cmd
 COPY ./web/static.go /work/web/static.go
 COPY ./website/static.go /work/website/static.go
@ -74,7 +46,7 @@ COPY ./go.sum /work/go.sum
 RUN go build -o /work/authentik ./cmd/server/main.go
-# Stage 6: Run
+# Stage 5: Run
 FROM python:3.9-slim-buster
 WORKDIR /
@ -109,5 +81,7 @@ COPY --from=builder /work/authentik /authentik-proxy
 USER authentik
 ENV TMPDIR /dev/shm/
-ENV PYTHONUBUFFERED 1
+ENV PYTHONUNBUFFERED 1
-ENTRYPOINT [ "/lifecycle/bootstrap.sh" ]
+ENV prometheus_multiproc_dir /dev/shm/
 ENV PATH "/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/lifecycle"
 ENTRYPOINT [ "/lifecycle/ak" ]
--- a/20
+++ b/20
@ -2,12 +2,11 @@
 PWD = $(shell pwd)
 UID = $(shell id -u)
 GID = $(shell id -g)
 NPM_VERSION = $(shell python -m scripts.npm_version)
 all: lint-fix lint test gen
 test-integration:
 	k3d cluster create || exit 0
 	k3d kubeconfig write -o ~/.kube/config --overwrite
 	coverage run manage.py test -v 3 tests/integration
 test-e2e:
@ -41,10 +40,13 @@ gen-web:
 		openapitools/openapi-generator-cli generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
-		-o /local/web/api \
+		-o /local/web-api \
-		--additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=authentik-api,npmVersion=1.0.0
+		--additional-properties=typescriptThreePlus=true,supportsES6=true,npmName=@goauthentik/api,npmVersion=${NPM_VERSION}
-	# npm i runs tsc as part of the installation process
+	mkdir -p web/node_modules/@goauthentik/api
-	cd web/api && npm i
+	python -m scripts.web_api_esm
 	\cp -fv scripts/web_api_readme.md web-api/README.md
 	cd web-api && npm i
 	\cp -rfv web-api/* web/node_modules/@goauthentik/api
 gen-outpost:
 	docker run \
@ -57,13 +59,13 @@ gen-outpost:
 		-i /local/schema.yml \
 		-g go \
 		-o /local/api \
-		--additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true
+		--additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true,disallowAdditionalPropertiesIfNotPresent=false
 	rm -f api/go.mod api/go.sum
-gen: gen-build gen-clean gen-web gen-outpost
+gen: gen-build gen-clean gen-web
 migrate:
 	python -m lifecycle.migrate
 run:
-	go run -v cmd/server/main.go
+	WORKERS=1 go run -v cmd/server/main.go
--- a/3
+++ b/3
@ -49,9 +49,6 @@ ua-parser = "*"
 deepmerge = "*"
 colorama = "*"
 [requires]
 python_version = "3.9"
 [dev-packages]
 bandit = "*"
 black = "==21.5b1"
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -1,12 +1,10 @@
 {
    "_meta": {
        "hash": {
-            "sha256": "f0befa9b3dacc1c3363b9442fa7a43f6be2c46a8fcb80a994230d288a384e54d"
+            "sha256": "19d5324fd1a4af125ed57a683030ca14ee2d3648117748e4b32656875484728e"
        },
        "pipfile-spec": 6,
-        "requires": {
+        "requires": {},
            "python_version": "3.9"
        },
        "sources": [
            {
                "name": "pypi",
@ -122,19 +120,19 @@
        },
        "boto3": {
            "hashes": [
-                "sha256:057196ac15de4de2221a24a3a0a41692414fa1dd697994d062ebd447163265e7",
+                "sha256:3d8b1c76a2d40775b3a8a5c457293741641bf3b6b7150e3ad351e584bb50786e",
-                "sha256:852e776cea4287f74edcb45564f8345fb6b0168dde0fd5bf46668b94c3f21177"
+                "sha256:f7e8ce6155a4d4fc23796cb58ea4d28dd4bbb61198a0da8ff2efcbee395c453c"
            ],
            "index": "pypi",
-            "version": "==1.18.25"
+            "version": "==1.18.46"
        },
        "botocore": {
            "hashes": [
-                "sha256:201e10d3b1b40d65b7c9214be7087d78ed65de00e7362bd1e020741301d09fbc",
+                "sha256:58622d4d84adcbc352d82ab8a7ec512c7af862bcffd3b93225b416a87f46a6a2",
-                "sha256:b9820ee29d70059c9b0e2a69ec13ebf80f4a0bc85f47578f17e951438c506b2d"
+                "sha256:a5df461647d1080185e91c3078ab570cc6fc346df05b9decac9fca68c149b7b8"
            ],
            "markers": "python_version >= '3.6'",
-            "version": "==1.21.25"
+            "version": "==1.21.46"
        },
        "cachetools": {
            "hashes": [
@ -254,11 +252,11 @@
        },
        "charset-normalizer": {
            "hashes": [
-                "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
+                "sha256:5d209c0a931f215cee683b6445e2d77677e7e75e159f78def0db09d68fafcaa6",
-                "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
+                "sha256:5ec46d183433dcbd0ab716f2d7f29d8dee50505b3fdb40c6b985c7c4f5a3591f"
            ],
            "markers": "python_version >= '3'",
-            "version": "==2.0.4"
+            "version": "==2.0.6"
        },
        "click": {
            "hashes": [
@ -305,22 +303,27 @@
        },
        "cryptography": {
            "hashes": [
-                "sha256:0f1212a66329c80d68aeeb39b8a16d54ef57071bf22ff4e521657b27372e327d",
+                "sha256:0a7dcbcd3f1913f664aca35d47c1331fce738d44ec34b7be8b9d332151b0b01e",
-                "sha256:1e056c28420c072c5e3cb36e2b23ee55e260cb04eee08f702e0edfec3fb51959",
+                "sha256:1eb7bb0df6f6f583dd8e054689def236255161ebbcf62b226454ab9ec663746b",
-                "sha256:240f5c21aef0b73f40bb9f78d2caff73186700bf1bc6b94285699aff98cc16c6",
+                "sha256:21ca464b3a4b8d8e86ba0ee5045e103a1fcfac3b39319727bc0fc58c09c6aff7",
-                "sha256:26965837447f9c82f1855e0bc8bc4fb910240b6e0d16a664bb722df3b5b06873",
+                "sha256:34dae04a0dce5730d8eb7894eab617d8a70d0c97da76b905de9efb7128ad7085",
-                "sha256:37340614f8a5d2fb9aeea67fd159bfe4f5f4ed535b1090ce8ec428b2f15a11f2",
+                "sha256:3520667fda779eb788ea00080124875be18f2d8f0848ec00733c0ec3bb8219fc",
-                "sha256:3d10de8116d25649631977cb37da6cbdd2d6fa0e0281d014a5b7d337255ca713",
+                "sha256:3c4129fc3fdc0fa8e40861b5ac0c673315b3c902bbdc05fc176764815b43dd1d",
-                "sha256:3d8427734c781ea5f1b41d6589c293089704d4759e34597dce91014ac125aad1",
+                "sha256:3fa3a7ccf96e826affdf1a0a9432be74dc73423125c8f96a909e3835a5ef194a",
-                "sha256:7ec5d3b029f5fa2b179325908b9cd93db28ab7b85bb6c1db56b10e0b54235177",
+                "sha256:5b0fbfae7ff7febdb74b574055c7466da334a5371f253732d7e2e7525d570498",
-                "sha256:8e56e16617872b0957d1c9742a3f94b43533447fd78321514abbe7db216aa250",
+                "sha256:695104a9223a7239d155d7627ad912953b540929ef97ae0c34c7b8bf30857e89",
-                "sha256:b01fd6f2737816cb1e08ed4807ae194404790eac7ad030b34f2ce72b332f5586",
+                "sha256:8695456444f277af73a4877db9fc979849cd3ee74c198d04fc0776ebc3db52b9",
-                "sha256:bf40af59ca2465b24e54f671b2de2c59257ddc4f7e5706dbd6930e26823668d3",
+                "sha256:94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c",
-                "sha256:de4e5f7f68220d92b7637fc99847475b59154b7a1b3868fb7385337af54ac9ca",
+                "sha256:94fff993ee9bc1b2440d3b7243d488c6a3d9724cc2b09cdb297f6a886d040ef7",
-                "sha256:eb8cc2afe8b05acbd84a43905832ec78e7b3873fb124ca190f574dca7389a87d",
+                "sha256:9965c46c674ba8cc572bc09a03f4c649292ee73e1b683adb1ce81e82e9a6a0fb",
-                "sha256:ee77aa129f481be46f8d92a1a7db57269a2f23052d5f2433b4621bb457081cc9"
+                "sha256:a00cf305f07b26c351d8d4e1af84ad7501eca8a342dedf24a7acb0e7b7406e14",
                "sha256:a305600e7a6b7b855cd798e00278161b681ad6e9b7eca94c721d5f588ab212af",
                "sha256:cd65b60cfe004790c795cc35f272e41a3df4631e2fb6b35aa7ac6ef2859d554e",
                "sha256:d2a6e5ef66503da51d2110edf6c403dc6b494cc0082f85db12f54e9c5d4c3ec5",
                "sha256:d9ec0e67a14f9d1d48dd87a2531009a9b251c02ea42851c060b25c782516ff06",
                "sha256:f44d141b8c4ea5eb4dbc9b3ad992d45580c1d22bf5e24363f2fbf50c2d7ae8a7"
            ],
-            "version": "==3.4.7"
+            "version": "==3.4.8"
        },
        "dacite": {
            "hashes": [
@ -356,11 +359,11 @@
        },
        "django": {
            "hashes": [
-                "sha256:7f92413529aa0e291f3be78ab19be31aefb1e1c9a52cd59e130f505f27a51f13",
+                "sha256:95b318319d6997bac3595517101ad9cc83fe5672ac498ba48d1a410f47afecd2",
-                "sha256:f27f8544c9d4c383bbe007c57e3235918e258364577373d4920e9162837be022"
+                "sha256:e93c93565005b37ddebf2396b4dc4b6913c1838baa82efdfb79acedd5816c240"
            ],
            "index": "pypi",
-            "version": "==3.2.6"
+            "version": "==3.2.7"
        },
        "django-dbbackup": {
            "git": "https://github.com/django-dbbackup/django-dbbackup.git",
@ -392,11 +395,11 @@
        },
        "django-otp": {
            "hashes": [
-                "sha256:01b5888f0bde5125e139433aacb947e52d5c406fa56c9db43c3e8d75b5c323c4",
+                "sha256:0c03a471db9e876f3671314bc9a65bd56a5c3c108ee0562c473701310bba4a77",
-                "sha256:0d56dd2a7fbb6ee6e54557e036ca64add0bd3596f471794bad673b7637d5e935"
+                "sha256:4c90cdaed683d736b0efafc034a3c6b410e1be2a53c24da287165b1f371d8776"
            ],
            "index": "pypi",
-            "version": "==1.0.6"
+            "version": "==1.1.1"
        },
        "django-prometheus": {
            "hashes": [
@ -440,19 +443,19 @@
        },
        "docker": {
            "hashes": [
-                "sha256:3e8bc47534e0ca9331d72c32f2881bb13b93ded0bcdeab3c833fb7cf61c0a9a5",
+                "sha256:21ec4998e90dff7a7aaaa098ca8d839c7de412b89e6f6c30908372d58fecf663",
-                "sha256:fc961d622160e8021c10d1bcabc388c57d55fb1f917175afbe24af442e6879bd"
+                "sha256:9b17f0723d83c1f3418d2aa17bf90b24dbe97deda06208dd4262fa30a6ee87eb"
            ],
            "index": "pypi",
-            "version": "==5.0.0"
+            "version": "==5.0.2"
        },
        "drf-spectacular": {
            "hashes": [
-                "sha256:f080128c42183fcaed6b9e8e5afcd2e5cd68426b1f80bfc85938f25e62db7fe5",
+                "sha256:65df818226477cdfa629947ea52bc0cc13eb40550b192eeccec64a6b782651fd",
-                "sha256:fb19aa69fcfcd37b0c9dfb9989c0671e1bb47af332ca2171378c7f840263788c"
+                "sha256:f71205da3645d770545abeaf48e8a15afd6ee9a76e57c03df4592e51be1059bf"
            ],
            "index": "pypi",
-            "version": "==0.17.3"
+            "version": "==0.19.0"
        },
        "duo-client": {
            "hashes": [
@ -479,19 +482,19 @@
        },
        "geoip2": {
            "hashes": [
-                "sha256:906a1dbf15a179a1af3522970e8420ab15bb3e0afc526942cc179e12146d9c1d",
+                "sha256:599914784cea08b50fb50c22ed6a59143b5ff2d027ba782d2d5b6f3668293821",
-                "sha256:b97b44031fdc463e84eb1316b4f19edd978cb1d78703465fcb1e36dc5a822ba6"
+                "sha256:7ad10942e9fd6c54bc850d8311618f04dacd3fff5b55ba48b7ad83502fc884bd"
            ],
            "index": "pypi",
-            "version": "==4.2.0"
+            "version": "==4.3.0"
        },
        "google-auth": {
            "hashes": [
-                "sha256:c012c8be7c442c8309ca8fa0876fef33f5fd977c467be1e1c1c2f721e8ebd73c",
+                "sha256:7ae5eda089d393ca01658b550df24913cbbbdd34e9e6dedc1cea747485ae0c04",
-                "sha256:ea1af050b3e06eb73e4470f704d23007307bc0e87c13e015f6b90460f1407bd3"
+                "sha256:bde03220ed56e4e147dec92339c90ce95159dce657e2cccd0ac1fe82f6a96284"
            ],
            "markers": "python_version >= '3.6'",
-            "version": "==2.0.1"
+            "version": "==2.1.0"
        },
        "gunicorn": {
            "hashes": [
@ -703,10 +706,10 @@
        },
        "maxminddb": {
            "hashes": [
-                "sha256:47e86a084dd814fac88c99ea34ba3278a74bc9de5a25f4b815b608798747c7dc"
+                "sha256:c47b8acba98d03b8c762684d899623c257976f3eb0c9d557ff865d20cddc9d6b"
            ],
            "markers": "python_version >= '3.6'",
-            "version": "==2.0.3"
+            "version": "==2.1.0"
        },
        "msgpack": {
            "hashes": [
@ -810,11 +813,11 @@
        },
        "prompt-toolkit": {
            "hashes": [
-                "sha256:08360ee3a3148bdb5163621709ee322ec34fc4375099afa4bbf751e9b7b7fa4f",
+                "sha256:6076e46efae19b1e0ca1ec003ed37a933dc94b4d20f486235d436e64771dcd5c",
-                "sha256:7089d8d2938043508aa9420ec18ce0922885304cddae87fb96eebca942299f88"
+                "sha256:eb71d5a6b72ce6db177af4a7d4d7085b99756bf656d98ffcc4fecd36850eea6c"
            ],
-            "markers": "python_full_version >= '3.6.1'",
+            "markers": "python_full_version >= '3.6.2'",
-            "version": "==3.0.19"
+            "version": "==3.0.20"
        },
        "psycopg2-binary": {
            "hashes": [
@ -1081,11 +1084,11 @@
        },
        "sentry-sdk": {
            "hashes": [
-                "sha256:ebe99144fa9618d4b0e7617e7929b75acd905d258c3c779edcd34c0adfffe26c",
+                "sha256:4297555ddc37c7136740e6b547b7d68f5bca0b4832f94ac097e5d531a4c77528",
-                "sha256:f33d34c886d0ba24c75ea8885a8b3a172358853c7cbde05979fc99c29ef7bc52"
+                "sha256:ea04bc3be6eb082f34ff3f8f6380ea9c691766592298f3f975a435dafac6bf6a"
            ],
            "index": "pypi",
-            "version": "==1.3.1"
+            "version": "==1.4.1"
        },
        "service-identity": {
            "hashes": [
@ -1105,11 +1108,11 @@
        },
        "sqlparse": {
            "hashes": [
-                "sha256:017cde379adbd6a1f15a61873f43e8274179378e95ef3fede90b5aa64d304ed0",
+                "sha256:0c00730c74263a94e5a9919ade150dfc3b19c574389985446148402998287dae",
-                "sha256:0f91fd2e829c44362cbcfab3e9ae12e22badaa8a29ad5ff599f9ec109f0454e8"
+                "sha256:48719e356bb8b42991bdbb1e8b83223757b93789c00910a616a071910ca4a64d"
            ],
            "markers": "python_version >= '3.5'",
-            "version": "==0.4.1"
+            "version": "==0.4.2"
        },
        "structlog": {
            "hashes": [
@ -1148,11 +1151,11 @@
        },
        "typing-extensions": {
            "hashes": [
-                "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
+                "sha256:49f75d16ff11f1cd258e1b988ccff82a3ca5570217d7ad8c5f48205dd99a677e",
-                "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
+                "sha256:d8226d10bc02a29bcc81df19a26e56a9647f8b0a6d4a83924139f4a8b01f17b7",
-                "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
+                "sha256:f1d25edafde516b146ecd0613dabcc61409817af4766fbbcfb8d1ad4ec441a34"
            ],
-            "version": "==3.10.0.0"
+            "version": "==3.10.0.2"
        },
        "ua-parser": {
            "hashes": [
@ -1175,11 +1178,11 @@
                "secure"
            ],
            "hashes": [
-                "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
+                "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece",
-                "sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f"
+                "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"
            ],
            "index": "pypi",
-            "version": "==1.26.6"
+            "version": "==1.26.7"
        },
        "uvicorn": {
            "extras": [
@ -1253,58 +1256,50 @@
        },
        "websockets": {
            "hashes": [
-                "sha256:0dd4eb8e0bbf365d6f652711ce21b8fd2b596f873d32aabb0fbb53ec604418cc",
+                "sha256:01db0ecd1a0ca6702d02a5ed40413e18b7d22f94afb3bbe0d323bac86c42c1c8",
-                "sha256:1d0971cc7251aeff955aa742ec541ee8aaea4bb2ebf0245748fbec62f744a37e",
+                "sha256:085bb8a6e780d30eaa1ba48ac7f3a6707f925edea787cfb761ce5a39e77ac09b",
-                "sha256:1d6b4fddb12ab9adf87b843cd4316c4bd602db8d5efd2fb83147f0458fe85135",
+                "sha256:1ac35426fe3e7d3d0fac3d63c8965c76ed67a8fd713937be072bf0ce22808539",
-                "sha256:230a3506df6b5f446fed2398e58dcaafdff12d67fe1397dff196411a9e820d02",
+                "sha256:1f6b814cff6aadc4288297cb3a248614829c6e4ff5556593c44a115e9dd49939",
-                "sha256:276d2339ebf0df4f45df453923ebd2270b87900eda5dfd4a6b0cfa15f82111c3",
+                "sha256:2a43072e434c041a99f2e1eb9b692df0232a38c37c61d00e9f24db79474329e4",
-                "sha256:2cf04601633a4ec176b9cc3d3e73789c037641001dbfaf7c411f89cd3e04fcaf",
+                "sha256:5b2600e01c7ca6f840c42c747ffbe0254f319594ed108db847eb3d75f4aacb80",
-                "sha256:3ddff38894c7857c476feb3538dd847514379d6dc844961dc99f04b0384b1b1b",
+                "sha256:62160772314920397f9d219147f958b33fa27a12c662d4455c9ccbba9a07e474",
-                "sha256:48c222feb3ced18f3dc61168ca18952a22fb88e5eb8902d2bf1b50faefdc34a2",
+                "sha256:706e200fc7f03bed99ad0574cd1ea8b0951477dd18cc978ccb190683c69dba76",
-                "sha256:51d04df04ed9d08077d10ccbe21e6805791b78eac49d16d30a1f1fe2e44ba0af",
+                "sha256:71358c7816e2762f3e4af3adf0040f268e219f5a38cb3487a9d0fc2e554fef6a",
-                "sha256:597c28f3aa7a09e8c070a86b03107094ee5cdafcc0d55f2f2eac92faac8dc67d",
+                "sha256:7d2e12e4f901f1bc062dfdf91831712c4106ed18a9a4cdb65e2e5f502124ca37",
-                "sha256:5c8f0d82ea2468282e08b0cf5307f3ad022290ed50c45d5cb7767957ca782880",
+                "sha256:7f79f02c7f9a8320aff7d3321cd1c7e3a7dbc15d922ac996cca827301ee75238",
-                "sha256:7189e51955f9268b2bdd6cc537e0faa06f8fffda7fb386e5922c6391de51b077",
+                "sha256:82b17524b1ce6ae7f7dd93e4d18e9b9474071e28b65dbf1dfe9b5767778db379",
-                "sha256:7df3596838b2a0c07c6f6d67752c53859a54993d4f062689fdf547cb56d0f84f",
+                "sha256:82bd921885231f4a30d9bc550552495b3fc36b1235add6d374e7c65c3babd805",
-                "sha256:826ccf85d4514609219725ba4a7abd569228c2c9f1968e8be05be366f68291ec",
+                "sha256:8bbf8660c3f833ddc8b1afab90213f2e672a9ddac6eecb3cde968e6b2807c1c7",
-                "sha256:836d14eb53b500fd92bd5db2fc5894f7c72b634f9c2a28f546f75967503d8e25",
+                "sha256:9a4d889162bd48588e80950e07fa5e039eee9deb76a58092e8c3ece96d7ef537",
-                "sha256:85db8090ba94e22d964498a47fdd933b8875a1add6ebc514c7ac8703eb97bbf0",
+                "sha256:b4ade7569b6fd17912452f9c3757d96f8e4044016b6d22b3b8391e641ca50456",
-                "sha256:85e701a6c316b7067f1e8675c638036a796fe5116783a4c932e7eb8e305a3ffe",
+                "sha256:b8176deb6be540a46695960a765a77c28ac8b2e3ef2ec95d50a4f5df901edb1c",
-                "sha256:900589e19200be76dd7cbaa95e9771605b5ce3f62512d039fb3bc5da9014912a",
+                "sha256:c4fc9a1d242317892590abe5b61a9127f1a61740477bfb121743f290b8054002",
-                "sha256:9147868bb0cc01e6846606cd65cbf9c58598f187b96d14dd1ca17338b08793bb",
+                "sha256:c5880442f5fc268f1ef6d37b2c152c114deccca73f48e3a8c48004d2f16f4567",
-                "sha256:9e7fdc775fe7403dbd8bc883ba59576a6232eac96dacb56512daacf7af5d618d",
+                "sha256:cd8c6f2ec24aedace251017bc7a414525171d4e6578f914acab9349362def4da",
-                "sha256:ab5ee15d3462198c794c49ccd31773d8a2b8c17d622aa184f669d2b98c2f0857",
+                "sha256:d67646ddd17a86117ae21c27005d83c1895c0cef5d7be548b7549646372f868a",
-                "sha256:ad893d889bc700a5835e0a95a3e4f2c39e91577ab232a3dc03c262a0f8fc4b5c",
+                "sha256:e42a1f1e03437b017af341e9bbfdc09252cd48ef32a8c3c3ead769eab3b17368",
-                "sha256:b2e71c4670ebe1067fa8632f0d081e47254ee2d3d409de54168b43b0ba9147e0",
+                "sha256:eb282127e9c136f860c6068a4fba5756eb25e755baffb5940b6f1eae071928b2",
-                "sha256:b43b13e5622c5a53ab12f3272e6f42f1ce37cd5b6684b2676cb365403295cd40",
+                "sha256:fe83b3ec9ef34063d86dfe1029160a85f24a5a94271036e5714a57acfdd089a1",
-                "sha256:b4ad84b156cf50529b8ac5cc1638c2cf8680490e3fccb6121316c8c02620a2e4",
+                "sha256:ff59c6bdb87b31f7e2d596f09353d5a38c8c8ff571b0e2238e8ee2d55ad68465"
                "sha256:be5fd35e99970518547edc906efab29afd392319f020c3c58b0e1a158e16ed20",
                "sha256:caa68c95bc1776d3521f81eeb4d5b9438be92514ec2a79fececda814099c8314",
                "sha256:d144b350045c53c8ff09aa1cfa955012dd32f00c7e0862c199edcabb1a8b32da",
                "sha256:d2c2d9b24d3c65b5a02cac12cbb4e4194e590314519ed49db2f67ef561c3cf58",
                "sha256:e9e5fd6dbdf95d99bc03732ded1fc8ef22ebbc05999ac7e0c7bf57fe6e4e5ae2",
                "sha256:ebf459a1c069f9866d8569439c06193c586e72c9330db1390af7c6a0a32c4afd",
                "sha256:f31722f1c033c198aa4a39a01905951c00bd1c74f922e8afc1b1c62adbcdd56a",
                "sha256:f68c352a68e5fdf1e97288d5cec9296664c590c25932a8476224124aaf90dbcd"
            ],
-            "version": "==9.1"
+            "version": "==10.0"
        },
        "xmlsec": {
            "hashes": [
-                "sha256:23f209260b37bdc2fd96af837494c47dd1e67964f077442b63acd83c0f62e212",
+                "sha256:135724cdce60e6bbd072fca6f09a21f72e2cecc59eebb4eed7740c316ecabc7b",
-                "sha256:4fb38ab0bf3e47cbae136119674a869e09d61c939b510350f369c8ac46087373",
+                "sha256:1b4377f6d37ad714ba95a227ef40fb54ba1b22ef5170ce04c330fe45ee6ad184",
-                "sha256:705ab5b848afdf3a5c78b1322276054c885f44dc51601e14cb883a9c86cbe20f",
+                "sha256:2c86ac6ce570c9e04f04da0cd5e7d3db346e4b5b1d006311606368f17c756ef9",
-                "sha256:843d10bba4c480609da74ee11fff1ee0fc1c12821c656979f12a7a4ecb043e03",
+                "sha256:4e5f565de311afa33aaee4724566e685f951afe301212b6cf82f98cf9d8a1749",
-                "sha256:86d54b93f8278e2f0c504d0744e39a483c1c7ce9993f2ca70184cc7770faa982",
+                "sha256:9a2b8a780093b0fe8cecae53a81a8cd9edd50c08980d374c5317c91f065042d9",
-                "sha256:8922fba55a060ee81de4a7f5efc593c5bf121047763aecf0eead02e061c9d2db",
+                "sha256:ce9c681adbc87b4f06c2b16725d9b2edbdbd508117dae4288b5faf78c1406038",
-                "sha256:c7b49d4fce83186b89f7ce6cec765245d36a70d0acc2f3ed0ba95c735b3667da",
+                "sha256:d22da4d3dcc559fb2e54e782f39c9ddad5f8d5b356f86a79bbb80b0a45115c97",
-                "sha256:cd2eaaff7f31784a07dd99ce81fa767313df3ba1834faa4143ee2c07000cac7a",
+                "sha256:db3e18ca883c01bbe28c9f5197c66f676c9772cf2d85f667e6122fc4d0702225",
-                "sha256:dea5bef9b5830c36ccb7a68a0d94d49eaea4d03fbbd04179652bf661b7e6e30f",
+                "sha256:e4783f7814aa2a3e318385cce8ef87c82954b9a59535a48f67da4e2c21c08ce1",
-                "sha256:eadff662d89c80db409c69d82eb3e695e16d4a5e8ab56b5b22670a54e9c6ff20",
+                "sha256:f32e54065f0404ceff71388daa7fa7df10e1fb800051dfe302d63abb0acf0020",
-                "sha256:ee233d0bc27fb8f447ca2622b0de2ac2df45b8795f02ef263825912011fe4fe9"
+                "sha256:f5d242b1a19a36078608f5d7f4d561c5ca55cac8061a323a071c06275267dc19"
            ],
            "index": "pypi",
-            "version": "==1.3.11"
+            "version": "==1.3.12"
        },
        "yarl": {
            "hashes": [
@ -1417,11 +1412,11 @@
        },
        "astroid": {
            "hashes": [
-                "sha256:3975a0bd5373bdce166e60c851cfcbaf21ee96de80ec518c1f4cb3e94c3fb334",
+                "sha256:dcc06f6165f415220013801642bd6c9808a02967070919c4b746c6864c205471",
-                "sha256:ab7f36e8a78b8e54a62028ba6beef7561db4cdb6f2a5009ecc44a6f42b5697ef"
+                "sha256:fe81f80c0b35264acb5653302ffbd935d394f1775c5e4487df745bf9c2442708"
            ],
            "markers": "python_version ~= '3.6'",
-            "version": "==2.6.6"
+            "version": "==2.8.0"
        },
        "attrs": {
            "hashes": [
@ -1464,11 +1459,11 @@
        },
        "charset-normalizer": {
            "hashes": [
-                "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
+                "sha256:5d209c0a931f215cee683b6445e2d77677e7e75e159f78def0db09d68fafcaa6",
-                "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
+                "sha256:5ec46d183433dcbd0ab716f2d7f29d8dee50505b3fdb40c6b985c7c4f5a3591f"
            ],
            "markers": "python_version >= '3'",
-            "version": "==2.0.4"
+            "version": "==2.0.6"
        },
        "click": {
            "hashes": [
@ -1554,11 +1549,11 @@
        },
        "gitpython": {
            "hashes": [
-                "sha256:b838a895977b45ab6f0cc926a9045c8d1c44e2b653c1fcc39fe91f42c6e8f05b",
+                "sha256:dc0a7f2f697657acc8d7f89033e8b1ea94dd90356b2983bca89dc8d2ab3cc647",
-                "sha256:fce760879cd2aebd2991b3542876dc5c4a909b30c9d69dfc488e504a8db37ee8"
+                "sha256:df83fdf5e684fef7c6ee2c02fc68a5ceb7e7e759d08b694088d0cacb4eba59e5"
            ],
-            "markers": "python_version >= '3.6'",
+            "markers": "python_version >= '3.7'",
-            "version": "==3.1.18"
+            "version": "==3.1.24"
        },
        "idna": {
            "hashes": [
@ -1579,7 +1574,7 @@
                "sha256:9c2ea1e62d871267b78307fe511c0838ba0da28698c5732d54e2790bf3ba9899",
                "sha256:e17d6e2b81095c9db0a03a8025a957f334d6ea30b26f9ec70805411e5c7c81f2"
            ],
-            "markers": "python_version < '4' and python_full_version >= '3.6.1'",
+            "markers": "python_version < '4.0' and python_full_version >= '3.6.1'",
            "version": "==5.9.3"
        },
        "lazy-object-proxy": {
@ -1647,13 +1642,21 @@
            "markers": "python_version >= '2.6'",
            "version": "==5.6.0"
        },
        "platformdirs": {
            "hashes": [
                "sha256:15b056538719b1c94bdaccb29e5f81879c7f7f0f4a153f46086d155dffcd4f0f",
                "sha256:8003ac87717ae2c7ee1ea5a84a1a61e87f3fbd16eb5aadba194ea30a9019f648"
            ],
            "markers": "python_version >= '3.6'",
            "version": "==2.3.0"
        },
        "pluggy": {
            "hashes": [
-                "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0",
+                "sha256:4224373bacce55f955a878bf9cfa763c1e360858e330072059e10bad68531159",
-                "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"
+                "sha256:74134bbf457f031a36d68416e1509f34bd5ccc019f0bcc952c7b909d06b37bd3"
            ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "markers": "python_version >= '3.6'",
-            "version": "==0.13.1"
+            "version": "==1.0.0"
        },
        "py": {
            "hashes": [
@ -1665,11 +1668,11 @@
        },
        "pylint": {
            "hashes": [
-                "sha256:2e1a0eb2e8ab41d6b5dbada87f066492bb1557b12b76c47c2ee8aa8a11186594",
+                "sha256:0f358e221c45cbd4dad2a1e4b883e75d28acdcccd29d40c76eb72b307269b126",
-                "sha256:8b838c8983ee1904b2de66cce9d0b96649a91901350e956d78f289c3bc87b48e"
+                "sha256:2c9843fff1a88ca0ad98a256806c82c5a8f86086e7ccbdb93297d86c3f90c436"
            ],
            "index": "pypi",
-            "version": "==2.9.6"
+            "version": "==2.11.1"
        },
        "pylint-django": {
            "hashes": [
@ -1696,11 +1699,11 @@
        },
        "pytest": {
            "hashes": [
-                "sha256:50bcad0a0b9c5a72c8e4e7c9855a3ad496ca6a881a3641b4260605450772c54b",
+                "sha256:131b36680866a76e6781d13f101efb86cf674ebb9762eb70d3082b6f29889e89",
-                "sha256:91ef2131a9bd6be8f76f1f08eac5c5317221d6ad1e143ae03894b862e8976890"
+                "sha256:7310f8d27bc79ced999e760ca304d69f6ba6c6649c0b60fb0e04a4a77cacc134"
            ],
            "index": "pypi",
-            "version": "==6.2.4"
+            "version": "==6.2.5"
        },
        "pytest-django": {
            "hashes": [
@ -1747,41 +1750,49 @@
        },
        "regex": {
            "hashes": [
-                "sha256:026beb631097a4a3def7299aa5825e05e057de3c6d72b139c37813bfa351274b",
+                "sha256:04f6b9749e335bb0d2f68c707f23bb1773c3fb6ecd10edf0f04df12a8920d468",
-                "sha256:14caacd1853e40103f59571f169704367e79fb78fac3d6d09ac84d9197cadd16",
+                "sha256:08d74bfaa4c7731b8dac0a992c63673a2782758f7cfad34cf9c1b9184f911354",
-                "sha256:16d9eaa8c7e91537516c20da37db975f09ac2e7772a0694b245076c6d68f85da",
+                "sha256:0fc1f8f06977c2d4f5e3d3f0d4a08089be783973fc6b6e278bde01f0544ff308",
-                "sha256:18fdc51458abc0a974822333bd3a932d4e06ba2a3243e9a1da305668bd62ec6d",
+                "sha256:121f4b3185feaade3f85f70294aef3f777199e9b5c0c0245c774ae884b110a2d",
-                "sha256:28e8af338240b6f39713a34e337c3813047896ace09d51593d6907c66c0708ba",
+                "sha256:1413b5022ed6ac0d504ba425ef02549a57d0f4276de58e3ab7e82437892704fc",
-                "sha256:3835de96524a7b6869a6c710b26c90e94558c31006e96ca3cf6af6751b27dca1",
+                "sha256:1743345e30917e8c574f273f51679c294effba6ad372db1967852f12c76759d8",
-                "sha256:3905c86cc4ab6d71635d6419a6f8d972cab7c634539bba6053c47354fd04452c",
+                "sha256:28fc475f560d8f67cc8767b94db4c9440210f6958495aeae70fac8faec631797",
-                "sha256:3c09d88a07483231119f5017904db8f60ad67906efac3f1baa31b9b7f7cca281",
+                "sha256:31a99a4796bf5aefc8351e98507b09e1b09115574f7c9dbb9cf2111f7220d2e2",
-                "sha256:4551728b767f35f86b8e5ec19a363df87450c7376d7419c3cac5b9ceb4bce576",
+                "sha256:328a1fad67445550b982caa2a2a850da5989fd6595e858f02d04636e7f8b0b13",
-                "sha256:459bbe342c5b2dec5c5223e7c363f291558bc27982ef39ffd6569e8c082bdc83",
+                "sha256:473858730ef6d6ff7f7d5f19452184cd0caa062a20047f6d6f3e135a4648865d",
-                "sha256:4f421e3cdd3a273bace013751c345f4ebeef08f05e8c10757533ada360b51a39",
+                "sha256:4cde065ab33bcaab774d84096fae266d9301d1a2f5519d7bd58fc55274afbf7a",
-                "sha256:577737ec3d4c195c4aef01b757905779a9e9aee608fa1cf0aec16b5576c893d3",
+                "sha256:5f6a808044faae658f546dd5f525e921de9fa409de7a5570865467f03a626fc0",
-                "sha256:57fece29f7cc55d882fe282d9de52f2f522bb85290555b49394102f3621751ee",
+                "sha256:610b690b406653c84b7cb6091facb3033500ee81089867ee7d59e675f9ca2b73",
-                "sha256:7976d410e42be9ae7458c1816a416218364e06e162b82e42f7060737e711d9ce",
+                "sha256:66256b6391c057305e5ae9209941ef63c33a476b73772ca967d4a2df70520ec1",
-                "sha256:85f568892422a0e96235eb8ea6c5a41c8ccbf55576a2260c0160800dbd7c4f20",
+                "sha256:6eebf512aa90751d5ef6a7c2ac9d60113f32e86e5687326a50d7686e309f66ed",
-                "sha256:8764a78c5464ac6bde91a8c87dd718c27c1cabb7ed2b4beaf36d3e8e390567f9",
+                "sha256:79aef6b5cd41feff359acaf98e040844613ff5298d0d19c455b3d9ae0bc8c35a",
-                "sha256:8935937dad2c9b369c3d932b0edbc52a62647c2afb2fafc0c280f14a8bf56a6a",
+                "sha256:808ee5834e06f57978da3e003ad9d6292de69d2bf6263662a1a8ae30788e080b",
-                "sha256:8fe58d9f6e3d1abf690174fd75800fda9bdc23d2a287e77758dc0e8567e38ce6",
+                "sha256:8e44769068d33e0ea6ccdf4b84d80c5afffe5207aa4d1881a629cf0ef3ec398f",
-                "sha256:937b20955806381e08e54bd9d71f83276d1f883264808521b70b33d98e4dec5d",
+                "sha256:999ad08220467b6ad4bd3dd34e65329dd5d0df9b31e47106105e407954965256",
-                "sha256:9569da9e78f0947b249370cb8fadf1015a193c359e7e442ac9ecc585d937f08d",
+                "sha256:9b006628fe43aa69259ec04ca258d88ed19b64791693df59c422b607b6ece8bb",
-                "sha256:a3b73390511edd2db2d34ff09aa0b2c08be974c71b4c0505b4a048d5dc128c2b",
+                "sha256:9d05ad5367c90814099000442b2125535e9d77581855b9bee8780f1b41f2b1a2",
-                "sha256:a4eddbe2a715b2dd3849afbdeacf1cc283160b24e09baf64fa5675f51940419d",
+                "sha256:a577a21de2ef8059b58f79ff76a4da81c45a75fe0bfb09bc8b7bb4293fa18983",
-                "sha256:a5c6dbe09aff091adfa8c7cfc1a0e83fdb8021ddb2c183512775a14f1435fe16",
+                "sha256:a617593aeacc7a691cc4af4a4410031654f2909053bd8c8e7db837f179a630eb",
-                "sha256:b63e3571b24a7959017573b6455e05b675050bbbea69408f35f3cb984ec54363",
+                "sha256:abb48494d88e8a82601af905143e0de838c776c1241d92021e9256d5515b3645",
-                "sha256:bb350eb1060591d8e89d6bac4713d41006cd4d479f5e11db334a48ff8999512f",
+                "sha256:ac88856a8cbccfc14f1b2d0b829af354cc1743cb375e7f04251ae73b2af6adf8",
-                "sha256:bf6d987edd4a44dd2fa2723fca2790f9442ae4de2c8438e53fcb1befdf5d823a",
+                "sha256:b4c220a1fe0d2c622493b0a1fd48f8f991998fb447d3cd368033a4b86cf1127a",
-                "sha256:bfa6a679410b394600eafd16336b2ce8de43e9b13f7fb9247d84ef5ad2b45e91",
+                "sha256:b844fb09bd9936ed158ff9df0ab601e2045b316b17aa8b931857365ea8586906",
-                "sha256:c856ec9b42e5af4fe2d8e75970fcc3a2c15925cbcc6e7a9bcb44583b10b95e80",
+                "sha256:bdc178caebd0f338d57ae445ef8e9b737ddf8fbc3ea187603f65aec5b041248f",
-                "sha256:cea56288eeda8b7511d507bbe7790d89ae7049daa5f51ae31a35ae3c05408531",
+                "sha256:c206587c83e795d417ed3adc8453a791f6d36b67c81416676cad053b4104152c",
-                "sha256:ea212df6e5d3f60341aef46401d32fcfded85593af1d82b8b4a7a68cd67fdd6b",
+                "sha256:c61dcc1cf9fd165127a2853e2c31eb4fb961a4f26b394ac9fe5669c7a6592892",
-                "sha256:f35567470ee6dbfb946f069ed5f5615b40edcbb5f1e6e1d3d2b114468d505fc6",
+                "sha256:c7cb4c512d2d3b0870e00fbbac2f291d4b4bf2634d59a31176a87afe2777c6f0",
-                "sha256:fbc20975eee093efa2071de80df7f972b7b35e560b213aafabcec7c0bd00bd8c",
+                "sha256:d4a332404baa6665b54e5d283b4262f41f2103c255897084ec8f5487ce7b9e8e",
-                "sha256:ff4a8ad9638b7ca52313d8732f37ecd5fd3c8e3aff10a8ccb93176fd5b3812f6"
+                "sha256:d5111d4c843d80202e62b4fdbb4920db1dcee4f9366d6b03294f45ed7b18b42e",
                "sha256:e1e8406b895aba6caa63d9fd1b6b1700d7e4825f78ccb1e5260551d168db38ed",
                "sha256:e8690ed94481f219a7a967c118abaf71ccc440f69acd583cab721b90eeedb77c",
                "sha256:ed283ab3a01d8b53de3a05bfdf4473ae24e43caee7dcb5584e86f3f3e5ab4374",
                "sha256:ed4b50355b066796dacdd1cf538f2ce57275d001838f9b132fab80b75e8c84dd",
                "sha256:ee329d0387b5b41a5dddbb6243a21cb7896587a651bebb957e2d2bb8b63c0791",
                "sha256:f3bf1bc02bc421047bfec3343729c4bbbea42605bcfd6d6bfe2c07ade8b12d2a",
                "sha256:f585cbbeecb35f35609edccb95efd95a3e35824cd7752b586503f7e6087303f1",
                "sha256:f60667673ff9c249709160529ab39667d1ae9fd38634e006bec95611f632e759"
            ],
-            "version": "==2021.8.3"
+            "version": "==2021.8.28"
        },
        "requests": {
            "hashes": [
@ -1839,16 +1850,24 @@
            "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
            "version": "==0.10.2"
        },
        "typing-extensions": {
            "hashes": [
                "sha256:49f75d16ff11f1cd258e1b988ccff82a3ca5570217d7ad8c5f48205dd99a677e",
                "sha256:d8226d10bc02a29bcc81df19a26e56a9647f8b0a6d4a83924139f4a8b01f17b7",
                "sha256:f1d25edafde516b146ecd0613dabcc61409817af4766fbbcfb8d1ad4ec441a34"
            ],
            "version": "==3.10.0.2"
        },
        "urllib3": {
            "extras": [
                "secure"
            ],
            "hashes": [
-                "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
+                "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece",
-                "sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f"
+                "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"
            ],
            "index": "pypi",
-            "version": "==1.26.6"
+            "version": "==1.26.7"
        },
        "wrapt": {
            "hashes": [
--- a/README.md
+++ b/README.md
@ -4,14 +4,15 @@
 ---
-[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://discord.gg/jg33eMhnj6)
+[![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://discord.gg/jg33eMhnj6)
-[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/6?style=for-the-badge)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-main?label=core%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-main.yml)
-[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/6?compact_message&style=for-the-badge)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-outpost?label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-web?label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
 [![Testspace tests](https://img.shields.io/testspace/total/goauthentik/goauthentik:authentik/master?style=for-the-badge)](https://goauthentik.testspace.com/)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=for-the-badge)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=for-the-badge)
-![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/goauthentik/authentik?style=for-the-badge)
+[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/beryjuorg/authentik/)
 [Transifex](https://www.transifex.com/beryjuorg/authentik/)
 ## What is authentik?
--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,9 +6,8 @@
 | Version    | Supported          |
 | ---------- | ------------------ |
 | 2021.5.x   | :white_check_mark: |
 | 2021.6.x   | :white_check_mark: |
 | 2021.7.x   | :white_check_mark: |
 | 2021.8.x   | :white_check_mark: |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.8.1-rc1"
+__version__ = "2021.9.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/api/system.py
+++ b/authentik/admin/api/system.py
@ -34,6 +34,7 @@ class RuntimeDict(TypedDict):
 class SystemSerializer(PassiveSerializer):
    """Get system information."""
    env = SerializerMethodField()
    http_headers = SerializerMethodField()
    http_host = SerializerMethodField()
    http_is_secure = SerializerMethodField()
@ -42,6 +43,10 @@ class SystemSerializer(PassiveSerializer):
    server_time = SerializerMethodField()
    embedded_outpost_host = SerializerMethodField()
    def get_env(self, request: Request) -> dict[str, str]:
        """Get Environment"""
        return os.environ.copy()
    def get_http_headers(self, request: Request) -> dict[str, str]:
        """Get HTTP Request headers"""
        headers = {}
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -6,12 +6,14 @@ from django.core.cache import cache
 from django.core.validators import URLValidator
 from packaging.version import parse
 from prometheus_client import Info
-from requests import RequestException, get
+from requests import RequestException
 from structlog.stdlib import get_logger
 from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.events.models import Event, EventAction
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 LOGGER = get_logger()
@ -36,12 +38,17 @@ def _set_prom_info():
@CELERY_APP.task(bind=True, base=MonitoredTask)
 def update_latest_version(self: MonitoredTask):
    """Update latest version info"""
    if CONFIG.y_bool("disable_update_check"):
        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
        self.set_status(TaskResult(TaskResultStatus.WARNING, messages=["Version check disabled."]))
        return
    try:
-        response = get("https://api.github.com/repos/goauthentik/authentik/releases/latest")
+        response = get_http_session().get(
            "https://version.goauthentik.io/version.json",
        )
        response.raise_for_status()
        data = response.json()
-        tag_name = data.get("tag_name")
+        upstream_version = data.get("stable", {}).get("version")
        upstream_version = tag_name.split("/")[1]
        cache.set(VERSION_CACHE_KEY, upstream_version, VERSION_CACHE_TIMEOUT)
        self.set_status(
            TaskResult(TaskResultStatus.SUCCESSFUL, ["Successfully updated latest Version"])
@ -58,7 +65,7 @@ def update_latest_version(self: MonitoredTask):
            ).exists():
                return
            event_dict = {"new_version": upstream_version}
-            if match := re.search(URL_FINDER, data.get("body", "")):
+            if match := re.search(URL_FINDER, data.get("stable", {}).get("changelog", "")):
                event_dict["message"] = f"Changelog: {match.group()}"
            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
    except (RequestException, IndexError) as exc:
--- a/authentik/admin/tests/test_tasks.py
+++ b/authentik/admin/tests/test_tasks.py
@ -1,81 +1,58 @@
 """test admin tasks"""
 import json
 from dataclasses import dataclass
 from unittest.mock import Mock, patch
 from django.core.cache import cache
 from django.test import TestCase
-from requests.exceptions import RequestException
+from requests_mock import Mocker
 from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
 from authentik.events.models import Event, EventAction
-
+RESPONSE_VALID = {
-@dataclass
+    "$schema": "https://version.goauthentik.io/schema.json",
-class MockResponse:
+    "stable": {
-    """Mock class to emulate the methods of requests's Response we need"""
+        "version": "99999999.9999999",
-
+        "changelog": "See https://goauthentik.io/test",
-    status_code: int
+        "reason": "bugfix",
-    response: str
+    },
-
+}
    def json(self) -> dict:
        """Get json parsed response"""
        return json.loads(self.response)
    def raise_for_status(self):
        """raise RequestException if status code is 400 or more"""
        if self.status_code >= 400:
            raise RequestException
 REQUEST_MOCK_VALID = Mock(
    return_value=MockResponse(
        200,
        """{
            "tag_name": "version/99999999.9999999",
            "body": "https://goauthentik.io/test"
        }""",
    )
 )
 REQUEST_MOCK_INVALID = Mock(return_value=MockResponse(400, "{}"))
 class TestAdminTasks(TestCase):
    """test admin tasks"""
    @patch("authentik.admin.tasks.get", REQUEST_MOCK_VALID)
    def test_version_valid_response(self):
        """Test Update checker with valid response"""
-        update_latest_version.delay().get()
+        with Mocker() as mocker:
-        self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
+            mocker.get("https://version.goauthentik.io/version.json", json=RESPONSE_VALID)
-        self.assertTrue(
+            update_latest_version.delay().get()
-            Event.objects.filter(
+            self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
-                action=EventAction.UPDATE_AVAILABLE,
+            self.assertTrue(
                context__new_version="99999999.9999999",
                context__message="Changelog: https://goauthentik.io/test",
            ).exists()
        )
        # test that a consecutive check doesn't create a duplicate event
        update_latest_version.delay().get()
        self.assertEqual(
            len(
                Event.objects.filter(
                    action=EventAction.UPDATE_AVAILABLE,
                    context__new_version="99999999.9999999",
                    context__message="Changelog: https://goauthentik.io/test",
-                )
+                ).exists()
-            ),
+            )
-            1,
+            # test that a consecutive check doesn't create a duplicate event
-        )
+            update_latest_version.delay().get()
            self.assertEqual(
                len(
                    Event.objects.filter(
                        action=EventAction.UPDATE_AVAILABLE,
                        context__new_version="99999999.9999999",
                        context__message="Changelog: https://goauthentik.io/test",
                    )
                ),
                1,
            )
    @patch("authentik.admin.tasks.get", REQUEST_MOCK_INVALID)
    def test_version_error(self):
        """Test Update checker with invalid response"""
-        update_latest_version.delay().get()
+        with Mocker() as mocker:
-        self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
+            mocker.get("https://version.goauthentik.io/version.json", status_code=400)
-        self.assertFalse(
+            update_latest_version.delay().get()
-            Event.objects.filter(
+            self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
-                action=EventAction.UPDATE_AVAILABLE, context__new_version="0.0.0"
+            self.assertFalse(
-            ).exists()
+                Event.objects.filter(
-        )
+                    action=EventAction.UPDATE_AVAILABLE, context__new_version="0.0.0"
                ).exists()
            )
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -33,14 +33,13 @@ def bearer_auth(raw_header: bytes) -> Optional[User]:
            raise AuthenticationFailed("Malformed header")
        # Accept credentials with username and without
        if ":" in auth_credentials:
-            _, password = auth_credentials.split(":")
+            _, _, password = auth_credentials.partition(":")
        else:
            password = auth_credentials
    if password == "":  # nosec
        raise AuthenticationFailed("Malformed header")
    tokens = Token.filter_not_expired(key=password, intent=TokenIntents.INTENT_API)
    if not tokens.exists():
        LOGGER.info("Authenticating via secret_key")
        user = token_secret_key(password)
        if not user:
            raise AuthenticationFailed("Token invalid/expired")
@ -58,6 +57,7 @@ def token_secret_key(value: str) -> Optional[User]:
    outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
    if not outposts:
        return None
    LOGGER.info("Authenticating via secret_key")
    outpost = outposts.first()
    return outpost.user
--- a/authentik/api/authorization.py
+++ b/authentik/api/authorization.py
@ -33,3 +33,12 @@ class OwnerPermissions(BasePermission):
        if owner != request.user:
            return False
        return True
 class OwnerSuperuserPermissions(OwnerPermissions):
    """Similar to OwnerPermissions, except always allow access for superusers"""
    def has_object_permission(self, request: Request, view, obj: Model) -> bool:
        if request.user.is_superuser:
            return True
        return super().has_object_permission(request, view, obj)
--- a/authentik/api/decorators.py
+++ b/authentik/api/decorators.py
@ -5,6 +5,9 @@ from typing import Callable, Optional
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger
 LOGGER = get_logger()
 def permission_required(perm: Optional[str] = None, other_perms: Optional[list[str]] = None):
@ -18,10 +21,12 @@ def permission_required(perm: Optional[str] = None, other_perms: Optional[list[s
            if perm:
                obj = self.get_object()
                if not request.user.has_perm(perm, obj):
                    LOGGER.debug("denying access for object", user=request.user, perm=perm, obj=obj)
                    return self.permission_denied(request)
            if other_perms:
                for other_perm in other_perms:
                    if not request.user.has_perm(other_perm):
                        LOGGER.debug("denying access for other", user=request.user, perm=perm)
                        return self.permission_denied(request)
            return func(self, request, *args, **kwargs)
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -31,7 +31,7 @@ VALIDATION_ERROR = build_object_type(
        "non_field_errors": build_array_type(build_standard_type(OpenApiTypes.STR)),
        "code": build_standard_type(OpenApiTypes.STR),
    },
-    required=["detail"],
+    required=[],
    additionalProperties={},
 )
--- a/authentik/api/tasks.py
+++ b/authentik/api/tasks.py
@ -0,0 +1,19 @@
 """API tasks"""
 from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 SENTRY_SESSION = get_http_session()
@CELERY_APP.task()
 def sentry_proxy(payload: str):
    """Relay data to sentry"""
    SENTRY_SESSION.post(
        "https://sentry.beryju.org/api/8/envelope/",
        data=payload,
        headers={
            "Content-Type": "application/octet-stream",
        },
        timeout=10,
    )
--- a/authentik/api/urls.py
+++ b/authentik/api/urls.py
@ -1,8 +1,10 @@
 """authentik api urls"""
 from django.urls import include, path
-from authentik.api.v2.urls import urlpatterns as v2_urls
+from authentik.api.v3.urls import urlpatterns as v3_urls
 urlpatterns = [
-    path("v2beta/", include(v2_urls)),
+    # Remove in 2022.1
    path("v2beta/", include(v3_urls)),
    path("v3/", include(v3_urls)),
 ]
--- a/authentik/api/v2/sentry.py
+++ b/authentik/api/v2/sentry.py
@ -1,38 +0,0 @@
 """Sentry tunnel"""
 from json import loads
 from django.conf import settings
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
 from django.views.generic.base import View
 from requests import post
 from requests.exceptions import RequestException
 from authentik.lib.config import CONFIG
 class SentryTunnelView(View):
    """Sentry tunnel, to prevent ad blockers from blocking sentry"""
    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Sentry tunnel, to prevent ad blockers from blocking sentry"""
        # Only allow usage of this endpoint when error reporting is enabled
        if not CONFIG.y_bool("error_reporting.enabled", False):
            return HttpResponse(status=400)
        # Body is 2 json objects separated by \n
        full_body = request.body
        header = loads(full_body.splitlines()[0])
        # Check that the DSN is what we expect
        dsn = header.get("dsn", "")
        if dsn != settings.SENTRY_DSN:
            return HttpResponse(status=400)
        response = post(
            "https://sentry.beryju.org/api/8/envelope/",
            data=full_body,
            headers={"Content-Type": "application/octet-stream"},
        )
        try:
            response.raise_for_status()
        except RequestException:
            return HttpResponse(status=500)
        return HttpResponse(status=response.status_code)
--- a/authentik/api/v3/init.py
+++ b/authentik/api/v3/init.py
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
--- a/authentik/api/v3/sentry.py
+++ b/authentik/api/v3/sentry.py
@ -0,0 +1,65 @@
 """Sentry tunnel"""
 from json import loads
 from django.conf import settings
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
 from rest_framework.authentication import SessionAuthentication
 from rest_framework.parsers import BaseParser
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.throttling import AnonRateThrottle
 from rest_framework.views import APIView
 from structlog.stdlib import get_logger
 from authentik.api.tasks import sentry_proxy
 from authentik.lib.config import CONFIG
 LOGGER = get_logger()
 class PlainTextParser(BaseParser):
    """Plain text parser."""
    media_type = "text/plain"
    def parse(self, stream, media_type=None, parser_context=None) -> str:
        """Simply return a string representing the body of the request."""
        return stream.read()
 class CsrfExemptSessionAuthentication(SessionAuthentication):
    """CSRF-exempt Session authentication"""
    def enforce_csrf(self, request: Request):
        return  # To not perform the csrf check previously happening
 class SentryTunnelView(APIView):
    """Sentry tunnel, to prevent ad blockers from blocking sentry"""
    serializer_class = None
    parser_classes = [PlainTextParser]
    throttle_classes = [AnonRateThrottle]
    permission_classes = [AllowAny]
    authentication_classes = [CsrfExemptSessionAuthentication]
    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Sentry tunnel, to prevent ad blockers from blocking sentry"""
        # Only allow usage of this endpoint when error reporting is enabled
        if not CONFIG.y_bool("error_reporting.enabled", False):
            LOGGER.debug("error reporting disabled")
            return HttpResponse(status=400)
        # Body is 2 json objects separated by \n
        full_body = request.body
        lines = full_body.splitlines()
        if len(lines) < 1:
            return HttpResponse(status=400)
        header = loads(lines[0])
        # Check that the DSN is what we expect
        dsn = header.get("dsn", "")
        if dsn != settings.SENTRY_DSN:
            LOGGER.debug("Invalid dsn", have=dsn, expected=settings.SENTRY_DSN)
            return HttpResponse(status=400)
        sentry_proxy.delay(full_body.decode())
        return HttpResponse(status=204)
--- a/authentik/api/v3/urls.py
+++ b/authentik/api/v3/urls.py
@ -1,6 +1,6 @@
-"""api v2 urls"""
+"""api v3 urls"""
 from django.urls import path
-from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.cache import cache_page
 from drf_spectacular.views import SpectacularAPIView
 from rest_framework import routers
@ -10,8 +10,8 @@ from authentik.admin.api.system import SystemView
 from authentik.admin.api.tasks import TaskViewSet
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.workers import WorkerView
-from authentik.api.v2.config import ConfigView
+from authentik.api.v3.config import ConfigView
-from authentik.api.v2.sentry import SentryTunnelView
+from authentik.api.v3.sentry import SentryTunnelView
 from authentik.api.views import APIBrowserView
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@ -24,6 +24,7 @@ from authentik.core.api.users import UserViewSet
 from authentik.crypto.api import CertificateKeyPairViewSet
 from authentik.events.api.event import EventViewSet
 from authentik.events.api.notification import NotificationViewSet
 from authentik.events.api.notification_mapping import NotificationWebhookMappingViewSet
 from authentik.events.api.notification_rule import NotificationRuleViewSet
 from authentik.events.api.notification_transport import NotificationTransportViewSet
 from authentik.flows.api.bindings import FlowStageBindingViewSet
@ -98,6 +99,7 @@ from authentik.stages.user_write.api import UserWriteStageViewSet
 from authentik.tenants.api import TenantViewSet
 router = routers.DefaultRouter()
 router.include_format_suffixes = False
 router.register("admin/system_tasks", TaskViewSet, basename="admin_system_tasks")
 router.register("admin/apps", AppsViewSet, basename="apps")
@ -159,6 +161,7 @@ router.register("propertymappings/all", PropertyMappingViewSet)
 router.register("propertymappings/ldap", LDAPPropertyMappingViewSet)
 router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
 router.register("propertymappings/scope", ScopeMappingViewSet)
 router.register("propertymappings/notification", NotificationWebhookMappingViewSet)
 router.register("authenticators/duo", DuoDeviceViewSet)
 router.register("authenticators/static", StaticDeviceViewSet)
@ -225,7 +228,7 @@ urlpatterns = (
            FlowExecutorView.as_view(),
            name="flow-executor",
        ),
-        path("sentry/", csrf_exempt(SentryTunnelView.as_view()), name="sentry"),
+        path("sentry/", SentryTunnelView.as_view(), name="sentry"),
-        path("schema/", SpectacularAPIView.as_view(), name="schema"),
+        path("schema/", cache_page(86400)(SpectacularAPIView.as_view()), name="schema"),
    ]
 )
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -4,14 +4,9 @@ from django.db.models import QuerySet
 from django.http.response import HttpResponseBadRequest
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import (
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
    OpenApiParameter,
    OpenApiResponse,
    extend_schema,
    inline_serializer,
 )
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, CharField, FileField, ReadOnlyField
+from rest_framework.fields import ReadOnlyField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -24,6 +19,7 @@ from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
 from authentik.api.decorators import permission_required
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import FilePathSerializer, FileUploadSerializer
 from authentik.core.models import Application, User
 from authentik.events.models import EventAction
 from authentik.policies.api.exec import PolicyTestResultSerializer
@ -71,7 +67,7 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
    """Application Viewset"""
-    queryset = Application.objects.all()
+    queryset = Application.objects.all().prefetch_related("provider")
    serializer_class = ApplicationSerializer
    search_fields = [
        "name",
@ -122,7 +118,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        # If the current user is superuser, they can set `for_user`
        for_user = request.user
        if request.user.is_superuser and "for_user" in request.query_params:
-            for_user = get_object_or_404(User, pk=request.query_params.get("for_user"))
+            try:
                for_user = get_object_or_404(User, pk=request.query_params.get("for_user"))
            except ValueError:
                return HttpResponseBadRequest("for_user must be numerical")
        engine = PolicyEngine(application, for_user, request)
        engine.use_cache = False
        engine.build()
@ -177,13 +176,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_core.change_application")
    @extend_schema(
        request={
-            "multipart/form-data": inline_serializer(
+            "multipart/form-data": FileUploadSerializer,
                "SetIcon",
                fields={
                    "file": FileField(required=False),
                    "clear": BooleanField(default=False),
                },
            )
        },
        responses={
            200: OpenApiResponse(description="Success"),
@ -215,7 +208,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_core.change_application")
    @extend_schema(
-        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
+        request=FilePathSerializer,
        responses={
            200: OpenApiResponse(description="Success"),
            400: OpenApiResponse(description="Bad request"),
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -11,6 +11,7 @@ from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.models import AuthenticatedSession
 from authentik.events.geo import GEOIP_READER, GeoIPDict
@ -102,11 +103,8 @@ class AuthenticatedSessionViewSet(
    search_fields = ["user__username", "last_ip", "last_user_agent"]
    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
    ordering = ["user__username"]
-    filter_backends = [
+    permission_classes = [OwnerSuperuserPermissions]
-        DjangoFilterBackend,
+    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
        OrderingFilter,
        SearchFilter,
    ]
    def get_queryset(self):
        user = self.request.user if self.request else get_anonymous_user()
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -2,7 +2,7 @@
 from django.db.models.query import QuerySet
 from django_filters.filters import ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from rest_framework.fields import BooleanField, CharField, JSONField
+from rest_framework.fields import CharField, JSONField
 from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter
@ -15,7 +15,6 @@ from authentik.core.models import Group, User
 class GroupMemberSerializer(ModelSerializer):
    """Stripped down user serializer to show relevant users for groups"""
    is_superuser = BooleanField(read_only=True)
    avatar = CharField(read_only=True)
    attributes = JSONField(validators=[is_dict], required=False)
    uid = CharField(read_only=True)
@ -29,7 +28,6 @@ class GroupMemberSerializer(ModelSerializer):
            "name",
            "is_active",
            "last_login",
            "is_superuser",
            "email",
            "avatar",
            "attributes",
@ -81,7 +79,7 @@ class GroupFilter(FilterSet):
 class GroupViewSet(UsedByMixin, ModelViewSet):
    """Group Viewset"""
-    queryset = Group.objects.all()
+    queryset = Group.objects.all().select_related("parent").prefetch_related("users")
    serializer_class = GroupSerializer
    search_fields = ["name", "is_superuser"]
    filterset_class = GroupFilter
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -95,7 +95,9 @@ class SourceViewSet(
    @action(detail=False, pagination_class=None, filter_backends=[])
    def user_settings(self, request: Request) -> Response:
        """Get all sources the user can configure"""
-        _all_sources: Iterable[Source] = Source.objects.filter(enabled=True).select_subclasses()
+        _all_sources: Iterable[Source] = (
            Source.objects.filter(enabled=True).select_subclasses().order_by("name")
        )
        matching_sources: list[UserSettingSerializer] = []
        for source in _all_sources:
            user_settings = source.ui_user_settings
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -1,13 +1,20 @@
 """Tokens API Viewset"""
 from typing import Any
 from django.http.response import Http404
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
@ -20,7 +27,16 @@ from authentik.managed.api import ManagedSerializer
 class TokenSerializer(ManagedSerializer, ModelSerializer):
    """Token Serializer"""
-    user = UserSerializer(required=False)
+    user_obj = UserSerializer(required=False, source="user")
    def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
        """Ensure only API or App password tokens are created."""
        request: Request = self.context["request"]
        attrs.setdefault("user", request.user)
        attrs.setdefault("intent", TokenIntents.INTENT_API)
        if attrs.get("intent") not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
            raise ValidationError(f"Invalid intent {attrs.get('intent')}")
        return attrs
    class Meta:
@ -31,11 +47,14 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
            "identifier",
            "intent",
            "user",
            "user_obj",
            "description",
            "expires",
            "expiring",
        ]
-        depth = 2
+        extra_kwargs = {
            "user": {"required": False},
        }
 class TokenViewSerializer(PassiveSerializer):
@ -64,14 +83,23 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
        "expires",
        "expiring",
    ]
-    ordering = ["expires"]
+    ordering = ["identifier", "expires"]
    permission_classes = [OwnerSuperuserPermissions]
    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
    def get_queryset(self):
        user = self.request.user if self.request else get_anonymous_user()
        if user.is_superuser:
            return super().get_queryset()
        return super().get_queryset().filter(user=user.pk)
    def perform_create(self, serializer: TokenSerializer):
-        serializer.save(
+        if not self.request.user.is_superuser:
-            user=self.request.user,
+            return serializer.save(
-            intent=TokenIntents.INTENT_API,
+                user=self.request.user,
-            expiring=self.request.user.attributes.get(USER_ATTRIBUTE_TOKEN_EXPIRING, True),
+                expiring=self.request.user.attributes.get(USER_ATTRIBUTE_TOKEN_EXPIRING, True),
-        )
+            )
        return super().perform_create(serializer)
    @permission_required("authentik_core.view_token_key")
    @extend_schema(
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -1,15 +1,25 @@
 """User API Views"""
 from datetime import timedelta
 from json import loads
 from typing import Optional
 from django.db.models.query import QuerySet
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
 from django.utils.http import urlencode
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from django_filters.filters import BooleanFilter, CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, extend_schema, extend_schema_field
+from drf_spectacular.utils import (
    OpenApiParameter,
    extend_schema,
    extend_schema_field,
    inline_serializer,
 )
 from guardian.shortcuts import get_anonymous_user, get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, JSONField, SerializerMethodField
@ -34,7 +44,14 @@ from authentik.core.api.groups import GroupSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
-from authentik.core.models import Group, Token, TokenIntents, User
+from authentik.core.models import (
    USER_ATTRIBUTE_SA,
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    Group,
    Token,
    TokenIntents,
    User,
 )
 from authentik.events.models import EventAction
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
@ -220,6 +237,52 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        )
        return link, token
    @permission_required(None, ["authentik_core.add_user", "authentik_core.add_token"])
    @extend_schema(
        request=inline_serializer(
            "UserServiceAccountSerializer",
            {
                "name": CharField(required=True),
                "create_group": BooleanField(default=False),
            },
        ),
        responses={
            200: inline_serializer(
                "UserServiceAccountResponse",
                {
                    "username": CharField(required=True),
                    "token": CharField(required=True),
                },
            )
        },
    )
    @action(detail=False, methods=["POST"], pagination_class=None, filter_backends=[])
    def service_account(self, request: Request) -> Response:
        """Create a new user account that is marked as a service account"""
        username = request.data.get("name")
        create_group = request.data.get("create_group", False)
        with atomic():
            try:
                user = User.objects.create(
                    username=username,
                    name=username,
                    attributes={USER_ATTRIBUTE_SA: True, USER_ATTRIBUTE_TOKEN_EXPIRING: False},
                )
                if create_group:
                    group = Group.objects.create(
                        name=username,
                    )
                    group.users.add(user)
                token = Token.objects.create(
                    identifier=slugify(f"service-account-{username}-password"),
                    intent=TokenIntents.INTENT_APP_PASSWORD,
                    user=user,
                    expires=now() + timedelta(days=360),
                )
                return Response({"username": user.username, "token": token.key})
            except (IntegrityError) as exc:
                return Response(data={"non_field_errors": [str(exc)]}, status=400)
    @extend_schema(responses={200: SessionUserSerializer(many=False)})
    @action(detail=False, pagination_class=None, filter_backends=[])
    # pylint: disable=invalid-name
@ -251,7 +314,9 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        # since it caches the full object
        if SESSION_IMPERSONATE_USER in request.session:
            request.session[SESSION_IMPERSONATE_USER] = new_user
-        return self.me(request)
+        serializer = SessionUserSerializer(data={"user": UserSelfSerializer(request.user).data})
        serializer.is_valid()
        return Response(serializer.data)
    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -2,7 +2,7 @@
 from typing import Any
 from django.db.models import Model
-from rest_framework.fields import CharField, IntegerField
+from rest_framework.fields import BooleanField, CharField, FileField, IntegerField
 from rest_framework.serializers import Serializer, SerializerMethodField, ValidationError
@ -22,8 +22,18 @@ class PassiveSerializer(Serializer):
    def update(self, instance: Model, validated_data: dict) -> Model:  # pragma: no cover
        return Model()
-    class Meta:
+
-        model = Model
+class FileUploadSerializer(PassiveSerializer):
    """Serializer to upload file"""
    file = FileField(required=False)
    clear = BooleanField(default=False)
 class FilePathSerializer(PassiveSerializer):
    """Serializer to upload file"""
    url = CharField()
 class MetaNameSerializer(PassiveSerializer):
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -0,0 +1,59 @@
 """Authenticate with tokens"""
 from typing import Any, Optional
 from django.contrib.auth.backends import ModelBackend
 from django.http.request import HttpRequest
 from authentik.core.models import Token, TokenIntents, User
 from authentik.events.utils import cleanse_dict, sanitize_dict
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 class InbuiltBackend(ModelBackend):
    """Inbuilt backend"""
    def authenticate(
        self, request: HttpRequest, username: Optional[str], password: Optional[str], **kwargs: Any
    ) -> Optional[User]:
        user = super().authenticate(request, username=username, password=password, **kwargs)
        if not user:
            return None
        self.set_method("password", request)
        return user
    def set_method(self, method: str, request: Optional[HttpRequest], **kwargs):
        """Set method data on current flow, if possbiel"""
        if not request:
            return
        # Since we can't directly pass other variables to signals, and we want to log the method
        # and the token used, we assume we're running in a flow and set a variable in the context
        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
        flow_plan.context[PLAN_CONTEXT_METHOD] = method
        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = cleanse_dict(sanitize_dict(kwargs))
        request.session[SESSION_KEY_PLAN] = flow_plan
 class TokenBackend(InbuiltBackend):
    """Authenticate with token"""
    def authenticate(
        self, request: HttpRequest, username: Optional[str], password: Optional[str], **kwargs: Any
    ) -> Optional[User]:
        try:
            user = User._default_manager.get_by_natural_key(username)
        except User.DoesNotExist:
            # Run the default password hasher once to reduce the timing
            # difference between an existing and a nonexistent user (#20760).
            User().set_password(password)
            return None
        tokens = Token.filter_not_expired(
            user=user, key=password, intent=TokenIntents.INTENT_APP_PASSWORD
        )
        if not tokens.exists():
            return None
        token = tokens.first()
        self.set_method("password", request, token=token)
        return token.user
--- a/authentik/core/migrations/0028_alter_token_intent.py
+++ b/authentik/core/migrations/0028_alter_token_intent.py
@ -0,0 +1,26 @@
 # Generated by Django 3.2.6 on 2021-08-23 14:35
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0027_bootstrap_token"),
    ]
    operations = [
        migrations.AlterField(
            model_name="token",
            name="intent",
            field=models.TextField(
                choices=[
                    ("verification", "Intent Verification"),
                    ("api", "Intent Api"),
                    ("recovery", "Intent Recovery"),
                    ("app_password", "Intent App Password"),
                ],
                default="verification",
            ),
        ),
    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -28,6 +28,7 @@ from authentik.core.signals import password_changed
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id
 from authentik.lib.models import CreatedUpdatedModel, SerializerModel
 from authentik.lib.utils.http import get_client_ip
 from authentik.managed.models import ManagedModel
@ -54,7 +55,9 @@ def default_token_duration():
 def default_token_key():
    """Default token key"""
-    return uuid4().hex
+    # We use generate_id since the chars in the key should be easy
    # to use in Emails (for verification) and URLs (for recovery)
    return generate_id(128)
 class Group(models.Model):
@ -408,6 +411,9 @@ class TokenIntents(models.TextChoices):
    # Recovery use for the recovery app
    INTENT_RECOVERY = "recovery"
    # App-specific passwords
    INTENT_APP_PASSWORD = "app_password"  # nosec
 class Token(ManagedModel, ExpiringModel):
    """Token used to authenticate the User for API Access or confirm another Stage like Email."""
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -25,7 +25,7 @@ from authentik.flows.planner import (
 from authentik.flows.views import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.utils import delete_none_keys
-from authentik.stages.password import BACKEND_DJANGO
+from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
@ -184,12 +184,12 @@ class SourceFlowManager:
        # Ensure redirect is carried through when user was trying to
        # authorize application
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
-            NEXT_ARG_NAME, "authentik_core:if-admin"
+            NEXT_ARG_NAME, "authentik_core:if-user"
        )
        kwargs.update(
            {
                # Since we authenticate the user by their token, they have no backend set
-                PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_DJANGO,
+                PLAN_CONTEXT_AUTHENTICATION_BACKEND: BACKEND_INBUILT,
                PLAN_CONTEXT_SSO: True,
                PLAN_CONTEXT_SOURCE: self.source,
                PLAN_CONTEXT_REDIRECT: final_redirect,
@ -243,9 +243,9 @@ class SourceFlowManager:
            return self.handle_auth_user(connection)
        return redirect(
            reverse(
-                "authentik_core:if-admin",
+                "authentik_core:if-user",
            )
-            + f"#/user;page-{self.source.slug}"
+            + f"#/settings;page-{self.source.slug}"
        )
    def handle_enroll(
--- a/authentik/core/sources/stage.py
+++ b/authentik/core/sources/stage.py
@ -28,3 +28,7 @@ class PostUserEnrollmentStage(StageView):
            source=connection.source,
        ).from_http(self.request)
        return self.executor.stage_ok()
    def post(self, request: HttpRequest) -> HttpResponse:
        """Wrapper for post requests"""
        return self.get(request)
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -8,16 +8,15 @@
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
        <title>{% block title %}{% trans title|default:tenant.branding_title %}{% endblock %}</title>
-        <link rel="shortcut icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}?v={{ ak_version }}">
+        <link rel="shortcut icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/empty-state.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/empty-state.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/spinner.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/spinner.css' %}">
        {% block head_before %}
        {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <script src="{% static 'dist/poly.js' %}?v={{ ak_version }}" type="module"></script>
+        <script src="{% static 'dist/poly.js' %}" type="module"></script>
        <script>window["polymerSkipLoadingFontRoboto"] = true;</script>
        {% block head %}
        {% endblock %}
    </head>
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -4,7 +4,7 @@
 {% load i18n %}
 {% block head %}
-<script src="{% static 'dist/AdminInterface.js' %}?v={{ ak_version }}" type="module"></script>
+<script src="{% static 'dist/AdminInterface.js' %}" type="module"></script>
 {% endblock %}
 {% block body %}
--- a/authentik/core/templates/if/end_session.html
+++ b/authentik/core/templates/if/end_session.html
@ -21,7 +21,7 @@ You've logged out of {{ application }}.
        {% endblocktrans %}
    </p>
-    <a id="ak-back-home" href="{% url 'authentik_core:if-admin' %}" class="pf-c-button pf-m-primary">{% trans 'Go back to overview' %}</a>
+    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">{% trans 'Go back to overview' %}</a>
    <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">{% trans 'Log out of authentik' %}</a>
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@ -4,13 +4,14 @@
 {% load i18n %}
 {% block head_before %}
 {{ block.super }}
 {% if flow.compatibility_mode %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
 {% endblock %}
 {% block head %}
-<script src="{% static 'dist/FlowInterface.js' %}?v={{ ak_version }}" type="module"></script>
+<script src="{% static 'dist/FlowInterface.js' %}" type="module"></script>
 <style>
 .pf-c-background-image::before {
    --ak-flow-background: url("{{ flow.background_url }}");
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -0,0 +1,28 @@
 {% extends "base/skeleton.html" %}
 {% load static %}
 {% load i18n %}
 {% block head %}
 <script src="{% static 'dist/UserInterface.js' %}" type="module"></script>
 {% endblock %}
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-interface-user>
    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
        <div class="pf-c-empty-state" style="height: 100vh;">
            <div class="pf-c-empty-state__content">
                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
                    <span class="pf-c-spinner__clipper"></span>
                    <span class="pf-c-spinner__lead-ball"></span>
                    <span class="pf-c-spinner__tail-ball"></span>
                </span>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans "Loading..." %}
                </h1>
            </div>
        </div>
    </section>
 </ak-interface-user>
 {% endblock %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -4,7 +4,7 @@
 {% load i18n %}
 {% block head_before %}
-<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}?v={{ ak_version }}">
+<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 {% endblock %}
 {% block head %}
--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@ -58,4 +58,4 @@ class TestImpersonation(TestCase):
        self.client.force_login(self.other_user)
        response = self.client.get(reverse("authentik_core:impersonate-end"))
-        self.assertRedirects(response, reverse("authentik_core:if-admin"))
+        self.assertRedirects(response, reverse("authentik_core:if-user"))
--- a/authentik/core/tests/test_source_flow_manager.py
+++ b/authentik/core/tests/test_source_flow_manager.py
@ -1,16 +1,13 @@
 """Test Source flow_manager"""
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.messages.middleware import MessageMiddleware
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.http.request import HttpRequest
 from django.test import TestCase
 from django.test.client import RequestFactory
 from guardian.utils import get_anonymous_user
 from authentik.core.models import SourceUserMatchingModes, User
 from authentik.core.sources.flow_manager import Action
-from authentik.flows.tests.test_planner import dummy_get_response
+from authentik.lib.generators import generate_id
-from authentik.providers.oauth2.generators import generate_client_id
+from authentik.lib.tests.utils import get_request
 from authentik.sources.oauth.models import OAuthSource, UserOAuthSourceConnection
 from authentik.sources.oauth.views.callback import OAuthSourceFlowManager
@ -22,24 +19,12 @@ class TestSourceFlowManager(TestCase):
        super().setUp()
        self.source = OAuthSource.objects.create(name="test")
        self.factory = RequestFactory()
-        self.identifier = generate_client_id()
+        self.identifier = generate_id()
    def get_request(self, user: User) -> HttpRequest:
        """Helper to create a get request with session and message middleware"""
        request = self.factory.get("/")
        request.user = user
        middleware = SessionMiddleware(dummy_get_response)
        middleware.process_request(request)
        request.session.save()
        middleware = MessageMiddleware(dummy_get_response)
        middleware.process_request(request)
        request.session.save()
        return request
    def test_unauthenticated_enroll(self):
        """Test un-authenticated user enrolling"""
        flow_manager = OAuthSourceFlowManager(
-            self.source, self.get_request(AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
        )
        action, _ = flow_manager.get_action()
        self.assertEqual(action, Action.ENROLL)
@ -52,7 +37,7 @@ class TestSourceFlowManager(TestCase):
        )
        flow_manager = OAuthSourceFlowManager(
-            self.source, self.get_request(AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
        )
        action, _ = flow_manager.get_action()
        self.assertEqual(action, Action.AUTH)
@ -65,7 +50,7 @@ class TestSourceFlowManager(TestCase):
        )
        user = User.objects.create(username="foo", email="foo@bar.baz")
        flow_manager = OAuthSourceFlowManager(
-            self.source, self.get_request(user), self.identifier, {}
+            self.source, get_request("/", user=user), self.identifier, {}
        )
        action, _ = flow_manager.get_action()
        self.assertEqual(action, Action.LINK)
@ -78,7 +63,7 @@ class TestSourceFlowManager(TestCase):
        # Without email, deny
        flow_manager = OAuthSourceFlowManager(
-            self.source, self.get_request(AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
        )
        action, _ = flow_manager.get_action()
        self.assertEqual(action, Action.DENY)
@ -86,7 +71,7 @@ class TestSourceFlowManager(TestCase):
        # With email
        flow_manager = OAuthSourceFlowManager(
            self.source,
-            self.get_request(AnonymousUser()),
+            get_request("/", user=AnonymousUser()),
            self.identifier,
            {"email": "foo@bar.baz"},
        )
@ -101,7 +86,7 @@ class TestSourceFlowManager(TestCase):
        # Without username, deny
        flow_manager = OAuthSourceFlowManager(
-            self.source, self.get_request(AnonymousUser()), self.identifier, {}
+            self.source, get_request("/", user=AnonymousUser()), self.identifier, {}
        )
        action, _ = flow_manager.get_action()
        self.assertEqual(action, Action.DENY)
@ -109,7 +94,7 @@ class TestSourceFlowManager(TestCase):
        # With username
        flow_manager = OAuthSourceFlowManager(
            self.source,
-            self.get_request(AnonymousUser()),
+            get_request("/", user=AnonymousUser()),
            self.identifier,
            {"username": "foo"},
        )
@ -125,7 +110,7 @@ class TestSourceFlowManager(TestCase):
        # With non-existent username, enroll
        flow_manager = OAuthSourceFlowManager(
            self.source,
-            self.get_request(AnonymousUser()),
+            get_request("/", user=AnonymousUser()),
            self.identifier,
            {
                "username": "bar",
@ -137,7 +122,7 @@ class TestSourceFlowManager(TestCase):
        # With username
        flow_manager = OAuthSourceFlowManager(
            self.source,
-            self.get_request(AnonymousUser()),
+            get_request("/", user=AnonymousUser()),
            self.identifier,
            {"username": "foo"},
        )
@ -151,7 +136,7 @@ class TestSourceFlowManager(TestCase):
        flow_manager = OAuthSourceFlowManager(
            self.source,
-            self.get_request(AnonymousUser()),
+            get_request("/", user=AnonymousUser()),
            self.identifier,
            {"username": "foo"},
        )
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@ -1,4 +1,6 @@
 """Test token API"""
 from json import loads
 from django.urls.base import reverse
 from django.utils.timezone import now
 from guardian.shortcuts import get_anonymous_user
@ -13,7 +15,8 @@ class TestTokenAPI(APITestCase):
    def setUp(self) -> None:
        super().setUp()
-        self.user = User.objects.get(username="akadmin")
+        self.user = User.objects.create(username="testuser")
        self.admin = User.objects.get(username="akadmin")
        self.client.force_login(self.user)
    def test_token_create(self):
@ -27,6 +30,14 @@ class TestTokenAPI(APITestCase):
        self.assertEqual(token.intent, TokenIntents.INTENT_API)
        self.assertEqual(token.expiring, True)
    def test_token_create_invalid(self):
        """Test token creation endpoint (invalid data)"""
        response = self.client.post(
            reverse("authentik_api:token-list"),
            {"identifier": "test-token", "intent": TokenIntents.INTENT_RECOVERY},
        )
        self.assertEqual(response.status_code, 400)
    def test_token_create_non_expiring(self):
        """Test token creation endpoint"""
        self.user.attributes[USER_ATTRIBUTE_TOKEN_EXPIRING] = False
@ -47,3 +58,29 @@ class TestTokenAPI(APITestCase):
        clean_expired_models.delay().get()
        token.refresh_from_db()
        self.assertNotEqual(key, token.key)
    def test_list(self):
        """Test Token List (Test normal authentication)"""
        token_should: Token = Token.objects.create(
            identifier="test", expiring=False, user=self.user
        )
        Token.objects.create(identifier="test-2", expiring=False, user=get_anonymous_user())
        response = self.client.get(reverse(("authentik_api:token-list")))
        body = loads(response.content)
        self.assertEqual(len(body["results"]), 1)
        self.assertEqual(body["results"][0]["identifier"], token_should.identifier)
    def test_list_admin(self):
        """Test Token List (Test with admin auth)"""
        self.client.force_login(self.admin)
        token_should: Token = Token.objects.create(
            identifier="test", expiring=False, user=self.user
        )
        token_should_not: Token = Token.objects.create(
            identifier="test-2", expiring=False, user=get_anonymous_user()
        )
        response = self.client.get(reverse(("authentik_api:token-list")))
        body = loads(response.content)
        self.assertEqual(len(body["results"]), 2)
        self.assertEqual(body["results"][0]["identifier"], token_should.identifier)
        self.assertEqual(body["results"][1]["identifier"], token_should_not.identifier)
--- a/authentik/core/tests/test_token_auth.py
+++ b/authentik/core/tests/test_token_auth.py
@ -0,0 +1,40 @@
 """Test token auth"""
 from django.test import TestCase
 from authentik.core.auth import TokenBackend
 from authentik.core.models import Token, TokenIntents, User
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.lib.tests.utils import get_request
 class TestTokenAuth(TestCase):
    """Test token auth"""
    def setUp(self) -> None:
        self.user = User.objects.create(username="test-user")
        self.token = Token.objects.create(
            expiring=False, user=self.user, intent=TokenIntents.INTENT_APP_PASSWORD
        )
        # To test with session we need to create a request and pass it through all middlewares
        self.request = get_request("/")
        self.request.session[SESSION_KEY_PLAN] = FlowPlan("test")
    def test_token_auth(self):
        """Test auth with token"""
        self.assertEqual(
            TokenBackend().authenticate(self.request, "test-user", self.token.key), self.user
        )
    def test_token_auth_none(self):
        """Test auth with token (non-existent user)"""
        self.assertIsNone(
            TokenBackend().authenticate(self.request, "test-user-foo", self.token.key), self.user
        )
    def test_token_auth_invalid(self):
        """Test auth with token (invalid token)"""
        self.assertIsNone(
            TokenBackend().authenticate(self.request, "test-user", self.token.key + "foo"),
            self.user,
        )
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -105,3 +105,39 @@ class TestUsersAPI(APITestCase):
            + f"?email_stage={stage.pk}"
        )
        self.assertEqual(response.status_code, 204)
    def test_service_account(self):
        """Service account creation"""
        self.client.force_login(self.admin)
        response = self.client.post(reverse("authentik_api:user-service-account"))
        self.assertEqual(response.status_code, 400)
        response = self.client.post(
            reverse("authentik_api:user-service-account"),
            data={
                "name": "test-sa",
                "create_group": True,
            },
        )
        self.assertEqual(response.status_code, 200)
        self.assertTrue(User.objects.filter(username="test-sa").exists())
    def test_service_account_invalid(self):
        """Service account creation (twice with same name, expect error)"""
        self.client.force_login(self.admin)
        response = self.client.post(
            reverse("authentik_api:user-service-account"),
            data={
                "name": "test-sa",
                "create_group": True,
            },
        )
        self.assertEqual(response.status_code, 200)
        self.assertTrue(User.objects.filter(username="test-sa").exists())
        response = self.client.post(
            reverse("authentik_api:user-service-account"),
            data={
                "name": "test-sa",
                "create_group": True,
            },
        )
        self.assertEqual(response.status_code, 400)
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -12,7 +12,7 @@ from authentik.core.views.session import EndSessionView
 urlpatterns = [
    path(
        "",
-        login_required(RedirectView.as_view(pattern_name="authentik_core:if-admin")),
+        login_required(RedirectView.as_view(pattern_name="authentik_core:if-user")),
        name="root-redirect",
    ),
    # Impersonation
@ -32,6 +32,11 @@ urlpatterns = [
        ensure_csrf_cookie(TemplateView.as_view(template_name="if/admin.html")),
        name="if-admin",
    ),
    path(
        "if/user/",
        ensure_csrf_cookie(TemplateView.as_view(template_name="if/user.html")),
        name="if-user",
    ),
    path(
        "if/flow/<slug:flow_slug>/",
        ensure_csrf_cookie(FlowInterfaceView.as_view()),
--- a/authentik/core/views/impersonate.py
+++ b/authentik/core/views/impersonate.py
@ -28,7 +28,7 @@ class ImpersonateInitView(View):
        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
-        return redirect("authentik_core:if-admin")
+        return redirect("authentik_core:if-user")
 class ImpersonateEndView(View):
@ -41,7 +41,7 @@ class ImpersonateEndView(View):
            or SESSION_IMPERSONATE_ORIGINAL_USER not in request.session
        ):
            LOGGER.debug("Can't end impersonation", user=request.user)
-            return redirect("authentik_core:if-admin")
+            return redirect("authentik_core:if-user")
        original_user = request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
--- a/authentik/crypto/models.py
+++ b/authentik/crypto/models.py
@ -78,9 +78,7 @@ class CertificateKeyPair(CreatedUpdatedModel):
    @property
    def kid(self):
        """Get Key ID used for JWKS"""
-        return "{0}".format(
+        return md5(self.key_data.encode("utf-8")).hexdigest() if self.key_data else ""  # nosec
            md5(self.key_data.encode("utf-8")).hexdigest() if self.key_data else ""  # nosec
        )
    def __str__(self) -> str:
        return f"Certificate-Key Pair {self.name}"
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@ -10,7 +10,7 @@ from authentik.crypto.api import CertificateKeyPairSerializer
 from authentik.crypto.builder import CertificateBuilder
 from authentik.crypto.models import CertificateKeyPair
 from authentik.flows.models import Flow
-from authentik.providers.oauth2.generators import generate_client_secret
+from authentik.lib.generators import generate_key
 from authentik.providers.oauth2.models import OAuth2Provider
@ -103,7 +103,7 @@ class TestCrypto(TestCase):
        provider = OAuth2Provider.objects.create(
            name="test",
            client_id="test",
-            client_secret=generate_client_secret(),
+            client_secret=generate_key(),
            authorization_flow=Flow.objects.first(),
            redirect_uris="http://localhost",
            rsa_key=CertificateKeyPair.objects.first(),
--- a/authentik/events/api/notification.py
+++ b/authentik/events/api/notification.py
@ -1,8 +1,13 @@
 """Notification API Views"""
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
@ -53,3 +58,18 @@ class NotificationViewSet(
    ]
    permission_classes = [OwnerPermissions]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    @extend_schema(
        request=OpenApiTypes.NONE,
        responses={
            204: OpenApiResponse(description="Marked tasks as read successfully."),
        },
    )
    @action(detail=False, methods=["post"])
    def mark_all_seen(self, request: Request) -> Response:
        """Mark all the user's notifications as seen"""
        notifications = Notification.objects.filter(user=request.user)
        for notification in notifications:
            notification.seen = True
        Notification.objects.bulk_update(notifications, ["seen"])
        return Response({}, status=204)
--- a/authentik/events/api/notification_mapping.py
+++ b/authentik/events/api/notification_mapping.py
@ -0,0 +1,28 @@
 """NotificationWebhookMapping API Views"""
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.used_by import UsedByMixin
 from authentik.events.models import NotificationWebhookMapping
 class NotificationWebhookMappingSerializer(ModelSerializer):
    """NotificationWebhookMapping Serializer"""
    class Meta:
        model = NotificationWebhookMapping
        fields = [
            "pk",
            "name",
            "expression",
        ]
 class NotificationWebhookMappingViewSet(UsedByMixin, ModelViewSet):
    """NotificationWebhookMapping Viewset"""
    queryset = NotificationWebhookMapping.objects.all()
    serializer_class = NotificationWebhookMappingSerializer
    filterset_fields = ["name"]
    ordering = ["name"]
--- a/authentik/events/api/notification_transport.py
+++ b/authentik/events/api/notification_transport.py
@ -38,6 +38,7 @@ class NotificationTransportSerializer(ModelSerializer):
            "mode",
            "mode_verbose",
            "webhook_url",
            "webhook_mapping",
            "send_once",
        ]
--- a/authentik/events/apps.py
+++ b/authentik/events/apps.py
@ -1,10 +1,7 @@
 """authentik events app"""
 from datetime import timedelta
 from importlib import import_module
 from django.apps import AppConfig
 from django.db import ProgrammingError
 from django.utils.timezone import now
 class AuthentikEventsConfig(AppConfig):
@ -16,12 +13,3 @@ class AuthentikEventsConfig(AppConfig):
    def ready(self):
        import_module("authentik.events.signals")
        try:
            from authentik.events.models import Event
            date_from = now() - timedelta(days=1)
            for event in Event.objects.filter(created__gte=date_from):
                event._set_prom_metrics()
        except ProgrammingError:
            pass
--- a/authentik/events/migrations/0018_auto_20210911_2217.py
+++ b/authentik/events/migrations/0018_auto_20210911_2217.py
@ -0,0 +1,46 @@
 # Generated by Django 3.2.6 on 2021-09-11 22:17
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0028_alter_token_intent"),
        ("authentik_events", "0017_alter_event_action"),
    ]
    operations = [
        migrations.CreateModel(
            name="NotificationWebhookMapping",
            fields=[
                (
                    "propertymapping_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_core.propertymapping",
                    ),
                ),
            ],
            options={
                "verbose_name": "Notification Webhook Mapping",
                "verbose_name_plural": "Notification Webhook Mappings",
            },
            bases=("authentik_core.propertymapping",),
        ),
        migrations.AddField(
            model_name="notificationtransport",
            name="webhook_mapping",
            field=models.ForeignKey(
                default=None,
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                to="authentik_events.notificationwebhookmapping",
            ),
        ),
    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -2,25 +2,25 @@
 from datetime import timedelta
 from inspect import getmodule, stack
 from smtplib import SMTPException
-from typing import Optional, Union
+from typing import TYPE_CHECKING, Optional, Type, Union
 from uuid import uuid4
 from django.conf import settings
 from django.db import models
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from prometheus_client import Gauge
+from requests import RequestException
 from requests import RequestException, post
 from structlog.stdlib import get_logger
 from authentik import __version__
 from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
-from authentik.core.models import ExpiringModel, Group, User
+from authentik.core.models import ExpiringModel, Group, PropertyMapping, User
 from authentik.events.geo import GEOIP_READER
 from authentik.events.utils import cleanse_dict, get_user, model_to_dict, sanitize_dict
 from authentik.lib.sentry import SentryIgnoredException
-from authentik.lib.utils.http import get_client_ip
+from authentik.lib.utils.http import get_client_ip, get_http_session
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.stages.email.utils import TemplateEmailMessage
@ -28,11 +28,8 @@ from authentik.tenants.models import Tenant
 from authentik.tenants.utils import DEFAULT_TENANT
 LOGGER = get_logger("authentik.events")
-GAUGE_EVENTS = Gauge(
+if TYPE_CHECKING:
-    "authentik_events",
+    from rest_framework.serializers import Serializer
    "Events in authentik",
    ["action", "user_username", "app", "client_ip"],
 )
 def default_event_duration():
@ -143,8 +140,9 @@ class Event(ExpiringModel):
        `user` arguments optionally overrides user from requests."""
        if request:
            self.context["http_request"] = {
-                "path": request.get_full_path(),
+                "path": request.path,
                "method": request.method,
                "args": QueryDict(request.META.get("QUERY_STRING", "")),
            }
        if hasattr(request, "tenant"):
            tenant: Tenant = request.tenant
@ -182,14 +180,6 @@ class Event(ExpiringModel):
            return
        self.context["geo"] = city
    def _set_prom_metrics(self):
        GAUGE_EVENTS.labels(
            action=self.action,
            user_username=self.user.get("username"),
            app=self.app,
            client_ip=self.client_ip,
        ).set(self.created.timestamp())
    def save(self, *args, **kwargs):
        if self._state.adding:
            LOGGER.debug(
@ -200,7 +190,6 @@ class Event(ExpiringModel):
                user=self.user,
            )
        super().save(*args, **kwargs)
        self._set_prom_metrics()
    @property
    def summary(self) -> str:
@ -235,6 +224,9 @@ class NotificationTransport(models.Model):
    mode = models.TextField(choices=TransportMode.choices)
    webhook_url = models.TextField(blank=True)
    webhook_mapping = models.ForeignKey(
        "NotificationWebhookMapping", on_delete=models.SET_DEFAULT, null=True, default=None
    )
    send_once = models.BooleanField(
        default=False,
        help_text=_(
@ -254,15 +246,22 @@ class NotificationTransport(models.Model):
    def send_webhook(self, notification: "Notification") -> list[str]:
        """Send notification to generic webhook"""
        default_body = {
            "body": notification.body,
            "severity": notification.severity,
            "user_email": notification.user.email,
            "user_username": notification.user.username,
        }
        if self.webhook_mapping:
            default_body = self.webhook_mapping.evaluate(
                user=notification.user,
                request=None,
                notification=notification,
            )
        try:
-            response = post(
+            response = get_http_session().post(
                self.webhook_url,
-                json={
+                json=default_body,
                    "body": notification.body,
                    "severity": notification.severity,
                    "user_email": notification.user.email,
                    "user_username": notification.user.username,
                },
            )
            response.raise_for_status()
        except RequestException as exc:
@ -312,7 +311,7 @@ class NotificationTransport(models.Model):
        if notification.event:
            body["attachments"][0]["title"] = notification.event.action
        try:
-            response = post(self.webhook_url, json=body)
+            response = get_http_session().post(self.webhook_url, json=body)
            response.raise_for_status()
        except RequestException as exc:
            text = exc.response.text if exc.response else str(exc)
@ -429,3 +428,25 @@ class NotificationRule(PolicyBindingModel):
        verbose_name = _("Notification Rule")
        verbose_name_plural = _("Notification Rules")
 class NotificationWebhookMapping(PropertyMapping):
    """Modify the schema and layout of the webhook being sent"""
    @property
    def component(self) -> str:
        return "ak-property-mapping-notification-form"
    @property
    def serializer(self) -> Type["Serializer"]:
        from authentik.events.api.notification_mapping import NotificationWebhookMappingSerializer
        return NotificationWebhookMappingSerializer
    def __str__(self):
        return f"Notification Webhook Mapping {self.name}"
    class Meta:
        verbose_name = _("Notification Webhook Mapping")
        verbose_name_plural = _("Notification Webhook Mappings")
--- a/authentik/events/monitored_tasks.py
+++ b/authentik/events/monitored_tasks.py
@ -3,7 +3,6 @@ from dataclasses import dataclass, field
 from datetime import datetime
 from enum import Enum
 from timeit import default_timer
 from traceback import format_tb
 from typing import Any, Optional
 from celery import Task
@ -11,6 +10,7 @@ from django.core.cache import cache
 from prometheus_client import Gauge
 from authentik.events.models import Event, EventAction
 from authentik.lib.utils.errors import exception_to_string
 GAUGE_TASKS = Gauge(
    "authentik_system_tasks",
@ -41,8 +41,7 @@ class TaskResult:
    def with_error(self, exc: Exception) -> "TaskResult":
        """Since errors might not always be pickle-able, set the traceback"""
-        self.messages.extend(format_tb(exc.__traceback__))
+        self.messages.extend(exception_to_string(exc).splitlines())
        self.messages.append(str(exc))
        return self
@ -174,9 +173,7 @@ class MonitoredTask(Task):
        ).save(self.result_timeout_hours)
        Event.new(
            EventAction.SYSTEM_TASK_EXCEPTION,
-            message=(
+            message=(f"Task {self.__name__} encountered an error: {exception_to_string(exc)}"),
                f"Task {self.__name__} encountered an error: " "\n".join(self._result.messages)
            ),
        ).save()
        return super().on_failure(exc, task_id, args, kwargs, einfo=einfo)
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -15,6 +15,7 @@ from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.views import SESSION_KEY_PLAN
 from authentik.stages.invitation.models import Invitation
 from authentik.stages.invitation.signals import invitation_used
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS
 from authentik.stages.user_write.signals import user_write
@ -46,7 +47,13 @@ def on_user_logged_in(sender, request: HttpRequest, user: User, **_):
        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
        if PLAN_CONTEXT_SOURCE in flow_plan.context:
            # Login request came from an external source, save it in the context
-            thread.kwargs["using_source"] = flow_plan.context[PLAN_CONTEXT_SOURCE]
+            thread.kwargs[PLAN_CONTEXT_SOURCE] = flow_plan.context[PLAN_CONTEXT_SOURCE]
        if PLAN_CONTEXT_METHOD in flow_plan.context:
            thread.kwargs[PLAN_CONTEXT_METHOD] = flow_plan.context[PLAN_CONTEXT_METHOD]
            # Save the login method used
            thread.kwargs[PLAN_CONTEXT_METHOD_ARGS] = flow_plan.context.get(
                PLAN_CONTEXT_METHOD_ARGS, {}
            )
    thread.user = user
    thread.run()
--- a/authentik/events/tests/test_api.py
+++ b/authentik/events/tests/test_api.py
@ -4,15 +4,15 @@ from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import User
-from authentik.events.models import Event, EventAction
+from authentik.events.models import Event, EventAction, Notification, NotificationSeverity
 class TestEventsAPI(APITestCase):
    """Test Event API"""
    def setUp(self) -> None:
-        user = User.objects.get(username="akadmin")
+        self.user = User.objects.get(username="akadmin")
-        self.client.force_login(user)
+        self.client.force_login(self.user)
    def test_top_n(self):
        """Test top_per_user"""
@ -30,3 +30,14 @@ class TestEventsAPI(APITestCase):
            reverse("authentik_api:event-actions"),
        )
        self.assertEqual(response.status_code, 200)
    def test_notifications(self):
        """Test notifications"""
        notification = Notification.objects.create(
            user=self.user, severity=NotificationSeverity.ALERT, body="", seen=False
        )
        self.client.post(
            reverse("authentik_api:notification-mark-all-seen"),
        )
        notification.refresh_from_db()
        self.assertTrue(notification.seen)
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -7,10 +7,10 @@ from django.http.response import HttpResponseBadRequest, JsonResponse
 from django.urls import reverse
 from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, FileField, ReadOnlyField
+from rest_framework.fields import ReadOnlyField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -20,7 +20,12 @@ from structlog.stdlib import get_logger
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import CacheSerializer, LinkSerializer
+from authentik.core.api.utils import (
    CacheSerializer,
    FilePathSerializer,
    FileUploadSerializer,
    LinkSerializer,
 )
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
@ -147,7 +152,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
        ],
    )
    @extend_schema(
-        request={"multipart/form-data": inline_serializer("SetIcon", fields={"file": FileField()})},
+        request={"multipart/form-data": FileUploadSerializer},
        responses={
            204: OpenApiResponse(description="Successfully imported flow"),
            400: OpenApiResponse(description="Bad request"),
@ -259,13 +264,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_flows.change_flow")
    @extend_schema(
        request={
-            "multipart/form-data": inline_serializer(
+            "multipart/form-data": FileUploadSerializer,
                "SetIcon",
                fields={
                    "file": FileField(required=False),
                    "clear": BooleanField(default=False),
                },
            )
        },
        responses={
            200: OpenApiResponse(description="Success"),
@ -301,7 +300,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_core.change_application")
    @extend_schema(
-        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
+        request=FilePathSerializer,
        responses={
            200: OpenApiResponse(description="Success"),
            400: OpenApiResponse(description="Bad request"),
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@ -86,7 +86,7 @@ class StageViewSet(
    @action(detail=False, pagination_class=None, filter_backends=[])
    def user_settings(self, request: Request) -> Response:
        """Get all stages the user can configure"""
-        _all_stages: Iterable[Stage] = Stage.objects.all().select_subclasses()
+        _all_stages: Iterable[Stage] = Stage.objects.all().select_subclasses().order_by("name")
        matching_stages: list[dict] = []
        for stage in _all_stages:
            user_settings = stage.ui_user_settings
--- a/authentik/flows/management/commands/apply_flow.py
+++ b/authentik/flows/management/commands/apply_flow.py
@ -11,7 +11,7 @@ class Command(BaseCommand):  # pragma: no cover
    def handle(self, *args, **options):
        """Apply all flows in order, abort when one fails to import"""
        for flow_path in options.get("flows", []):
-            with open(flow_path, "r") as flow_file:
+            with open(flow_path, "r", encoding="utf8") as flow_file:
                importer = FlowImporter(flow_file.read())
                valid = importer.validate()
                if not valid:
--- a/authentik/flows/management/commands/benchmark.py
+++ b/authentik/flows/management/commands/benchmark.py
@ -31,6 +31,7 @@ class FlowPlanProcess(PROCESS_CLASS):  # pragma: no cover
        self.request = RequestFactory().get("/")
    def run(self):
        """Execute 1000 flow plans"""
        print(f"Proc {self.index} Running")
        def test_inner():
--- a/authentik/flows/migrations/0008_default_flows.py
+++ b/authentik/flows/migrations/0008_default_flows.py
@ -6,7 +6,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from authentik.flows.models import FlowDesignation
 from authentik.stages.identification.models import UserFields
-from authentik.stages.password import BACKEND_DJANGO, BACKEND_LDAP
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP
 def create_default_authentication_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@ -26,7 +26,7 @@ def create_default_authentication_flow(apps: Apps, schema_editor: BaseDatabaseSc
    password_stage, _ = PasswordStage.objects.using(db_alias).update_or_create(
        name="default-authentication-password",
-        defaults={"backends": [BACKEND_DJANGO, BACKEND_LDAP]},
+        defaults={"backends": [BACKEND_INBUILT, BACKEND_LDAP, BACKEND_APP_PASSWORD]},
    )
    login_stage, _ = UserLoginStage.objects.using(db_alias).update_or_create(
--- a/authentik/flows/migrations/0024_alter_flow_compatibility_mode.py
+++ b/authentik/flows/migrations/0024_alter_flow_compatibility_mode.py
@ -0,0 +1,21 @@
 # Generated by Django 3.2.6 on 2021-08-30 14:49
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_flows", "0023_alter_flow_background"),
    ]
    operations = [
        migrations.AlterField(
            model_name="flow",
            name="compatibility_mode",
            field=models.BooleanField(
                default=False,
                help_text="Enable compatibility mode, increases compatibility with password managers on mobile devices.",
            ),
        ),
    ]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -125,7 +125,7 @@ class Flow(SerializerModel, PolicyBindingModel):
    )
    compatibility_mode = models.BooleanField(
-        default=True,
+        default=False,
        help_text=_(
            "Enable compatibility mode, increases compatibility with "
            "password managers on mobile devices."
--- a/authentik/flows/tests/test_planner.py
+++ b/authentik/flows/tests/test_planner.py
@ -3,7 +3,6 @@ from unittest.mock import MagicMock, Mock, PropertyMock, patch
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.core.cache import cache
 from django.http import HttpRequest
 from django.test import RequestFactory, TestCase
 from django.urls import reverse
 from guardian.shortcuts import get_anonymous_user
@ -13,6 +12,7 @@ from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableExce
 from authentik.flows.markers import ReevaluateMarker, StageMarker
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
 from authentik.lib.tests.utils import dummy_get_response
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.policies.types import PolicyResult
@ -24,11 +24,6 @@ CACHE_MOCK = Mock(wraps=cache)
 POLICY_RETURN_TRUE = MagicMock(return_value=PolicyResult(True))
 def dummy_get_response(request: HttpRequest):  # pragma: no cover
    """Dummy get_response for SessionMiddleware"""
    return None
 class TestFlowPlanner(TestCase):
    """Test planner logic"""
--- a/authentik/flows/tests/test_stage_views.py
+++ b/authentik/flows/tests/test_stage_views.py
@ -0,0 +1,31 @@
 """stage view tests"""
 from typing import Callable, Type
 from django.test import RequestFactory, TestCase
 from authentik.flows.stage import StageView
 from authentik.flows.views import FlowExecutorView
 from authentik.lib.utils.reflection import all_subclasses
 class TestViews(TestCase):
    """Generic model properties tests"""
    def setUp(self) -> None:
        self.factory = RequestFactory()
        self.exec = FlowExecutorView(request=self.factory.get("/"))
 def view_tester_factory(view_class: Type[StageView]) -> Callable:
    """Test a form"""
    def tester(self: TestViews):
        model_class = view_class(self.exec)
        self.assertIsNotNone(model_class.post)
        self.assertIsNotNone(model_class.get)
    return tester
 for view in all_subclasses(StageView):
    setattr(TestViews, f"test_view_{view.__name__}", view_tester_factory(view))
--- a/authentik/flows/tests/test_transfer.py
+++ b/authentik/flows/tests/test_transfer.py
@ -7,9 +7,9 @@ from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.flows.transfer.common import DataclassEncoder
 from authentik.flows.transfer.exporter import FlowExporter
 from authentik.flows.transfer.importer import FlowImporter, transaction_rollback
 from authentik.lib.generators import generate_id
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.providers.oauth2.generators import generate_client_id
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from authentik.stages.user_login.models import UserLoginStage
@ -31,15 +31,15 @@ class TestFlowTransfer(TransactionTestCase):
    def test_export_validate_import(self):
        """Test export and validate it"""
-        flow_slug = generate_client_id()
+        flow_slug = generate_id()
        with transaction_rollback():
-            login_stage = UserLoginStage.objects.create(name=generate_client_id())
+            login_stage = UserLoginStage.objects.create(name=generate_id())
            flow = Flow.objects.create(
                slug=flow_slug,
                designation=FlowDesignation.AUTHENTICATION,
-                name=generate_client_id(),
+                name=generate_id(),
-                title=generate_client_id(),
+                title=generate_id(),
            )
            FlowStageBinding.objects.update_or_create(
                target=flow,
@ -60,18 +60,18 @@ class TestFlowTransfer(TransactionTestCase):
    def test_export_validate_import_policies(self):
        """Test export and validate it"""
-        flow_slug = generate_client_id()
+        flow_slug = generate_id()
-        stage_name = generate_client_id()
+        stage_name = generate_id()
        with transaction_rollback():
            flow_policy = ExpressionPolicy.objects.create(
-                name=generate_client_id(),
+                name=generate_id(),
                expression="return True",
            )
            flow = Flow.objects.create(
                slug=flow_slug,
                designation=FlowDesignation.AUTHENTICATION,
-                name=generate_client_id(),
+                name=generate_id(),
-                title=generate_client_id(),
+                title=generate_id(),
            )
            PolicyBinding.objects.create(policy=flow_policy, target=flow, order=0)
@ -111,15 +111,15 @@ class TestFlowTransfer(TransactionTestCase):
            )
            # Stages
-            first_stage = PromptStage.objects.create(name=generate_client_id())
+            first_stage = PromptStage.objects.create(name=generate_id())
            first_stage.fields.set([username_prompt, password, password_repeat])
            first_stage.save()
            flow = Flow.objects.create(
-                name=generate_client_id(),
+                name=generate_id(),
-                slug=generate_client_id(),
+                slug=generate_id(),
                designation=FlowDesignation.ENROLLMENT,
-                title=generate_client_id(),
+                title=generate_id(),
            )
            FlowStageBinding.objects.create(target=flow, stage=first_stage, order=0)
--- a/authentik/flows/tests/test_transfer_docs.py
+++ b/authentik/flows/tests/test_transfer_docs.py
@ -16,7 +16,7 @@ def pbflow_tester(file_name: str) -> Callable:
    """This is used instead of subTest for better visibility"""
    def tester(self: TestTransferDocs):
-        with open(file_name, "r") as flow_json:
+        with open(file_name, "r", encoding="utf8") as flow_json:
            importer = FlowImporter(flow_json.read())
        self.assertTrue(importer.validate())
        self.assertTrue(importer.apply())
--- a/authentik/flows/tests/test_views.py
+++ b/authentik/flows/tests/test_views.py
@ -2,10 +2,10 @@
 from unittest.mock import MagicMock, PropertyMock, patch
 from django.http import HttpRequest, HttpResponse
 from django.test import TestCase
 from django.test.client import RequestFactory
 from django.urls import reverse
 from django.utils.encoding import force_str
 from rest_framework.test import APITestCase
 from authentik.core.models import User
 from authentik.flows.challenge import ChallengeTypes
@ -37,7 +37,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse):
 TO_STAGE_RESPONSE_MOCK = MagicMock(side_effect=to_stage_response)
-class TestFlowExecutor(TestCase):
+class TestFlowExecutor(APITestCase):
    """Test views logic"""
    def setUp(self):
--- a/authentik/flows/tests/test_views_helper.py
+++ b/authentik/flows/tests/test_views_helper.py
@ -1,5 +1,5 @@
 """flow views tests"""
-from django.test import Client, TestCase
+from django.test import TestCase
 from django.urls import reverse
 from authentik.flows.models import Flow, FlowDesignation
@ -10,9 +10,6 @@ from authentik.flows.views import SESSION_KEY_PLAN
 class TestHelperView(TestCase):
    """Test helper views logic"""
    def setUp(self):
        self.client = Client()
    def test_default_view(self):
        """Test that ToDefaultFlow returns the expected URL"""
        flow = Flow.objects.filter(
--- a/authentik/flows/transfer/common.py
+++ b/authentik/flows/transfer/common.py
@ -25,6 +25,8 @@ def get_attrs(obj: SerializerModel) -> dict[str, Any]:
        "component",
        "flow_set",
        "promptstage_set",
        "policybindingmodel_ptr_id",
        "export_url",
    )
    for to_remove_name in to_remove:
        if to_remove_name in data:
--- a/authentik/flows/views.py
+++ b/authentik/flows/views.py
@ -14,12 +14,7 @@ from django.utils.decorators import method_decorator
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.generic import View
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import (
+from drf_spectacular.utils import OpenApiParameter, PolymorphicProxySerializer, extend_schema
    OpenApiParameter,
    OpenApiResponse,
    PolymorphicProxySerializer,
    extend_schema,
 )
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
 from sentry_sdk import capture_exception
@ -213,9 +208,6 @@ class FlowExecutorView(APIView):
                serializers=challenge_types(),
                resource_type_field_name="component",
            ),
            404: OpenApiResponse(
                description="No Token found"
            ),  # This error can be raised by the email stage
        },
        request=OpenApiTypes.NONE,
        parameters=[
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
@ -79,7 +79,7 @@ class ConfigLoader:
            value = os.getenv(url.netloc, url.query)
        if url.scheme == "file":
            try:
-                with open(url.path, "r") as _file:
+                with open(url.path, "r", encoding="utf8") as _file:
                    value = _file.read()
            except OSError:
                self._log("error", f"Failed to read config value from {url.path}")
@ -89,7 +89,7 @@ class ConfigLoader:
    def update_from_file(self, path: str):
        """Update config from file contents"""
        try:
-            with open(path) as file:
+            with open(path, encoding="utf8") as file:
                try:
                    self.update(self.__config, yaml.safe_load(file))
                    self._log("debug", "Loaded config", file=path)
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -9,7 +9,9 @@ postgresql:
 web:
  listen: 0.0.0.0:9000
  listen_tls: 0.0.0.0:9443
  listen_metrics: 0.0.0.0:9300
  load_local_files: false
  outpost_port_offset: 0
 redis:
  host: localhost
@ -54,6 +56,7 @@ outposts:
  # %(build_hash)s: Build hash if you're running a beta version
  docker_image_base: "ghcr.io/goauthentik/%(type)s:%(version)s"
 disable_update_check: false
 avatars: env://AUTHENTIK_AUTHENTIK__AVATARS?gravatar
 geoip: "./GeoLite2-City.mmdb"
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -4,13 +4,13 @@ from textwrap import indent
 from typing import Any, Iterable, Optional
 from django.core.exceptions import FieldError
 from requests import Session
 from rest_framework.serializers import ValidationError
 from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger
 from authentik.core.models import User
 from authentik.lib.utils.http import get_http_session
 LOGGER = get_logger()
@ -35,7 +35,7 @@ class BaseEvaluator:
            "ak_is_group_member": BaseEvaluator.expr_is_group_member,
            "ak_user_by": BaseEvaluator.expr_user_by,
            "ak_logger": get_logger(),
-            "requests": Session(),
+            "requests": get_http_session(),
        }
        self._context = {}
        self._filename = "BaseEvalautor"
--- a/authentik/lib/generators.py
+++ b/authentik/lib/generators.py
@ -0,0 +1,18 @@
 """ID/Secret Generators"""
 import string
 from random import SystemRandom
 def generate_id(length=40):
    """Generate a random client ID"""
    rand = SystemRandom()
    return "".join(rand.choice(string.ascii_letters + string.digits) for x in range(length))
 def generate_key(length=128):
    """Generate a suitable client secret"""
    rand = SystemRandom()
    return "".join(
        rand.choice(string.ascii_letters + string.digits + string.punctuation)
        for x in range(length)
    )
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -93,6 +93,7 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
    if "exc_info" in hint:
        _, exc_value, _ = hint["exc_info"]
        if isinstance(exc_value, ignored_classes):
            LOGGER.debug("dropping exception", exception=exc_value)
            return None
    if "logger" in event:
        if event["logger"] in [
--- a/authentik/lib/tests/utils.py
+++ b/authentik/lib/tests/utils.py
@ -0,0 +1,27 @@
 """Test utils"""
 from django.contrib.messages.middleware import MessageMiddleware
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.http import HttpRequest
 from django.test.client import RequestFactory
 from guardian.utils import get_anonymous_user
 def dummy_get_response(request: HttpRequest):  # pragma: no cover
    """Dummy get_response for SessionMiddleware"""
    return None
 def get_request(*args, user=None, **kwargs):
    """Get a request with usable session"""
    request = RequestFactory().get(*args, **kwargs)
    if user:
        request.user = user
    else:
        request.user = get_anonymous_user()
    middleware = SessionMiddleware(dummy_get_response)
    middleware.process_request(request)
    request.session.save()
    middleware = MessageMiddleware(dummy_get_response)
    middleware.process_request(request)
    request.session.save()
    return request
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -1,9 +1,13 @@
 """http helpers"""
 from os import environ
 from typing import Any, Optional
 from django.http import HttpRequest
 from requests.sessions import Session
 from structlog.stdlib import get_logger
 from authentik import ENV_GIT_HASH_KEY, __version__
 OUTPOST_REMOTE_IP_HEADER = "HTTP_X_AUTHENTIK_REMOTE_IP"
 OUTPOST_TOKEN_HEADER = "HTTP_X_AUTHENTIK_OUTPOST_TOKEN"  # nosec
 DEFAULT_IP = "255.255.255.255"
@ -60,3 +64,16 @@ def get_client_ip(request: Optional[HttpRequest]) -> str:
    if override:
        return override
    return _get_client_ip_from_meta(request.META)
 def authentik_user_agent() -> str:
    """Get a common user agent"""
    build = environ.get(ENV_GIT_HASH_KEY, "tagged")
    return f"authentik@{__version__} (build={build})"
 def get_http_session() -> Session:
    """Get a requests session with common headers"""
    session = Session()
    session.headers["User-Agent"] = authentik_user_agent()
    return session
--- a/authentik/lib/utils/reflection.py
+++ b/authentik/lib/utils/reflection.py
@ -1,5 +1,6 @@
 """authentik lib reflection utilities"""
 from importlib import import_module
 from typing import Union
 from django.conf import settings
@ -19,12 +20,12 @@ def all_subclasses(cls, sort=True):
    return classes
-def class_to_path(cls):
+def class_to_path(cls: type) -> str:
    """Turn Class (Class or instance) into module path"""
    return f"{cls.__module__}.{cls.__name__}"
-def path_to_class(path):
+def path_to_class(path: Union[str, None]) -> Union[type, None]:
    """Import module and return class"""
    if not path:
        return None
--- a/authentik/outposts/channels.py
+++ b/authentik/outposts/channels.py
@ -15,7 +15,7 @@ from authentik.core.channels import AuthJsonConsumer
 from authentik.outposts.models import OUTPOST_HELLO_INTERVAL, Outpost, OutpostState
 GAUGE_OUTPOSTS_CONNECTED = Gauge(
-    "authentik_outposts_connected", "Currently connected outposts", ["outpost", "uid"]
+    "authentik_outposts_connected", "Currently connected outposts", ["outpost", "uid", "expected"]
 )
 GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
    "authentik_outposts_last_update",
@ -76,6 +76,7 @@ class OutpostConsumer(AuthJsonConsumer):
            GAUGE_OUTPOSTS_CONNECTED.labels(
                outpost=self.outpost.name,
                uid=self.last_uid,
                expected=self.outpost.config.kubernetes_replicas,
            ).dec()
        LOGGER.debug(
            "removed outpost instance from cache",
@ -100,6 +101,7 @@ class OutpostConsumer(AuthJsonConsumer):
            GAUGE_OUTPOSTS_CONNECTED.labels(
                outpost=self.outpost.name,
                uid=self.last_uid,
                expected=self.outpost.config.kubernetes_replicas,
            ).inc()
            LOGGER.debug(
                "added outpost instace to cache",
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@ -29,7 +29,9 @@ class DockerController(BaseController):
            raise ControllerException from exc
    def _get_labels(self) -> dict[str, str]:
-        return {}
+        return {
            "io.goauthentik.outpost-uuid": self.outpost.pk.hex,
        }
    def _get_env(self) -> dict[str, str]:
        return {
@ -49,6 +51,17 @@ class DockerController(BaseController):
                return True
        return False
    def _comp_labels(self, container: Container) -> bool:
        """Check if container's labels is equal to what we would set. Return true if container needs
        to be rebuilt."""
        should_be = self._get_labels()
        for key, expected_value in should_be.items():
            if key not in container.labels:
                return True
            if container.labels[key] != expected_value:
                return True
        return False
    def _comp_ports(self, container: Container) -> bool:
        """Check that the container has the correct ports exposed. Return true if container needs
        to be rebuilt."""
@ -92,9 +105,11 @@ class DockerController(BaseController):
                "environment": self._get_env(),
                "labels": self._get_labels(),
                "restart_policy": {"Name": "unless-stopped"},
                "network": self.outpost.config.docker_network,
            }
            if settings.TEST:
                del container_args["ports"]
                del container_args["network"]
                container_args["network_mode"] = "host"
            return (
                self.client.containers.create(**container_args),
@ -102,9 +117,11 @@ class DockerController(BaseController):
            )
    # pylint: disable=too-many-return-statements
-    def up(self):
+    def up(self, depth=1):
        if self.outpost.managed == MANAGED_OUTPOST:
            return None
        if depth >= 10:
            raise ControllerException("Giving up since we exceeded recursion limit.")
        try:
            container, has_been_created = self._get_container()
            if has_been_created:
@ -120,17 +137,22 @@ class DockerController(BaseController):
                        should=self.get_container_image(),
                    )
                    self.down()
-                    return self.up()
+                    return self.up(depth + 1)
            # Check container's ports
            if self._comp_ports(container):
                self.logger.info("Container has mis-matched ports, re-creating...")
                self.down()
-                return self.up()
+                return self.up(depth + 1)
            # Check that container values match our values
            if self._comp_env(container):
                self.logger.info("Container has outdated config, re-creating...")
                self.down()
-                return self.up()
+                return self.up(depth + 1)
            # Check that container values match our values
            if self._comp_labels(container):
                self.logger.info("Container has outdated labels, re-creating...")
                self.down()
                return self.up(depth + 1)
            if (
                container.attrs.get("HostConfig", {})
                .get("RestartPolicy", {})
@ -140,13 +162,11 @@ class DockerController(BaseController):
            ):
                self.logger.info("Container has mis-matched restart policy, re-creating...")
                self.down()
-                return self.up()
+                return self.up(depth + 1)
            # Check that container is healthy
-            if (
+            if container.status == "running" and container.attrs.get("State", {}).get(
-                container.status == "running"
+                "Health", {}
-                and container.attrs.get("State", {}).get("Health", {}).get("Status", "")
+            ).get("Status", "") not in ["healthy", "starting"]:
                != "healthy"
            ):
                # At this point we know the config is correct, but the container isn't healthy,
                # so we just restart it with the same config
                if has_been_created:
--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@ -3,10 +3,11 @@ from typing import TYPE_CHECKING, Generic, TypeVar
 from django.utils.text import slugify
 from kubernetes.client import V1ObjectMeta
 from kubernetes.client.exceptions import ApiException, OpenApiException
 from kubernetes.client.models.v1_deployment import V1Deployment
 from kubernetes.client.models.v1_pod import V1Pod
 from kubernetes.client.rest import ApiException
 from structlog.stdlib import get_logger
 from urllib3.exceptions import HTTPError
 from authentik import __version__
 from authentik.lib.sentry import SentryIgnoredException
@ -72,8 +73,9 @@ class KubernetesObjectReconciler(Generic[T]):
        try:
            try:
                current = self.retrieve()
-            except ApiException as exc:
+            except (OpenApiException, HTTPError) as exc:
-                if exc.status == 404:
+                # pylint: disable=no-member
                if isinstance(exc, ApiException) and exc.status == 404:
                    self.logger.debug("Failed to get current, triggering recreate")
                    raise NeedsRecreate from exc
                self.logger.debug("Other unhandled error", exc=exc)
@ -104,8 +106,9 @@ class KubernetesObjectReconciler(Generic[T]):
            current = self.retrieve()
            self.delete(current)
            self.logger.debug("Removing")
-        except ApiException as exc:
+        except (OpenApiException, HTTPError) as exc:
-            if exc.status == 404:
+            # pylint: disable=no-member
            if isinstance(exc, ApiException) and exc.status == 404:
                self.logger.debug("Failed to get current, assuming non-existant")
                return
            self.logger.debug("Other unhandled error", exc=exc)
--- a/authentik/outposts/controllers/k8s/service.py
+++ b/authentik/outposts/controllers/k8s/service.py
@ -3,8 +3,8 @@ from typing import TYPE_CHECKING
 from kubernetes.client import CoreV1Api, V1Service, V1ServicePort, V1ServiceSpec
-from authentik.outposts.controllers.base import FIELD_MANAGER, DeploymentPort
+from authentik.outposts.controllers.base import FIELD_MANAGER
-from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler, NeedsUpdate
+from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler, NeedsRecreate
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 if TYPE_CHECKING:
@ -21,44 +21,13 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
    def reconcile(self, current: V1Service, reference: V1Service):
        super().reconcile(current, reference)
        if len(current.spec.ports) != len(reference.spec.ports):
-            raise NeedsUpdate()
+            raise NeedsRecreate()
        for port in reference.spec.ports:
            if port not in current.spec.ports:
-                raise NeedsUpdate()
+                raise NeedsRecreate()
    def get_embedded_reference_object(self) -> V1Service:
        """Get Service for embedded outpost"""
        selector_labels = {
            "app.kubernetes.io/name": "authentik",
            "app.kubernetes.io/component": "server",
        }
        meta = self.get_object_meta(name=self.name)
        ports = []
        for port in [
            DeploymentPort(9000, "http", "tcp"),
            DeploymentPort(9443, "https", "tcp"),
        ]:
            ports.append(
                V1ServicePort(
                    name=port.name,
                    port=port.port,
                    protocol=port.protocol.upper(),
                    target_port=port.inner_port or port.port,
                )
            )
        return V1Service(
            metadata=meta,
            spec=V1ServiceSpec(
                ports=ports,
                selector=selector_labels,
                type=self.controller.outpost.config.kubernetes_service_type,
            ),
        )
    def get_reference_object(self) -> V1Service:
        """Get deployment object for outpost"""
        if self.is_embedded:
            return self.get_embedded_reference_object()
        meta = self.get_object_meta(name=self.name)
        ports = []
        for port in self.controller.deployment_ports:
@ -70,7 +39,13 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
                    target_port=port.inner_port or port.port,
                )
            )
-        selector_labels = DeploymentReconciler(self.controller).get_pod_meta()
+        if self.is_embedded:
            selector_labels = {
                "app.kubernetes.io/name": "authentik",
                "app.kubernetes.io/component": "server",
            }
        else:
            selector_labels = DeploymentReconciler(self.controller).get_pod_meta()
        return V1Service(
            metadata=meta,
            spec=V1ServiceSpec(
--- a/authentik/outposts/controllers/k8s/service_monitor.py
+++ b/authentik/outposts/controllers/k8s/service_monitor.py
@ -0,0 +1,150 @@
 """Kubernetes Prometheus ServiceMonitor Reconciler"""
 from dataclasses import asdict, dataclass, field
 from typing import TYPE_CHECKING
 from dacite import from_dict
 from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 if TYPE_CHECKING:
    from authentik.outposts.controllers.kubernetes import KubernetesController
@dataclass
 class PrometheusServiceMonitorSpecEndpoint:
    """Prometheus ServiceMonitor endpoint spec"""
    port: str
    path: str = field(default="/metrics")
@dataclass
 class PrometheusServiceMonitorSpecSelector:
    """Prometheus ServiceMonitor selector spec"""
    # pylint: disable=invalid-name
    matchLabels: dict
@dataclass
 class PrometheusServiceMonitorSpec:
    """Prometheus ServiceMonitor spec"""
    endpoints: list[PrometheusServiceMonitorSpecEndpoint]
    # pylint: disable=invalid-name
    selector: PrometheusServiceMonitorSpecSelector
@dataclass
 class PrometheusServiceMonitorMetadata:
    """Prometheus ServiceMonitor metadata"""
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)
@dataclass
 class PrometheusServiceMonitor:
    """Prometheus ServiceMonitor"""
    # pylint: disable=invalid-name
    apiVersion: str
    kind: str
    metadata: PrometheusServiceMonitorMetadata
    spec: PrometheusServiceMonitorSpec
 CRD_NAME = "servicemonitors.monitoring.coreos.com"
 CRD_GROUP = "monitoring.coreos.com"
 CRD_VERSION = "v1"
 CRD_PLURAL = "servicemonitors"
 class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusServiceMonitor]):
    """Kubernetes Prometheus ServiceMonitor Reconciler"""
    def __init__(self, controller: "KubernetesController") -> None:
        super().__init__(controller)
        self.api_ex = ApiextensionsV1Api(controller.client)
        self.api = CustomObjectsApi(controller.client)
    @property
    def noop(self) -> bool:
        return (not self._crd_exists()) or (self.is_embedded)
    def _crd_exists(self) -> bool:
        """Check if the Prometheus ServiceMonitor exists"""
        return bool(
            len(
                self.api_ex.list_custom_resource_definition(
                    field_selector=f"metadata.name={CRD_NAME}"
                ).items
            )
        )
    def get_reference_object(self) -> PrometheusServiceMonitor:
        """Get service monitor object for outpost"""
        return PrometheusServiceMonitor(
            apiVersion=f"{CRD_GROUP}/{CRD_VERSION}",
            kind="ServiceMonitor",
            metadata=PrometheusServiceMonitorMetadata(
                name=self.name,
                namespace=self.namespace,
                labels=self.get_object_meta().labels,
            ),
            spec=PrometheusServiceMonitorSpec(
                endpoints=[
                    PrometheusServiceMonitorSpecEndpoint(
                        port="http-metrics",
                    )
                ],
                selector=PrometheusServiceMonitorSpecSelector(
                    matchLabels=self.get_object_meta(name=self.name).labels,
                ),
            ),
        )
    def create(self, reference: PrometheusServiceMonitor):
        return self.api.create_namespaced_custom_object(
            group=CRD_GROUP,
            version=CRD_VERSION,
            plural=CRD_PLURAL,
            namespace=self.namespace,
            body=asdict(reference),
            field_manager=FIELD_MANAGER,
        )
    def delete(self, reference: PrometheusServiceMonitor):
        return self.api.delete_namespaced_custom_object(
            group=CRD_GROUP,
            version=CRD_VERSION,
            namespace=self.namespace,
            plural=CRD_PLURAL,
            name=self.name,
        )
    def retrieve(self) -> PrometheusServiceMonitor:
        return from_dict(
            PrometheusServiceMonitor,
            self.api.get_namespaced_custom_object(
                group=CRD_GROUP,
                version=CRD_VERSION,
                namespace=self.namespace,
                plural=CRD_PLURAL,
                name=self.name,
            ),
        )
    def update(self, current: PrometheusServiceMonitor, reference: PrometheusServiceMonitor):
        return self.api.patch_namespaced_custom_object(
            group=CRD_GROUP,
            version=CRD_VERSION,
            namespace=self.namespace,
            plural=CRD_PLURAL,
            name=self.name,
            body=asdict(reference),
            field_manager=FIELD_MANAGER,
        )
--- a/authentik/outposts/controllers/k8s/utils.py
+++ b/authentik/outposts/controllers/k8s/utils.py
@ -1,11 +1,13 @@
 """k8s utils"""
 from pathlib import Path
 from kubernetes.config.incluster_config import SERVICE_TOKEN_FILENAME
 def get_namespace() -> str:
    """Get the namespace if we're running in a pod, otherwise default to default"""
-    path = Path("/var/run/secrets/kubernetes.io/serviceaccount/namespace")
+    path = Path(SERVICE_TOKEN_FILENAME.replace("token", "namespace"))
    if path.exists():
-        with open(path, "r") as _namespace_file:
+        with open(path, "r", encoding="utf8") as _namespace_file:
            return _namespace_file.read()
    return "default"
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@ -3,8 +3,9 @@ from io import StringIO
 from typing import Type
 from kubernetes.client.api_client import ApiClient
-from kubernetes.client.exceptions import ApiException
+from kubernetes.client.exceptions import OpenApiException
 from structlog.testing import capture_logs
 from urllib3.exceptions import HTTPError
 from yaml import dump_all
 from authentik.outposts.controllers.base import BaseController, ControllerException
@ -12,7 +13,8 @@ from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.k8s.secret import SecretReconciler
 from authentik.outposts.controllers.k8s.service import ServiceReconciler
-from authentik.outposts.models import KubernetesServiceConnection, Outpost
+from authentik.outposts.controllers.k8s.service_monitor import PrometheusServiceMonitorReconciler
 from authentik.outposts.models import KubernetesServiceConnection, Outpost, ServiceConnectionInvalid
 class KubernetesController(BaseController):
@ -31,8 +33,9 @@ class KubernetesController(BaseController):
            "secret": SecretReconciler,
            "deployment": DeploymentReconciler,
            "service": ServiceReconciler,
            "prometheus servicemonitor": PrometheusServiceMonitorReconciler,
        }
-        self.reconcile_order = ["secret", "deployment", "service"]
+        self.reconcile_order = ["secret", "deployment", "service", "prometheus servicemonitor"]
    def up(self):
        try:
@ -40,7 +43,7 @@ class KubernetesController(BaseController):
                reconciler = self.reconcilers[reconcile_key](self)
                reconciler.up()
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
            raise ControllerException(str(exc)) from exc
    def up_with_logs(self) -> list[str]:
@ -55,7 +58,7 @@ class KubernetesController(BaseController):
                    reconciler.up()
                all_logs += [f"{reconcile_key.title()}: {x['event']}" for x in logs]
            return all_logs
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
            raise ControllerException(str(exc)) from exc
    def down(self):
@ -65,7 +68,7 @@ class KubernetesController(BaseController):
                self.logger.debug("Tearing down object", name=reconcile_key)
                reconciler.down()
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
            raise ControllerException(str(exc)) from exc
    def down_with_logs(self) -> list[str]:
@ -80,7 +83,7 @@ class KubernetesController(BaseController):
                    reconciler.down()
                all_logs += [f"{reconcile_key.title()}: {x['event']}" for x in logs]
            return all_logs
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
            raise ControllerException(str(exc)) from exc
    def get_static_deployment(self) -> str:
--- a/authentik/outposts/docker_tls.py
+++ b/authentik/outposts/docker_tls.py
@ -25,7 +25,7 @@ class DockerInlineTLS:
    def write_file(self, name: str, contents: str) -> str:
        """Wrapper for mkstemp that uses fdopen"""
        path = Path(gettempdir(), name)
-        with open(path, "w") as _file:
+        with open(path, "w", encoding="utf8") as _file:
            _file.write(contents)
        return str(path)
--- a/Show More
+++ b/Show More