release: 2021.9.1-rc2

website: update screenshots
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-09-16 23:23:36 +02:00 · 2021-09-16 23:20:05 +02:00 · 2021-09-16 22:48:34 +02:00 · 2021-09-16 22:17:05 +02:00 · 2021-09-16 17:30:16 +02:00 · 2021-09-16 13:46:11 +02:00
351 changed files with 8345 additions and 7567 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.8.1-rc2
+current_version = 2021.9.1-rc2
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
@ -23,7 +23,7 @@ values =
 [bumpversion:file:schema.yml]
-[bumpversion:file:.github/workflows/release.yml]
+[bumpversion:file:.github/workflows/release-publish.yml]
 [bumpversion:file:authentik/__init__.py]
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -27,7 +27,7 @@ If applicable, add screenshots to help explain your problem.
 Output of docker-compose logs or kubectl logs respectively
 **Version and Deployment (please complete the following information):**
- - authentik version: [e.g. 0.10.0-stable]
+ - authentik version: [e.g. 2021.8.5]
 - Deployment: [e.g. docker-compose, helm]
 **Additional context**
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -20,7 +20,7 @@ If applicable, add screenshots to help explain your problem.
 Output of docker-compose logs or kubectl logs respectively
 **Version and Deployment (please complete the following information):**
- - authentik version: [e.g. 0.10.0-stable]
+ - authentik version: [e.g. 2021.8.5]
 - Deployment: [e.g. docker-compose, helm]
 **Additional context**
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -0,0 +1,309 @@
 name: authentik-ci-main
 on:
  push:
    branches:
      - master
      - next
      - version-*
    paths-ignore:
      - website
  pull_request:
    branches:
      - master
 env:
  POSTGRES_DB: authentik
  POSTGRES_USER: authentik
  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
 jobs:
  lint-pylint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run pylint
        run: pipenv run pylint authentik tests lifecycle
  lint-black:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run black
        run: pipenv run black --check authentik tests lifecycle
  lint-isort:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run isort
        run: pipenv run isort --check authentik tests lifecycle
  lint-bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run bandit
        run: pipenv run bandit -r authentik tests lifecycle
  lint-pyright:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
      - name: prepare
        run: |
          scripts/ci_prepare.sh
          npm install -g pyright@1.1.136
      - name: run bandit
        run: pipenv run pyright e2e lifecycle
  test-migrations:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run migrations
        run: pipenv run python -m lifecycle.migrate
  test-migrations-from-stable:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      - name: checkout stable
        run: |
          # Copy current, latest config to local
          cp authentik/lib/default.yml local.env.yml
          git checkout $(git describe --abbrev=0 --match 'version/*')
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - name: run migrations to stable
        run: pipenv run python -m lifecycle.migrate
      - name: prepare variables
        id: ev
        run: |
          python ./scripts/gh_do_set_branch.py
      - name: checkout current code
        run: |
          set -x
          git fetch
          git checkout ${{ steps.ev.outputs.branchName }}
          pipenv sync --dev
      - name: migrate to latest
        run: pipenv run python -m lifecycle.migrate
  test-unittest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - uses: testspace-com/setup-testspace@v1
        with:
          domain: ${{github.repository_owner}}
      - name: run unittest
        run: |
          pipenv run make test
          pipenv run coverage xml
      - name: run testspace
        if: ${{ always() }}
        run: |
          testspace [unittest]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v2
  test-integration:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: scripts/ci_prepare.sh
      - uses: testspace-com/setup-testspace@v1
        with:
          domain: ${{github.repository_owner}}
      - name: Create k8s Kind Cluster
        uses: helm/kind-action@v1.2.0
      - name: run integration
        run: |
          pipenv run make test-integration
          pipenv run coverage xml
      - name: run testspace
        if: ${{ always() }}
        run: |
          testspace [integration]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v2
  test-e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.9'
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - uses: testspace-com/setup-testspace@v1
        with:
          domain: ${{github.repository_owner}}
      # - id: cache-pipenv
      #   uses: actions/cache@v2.1.6
      #   with:
      #     path: ~/.local/share/virtualenvs
      #     key: ${{ runner.os }}-pipenv-v2-${{ hashFiles('**/Pipfile.lock') }}
      - name: prepare
        # env:
        #   INSTALL: ${{ steps.cache-pipenv.outputs.cache-hit }}
        run: |
          scripts/ci_prepare.sh
          docker-compose -f tests/e2e/ci.docker-compose.yml up -d
      - id: cache-web
        uses: actions/cache@v2.1.6
        with:
          path: web/dist
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        run: |
          cd web
          npm i
          npm run build
      - name: run e2e
        run: |
          pipenv run make test-e2e
          pipenv run coverage xml
      - name: run testspace
        if: ${{ always() }}
        run: |
          testspace [e2e]unittest.xml --link=codecov
      - if: ${{ always() }}
        uses: codecov/codecov-action@v2
  build:
    needs:
      - lint-pylint
      - lint-black
      - lint-isort
      - lint-bandit
      - lint-pyright
      - test-migrations
      - test-migrations-from-stable
      - test-unittest
      - test-integration
      - test-e2e
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: prepare variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.HARBOR_USERNAME }}
        run: |
          python ./scripts/gh_do_set_branch.py
      - name: Login to Container Registry
        uses: docker/login-action@v1
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          registry: beryju.org
          username: ${{ secrets.HARBOR_USERNAME }}
          password: ${{ secrets.HARBOR_PASSWORD }}
      - name: Building Docker Image
        uses: docker/build-push-action@v2
        with:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            beryju.org/authentik/server:gh-${{ steps.ev.outputs.branchName }}
            beryju.org/authentik/server:gh-${{ steps.ev.outputs.branchName }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -0,0 +1,69 @@
 name: authentik-ci-outpost
 on:
  push:
    branches:
      - master
      - next
      - version-*
  pull_request:
    branches:
      - master
 jobs:
  lint-golint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: '^1.16.3'
      - name: Run linter
        run: |
          # Create folder structure for go embeds
          mkdir -p web/dist
          mkdir -p website/help
          touch web/dist/test website/help/test
          docker run \
            --rm \
            -v $(pwd):/app \
            -w /app \
            golangci/golangci-lint:v1.39.0 \
            golangci-lint run -v --timeout 200s
  build:
    needs:
      - lint-golint
    strategy:
      matrix:
        type:
          - proxy
          - ldap
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: prepare variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.HARBOR_USERNAME }}
        run: |
          python ./scripts/gh_do_set_branch.py
      - name: Login to Container Registry
        uses: docker/login-action@v1
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
        with:
          registry: beryju.org
          username: ${{ secrets.HARBOR_USERNAME }}
          password: ${{ secrets.HARBOR_PASSWORD }}
      - name: Building Docker Image
        uses: docker/build-push-action@v2
        with:
          push: ${{ steps.ev.outputs.shouldBuild == 'true' }}
          tags: |
            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchName }}
            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.branchName }}-${{ steps.ev.outputs.timestamp }}
            beryju.org/authentik/outpost-${{ matrix.type }}:gh-${{ steps.ev.outputs.sha }}
          file: ${{ matrix.type }}.Dockerfile
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -0,0 +1,89 @@
 name: authentik-ci-web
 on:
  push:
    branches:
      - master
      - next
      - version-*
  pull_request:
    branches:
      - master
 jobs:
  lint-eslint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - run: |
          cd web
          npm install
      - name: Generate API
        run: make gen-web
      - name: Eslint
        run: |
          cd web
          npm run lint
  lint-prettier:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - run: |
          cd web
          npm install
      - name: Generate API
        run: make gen-web
      - name: prettier
        run: |
          cd web
          npm run prettier-check
  lint-lit-analyse:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - run: |
          cd web
          npm install
      - name: Generate API
        run: make gen-web
      - name: prettier
        run: |
          cd web
          npm run lit-analyse
  build:
    needs:
      - lint-eslint
      - lint-prettier
      - lint-lit-analyse
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - run: |
          cd web
          npm install
      - name: Generate API
        run: make gen-web
      - name: build
        run: |
          cd web
          npm run build
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -33,14 +33,14 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik:2021.8.1-rc2,
+            beryju/authentik:2021.9.1-rc2,
            beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2021.8.1-rc2,
+            ghcr.io/goauthentik/server:2021.9.1-rc2,
            ghcr.io/goauthentik/server:latest
          platforms: linux/amd64,linux/arm64
          context: .
      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.1-rc2', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.9.1-rc2', 'rc') }}
        run: |
          docker pull beryju/authentik:latest
          docker tag beryju/authentik:latest beryju/authentik:stable
@ -75,14 +75,14 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik-proxy:2021.8.1-rc2,
+            beryju/authentik-proxy:2021.9.1-rc2,
            beryju/authentik-proxy:latest,
-            ghcr.io/goauthentik/proxy:2021.8.1-rc2,
+            ghcr.io/goauthentik/proxy:2021.9.1-rc2,
            ghcr.io/goauthentik/proxy:latest
          file: proxy.Dockerfile
          platforms: linux/amd64,linux/arm64
      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.1-rc2', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.9.1-rc2', 'rc') }}
        run: |
          docker pull beryju/authentik-proxy:latest
          docker tag beryju/authentik-proxy:latest beryju/authentik-proxy:stable
@ -117,14 +117,14 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik-ldap:2021.8.1-rc2,
+            beryju/authentik-ldap:2021.9.1-rc2,
            beryju/authentik-ldap:latest,
-            ghcr.io/goauthentik/ldap:2021.8.1-rc2,
+            ghcr.io/goauthentik/ldap:2021.9.1-rc2,
            ghcr.io/goauthentik/ldap:latest
          file: ldap.Dockerfile
          platforms: linux/amd64,linux/arm64
      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2021.8.1-rc2', 'rc') }}
+        if: ${{ github.event_name == 'release' && !contains('2021.9.1-rc2', 'rc') }}
        run: |
          docker pull beryju/authentik-ldap:latest
          docker tag beryju/authentik-ldap:latest beryju/authentik-ldap:stable
@ -157,9 +157,9 @@ jobs:
    steps:
      - uses: actions/checkout@v2
      - name: Setup Node.js environment
-        uses: actions/setup-node@v2.4.0
+        uses: actions/setup-node@v2
        with:
-          node-version: 12.x
+          node-version: '16'
      - name: Build web api client and web ui
        run: |
          export NODE_ENV=production
@ -175,7 +175,7 @@ jobs:
          SENTRY_PROJECT: authentik
          SENTRY_URL: https://sentry.beryju.org
        with:
-          version: authentik@2021.8.1-rc2
+          version: authentik@2021.9.1-rc2
          environment: beryjuorg-prod
          sourcemaps: './web/dist'
          url_prefix: '~/static/dist'
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
--- a/.github/workflows/web-api-publish.yml
+++ b/.github/workflows/web-api-publish.yml
@ -1,7 +1,7 @@
 name: authentik-web-api-publish
 on:
  push:
-    branches: [ master, version* ]
+    branches: [ master ]
    paths:
      - 'schema.yml'
 jobs:
@ -12,7 +12,7 @@ jobs:
      # Setup .npmrc file to publish to npm
      - uses: actions/setup-node@v2
        with:
-          node-version: '16.x'
+          node-version: '16'
          registry-url: 'https://registry.npmjs.org'
      - name: Generate API Client
        run: make gen-web
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -11,8 +11,8 @@ The following is a set of guidelines for contributing to authentik and its compo
 [I don't want to read this whole thing, I just have a question!!!](#i-dont-want-to-read-this-whole-thing-i-just-have-a-question)
 [What should I know before I get started?](#what-should-i-know-before-i-get-started)
-  * [Atom and Packages](#atom-and-packages)
+  * [The components](#the-components)
-  * [Atom Design Decisions](#design-decisions)
+  * [authentik's structure](#authentiks-structure)
 [How Can I Contribute?](#how-can-i-contribute)
  * [Reporting Bugs](#reporting-bugs)
@ -22,14 +22,9 @@ The following is a set of guidelines for contributing to authentik and its compo
 [Styleguides](#styleguides)
  * [Git Commit Messages](#git-commit-messages)
-  * [JavaScript Styleguide](#javascript-styleguide)
+  * [Python Styleguide](#python-styleguide)
  * [CoffeeScript Styleguide](#coffeescript-styleguide)
  * [Specs Styleguide](#specs-styleguide)
  * [Documentation Styleguide](#documentation-styleguide)
 [Additional Notes](#additional-notes)
  * [Issue and Pull Request Labels](#issue-and-pull-request-labels)
 ## Code of Conduct
 Basically, don't be a dickhead. This is an open-source non-profit project, that is made in the free time of Volunteers. If there's something you dislike or think can be done better, tell us! We'd love to hear any suggestions for improvement.
--- a/27
+++ b/27
@ -18,22 +18,7 @@ COPY ./website /static/
 ENV NODE_ENV=production
 RUN cd /static && npm i && npm run build-docs-only
-# Stage 3: Generate API Client
+# Stage 3: Build webui
 FROM openapitools/openapi-generator-cli as go-api-builder
 COPY ./schema.yml /local/schema.yml
 RUN	docker-entrypoint.sh generate \
    --git-host goauthentik.io \
    --git-repo-id outpost \
    --git-user-id api \
    -i /local/schema.yml \
    -g go \
    -o /local/api \
    --additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true && \
    rm -f /local/api/go.mod /local/api/go.sum
 # Stage 4: Build webui
 FROM node as web-builder
 COPY ./web /static/
@ -41,8 +26,8 @@ COPY ./web /static/
 ENV NODE_ENV=production
 RUN cd /static && npm i && npm run build
-# Stage 5: Build go proxy
+# Stage 4: Build go proxy
-FROM golang:1.17.0 AS builder
+FROM golang:1.17.1 AS builder
 WORKDIR /work
@ -52,7 +37,6 @@ COPY --from=web-builder /static/dist/ /work/web/dist/
 COPY --from=web-builder /static/authentik/ /work/web/authentik/
 COPY --from=website-builder /static/help/ /work/website/help/
 COPY --from=go-api-builder /local/api api
 COPY ./cmd /work/cmd
 COPY ./web/static.go /work/web/static.go
 COPY ./website/static.go /work/website/static.go
@ -62,7 +46,7 @@ COPY ./go.sum /work/go.sum
 RUN go build -o /work/authentik ./cmd/server/main.go
-# Stage 6: Run
+# Stage 5: Run
 FROM python:3.9-slim-buster
 WORKDIR /
@ -97,6 +81,7 @@ COPY --from=builder /work/authentik /authentik-proxy
 USER authentik
 ENV TMPDIR /dev/shm/
-ENV PYTHONUBUFFERED 1
+ENV PYTHONUNBUFFERED 1
 ENV prometheus_multiproc_dir /dev/shm/
 ENV PATH "/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/lifecycle"
 ENTRYPOINT [ "/lifecycle/ak" ]
--- a/8
+++ b/8
@ -7,8 +7,6 @@ NPM_VERSION = $(shell python -m scripts.npm_version)
 all: lint-fix lint test gen
 test-integration:
 	k3d cluster create || exit 0
 	k3d kubeconfig write -o ~/.kube/config --overwrite
 	coverage run manage.py test -v 3 tests/integration
 test-e2e:
@ -61,13 +59,13 @@ gen-outpost:
 		-i /local/schema.yml \
 		-g go \
 		-o /local/api \
-		--additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true
+		--additional-properties=packageName=api,enumClassPrefix=true,useOneOfDiscriminatorLookup=true,disallowAdditionalPropertiesIfNotPresent=false
 	rm -f api/go.mod api/go.sum
-gen: gen-build gen-clean gen-web gen-outpost
+gen: gen-build gen-clean gen-web
 migrate:
 	python -m lifecycle.migrate
 run:
-	go run -v cmd/server/main.go
+	WORKERS=1 go run -v cmd/server/main.go
--- a/3
+++ b/3
@ -49,9 +49,6 @@ ua-parser = "*"
 deepmerge = "*"
 colorama = "*"
 [requires]
 python_version = "3.9"
 [dev-packages]
 bandit = "*"
 black = "==21.5b1"
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -1,12 +1,10 @@
 {
    "_meta": {
        "hash": {
-            "sha256": "f0befa9b3dacc1c3363b9442fa7a43f6be2c46a8fcb80a994230d288a384e54d"
+            "sha256": "19d5324fd1a4af125ed57a683030ca14ee2d3648117748e4b32656875484728e"
        },
        "pipfile-spec": 6,
-        "requires": {
+        "requires": {},
            "python_version": "3.9"
        },
        "sources": [
            {
                "name": "pypi",
@ -122,19 +120,19 @@
        },
        "boto3": {
            "hashes": [
-                "sha256:7209b79833bdf13753aa24f76bf533890ffed2cc4fe1fe08619d223c209bbd11",
+                "sha256:63b9846c26e0905f4e9e39d6b59f152330c53a926d693439161c43dcf9779365",
-                "sha256:f46c93d09acd4d4bfc6b9522ed852fecbdc508e0365f29ddfb3c146aae784b4e"
+                "sha256:a9232185d8e7e2fd2b166c0ebee5d7b1f787fdb3093f33bbf5aa932c08f0ccac"
            ],
            "index": "pypi",
-            "version": "==1.18.27"
+            "version": "==1.18.42"
        },
        "botocore": {
            "hashes": [
-                "sha256:8c99abd7093ab11ce8d09c68732aeeb6065a53d2fe371568452e99291817fff5",
+                "sha256:0952d1200968365b440045efe8e45bbae38cf603fee12bcfc3d7b5f963cbfa18",
-                "sha256:b9e2c90bad164d111c229102f58f995c28576e719dd116b446965e1b786f8fa5"
+                "sha256:6de4fec4ee10987e4dea96f289553c2f45109fcaafcb74a5baee1221926e1306"
            ],
            "markers": "python_version >= '3.6'",
-            "version": "==1.21.27"
+            "version": "==1.21.42"
        },
        "cachetools": {
            "hashes": [
@ -254,11 +252,11 @@
        },
        "charset-normalizer": {
            "hashes": [
-                "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
+                "sha256:7098e7e862f6370a2a8d1a6398cd359815c45d12626267652c3f13dec58e2367",
-                "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
+                "sha256:fa471a601dfea0f492e4f4fca035cd82155e65dc45c9b83bf4322dfab63755dd"
            ],
            "markers": "python_version >= '3'",
-            "version": "==2.0.4"
+            "version": "==2.0.5"
        },
        "click": {
            "hashes": [
@ -305,22 +303,25 @@
        },
        "cryptography": {
            "hashes": [
-                "sha256:0f1212a66329c80d68aeeb39b8a16d54ef57071bf22ff4e521657b27372e327d",
+                "sha256:0a7dcbcd3f1913f664aca35d47c1331fce738d44ec34b7be8b9d332151b0b01e",
-                "sha256:1e056c28420c072c5e3cb36e2b23ee55e260cb04eee08f702e0edfec3fb51959",
+                "sha256:1eb7bb0df6f6f583dd8e054689def236255161ebbcf62b226454ab9ec663746b",
-                "sha256:240f5c21aef0b73f40bb9f78d2caff73186700bf1bc6b94285699aff98cc16c6",
+                "sha256:21ca464b3a4b8d8e86ba0ee5045e103a1fcfac3b39319727bc0fc58c09c6aff7",
-                "sha256:26965837447f9c82f1855e0bc8bc4fb910240b6e0d16a664bb722df3b5b06873",
+                "sha256:34dae04a0dce5730d8eb7894eab617d8a70d0c97da76b905de9efb7128ad7085",
-                "sha256:37340614f8a5d2fb9aeea67fd159bfe4f5f4ed535b1090ce8ec428b2f15a11f2",
+                "sha256:3520667fda779eb788ea00080124875be18f2d8f0848ec00733c0ec3bb8219fc",
-                "sha256:3d10de8116d25649631977cb37da6cbdd2d6fa0e0281d014a5b7d337255ca713",
+                "sha256:3fa3a7ccf96e826affdf1a0a9432be74dc73423125c8f96a909e3835a5ef194a",
-                "sha256:3d8427734c781ea5f1b41d6589c293089704d4759e34597dce91014ac125aad1",
+                "sha256:5b0fbfae7ff7febdb74b574055c7466da334a5371f253732d7e2e7525d570498",
-                "sha256:7ec5d3b029f5fa2b179325908b9cd93db28ab7b85bb6c1db56b10e0b54235177",
+                "sha256:8695456444f277af73a4877db9fc979849cd3ee74c198d04fc0776ebc3db52b9",
-                "sha256:8e56e16617872b0957d1c9742a3f94b43533447fd78321514abbe7db216aa250",
+                "sha256:94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c",
-                "sha256:b01fd6f2737816cb1e08ed4807ae194404790eac7ad030b34f2ce72b332f5586",
+                "sha256:94fff993ee9bc1b2440d3b7243d488c6a3d9724cc2b09cdb297f6a886d040ef7",
-                "sha256:bf40af59ca2465b24e54f671b2de2c59257ddc4f7e5706dbd6930e26823668d3",
+                "sha256:9965c46c674ba8cc572bc09a03f4c649292ee73e1b683adb1ce81e82e9a6a0fb",
-                "sha256:de4e5f7f68220d92b7637fc99847475b59154b7a1b3868fb7385337af54ac9ca",
+                "sha256:a00cf305f07b26c351d8d4e1af84ad7501eca8a342dedf24a7acb0e7b7406e14",
-                "sha256:eb8cc2afe8b05acbd84a43905832ec78e7b3873fb124ca190f574dca7389a87d",
+                "sha256:a305600e7a6b7b855cd798e00278161b681ad6e9b7eca94c721d5f588ab212af",
-                "sha256:ee77aa129f481be46f8d92a1a7db57269a2f23052d5f2433b4621bb457081cc9"
+                "sha256:cd65b60cfe004790c795cc35f272e41a3df4631e2fb6b35aa7ac6ef2859d554e",
                "sha256:d2a6e5ef66503da51d2110edf6c403dc6b494cc0082f85db12f54e9c5d4c3ec5",
                "sha256:d9ec0e67a14f9d1d48dd87a2531009a9b251c02ea42851c060b25c782516ff06",
                "sha256:f44d141b8c4ea5eb4dbc9b3ad992d45580c1d22bf5e24363f2fbf50c2d7ae8a7"
            ],
-            "version": "==3.4.7"
+            "version": "==3.4.8"
        },
        "dacite": {
            "hashes": [
@ -356,11 +357,11 @@
        },
        "django": {
            "hashes": [
-                "sha256:7f92413529aa0e291f3be78ab19be31aefb1e1c9a52cd59e130f505f27a51f13",
+                "sha256:95b318319d6997bac3595517101ad9cc83fe5672ac498ba48d1a410f47afecd2",
-                "sha256:f27f8544c9d4c383bbe007c57e3235918e258364577373d4920e9162837be022"
+                "sha256:e93c93565005b37ddebf2396b4dc4b6913c1838baa82efdfb79acedd5816c240"
            ],
            "index": "pypi",
-            "version": "==3.2.6"
+            "version": "==3.2.7"
        },
        "django-dbbackup": {
            "git": "https://github.com/django-dbbackup/django-dbbackup.git",
@ -392,11 +393,11 @@
        },
        "django-otp": {
            "hashes": [
-                "sha256:01b5888f0bde5125e139433aacb947e52d5c406fa56c9db43c3e8d75b5c323c4",
+                "sha256:0c03a471db9e876f3671314bc9a65bd56a5c3c108ee0562c473701310bba4a77",
-                "sha256:0d56dd2a7fbb6ee6e54557e036ca64add0bd3596f471794bad673b7637d5e935"
+                "sha256:4c90cdaed683d736b0efafc034a3c6b410e1be2a53c24da287165b1f371d8776"
            ],
            "index": "pypi",
-            "version": "==1.0.6"
+            "version": "==1.1.1"
        },
        "django-prometheus": {
            "hashes": [
@ -440,19 +441,19 @@
        },
        "docker": {
            "hashes": [
-                "sha256:3e8bc47534e0ca9331d72c32f2881bb13b93ded0bcdeab3c833fb7cf61c0a9a5",
+                "sha256:21ec4998e90dff7a7aaaa098ca8d839c7de412b89e6f6c30908372d58fecf663",
-                "sha256:fc961d622160e8021c10d1bcabc388c57d55fb1f917175afbe24af442e6879bd"
+                "sha256:9b17f0723d83c1f3418d2aa17bf90b24dbe97deda06208dd4262fa30a6ee87eb"
            ],
            "index": "pypi",
-            "version": "==5.0.0"
+            "version": "==5.0.2"
        },
        "drf-spectacular": {
            "hashes": [
-                "sha256:f080128c42183fcaed6b9e8e5afcd2e5cd68426b1f80bfc85938f25e62db7fe5",
+                "sha256:47ef6ec8ff48ac8aede6ec12450a55fee381cf84de969ef1724dcde5a93de6b8",
-                "sha256:fb19aa69fcfcd37b0c9dfb9989c0671e1bb47af332ca2171378c7f840263788c"
+                "sha256:d746b936cb4cddec380ea95bf91de6a6721777dfc42e0eea53b83c61a625e94e"
            ],
            "index": "pypi",
-            "version": "==0.17.3"
+            "version": "==0.18.2"
        },
        "duo-client": {
            "hashes": [
@ -487,11 +488,11 @@
        },
        "google-auth": {
            "hashes": [
-                "sha256:c012c8be7c442c8309ca8fa0876fef33f5fd977c467be1e1c1c2f721e8ebd73c",
+                "sha256:7ae5eda089d393ca01658b550df24913cbbbdd34e9e6dedc1cea747485ae0c04",
-                "sha256:ea1af050b3e06eb73e4470f704d23007307bc0e87c13e015f6b90460f1407bd3"
+                "sha256:bde03220ed56e4e147dec92339c90ce95159dce657e2cccd0ac1fe82f6a96284"
            ],
            "markers": "python_version >= '3.6'",
-            "version": "==2.0.1"
+            "version": "==2.1.0"
        },
        "gunicorn": {
            "hashes": [
@ -1105,11 +1106,11 @@
        },
        "sqlparse": {
            "hashes": [
-                "sha256:017cde379adbd6a1f15a61873f43e8274179378e95ef3fede90b5aa64d304ed0",
+                "sha256:0c00730c74263a94e5a9919ade150dfc3b19c574389985446148402998287dae",
-                "sha256:0f91fd2e829c44362cbcfab3e9ae12e22badaa8a29ad5ff599f9ec109f0454e8"
+                "sha256:48719e356bb8b42991bdbb1e8b83223757b93789c00910a616a071910ca4a64d"
            ],
            "markers": "python_version >= '3.5'",
-            "version": "==0.4.1"
+            "version": "==0.4.2"
        },
        "structlog": {
            "hashes": [
@ -1148,11 +1149,11 @@
        },
        "typing-extensions": {
            "hashes": [
-                "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
+                "sha256:49f75d16ff11f1cd258e1b988ccff82a3ca5570217d7ad8c5f48205dd99a677e",
-                "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
+                "sha256:d8226d10bc02a29bcc81df19a26e56a9647f8b0a6d4a83924139f4a8b01f17b7",
-                "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
+                "sha256:f1d25edafde516b146ecd0613dabcc61409817af4766fbbcfb8d1ad4ec441a34"
            ],
-            "version": "==3.10.0.0"
+            "version": "==3.10.0.2"
        },
        "ua-parser": {
            "hashes": [
@ -1253,58 +1254,50 @@
        },
        "websockets": {
            "hashes": [
-                "sha256:0dd4eb8e0bbf365d6f652711ce21b8fd2b596f873d32aabb0fbb53ec604418cc",
+                "sha256:01db0ecd1a0ca6702d02a5ed40413e18b7d22f94afb3bbe0d323bac86c42c1c8",
-                "sha256:1d0971cc7251aeff955aa742ec541ee8aaea4bb2ebf0245748fbec62f744a37e",
+                "sha256:085bb8a6e780d30eaa1ba48ac7f3a6707f925edea787cfb761ce5a39e77ac09b",
-                "sha256:1d6b4fddb12ab9adf87b843cd4316c4bd602db8d5efd2fb83147f0458fe85135",
+                "sha256:1ac35426fe3e7d3d0fac3d63c8965c76ed67a8fd713937be072bf0ce22808539",
-                "sha256:230a3506df6b5f446fed2398e58dcaafdff12d67fe1397dff196411a9e820d02",
+                "sha256:1f6b814cff6aadc4288297cb3a248614829c6e4ff5556593c44a115e9dd49939",
-                "sha256:276d2339ebf0df4f45df453923ebd2270b87900eda5dfd4a6b0cfa15f82111c3",
+                "sha256:2a43072e434c041a99f2e1eb9b692df0232a38c37c61d00e9f24db79474329e4",
-                "sha256:2cf04601633a4ec176b9cc3d3e73789c037641001dbfaf7c411f89cd3e04fcaf",
+                "sha256:5b2600e01c7ca6f840c42c747ffbe0254f319594ed108db847eb3d75f4aacb80",
-                "sha256:3ddff38894c7857c476feb3538dd847514379d6dc844961dc99f04b0384b1b1b",
+                "sha256:62160772314920397f9d219147f958b33fa27a12c662d4455c9ccbba9a07e474",
-                "sha256:48c222feb3ced18f3dc61168ca18952a22fb88e5eb8902d2bf1b50faefdc34a2",
+                "sha256:706e200fc7f03bed99ad0574cd1ea8b0951477dd18cc978ccb190683c69dba76",
-                "sha256:51d04df04ed9d08077d10ccbe21e6805791b78eac49d16d30a1f1fe2e44ba0af",
+                "sha256:71358c7816e2762f3e4af3adf0040f268e219f5a38cb3487a9d0fc2e554fef6a",
-                "sha256:597c28f3aa7a09e8c070a86b03107094ee5cdafcc0d55f2f2eac92faac8dc67d",
+                "sha256:7d2e12e4f901f1bc062dfdf91831712c4106ed18a9a4cdb65e2e5f502124ca37",
-                "sha256:5c8f0d82ea2468282e08b0cf5307f3ad022290ed50c45d5cb7767957ca782880",
+                "sha256:7f79f02c7f9a8320aff7d3321cd1c7e3a7dbc15d922ac996cca827301ee75238",
-                "sha256:7189e51955f9268b2bdd6cc537e0faa06f8fffda7fb386e5922c6391de51b077",
+                "sha256:82b17524b1ce6ae7f7dd93e4d18e9b9474071e28b65dbf1dfe9b5767778db379",
-                "sha256:7df3596838b2a0c07c6f6d67752c53859a54993d4f062689fdf547cb56d0f84f",
+                "sha256:82bd921885231f4a30d9bc550552495b3fc36b1235add6d374e7c65c3babd805",
-                "sha256:826ccf85d4514609219725ba4a7abd569228c2c9f1968e8be05be366f68291ec",
+                "sha256:8bbf8660c3f833ddc8b1afab90213f2e672a9ddac6eecb3cde968e6b2807c1c7",
-                "sha256:836d14eb53b500fd92bd5db2fc5894f7c72b634f9c2a28f546f75967503d8e25",
+                "sha256:9a4d889162bd48588e80950e07fa5e039eee9deb76a58092e8c3ece96d7ef537",
-                "sha256:85db8090ba94e22d964498a47fdd933b8875a1add6ebc514c7ac8703eb97bbf0",
+                "sha256:b4ade7569b6fd17912452f9c3757d96f8e4044016b6d22b3b8391e641ca50456",
-                "sha256:85e701a6c316b7067f1e8675c638036a796fe5116783a4c932e7eb8e305a3ffe",
+                "sha256:b8176deb6be540a46695960a765a77c28ac8b2e3ef2ec95d50a4f5df901edb1c",
-                "sha256:900589e19200be76dd7cbaa95e9771605b5ce3f62512d039fb3bc5da9014912a",
+                "sha256:c4fc9a1d242317892590abe5b61a9127f1a61740477bfb121743f290b8054002",
-                "sha256:9147868bb0cc01e6846606cd65cbf9c58598f187b96d14dd1ca17338b08793bb",
+                "sha256:c5880442f5fc268f1ef6d37b2c152c114deccca73f48e3a8c48004d2f16f4567",
-                "sha256:9e7fdc775fe7403dbd8bc883ba59576a6232eac96dacb56512daacf7af5d618d",
+                "sha256:cd8c6f2ec24aedace251017bc7a414525171d4e6578f914acab9349362def4da",
-                "sha256:ab5ee15d3462198c794c49ccd31773d8a2b8c17d622aa184f669d2b98c2f0857",
+                "sha256:d67646ddd17a86117ae21c27005d83c1895c0cef5d7be548b7549646372f868a",
-                "sha256:ad893d889bc700a5835e0a95a3e4f2c39e91577ab232a3dc03c262a0f8fc4b5c",
+                "sha256:e42a1f1e03437b017af341e9bbfdc09252cd48ef32a8c3c3ead769eab3b17368",
-                "sha256:b2e71c4670ebe1067fa8632f0d081e47254ee2d3d409de54168b43b0ba9147e0",
+                "sha256:eb282127e9c136f860c6068a4fba5756eb25e755baffb5940b6f1eae071928b2",
-                "sha256:b43b13e5622c5a53ab12f3272e6f42f1ce37cd5b6684b2676cb365403295cd40",
+                "sha256:fe83b3ec9ef34063d86dfe1029160a85f24a5a94271036e5714a57acfdd089a1",
-                "sha256:b4ad84b156cf50529b8ac5cc1638c2cf8680490e3fccb6121316c8c02620a2e4",
+                "sha256:ff59c6bdb87b31f7e2d596f09353d5a38c8c8ff571b0e2238e8ee2d55ad68465"
                "sha256:be5fd35e99970518547edc906efab29afd392319f020c3c58b0e1a158e16ed20",
                "sha256:caa68c95bc1776d3521f81eeb4d5b9438be92514ec2a79fececda814099c8314",
                "sha256:d144b350045c53c8ff09aa1cfa955012dd32f00c7e0862c199edcabb1a8b32da",
                "sha256:d2c2d9b24d3c65b5a02cac12cbb4e4194e590314519ed49db2f67ef561c3cf58",
                "sha256:e9e5fd6dbdf95d99bc03732ded1fc8ef22ebbc05999ac7e0c7bf57fe6e4e5ae2",
                "sha256:ebf459a1c069f9866d8569439c06193c586e72c9330db1390af7c6a0a32c4afd",
                "sha256:f31722f1c033c198aa4a39a01905951c00bd1c74f922e8afc1b1c62adbcdd56a",
                "sha256:f68c352a68e5fdf1e97288d5cec9296664c590c25932a8476224124aaf90dbcd"
            ],
-            "version": "==9.1"
+            "version": "==10.0"
        },
        "xmlsec": {
            "hashes": [
-                "sha256:23f209260b37bdc2fd96af837494c47dd1e67964f077442b63acd83c0f62e212",
+                "sha256:135724cdce60e6bbd072fca6f09a21f72e2cecc59eebb4eed7740c316ecabc7b",
-                "sha256:4fb38ab0bf3e47cbae136119674a869e09d61c939b510350f369c8ac46087373",
+                "sha256:1b4377f6d37ad714ba95a227ef40fb54ba1b22ef5170ce04c330fe45ee6ad184",
-                "sha256:705ab5b848afdf3a5c78b1322276054c885f44dc51601e14cb883a9c86cbe20f",
+                "sha256:2c86ac6ce570c9e04f04da0cd5e7d3db346e4b5b1d006311606368f17c756ef9",
-                "sha256:843d10bba4c480609da74ee11fff1ee0fc1c12821c656979f12a7a4ecb043e03",
+                "sha256:4e5f565de311afa33aaee4724566e685f951afe301212b6cf82f98cf9d8a1749",
-                "sha256:86d54b93f8278e2f0c504d0744e39a483c1c7ce9993f2ca70184cc7770faa982",
+                "sha256:9a2b8a780093b0fe8cecae53a81a8cd9edd50c08980d374c5317c91f065042d9",
-                "sha256:8922fba55a060ee81de4a7f5efc593c5bf121047763aecf0eead02e061c9d2db",
+                "sha256:ce9c681adbc87b4f06c2b16725d9b2edbdbd508117dae4288b5faf78c1406038",
-                "sha256:c7b49d4fce83186b89f7ce6cec765245d36a70d0acc2f3ed0ba95c735b3667da",
+                "sha256:d22da4d3dcc559fb2e54e782f39c9ddad5f8d5b356f86a79bbb80b0a45115c97",
-                "sha256:cd2eaaff7f31784a07dd99ce81fa767313df3ba1834faa4143ee2c07000cac7a",
+                "sha256:db3e18ca883c01bbe28c9f5197c66f676c9772cf2d85f667e6122fc4d0702225",
-                "sha256:dea5bef9b5830c36ccb7a68a0d94d49eaea4d03fbbd04179652bf661b7e6e30f",
+                "sha256:e4783f7814aa2a3e318385cce8ef87c82954b9a59535a48f67da4e2c21c08ce1",
-                "sha256:eadff662d89c80db409c69d82eb3e695e16d4a5e8ab56b5b22670a54e9c6ff20",
+                "sha256:f32e54065f0404ceff71388daa7fa7df10e1fb800051dfe302d63abb0acf0020",
-                "sha256:ee233d0bc27fb8f447ca2622b0de2ac2df45b8795f02ef263825912011fe4fe9"
+                "sha256:f5d242b1a19a36078608f5d7f4d561c5ca55cac8061a323a071c06275267dc19"
            ],
            "index": "pypi",
-            "version": "==1.3.11"
+            "version": "==1.3.12"
        },
        "yarl": {
            "hashes": [
@ -1417,11 +1410,11 @@
        },
        "astroid": {
            "hashes": [
-                "sha256:b6c2d75cd7c2982d09e7d41d70213e863b3ba34d3bd4014e08f167cee966e99e",
+                "sha256:3b680ce0419b8a771aba6190139a3998d14b413852506d99aff8dc2bf65ee67c",
-                "sha256:ecc50f9b3803ebf8ea19aa2c6df5622d8a5c31456a53c741d3be044d96ff0948"
+                "sha256:dc1e8b28427d6bbef6b8842b18765ab58f558c42bb80540bd7648c98412af25e"
            ],
            "markers": "python_version ~= '3.6'",
-            "version": "==2.7.2"
+            "version": "==2.7.3"
        },
        "attrs": {
            "hashes": [
@ -1464,11 +1457,11 @@
        },
        "charset-normalizer": {
            "hashes": [
-                "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
+                "sha256:7098e7e862f6370a2a8d1a6398cd359815c45d12626267652c3f13dec58e2367",
-                "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
+                "sha256:fa471a601dfea0f492e4f4fca035cd82155e65dc45c9b83bf4322dfab63755dd"
            ],
            "markers": "python_version >= '3'",
-            "version": "==2.0.4"
+            "version": "==2.0.5"
        },
        "click": {
            "hashes": [
@ -1579,7 +1572,7 @@
                "sha256:9c2ea1e62d871267b78307fe511c0838ba0da28698c5732d54e2790bf3ba9899",
                "sha256:e17d6e2b81095c9db0a03a8025a957f334d6ea30b26f9ec70805411e5c7c81f2"
            ],
-            "markers": "python_version < '4.0' and python_full_version >= '3.6.1'",
+            "markers": "python_version < '4' and python_full_version >= '3.6.1'",
            "version": "==5.9.3"
        },
        "lazy-object-proxy": {
@ -1649,19 +1642,19 @@
        },
        "platformdirs": {
            "hashes": [
-                "sha256:4666d822218db6a262bdfdc9c39d21f23b4cfdb08af331a81e92751daf6c866c",
+                "sha256:15b056538719b1c94bdaccb29e5f81879c7f7f0f4a153f46086d155dffcd4f0f",
-                "sha256:632daad3ab546bd8e6af0537d09805cec458dce201bccfe23012df73332e181e"
+                "sha256:8003ac87717ae2c7ee1ea5a84a1a61e87f3fbd16eb5aadba194ea30a9019f648"
            ],
            "markers": "python_version >= '3.6'",
-            "version": "==2.2.0"
+            "version": "==2.3.0"
        },
        "pluggy": {
            "hashes": [
-                "sha256:15b2acde666561e1298d71b523007ed7364de07029219b604cf808bfa1c765b0",
+                "sha256:4224373bacce55f955a878bf9cfa763c1e360858e330072059e10bad68531159",
-                "sha256:966c145cd83c96502c3c3868f50408687b38434af77734af1e9ca461a4081d2d"
+                "sha256:74134bbf457f031a36d68416e1509f34bd5ccc019f0bcc952c7b909d06b37bd3"
            ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "markers": "python_version >= '3.6'",
-            "version": "==0.13.1"
+            "version": "==1.0.0"
        },
        "py": {
            "hashes": [
@ -1704,11 +1697,11 @@
        },
        "pytest": {
            "hashes": [
-                "sha256:50bcad0a0b9c5a72c8e4e7c9855a3ad496ca6a881a3641b4260605450772c54b",
+                "sha256:131b36680866a76e6781d13f101efb86cf674ebb9762eb70d3082b6f29889e89",
-                "sha256:91ef2131a9bd6be8f76f1f08eac5c5317221d6ad1e143ae03894b862e8976890"
+                "sha256:7310f8d27bc79ced999e760ca304d69f6ba6c6649c0b60fb0e04a4a77cacc134"
            ],
            "index": "pypi",
-            "version": "==6.2.4"
+            "version": "==6.2.5"
        },
        "pytest-django": {
            "hashes": [
@ -1755,49 +1748,49 @@
        },
        "regex": {
            "hashes": [
-                "sha256:03840a07a402576b8e3a6261f17eb88abd653ad4e18ec46ef10c9a63f8c99ebd",
+                "sha256:04f6b9749e335bb0d2f68c707f23bb1773c3fb6ecd10edf0f04df12a8920d468",
-                "sha256:06ba444bbf7ede3890a912bd4904bb65bf0da8f0d8808b90545481362c978642",
+                "sha256:08d74bfaa4c7731b8dac0a992c63673a2782758f7cfad34cf9c1b9184f911354",
-                "sha256:1f9974826aeeda32a76648fc677e3125ade379869a84aa964b683984a2dea9f1",
+                "sha256:0fc1f8f06977c2d4f5e3d3f0d4a08089be783973fc6b6e278bde01f0544ff308",
-                "sha256:330836ad89ff0be756b58758878409f591d4737b6a8cef26a162e2a4961c3321",
+                "sha256:121f4b3185feaade3f85f70294aef3f777199e9b5c0c0245c774ae884b110a2d",
-                "sha256:38600fd58c2996829480de7d034fb2d3a0307110e44dae80b6b4f9b3d2eea529",
+                "sha256:1413b5022ed6ac0d504ba425ef02549a57d0f4276de58e3ab7e82437892704fc",
-                "sha256:3a195e26df1fbb40ebee75865f9b64ba692a5824ecb91c078cc665b01f7a9a36",
+                "sha256:1743345e30917e8c574f273f51679c294effba6ad372db1967852f12c76759d8",
-                "sha256:41acdd6d64cd56f857e271009966c2ffcbd07ec9149ca91f71088574eaa4278a",
+                "sha256:28fc475f560d8f67cc8767b94db4c9440210f6958495aeae70fac8faec631797",
-                "sha256:45f97ade892ace20252e5ccecdd7515c7df5feeb42c3d2a8b8c55920c3551c30",
+                "sha256:31a99a4796bf5aefc8351e98507b09e1b09115574f7c9dbb9cf2111f7220d2e2",
-                "sha256:4b0c211c55d4aac4309c3209833c803fada3fc21cdf7b74abedda42a0c9dc3ce",
+                "sha256:328a1fad67445550b982caa2a2a850da5989fd6595e858f02d04636e7f8b0b13",
-                "sha256:5d5209c3ba25864b1a57461526ebde31483db295fc6195fdfc4f8355e10f7376",
+                "sha256:473858730ef6d6ff7f7d5f19452184cd0caa062a20047f6d6f3e135a4648865d",
-                "sha256:615fb5a524cffc91ab4490b69e10ae76c1ccbfa3383ea2fad72e54a85c7d47dd",
+                "sha256:4cde065ab33bcaab774d84096fae266d9301d1a2f5519d7bd58fc55274afbf7a",
-                "sha256:61e734c2bcb3742c3f454dfa930ea60ea08f56fd1a0eb52d8cb189a2f6be9586",
+                "sha256:5f6a808044faae658f546dd5f525e921de9fa409de7a5570865467f03a626fc0",
-                "sha256:640ccca4d0a6fcc6590f005ecd7b16c3d8f5d52174e4854f96b16f34c39d6cb7",
+                "sha256:610b690b406653c84b7cb6091facb3033500ee81089867ee7d59e675f9ca2b73",
-                "sha256:6dbd51c3db300ce9d3171f4106da18fe49e7045232630fe3d4c6e37cb2b39ab9",
+                "sha256:66256b6391c057305e5ae9209941ef63c33a476b73772ca967d4a2df70520ec1",
-                "sha256:71a904da8c9c02aee581f4452a5a988c3003207cb8033db426f29e5b2c0b7aea",
+                "sha256:6eebf512aa90751d5ef6a7c2ac9d60113f32e86e5687326a50d7686e309f66ed",
-                "sha256:8021dee64899f993f4b5cca323aae65aabc01a546ed44356a0965e29d7893c94",
+                "sha256:79aef6b5cd41feff359acaf98e040844613ff5298d0d19c455b3d9ae0bc8c35a",
-                "sha256:8b8d551f1bd60b3e1c59ff55b9e8d74607a5308f66e2916948cafd13480b44a3",
+                "sha256:808ee5834e06f57978da3e003ad9d6292de69d2bf6263662a1a8ae30788e080b",
-                "sha256:93f9f720081d97acee38a411e861d4ce84cbc8ea5319bc1f8e38c972c47af49f",
+                "sha256:8e44769068d33e0ea6ccdf4b84d80c5afffe5207aa4d1881a629cf0ef3ec398f",
-                "sha256:96f0c79a70642dfdf7e6a018ebcbea7ea5205e27d8e019cad442d2acfc9af267",
+                "sha256:999ad08220467b6ad4bd3dd34e65329dd5d0df9b31e47106105e407954965256",
-                "sha256:9966337353e436e6ba652814b0a957a517feb492a98b8f9d3b6ba76d22301dcc",
+                "sha256:9b006628fe43aa69259ec04ca258d88ed19b64791693df59c422b607b6ece8bb",
-                "sha256:a34ba9e39f8269fd66ab4f7a802794ffea6d6ac500568ec05b327a862c21ce23",
+                "sha256:9d05ad5367c90814099000442b2125535e9d77581855b9bee8780f1b41f2b1a2",
-                "sha256:a49f85f0a099a5755d0a2cc6fc337e3cb945ad6390ec892332c691ab0a045882",
+                "sha256:a577a21de2ef8059b58f79ff76a4da81c45a75fe0bfb09bc8b7bb4293fa18983",
-                "sha256:a795829dc522227265d72b25d6ee6f6d41eb2105c15912c230097c8f5bfdbcdc",
+                "sha256:a617593aeacc7a691cc4af4a4410031654f2909053bd8c8e7db837f179a630eb",
-                "sha256:a89ca4105f8099de349d139d1090bad387fe2b208b717b288699ca26f179acbe",
+                "sha256:abb48494d88e8a82601af905143e0de838c776c1241d92021e9256d5515b3645",
-                "sha256:ac95101736239260189f426b1e361dc1b704513963357dc474beb0f39f5b7759",
+                "sha256:ac88856a8cbccfc14f1b2d0b829af354cc1743cb375e7f04251ae73b2af6adf8",
-                "sha256:ae87ab669431f611c56e581679db33b9a467f87d7bf197ac384e71e4956b4456",
+                "sha256:b4c220a1fe0d2c622493b0a1fd48f8f991998fb447d3cd368033a4b86cf1127a",
-                "sha256:b091dcfee169ad8de21b61eb2c3a75f9f0f859f851f64fdaf9320759a3244239",
+                "sha256:b844fb09bd9936ed158ff9df0ab601e2045b316b17aa8b931857365ea8586906",
-                "sha256:b511c6009d50d5c0dd0bab85ed25bc8ad6b6f5611de3a63a59786207e82824bb",
+                "sha256:bdc178caebd0f338d57ae445ef8e9b737ddf8fbc3ea187603f65aec5b041248f",
-                "sha256:b79dc2b2e313565416c1e62807c7c25c67a6ff0a0f8d83a318df464555b65948",
+                "sha256:c206587c83e795d417ed3adc8453a791f6d36b67c81416676cad053b4104152c",
-                "sha256:bca14dfcfd9aae06d7d8d7e105539bd77d39d06caaae57a1ce945670bae744e0",
+                "sha256:c61dcc1cf9fd165127a2853e2c31eb4fb961a4f26b394ac9fe5669c7a6592892",
-                "sha256:c835c30f3af5c63a80917b72115e1defb83de99c73bc727bddd979a3b449e183",
+                "sha256:c7cb4c512d2d3b0870e00fbbac2f291d4b4bf2634d59a31176a87afe2777c6f0",
-                "sha256:ccd721f1d4fc42b541b633d6e339018a08dd0290dc67269df79552843a06ca92",
+                "sha256:d4a332404baa6665b54e5d283b4262f41f2103c255897084ec8f5487ce7b9e8e",
-                "sha256:d6c2b1d78ceceb6741d703508cd0e9197b34f6bf6864dab30f940f8886e04ade",
+                "sha256:d5111d4c843d80202e62b4fdbb4920db1dcee4f9366d6b03294f45ed7b18b42e",
-                "sha256:d6ec4ae13760ceda023b2e5ef1f9bc0b21e4b0830458db143794a117fdbdc044",
+                "sha256:e1e8406b895aba6caa63d9fd1b6b1700d7e4825f78ccb1e5260551d168db38ed",
-                "sha256:d8b623fc429a38a881ab2d9a56ef30e8ea20c72a891c193f5ebbddc016e083ee",
+                "sha256:e8690ed94481f219a7a967c118abaf71ccc440f69acd583cab721b90eeedb77c",
-                "sha256:ea9753d64cba6f226947c318a923dadaf1e21cd8db02f71652405263daa1f033",
+                "sha256:ed283ab3a01d8b53de3a05bfdf4473ae24e43caee7dcb5584e86f3f3e5ab4374",
-                "sha256:ebbceefbffae118ab954d3cd6bf718f5790db66152f95202ebc231d58ad4e2c2",
+                "sha256:ed4b50355b066796dacdd1cf538f2ce57275d001838f9b132fab80b75e8c84dd",
-                "sha256:ecb6e7c45f9cd199c10ec35262b53b2247fb9a408803ed00ee5bb2b54aa626f5",
+                "sha256:ee329d0387b5b41a5dddbb6243a21cb7896587a651bebb957e2d2bb8b63c0791",
-                "sha256:ef9326c64349e2d718373415814e754183057ebc092261387a2c2f732d9172b2",
+                "sha256:f3bf1bc02bc421047bfec3343729c4bbbea42605bcfd6d6bfe2c07ade8b12d2a",
-                "sha256:f93a9d8804f4cec9da6c26c8cfae2c777028b4fdd9f49de0302e26e00bb86504",
+                "sha256:f585cbbeecb35f35609edccb95efd95a3e35824cd7752b586503f7e6087303f1",
-                "sha256:faf08b0341828f6a29b8f7dd94d5cf8cc7c39bfc3e67b78514c54b494b66915a"
+                "sha256:f60667673ff9c249709160529ab39667d1ae9fd38634e006bec95611f632e759"
            ],
-            "version": "==2021.8.21"
+            "version": "==2021.8.28"
        },
        "requests": {
            "hashes": [
--- a/README.md
+++ b/README.md
@ -4,14 +4,15 @@
 ---
-[![](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://discord.gg/jg33eMhnj6)
+[![Join Discord](https://img.shields.io/discord/809154715984199690?label=Discord&style=for-the-badge)](https://discord.gg/jg33eMhnj6)
-[![CI Build status](https://img.shields.io/azure-devops/build/beryjuorg/authentik/6?style=for-the-badge)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-main?label=core%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-main.yml)
-[![Tests](https://img.shields.io/azure-devops/tests/beryjuorg/authentik/6?compact_message&style=for-the-badge)](https://dev.azure.com/beryjuorg/authentik/_build?definitionId=6)
+[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-outpost?label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-web?label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
 [![Testspace tests](https://img.shields.io/testspace/total/goauthentik/goauthentik:authentik/master?style=for-the-badge)](https://goauthentik.testspace.com/)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=for-the-badge)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=for-the-badge)
-![LGTM Grade](https://img.shields.io/lgtm/grade/python/github/goauthentik/authentik?style=for-the-badge)
+[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/beryjuorg/authentik/)
 [Transifex](https://www.transifex.com/beryjuorg/authentik/)
 ## What is authentik?
--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,9 +6,8 @@
 | Version    | Supported          |
 | ---------- | ------------------ |
 | 2021.5.x   | :white_check_mark: |
 | 2021.6.x   | :white_check_mark: |
 | 2021.7.x   | :white_check_mark: |
 | 2021.8.x   | :white_check_mark: |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -1,3 +1,3 @@
 """authentik"""
-__version__ = "2021.8.1-rc2"
+__version__ = "2021.9.1-rc2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -6,12 +6,14 @@ from django.core.cache import cache
 from django.core.validators import URLValidator
 from packaging.version import parse
 from prometheus_client import Info
-from requests import RequestException, get
+from requests import RequestException
 from structlog.stdlib import get_logger
 from authentik import ENV_GIT_HASH_KEY, __version__
 from authentik.events.models import Event, EventAction
 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 LOGGER = get_logger()
@ -36,12 +38,17 @@ def _set_prom_info():
@CELERY_APP.task(bind=True, base=MonitoredTask)
 def update_latest_version(self: MonitoredTask):
    """Update latest version info"""
    if CONFIG.y_bool("disable_update_check"):
        cache.set(VERSION_CACHE_KEY, "0.0.0", VERSION_CACHE_TIMEOUT)
        self.set_status(TaskResult(TaskResultStatus.WARNING, messages=["Version check disabled."]))
        return
    try:
-        response = get("https://api.github.com/repos/goauthentik/authentik/releases/latest")
+        response = get_http_session().get(
            "https://version.goauthentik.io/version.json",
        )
        response.raise_for_status()
        data = response.json()
-        tag_name = data.get("tag_name")
+        upstream_version = data.get("stable", {}).get("version")
        upstream_version = tag_name.split("/")[1]
        cache.set(VERSION_CACHE_KEY, upstream_version, VERSION_CACHE_TIMEOUT)
        self.set_status(
            TaskResult(TaskResultStatus.SUCCESSFUL, ["Successfully updated latest Version"])
@ -58,7 +65,7 @@ def update_latest_version(self: MonitoredTask):
            ).exists():
                return
            event_dict = {"new_version": upstream_version}
-            if match := re.search(URL_FINDER, data.get("body", "")):
+            if match := re.search(URL_FINDER, data.get("stable", {}).get("changelog", "")):
                event_dict["message"] = f"Changelog: {match.group()}"
            Event.new(EventAction.UPDATE_AVAILABLE, **event_dict).save()
    except (RequestException, IndexError) as exc:
--- a/authentik/admin/tests/test_tasks.py
+++ b/authentik/admin/tests/test_tasks.py
@ -1,81 +1,58 @@
 """test admin tasks"""
 import json
 from dataclasses import dataclass
 from unittest.mock import Mock, patch
 from django.core.cache import cache
 from django.test import TestCase
-from requests.exceptions import RequestException
+from requests_mock import Mocker
 from authentik.admin.tasks import VERSION_CACHE_KEY, update_latest_version
 from authentik.events.models import Event, EventAction
-
+RESPONSE_VALID = {
-@dataclass
+    "$schema": "https://version.goauthentik.io/schema.json",
-class MockResponse:
+    "stable": {
-    """Mock class to emulate the methods of requests's Response we need"""
+        "version": "99999999.9999999",
-
+        "changelog": "See https://goauthentik.io/test",
-    status_code: int
+        "reason": "bugfix",
-    response: str
+    },
-
+}
    def json(self) -> dict:
        """Get json parsed response"""
        return json.loads(self.response)
    def raise_for_status(self):
        """raise RequestException if status code is 400 or more"""
        if self.status_code >= 400:
            raise RequestException
 REQUEST_MOCK_VALID = Mock(
    return_value=MockResponse(
        200,
        """{
            "tag_name": "version/99999999.9999999",
            "body": "https://goauthentik.io/test"
        }""",
    )
 )
 REQUEST_MOCK_INVALID = Mock(return_value=MockResponse(400, "{}"))
 class TestAdminTasks(TestCase):
    """test admin tasks"""
    @patch("authentik.admin.tasks.get", REQUEST_MOCK_VALID)
    def test_version_valid_response(self):
        """Test Update checker with valid response"""
-        update_latest_version.delay().get()
+        with Mocker() as mocker:
-        self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
+            mocker.get("https://version.goauthentik.io/version.json", json=RESPONSE_VALID)
-        self.assertTrue(
+            update_latest_version.delay().get()
-            Event.objects.filter(
+            self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
-                action=EventAction.UPDATE_AVAILABLE,
+            self.assertTrue(
                context__new_version="99999999.9999999",
                context__message="Changelog: https://goauthentik.io/test",
            ).exists()
        )
        # test that a consecutive check doesn't create a duplicate event
        update_latest_version.delay().get()
        self.assertEqual(
            len(
                Event.objects.filter(
                    action=EventAction.UPDATE_AVAILABLE,
                    context__new_version="99999999.9999999",
                    context__message="Changelog: https://goauthentik.io/test",
-                )
+                ).exists()
-            ),
+            )
-            1,
+            # test that a consecutive check doesn't create a duplicate event
-        )
+            update_latest_version.delay().get()
            self.assertEqual(
                len(
                    Event.objects.filter(
                        action=EventAction.UPDATE_AVAILABLE,
                        context__new_version="99999999.9999999",
                        context__message="Changelog: https://goauthentik.io/test",
                    )
                ),
                1,
            )
    @patch("authentik.admin.tasks.get", REQUEST_MOCK_INVALID)
    def test_version_error(self):
        """Test Update checker with invalid response"""
-        update_latest_version.delay().get()
+        with Mocker() as mocker:
-        self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
+            mocker.get("https://version.goauthentik.io/version.json", status_code=400)
-        self.assertFalse(
+            update_latest_version.delay().get()
-            Event.objects.filter(
+            self.assertEqual(cache.get(VERSION_CACHE_KEY), "0.0.0")
-                action=EventAction.UPDATE_AVAILABLE, context__new_version="0.0.0"
+            self.assertFalse(
-            ).exists()
+                Event.objects.filter(
-        )
+                    action=EventAction.UPDATE_AVAILABLE, context__new_version="0.0.0"
                ).exists()
            )
--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@ -31,7 +31,7 @@ VALIDATION_ERROR = build_object_type(
        "non_field_errors": build_array_type(build_standard_type(OpenApiTypes.STR)),
        "code": build_standard_type(OpenApiTypes.STR),
    },
-    required=["detail"],
+    required=[],
    additionalProperties={},
 )
--- a/authentik/api/tasks.py
+++ b/authentik/api/tasks.py
@ -0,0 +1,19 @@
 """API tasks"""
 from authentik.lib.utils.http import get_http_session
 from authentik.root.celery import CELERY_APP
 SENTRY_SESSION = get_http_session()
@CELERY_APP.task()
 def sentry_proxy(payload: str):
    """Relay data to sentry"""
    SENTRY_SESSION.post(
        "https://sentry.beryju.org/api/8/envelope/",
        data=payload,
        headers={
            "Content-Type": "application/octet-stream",
        },
        timeout=10,
    )
--- a/authentik/api/urls.py
+++ b/authentik/api/urls.py
@ -1,8 +1,10 @@
 """authentik api urls"""
 from django.urls import include, path
-from authentik.api.v2.urls import urlpatterns as v2_urls
+from authentik.api.v3.urls import urlpatterns as v3_urls
 urlpatterns = [
-    path("v2beta/", include(v2_urls)),
+    # Remove in 2022.1
    path("v2beta/", include(v3_urls)),
    path("v3/", include(v3_urls)),
 ]
--- a/authentik/api/v2/sentry.py
+++ b/authentik/api/v2/sentry.py
@ -1,38 +0,0 @@
 """Sentry tunnel"""
 from json import loads
 from django.conf import settings
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
 from django.views.generic.base import View
 from requests import post
 from requests.exceptions import RequestException
 from authentik.lib.config import CONFIG
 class SentryTunnelView(View):
    """Sentry tunnel, to prevent ad blockers from blocking sentry"""
    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Sentry tunnel, to prevent ad blockers from blocking sentry"""
        # Only allow usage of this endpoint when error reporting is enabled
        if not CONFIG.y_bool("error_reporting.enabled", False):
            return HttpResponse(status=400)
        # Body is 2 json objects separated by \n
        full_body = request.body
        header = loads(full_body.splitlines()[0])
        # Check that the DSN is what we expect
        dsn = header.get("dsn", "")
        if dsn != settings.SENTRY_DSN:
            return HttpResponse(status=400)
        response = post(
            "https://sentry.beryju.org/api/8/envelope/",
            data=full_body,
            headers={"Content-Type": "application/octet-stream"},
        )
        try:
            response.raise_for_status()
        except RequestException:
            return HttpResponse(status=500)
        return HttpResponse(status=response.status_code)
--- a/authentik/api/v3/init.py
+++ b/authentik/api/v3/init.py
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
--- a/authentik/api/v3/sentry.py
+++ b/authentik/api/v3/sentry.py
@ -0,0 +1,60 @@
 """Sentry tunnel"""
 from json import loads
 from django.conf import settings
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse
 from rest_framework.authentication import SessionAuthentication
 from rest_framework.parsers import BaseParser
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.throttling import AnonRateThrottle
 from rest_framework.views import APIView
 from authentik.api.tasks import sentry_proxy
 from authentik.lib.config import CONFIG
 class PlainTextParser(BaseParser):
    """Plain text parser."""
    media_type = "text/plain"
    def parse(self, stream, media_type=None, parser_context=None) -> str:
        """Simply return a string representing the body of the request."""
        return stream.read()
 class CsrfExemptSessionAuthentication(SessionAuthentication):
    """CSRF-exempt Session authentication"""
    def enforce_csrf(self, request: Request):
        return  # To not perform the csrf check previously happening
 class SentryTunnelView(APIView):
    """Sentry tunnel, to prevent ad blockers from blocking sentry"""
    serializer_class = None
    parser_classes = [PlainTextParser]
    throttle_classes = [AnonRateThrottle]
    permission_classes = [AllowAny]
    authentication_classes = [CsrfExemptSessionAuthentication]
    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Sentry tunnel, to prevent ad blockers from blocking sentry"""
        # Only allow usage of this endpoint when error reporting is enabled
        if not CONFIG.y_bool("error_reporting.enabled", False):
            return HttpResponse(status=400)
        # Body is 2 json objects separated by \n
        full_body = request.body
        lines = full_body.splitlines()
        if len(lines) < 1:
            return HttpResponse(status=400)
        header = loads(lines[0])
        # Check that the DSN is what we expect
        dsn = header.get("dsn", "")
        if dsn != settings.SENTRY_DSN:
            return HttpResponse(status=400)
        sentry_proxy.delay(full_body.decode())
        return HttpResponse(status=204)
--- a/authentik/api/v3/urls.py
+++ b/authentik/api/v3/urls.py
@ -1,6 +1,6 @@
-"""api v2 urls"""
+"""api v3 urls"""
 from django.urls import path
-from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.cache import cache_page
 from drf_spectacular.views import SpectacularAPIView
 from rest_framework import routers
@ -10,8 +10,8 @@ from authentik.admin.api.system import SystemView
 from authentik.admin.api.tasks import TaskViewSet
 from authentik.admin.api.version import VersionView
 from authentik.admin.api.workers import WorkerView
-from authentik.api.v2.config import ConfigView
+from authentik.api.v3.config import ConfigView
-from authentik.api.v2.sentry import SentryTunnelView
+from authentik.api.v3.sentry import SentryTunnelView
 from authentik.api.views import APIBrowserView
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@ -24,6 +24,7 @@ from authentik.core.api.users import UserViewSet
 from authentik.crypto.api import CertificateKeyPairViewSet
 from authentik.events.api.event import EventViewSet
 from authentik.events.api.notification import NotificationViewSet
 from authentik.events.api.notification_mapping import NotificationWebhookMappingViewSet
 from authentik.events.api.notification_rule import NotificationRuleViewSet
 from authentik.events.api.notification_transport import NotificationTransportViewSet
 from authentik.flows.api.bindings import FlowStageBindingViewSet
@ -159,6 +160,7 @@ router.register("propertymappings/all", PropertyMappingViewSet)
 router.register("propertymappings/ldap", LDAPPropertyMappingViewSet)
 router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
 router.register("propertymappings/scope", ScopeMappingViewSet)
 router.register("propertymappings/notification", NotificationWebhookMappingViewSet)
 router.register("authenticators/duo", DuoDeviceViewSet)
 router.register("authenticators/static", StaticDeviceViewSet)
@ -225,7 +227,7 @@ urlpatterns = (
            FlowExecutorView.as_view(),
            name="flow-executor",
        ),
-        path("sentry/", csrf_exempt(SentryTunnelView.as_view()), name="sentry"),
+        path("sentry/", SentryTunnelView.as_view(), name="sentry"),
-        path("schema/", SpectacularAPIView.as_view(), name="schema"),
+        path("schema/", cache_page(86400)(SpectacularAPIView.as_view()), name="schema"),
    ]
 )
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -4,14 +4,9 @@ from django.db.models import QuerySet
 from django.http.response import HttpResponseBadRequest
 from django.shortcuts import get_object_or_404
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import (
+from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
    OpenApiParameter,
    OpenApiResponse,
    extend_schema,
    inline_serializer,
 )
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, CharField, FileField, ReadOnlyField
+from rest_framework.fields import ReadOnlyField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -24,6 +19,7 @@ from authentik.admin.api.metrics import CoordinateSerializer, get_events_per_1h
 from authentik.api.decorators import permission_required
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import FilePathSerializer, FileUploadSerializer
 from authentik.core.models import Application, User
 from authentik.events.models import EventAction
 from authentik.policies.api.exec import PolicyTestResultSerializer
@ -71,7 +67,7 @@ class ApplicationSerializer(ModelSerializer):
 class ApplicationViewSet(UsedByMixin, ModelViewSet):
    """Application Viewset"""
-    queryset = Application.objects.all()
+    queryset = Application.objects.all().prefetch_related("provider")
    serializer_class = ApplicationSerializer
    search_fields = [
        "name",
@ -180,13 +176,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_core.change_application")
    @extend_schema(
        request={
-            "multipart/form-data": inline_serializer(
+            "multipart/form-data": FileUploadSerializer,
                "SetIcon",
                fields={
                    "file": FileField(required=False),
                    "clear": BooleanField(default=False),
                },
            )
        },
        responses={
            200: OpenApiResponse(description="Success"),
@ -218,7 +208,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_core.change_application")
    @extend_schema(
-        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
+        request=FilePathSerializer,
        responses={
            200: OpenApiResponse(description="Success"),
            400: OpenApiResponse(description="Bad request"),
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@ -11,6 +11,7 @@ from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
 from ua_parser import user_agent_parser
 from authentik.api.authorization import OwnerPermissions
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.models import AuthenticatedSession
 from authentik.events.geo import GEOIP_READER, GeoIPDict
@ -102,11 +103,8 @@ class AuthenticatedSessionViewSet(
    search_fields = ["user__username", "last_ip", "last_user_agent"]
    filterset_fields = ["user__username", "last_ip", "last_user_agent"]
    ordering = ["user__username"]
-    filter_backends = [
+    permission_classes = [OwnerPermissions]
-        DjangoFilterBackend,
+    filter_backends = [DjangoFilterBackend, OrderingFilter, SearchFilter]
        OrderingFilter,
        SearchFilter,
    ]
    def get_queryset(self):
        user = self.request.user if self.request else get_anonymous_user()
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -2,7 +2,7 @@
 from django.db.models.query import QuerySet
 from django_filters.filters import ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from rest_framework.fields import BooleanField, CharField, JSONField
+from rest_framework.fields import CharField, JSONField
 from rest_framework.serializers import ListSerializer, ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from rest_framework_guardian.filters import ObjectPermissionsFilter
@ -15,7 +15,6 @@ from authentik.core.models import Group, User
 class GroupMemberSerializer(ModelSerializer):
    """Stripped down user serializer to show relevant users for groups"""
    is_superuser = BooleanField(read_only=True)
    avatar = CharField(read_only=True)
    attributes = JSONField(validators=[is_dict], required=False)
    uid = CharField(read_only=True)
@ -29,7 +28,6 @@ class GroupMemberSerializer(ModelSerializer):
            "name",
            "is_active",
            "last_login",
            "is_superuser",
            "email",
            "avatar",
            "attributes",
@ -81,7 +79,7 @@ class GroupFilter(FilterSet):
 class GroupViewSet(UsedByMixin, ModelViewSet):
    """Group Viewset"""
-    queryset = Group.objects.all()
+    queryset = Group.objects.all().select_related("parent").prefetch_related("users")
    serializer_class = GroupSerializer
    search_fields = ["name", "is_superuser"]
    filterset_class = GroupFilter
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -95,7 +95,9 @@ class SourceViewSet(
    @action(detail=False, pagination_class=None, filter_backends=[])
    def user_settings(self, request: Request) -> Response:
        """Get all sources the user can configure"""
-        _all_sources: Iterable[Source] = Source.objects.filter(enabled=True).select_subclasses()
+        _all_sources: Iterable[Source] = (
            Source.objects.filter(enabled=True).select_subclasses().order_by("name")
        )
        matching_sources: list[UserSettingSerializer] = []
        for source in _all_sources:
            user_settings = source.ui_user_settings
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -23,10 +23,12 @@ from authentik.managed.api import ManagedSerializer
 class TokenSerializer(ManagedSerializer, ModelSerializer):
    """Token Serializer"""
-    user = UserSerializer(required=False)
+    user_obj = UserSerializer(required=False, source="user")
    def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
        """Ensure only API or App password tokens are created."""
        request: Request = self.context["request"]
        attrs.setdefault("user", request.user)
        attrs.setdefault("intent", TokenIntents.INTENT_API)
        if attrs.get("intent") not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
            raise ValidationError(f"Invalid intent {attrs.get('intent')}")
@ -41,11 +43,14 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
            "identifier",
            "intent",
            "user",
            "user_obj",
            "description",
            "expires",
            "expiring",
        ]
-        depth = 2
+        extra_kwargs = {
            "user": {"required": False},
        }
 class TokenViewSerializer(PassiveSerializer):
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -1,4 +1,5 @@
 """User API Views"""
 from datetime import timedelta
 from json import loads
 from typing import Optional
@ -7,6 +8,7 @@ from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
 from django.utils.http import urlencode
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
 from django_filters.filters import BooleanFilter, CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
@ -274,6 +276,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                    identifier=f"service-account-{username}-password",
                    intent=TokenIntents.INTENT_APP_PASSWORD,
                    user=user,
                    expires=now() + timedelta(days=360),
                )
                return Response({"username": user.username, "token": token.key})
            except (IntegrityError) as exc:
@ -310,7 +313,9 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        # since it caches the full object
        if SESSION_IMPERSONATE_USER in request.session:
            request.session[SESSION_IMPERSONATE_USER] = new_user
-        return self.me(request)
+        serializer = SessionUserSerializer(data={"user": UserSelfSerializer(request.user).data})
        serializer.is_valid()
        return Response(serializer.data)
    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
--- a/authentik/core/api/utils.py
+++ b/authentik/core/api/utils.py
@ -2,7 +2,7 @@
 from typing import Any
 from django.db.models import Model
-from rest_framework.fields import CharField, IntegerField
+from rest_framework.fields import BooleanField, CharField, FileField, IntegerField
 from rest_framework.serializers import Serializer, SerializerMethodField, ValidationError
@ -22,8 +22,18 @@ class PassiveSerializer(Serializer):
    def update(self, instance: Model, validated_data: dict) -> Model:  # pragma: no cover
        return Model()
-    class Meta:
+
-        model = Model
+class FileUploadSerializer(PassiveSerializer):
    """Serializer to upload file"""
    file = FileField(required=False)
    clear = BooleanField(default=False)
 class FilePathSerializer(PassiveSerializer):
    """Serializer to upload file"""
    url = CharField()
 class MetaNameSerializer(PassiveSerializer):
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -184,7 +184,7 @@ class SourceFlowManager:
        # Ensure redirect is carried through when user was trying to
        # authorize application
        final_redirect = self.request.session.get(SESSION_KEY_GET, {}).get(
-            NEXT_ARG_NAME, "authentik_core:if-admin"
+            NEXT_ARG_NAME, "authentik_core:if-user"
        )
        kwargs.update(
            {
@ -243,9 +243,9 @@ class SourceFlowManager:
            return self.handle_auth_user(connection)
        return redirect(
            reverse(
-                "authentik_core:if-admin",
+                "authentik_core:if-user",
            )
-            + f"#/user;page-{self.source.slug}"
+            + f"#/settings;page-{self.source.slug}"
        )
    def handle_enroll(
--- a/authentik/core/sources/stage.py
+++ b/authentik/core/sources/stage.py
@ -28,3 +28,7 @@ class PostUserEnrollmentStage(StageView):
            source=connection.source,
        ).from_http(self.request)
        return self.executor.stage_ok()
    def post(self, request: HttpRequest) -> HttpResponse:
        """Wrapper for post requests"""
        return self.get(request)
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -8,16 +8,15 @@
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
        <title>{% block title %}{% trans title|default:tenant.branding_title %}{% endblock %}</title>
-        <link rel="shortcut icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}?v={{ ak_version }}">
+        <link rel="shortcut icon" type="image/png" href="{% static 'dist/assets/icons/icon.png' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly-base.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/page.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/empty-state.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/empty-state.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/spinner.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/spinner.css' %}">
        {% block head_before %}
        {% endblock %}
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}?v={{ ak_version }}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <script src="{% static 'dist/poly.js' %}?v={{ ak_version }}" type="module"></script>
+        <script src="{% static 'dist/poly.js' %}" type="module"></script>
        <script>window["polymerSkipLoadingFontRoboto"] = true;</script>
        {% block head %}
        {% endblock %}
    </head>
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -4,7 +4,7 @@
 {% load i18n %}
 {% block head %}
-<script src="{% static 'dist/AdminInterface.js' %}?v={{ ak_version }}" type="module"></script>
+<script src="{% static 'dist/AdminInterface.js' %}" type="module"></script>
 {% endblock %}
 {% block body %}
--- a/authentik/core/templates/if/end_session.html
+++ b/authentik/core/templates/if/end_session.html
@ -21,7 +21,7 @@ You've logged out of {{ application }}.
        {% endblocktrans %}
    </p>
-    <a id="ak-back-home" href="{% url 'authentik_core:if-admin' %}" class="pf-c-button pf-m-primary">{% trans 'Go back to overview' %}</a>
+    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">{% trans 'Go back to overview' %}</a>
    <a id="logout" href="{% url 'authentik_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">{% trans 'Log out of authentik' %}</a>
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@ -4,13 +4,14 @@
 {% load i18n %}
 {% block head_before %}
 {{ block.super }}
 {% if flow.compatibility_mode %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
 {% endblock %}
 {% block head %}
-<script src="{% static 'dist/FlowInterface.js' %}?v={{ ak_version }}" type="module"></script>
+<script src="{% static 'dist/FlowInterface.js' %}" type="module"></script>
 <style>
 .pf-c-background-image::before {
    --ak-flow-background: url("{{ flow.background_url }}");
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -0,0 +1,28 @@
 {% extends "base/skeleton.html" %}
 {% load static %}
 {% load i18n %}
 {% block head %}
 <script src="{% static 'dist/UserInterface.js' %}" type="module"></script>
 {% endblock %}
 {% block body %}
 <ak-message-container></ak-message-container>
 <ak-interface-user>
    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
        <div class="pf-c-empty-state" style="height: 100vh;">
            <div class="pf-c-empty-state__content">
                <span class="pf-c-spinner pf-m-xl pf-c-empty-state__icon" role="progressbar" aria-valuetext="{% trans 'Loading...' %}">
                    <span class="pf-c-spinner__clipper"></span>
                    <span class="pf-c-spinner__lead-ball"></span>
                    <span class="pf-c-spinner__tail-ball"></span>
                </span>
                <h1 class="pf-c-title pf-m-lg">
                    {% trans "Loading..." %}
                </h1>
            </div>
        </div>
    </section>
 </ak-interface-user>
 {% endblock %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -4,7 +4,7 @@
 {% load i18n %}
 {% block head_before %}
-<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}?v={{ ak_version }}">
+<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 {% endblock %}
 {% block head %}
--- a/authentik/core/tests/test_impersonation.py
+++ b/authentik/core/tests/test_impersonation.py
@ -58,4 +58,4 @@ class TestImpersonation(TestCase):
        self.client.force_login(self.other_user)
        response = self.client.get(reverse("authentik_core:impersonate-end"))
-        self.assertRedirects(response, reverse("authentik_core:if-admin"))
+        self.assertRedirects(response, reverse("authentik_core:if-user"))
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -12,7 +12,7 @@ from authentik.core.views.session import EndSessionView
 urlpatterns = [
    path(
        "",
-        login_required(RedirectView.as_view(pattern_name="authentik_core:if-admin")),
+        login_required(RedirectView.as_view(pattern_name="authentik_core:if-user")),
        name="root-redirect",
    ),
    # Impersonation
@ -32,6 +32,11 @@ urlpatterns = [
        ensure_csrf_cookie(TemplateView.as_view(template_name="if/admin.html")),
        name="if-admin",
    ),
    path(
        "if/user/",
        ensure_csrf_cookie(TemplateView.as_view(template_name="if/user.html")),
        name="if-user",
    ),
    path(
        "if/flow/<slug:flow_slug>/",
        ensure_csrf_cookie(FlowInterfaceView.as_view()),
--- a/authentik/core/views/impersonate.py
+++ b/authentik/core/views/impersonate.py
@ -28,7 +28,7 @@ class ImpersonateInitView(View):
        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
-        return redirect("authentik_core:if-admin")
+        return redirect("authentik_core:if-user")
 class ImpersonateEndView(View):
@ -41,7 +41,7 @@ class ImpersonateEndView(View):
            or SESSION_IMPERSONATE_ORIGINAL_USER not in request.session
        ):
            LOGGER.debug("Can't end impersonation", user=request.user)
-            return redirect("authentik_core:if-admin")
+            return redirect("authentik_core:if-user")
        original_user = request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
--- a/authentik/crypto/models.py
+++ b/authentik/crypto/models.py
@ -78,9 +78,7 @@ class CertificateKeyPair(CreatedUpdatedModel):
    @property
    def kid(self):
        """Get Key ID used for JWKS"""
-        return "{0}".format(
+        return md5(self.key_data.encode("utf-8")).hexdigest() if self.key_data else ""  # nosec
            md5(self.key_data.encode("utf-8")).hexdigest() if self.key_data else ""  # nosec
        )
    def __str__(self) -> str:
        return f"Certificate-Key Pair {self.name}"
--- a/authentik/events/api/notification.py
+++ b/authentik/events/api/notification.py
@ -1,8 +1,13 @@
 """Notification API Views"""
 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework import mixins
 from rest_framework.decorators import action
 from rest_framework.fields import ReadOnlyField
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import GenericViewSet
@ -53,3 +58,18 @@ class NotificationViewSet(
    ]
    permission_classes = [OwnerPermissions]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    @extend_schema(
        request=OpenApiTypes.NONE,
        responses={
            204: OpenApiResponse(description="Marked tasks as read successfully."),
        },
    )
    @action(detail=False, methods=["post"])
    def mark_all_seen(self, request: Request) -> Response:
        """Mark all the user's notifications as seen"""
        notifications = Notification.objects.filter(user=request.user)
        for notification in notifications:
            notification.seen = True
        Notification.objects.bulk_update(notifications, ["seen"])
        return Response({}, status=204)
--- a/authentik/events/api/notification_mapping.py
+++ b/authentik/events/api/notification_mapping.py
@ -0,0 +1,28 @@
 """NotificationWebhookMapping API Views"""
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.used_by import UsedByMixin
 from authentik.events.models import NotificationWebhookMapping
 class NotificationWebhookMappingSerializer(ModelSerializer):
    """NotificationWebhookMapping Serializer"""
    class Meta:
        model = NotificationWebhookMapping
        fields = [
            "pk",
            "name",
            "expression",
        ]
 class NotificationWebhookMappingViewSet(UsedByMixin, ModelViewSet):
    """NotificationWebhookMapping Viewset"""
    queryset = NotificationWebhookMapping.objects.all()
    serializer_class = NotificationWebhookMappingSerializer
    filterset_fields = ["name"]
    ordering = ["name"]
--- a/authentik/events/api/notification_transport.py
+++ b/authentik/events/api/notification_transport.py
@ -38,6 +38,7 @@ class NotificationTransportSerializer(ModelSerializer):
            "mode",
            "mode_verbose",
            "webhook_url",
            "webhook_mapping",
            "send_once",
        ]
--- a/authentik/events/apps.py
+++ b/authentik/events/apps.py
@ -1,10 +1,7 @@
 """authentik events app"""
 from datetime import timedelta
 from importlib import import_module
 from django.apps import AppConfig
 from django.db import ProgrammingError
 from django.utils.timezone import now
 class AuthentikEventsConfig(AppConfig):
@ -16,12 +13,3 @@ class AuthentikEventsConfig(AppConfig):
    def ready(self):
        import_module("authentik.events.signals")
        try:
            from authentik.events.models import Event
            date_from = now() - timedelta(days=1)
            for event in Event.objects.filter(created__gte=date_from):
                event._set_prom_metrics()
        except ProgrammingError:
            pass
--- a/authentik/events/migrations/0018_auto_20210911_2217.py
+++ b/authentik/events/migrations/0018_auto_20210911_2217.py
@ -0,0 +1,46 @@
 # Generated by Django 3.2.6 on 2021-09-11 22:17
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0028_alter_token_intent"),
        ("authentik_events", "0017_alter_event_action"),
    ]
    operations = [
        migrations.CreateModel(
            name="NotificationWebhookMapping",
            fields=[
                (
                    "propertymapping_ptr",
                    models.OneToOneField(
                        auto_created=True,
                        on_delete=django.db.models.deletion.CASCADE,
                        parent_link=True,
                        primary_key=True,
                        serialize=False,
                        to="authentik_core.propertymapping",
                    ),
                ),
            ],
            options={
                "verbose_name": "Notification Webhook Mapping",
                "verbose_name_plural": "Notification Webhook Mappings",
            },
            bases=("authentik_core.propertymapping",),
        ),
        migrations.AddField(
            model_name="notificationtransport",
            name="webhook_mapping",
            field=models.ForeignKey(
                default=None,
                null=True,
                on_delete=django.db.models.deletion.SET_DEFAULT,
                to="authentik_events.notificationwebhookmapping",
            ),
        ),
    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -2,25 +2,25 @@
 from datetime import timedelta
 from inspect import getmodule, stack
 from smtplib import SMTPException
-from typing import Optional, Union
+from typing import TYPE_CHECKING, Optional, Type, Union
 from uuid import uuid4
 from django.conf import settings
 from django.db import models
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from prometheus_client import Gauge
+from requests import RequestException
 from requests import RequestException, post
 from structlog.stdlib import get_logger
 from authentik import __version__
 from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
-from authentik.core.models import ExpiringModel, Group, User
+from authentik.core.models import ExpiringModel, Group, PropertyMapping, User
 from authentik.events.geo import GEOIP_READER
 from authentik.events.utils import cleanse_dict, get_user, model_to_dict, sanitize_dict
 from authentik.lib.sentry import SentryIgnoredException
-from authentik.lib.utils.http import get_client_ip
+from authentik.lib.utils.http import get_client_ip, get_http_session
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.stages.email.utils import TemplateEmailMessage
@ -28,11 +28,8 @@ from authentik.tenants.models import Tenant
 from authentik.tenants.utils import DEFAULT_TENANT
 LOGGER = get_logger("authentik.events")
-GAUGE_EVENTS = Gauge(
+if TYPE_CHECKING:
-    "authentik_events",
+    from rest_framework.serializers import Serializer
    "Events in authentik",
    ["action", "user_username", "app", "client_ip"],
 )
 def default_event_duration():
@ -143,8 +140,9 @@ class Event(ExpiringModel):
        `user` arguments optionally overrides user from requests."""
        if request:
            self.context["http_request"] = {
-                "path": request.get_full_path(),
+                "path": request.path,
                "method": request.method,
                "args": QueryDict(request.META.get("QUERY_STRING", "")),
            }
        if hasattr(request, "tenant"):
            tenant: Tenant = request.tenant
@ -182,14 +180,6 @@ class Event(ExpiringModel):
            return
        self.context["geo"] = city
    def _set_prom_metrics(self):
        GAUGE_EVENTS.labels(
            action=self.action,
            user_username=self.user.get("username"),
            app=self.app,
            client_ip=self.client_ip,
        ).set(self.created.timestamp())
    def save(self, *args, **kwargs):
        if self._state.adding:
            LOGGER.debug(
@ -200,7 +190,6 @@ class Event(ExpiringModel):
                user=self.user,
            )
        super().save(*args, **kwargs)
        self._set_prom_metrics()
    @property
    def summary(self) -> str:
@ -235,6 +224,9 @@ class NotificationTransport(models.Model):
    mode = models.TextField(choices=TransportMode.choices)
    webhook_url = models.TextField(blank=True)
    webhook_mapping = models.ForeignKey(
        "NotificationWebhookMapping", on_delete=models.SET_DEFAULT, null=True, default=None
    )
    send_once = models.BooleanField(
        default=False,
        help_text=_(
@ -254,15 +246,22 @@ class NotificationTransport(models.Model):
    def send_webhook(self, notification: "Notification") -> list[str]:
        """Send notification to generic webhook"""
        default_body = {
            "body": notification.body,
            "severity": notification.severity,
            "user_email": notification.user.email,
            "user_username": notification.user.username,
        }
        if self.webhook_mapping:
            default_body = self.webhook_mapping.evaluate(
                user=notification.user,
                request=None,
                notification=notification,
            )
        try:
-            response = post(
+            response = get_http_session().post(
                self.webhook_url,
-                json={
+                json=default_body,
                    "body": notification.body,
                    "severity": notification.severity,
                    "user_email": notification.user.email,
                    "user_username": notification.user.username,
                },
            )
            response.raise_for_status()
        except RequestException as exc:
@ -312,7 +311,7 @@ class NotificationTransport(models.Model):
        if notification.event:
            body["attachments"][0]["title"] = notification.event.action
        try:
-            response = post(self.webhook_url, json=body)
+            response = get_http_session().post(self.webhook_url, json=body)
            response.raise_for_status()
        except RequestException as exc:
            text = exc.response.text if exc.response else str(exc)
@ -429,3 +428,25 @@ class NotificationRule(PolicyBindingModel):
        verbose_name = _("Notification Rule")
        verbose_name_plural = _("Notification Rules")
 class NotificationWebhookMapping(PropertyMapping):
    """Modify the schema and layout of the webhook being sent"""
    @property
    def component(self) -> str:
        return "ak-property-mapping-notification-form"
    @property
    def serializer(self) -> Type["Serializer"]:
        from authentik.events.api.notification_mapping import NotificationWebhookMappingSerializer
        return NotificationWebhookMappingSerializer
    def __str__(self):
        return f"Notification Webhook Mapping {self.name}"
    class Meta:
        verbose_name = _("Notification Webhook Mapping")
        verbose_name_plural = _("Notification Webhook Mappings")
--- a/authentik/events/monitored_tasks.py
+++ b/authentik/events/monitored_tasks.py
@ -11,6 +11,7 @@ from django.core.cache import cache
 from prometheus_client import Gauge
 from authentik.events.models import Event, EventAction
 from authentik.lib.utils.errors import exception_to_string
 GAUGE_TASKS = Gauge(
    "authentik_system_tasks",
@ -174,9 +175,7 @@ class MonitoredTask(Task):
        ).save(self.result_timeout_hours)
        Event.new(
            EventAction.SYSTEM_TASK_EXCEPTION,
-            message=(
+            message=(f"Task {self.__name__} encountered an error: {exception_to_string(exc)}"),
                f"Task {self.__name__} encountered an error: " "\n".join(self._result.messages)
            ),
        ).save()
        return super().on_failure(exc, task_id, args, kwargs, einfo=einfo)
--- a/authentik/events/tests/test_api.py
+++ b/authentik/events/tests/test_api.py
@ -4,15 +4,15 @@ from django.urls import reverse
 from rest_framework.test import APITestCase
 from authentik.core.models import User
-from authentik.events.models import Event, EventAction
+from authentik.events.models import Event, EventAction, Notification, NotificationSeverity
 class TestEventsAPI(APITestCase):
    """Test Event API"""
    def setUp(self) -> None:
-        user = User.objects.get(username="akadmin")
+        self.user = User.objects.get(username="akadmin")
-        self.client.force_login(user)
+        self.client.force_login(self.user)
    def test_top_n(self):
        """Test top_per_user"""
@ -30,3 +30,14 @@ class TestEventsAPI(APITestCase):
            reverse("authentik_api:event-actions"),
        )
        self.assertEqual(response.status_code, 200)
    def test_notifications(self):
        """Test notifications"""
        notification = Notification.objects.create(
            user=self.user, severity=NotificationSeverity.ALERT, body="", seen=False
        )
        self.client.post(
            reverse("authentik_api:notification-mark-all-seen"),
        )
        notification.refresh_from_db()
        self.assertTrue(notification.seen)
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -7,10 +7,10 @@ from django.http.response import HttpResponseBadRequest, JsonResponse
 from django.urls import reverse
 from django.utils.translation import gettext as _
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import BooleanField, FileField, ReadOnlyField
+from rest_framework.fields import ReadOnlyField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -20,7 +20,12 @@ from structlog.stdlib import get_logger
 from authentik.api.decorators import permission_required
 from authentik.core.api.used_by import UsedByMixin
-from authentik.core.api.utils import CacheSerializer, LinkSerializer
+from authentik.core.api.utils import (
    CacheSerializer,
    FilePathSerializer,
    FileUploadSerializer,
    LinkSerializer,
 )
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import Flow
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner, cache_key
@ -147,7 +152,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
        ],
    )
    @extend_schema(
-        request={"multipart/form-data": inline_serializer("SetIcon", fields={"file": FileField()})},
+        request={"multipart/form-data": FileUploadSerializer},
        responses={
            204: OpenApiResponse(description="Successfully imported flow"),
            400: OpenApiResponse(description="Bad request"),
@ -259,13 +264,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_flows.change_flow")
    @extend_schema(
        request={
-            "multipart/form-data": inline_serializer(
+            "multipart/form-data": FileUploadSerializer,
                "SetIcon",
                fields={
                    "file": FileField(required=False),
                    "clear": BooleanField(default=False),
                },
            )
        },
        responses={
            200: OpenApiResponse(description="Success"),
@ -301,7 +300,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
    @permission_required("authentik_core.change_application")
    @extend_schema(
-        request=inline_serializer("SetIconURL", fields={"url": CharField()}),
+        request=FilePathSerializer,
        responses={
            200: OpenApiResponse(description="Success"),
            400: OpenApiResponse(description="Bad request"),
--- a/authentik/flows/api/stages.py
+++ b/authentik/flows/api/stages.py
@ -86,7 +86,7 @@ class StageViewSet(
    @action(detail=False, pagination_class=None, filter_backends=[])
    def user_settings(self, request: Request) -> Response:
        """Get all stages the user can configure"""
-        _all_stages: Iterable[Stage] = Stage.objects.all().select_subclasses()
+        _all_stages: Iterable[Stage] = Stage.objects.all().select_subclasses().order_by("name")
        matching_stages: list[dict] = []
        for stage in _all_stages:
            user_settings = stage.ui_user_settings
--- a/authentik/flows/management/commands/benchmark.py
+++ b/authentik/flows/management/commands/benchmark.py
@ -31,6 +31,7 @@ class FlowPlanProcess(PROCESS_CLASS):  # pragma: no cover
        self.request = RequestFactory().get("/")
    def run(self):
        """Execute 1000 flow plans"""
        print(f"Proc {self.index} Running")
        def test_inner():
--- a/authentik/flows/migrations/0024_alter_flow_compatibility_mode.py
+++ b/authentik/flows/migrations/0024_alter_flow_compatibility_mode.py
@ -0,0 +1,21 @@
 # Generated by Django 3.2.6 on 2021-08-30 14:49
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_flows", "0023_alter_flow_background"),
    ]
    operations = [
        migrations.AlterField(
            model_name="flow",
            name="compatibility_mode",
            field=models.BooleanField(
                default=False,
                help_text="Enable compatibility mode, increases compatibility with password managers on mobile devices.",
            ),
        ),
    ]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -125,7 +125,7 @@ class Flow(SerializerModel, PolicyBindingModel):
    )
    compatibility_mode = models.BooleanField(
-        default=True,
+        default=False,
        help_text=_(
            "Enable compatibility mode, increases compatibility with "
            "password managers on mobile devices."
--- a/authentik/flows/tests/test_stage_views.py
+++ b/authentik/flows/tests/test_stage_views.py
@ -0,0 +1,31 @@
 """stage view tests"""
 from typing import Callable, Type
 from django.test import RequestFactory, TestCase
 from authentik.flows.stage import StageView
 from authentik.flows.views import FlowExecutorView
 from authentik.lib.utils.reflection import all_subclasses
 class TestViews(TestCase):
    """Generic model properties tests"""
    def setUp(self) -> None:
        self.factory = RequestFactory()
        self.exec = FlowExecutorView(request=self.factory.get("/"))
 def view_tester_factory(view_class: Type[StageView]) -> Callable:
    """Test a form"""
    def tester(self: TestViews):
        model_class = view_class(self.exec)
        self.assertIsNotNone(model_class.post)
        self.assertIsNotNone(model_class.get)
    return tester
 for view in all_subclasses(StageView):
    setattr(TestViews, f"test_view_{view.__name__}", view_tester_factory(view))
--- a/authentik/flows/tests/test_views.py
+++ b/authentik/flows/tests/test_views.py
@ -2,10 +2,10 @@
 from unittest.mock import MagicMock, PropertyMock, patch
 from django.http import HttpRequest, HttpResponse
 from django.test import TestCase
 from django.test.client import RequestFactory
 from django.urls import reverse
 from django.utils.encoding import force_str
 from rest_framework.test import APITestCase
 from authentik.core.models import User
 from authentik.flows.challenge import ChallengeTypes
@ -37,7 +37,7 @@ def to_stage_response(request: HttpRequest, source: HttpResponse):
 TO_STAGE_RESPONSE_MOCK = MagicMock(side_effect=to_stage_response)
-class TestFlowExecutor(TestCase):
+class TestFlowExecutor(APITestCase):
    """Test views logic"""
    def setUp(self):
--- a/authentik/flows/tests/test_views_helper.py
+++ b/authentik/flows/tests/test_views_helper.py
@ -1,5 +1,5 @@
 """flow views tests"""
-from django.test import Client, TestCase
+from django.test import TestCase
 from django.urls import reverse
 from authentik.flows.models import Flow, FlowDesignation
@ -10,9 +10,6 @@ from authentik.flows.views import SESSION_KEY_PLAN
 class TestHelperView(TestCase):
    """Test helper views logic"""
    def setUp(self):
        self.client = Client()
    def test_default_view(self):
        """Test that ToDefaultFlow returns the expected URL"""
        flow = Flow.objects.filter(
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -9,7 +9,9 @@ postgresql:
 web:
  listen: 0.0.0.0:9000
  listen_tls: 0.0.0.0:9443
  listen_metrics: 0.0.0.0:9300
  load_local_files: false
  outpost_port_offset: 0
 redis:
  host: localhost
@ -54,6 +56,7 @@ outposts:
  # %(build_hash)s: Build hash if you're running a beta version
  docker_image_base: "ghcr.io/goauthentik/%(type)s:%(version)s"
 disable_update_check: false
 avatars: env://AUTHENTIK_AUTHENTIK__AVATARS?gravatar
 geoip: "./GeoLite2-City.mmdb"
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -4,13 +4,13 @@ from textwrap import indent
 from typing import Any, Iterable, Optional
 from django.core.exceptions import FieldError
 from requests import Session
 from rest_framework.serializers import ValidationError
 from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import get_logger
 from authentik.core.models import User
 from authentik.lib.utils.http import get_http_session
 LOGGER = get_logger()
@ -35,7 +35,7 @@ class BaseEvaluator:
            "ak_is_group_member": BaseEvaluator.expr_is_group_member,
            "ak_user_by": BaseEvaluator.expr_user_by,
            "ak_logger": get_logger(),
-            "requests": Session(),
+            "requests": get_http_session(),
        }
        self._context = {}
        self._filename = "BaseEvalautor"
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -1,9 +1,13 @@
 """http helpers"""
 from os import environ
 from typing import Any, Optional
 from django.http import HttpRequest
 from requests.sessions import Session
 from structlog.stdlib import get_logger
 from authentik import ENV_GIT_HASH_KEY, __version__
 OUTPOST_REMOTE_IP_HEADER = "HTTP_X_AUTHENTIK_REMOTE_IP"
 OUTPOST_TOKEN_HEADER = "HTTP_X_AUTHENTIK_OUTPOST_TOKEN"  # nosec
 DEFAULT_IP = "255.255.255.255"
@ -60,3 +64,16 @@ def get_client_ip(request: Optional[HttpRequest]) -> str:
    if override:
        return override
    return _get_client_ip_from_meta(request.META)
 def authentik_user_agent() -> str:
    """Get a common user agent"""
    build = environ.get(ENV_GIT_HASH_KEY, "tagged")
    return f"authentik@{__version__} (build={build})"
 def get_http_session() -> Session:
    """Get a requests session with common headers"""
    session = Session()
    session.headers["User-Agent"] = authentik_user_agent()
    return session
--- a/authentik/outposts/channels.py
+++ b/authentik/outposts/channels.py
@ -15,7 +15,7 @@ from authentik.core.channels import AuthJsonConsumer
 from authentik.outposts.models import OUTPOST_HELLO_INTERVAL, Outpost, OutpostState
 GAUGE_OUTPOSTS_CONNECTED = Gauge(
-    "authentik_outposts_connected", "Currently connected outposts", ["outpost", "uid"]
+    "authentik_outposts_connected", "Currently connected outposts", ["outpost", "uid", "expected"]
 )
 GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
    "authentik_outposts_last_update",
@ -76,6 +76,7 @@ class OutpostConsumer(AuthJsonConsumer):
            GAUGE_OUTPOSTS_CONNECTED.labels(
                outpost=self.outpost.name,
                uid=self.last_uid,
                expected=self.outpost.config.kubernetes_replicas,
            ).dec()
        LOGGER.debug(
            "removed outpost instance from cache",
@ -100,6 +101,7 @@ class OutpostConsumer(AuthJsonConsumer):
            GAUGE_OUTPOSTS_CONNECTED.labels(
                outpost=self.outpost.name,
                uid=self.last_uid,
                expected=self.outpost.config.kubernetes_replicas,
            ).inc()
            LOGGER.debug(
                "added outpost instace to cache",
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@ -29,7 +29,9 @@ class DockerController(BaseController):
            raise ControllerException from exc
    def _get_labels(self) -> dict[str, str]:
-        return {}
+        return {
            "io.goauthentik.outpost-uuid": self.outpost.pk.hex,
        }
    def _get_env(self) -> dict[str, str]:
        return {
@ -49,6 +51,17 @@ class DockerController(BaseController):
                return True
        return False
    def _comp_labels(self, container: Container) -> bool:
        """Check if container's labels is equal to what we would set. Return true if container needs
        to be rebuilt."""
        should_be = self._get_labels()
        for key, expected_value in should_be.items():
            if key not in container.labels:
                return True
            if container.labels[key] != expected_value:
                return True
        return False
    def _comp_ports(self, container: Container) -> bool:
        """Check that the container has the correct ports exposed. Return true if container needs
        to be rebuilt."""
@ -92,9 +105,11 @@ class DockerController(BaseController):
                "environment": self._get_env(),
                "labels": self._get_labels(),
                "restart_policy": {"Name": "unless-stopped"},
                "network": self.outpost.config.docker_network,
            }
            if settings.TEST:
                del container_args["ports"]
                del container_args["network"]
                container_args["network_mode"] = "host"
            return (
                self.client.containers.create(**container_args),
@ -133,6 +148,11 @@ class DockerController(BaseController):
                self.logger.info("Container has outdated config, re-creating...")
                self.down()
                return self.up(depth + 1)
            # Check that container values match our values
            if self._comp_labels(container):
                self.logger.info("Container has outdated labels, re-creating...")
                self.down()
                return self.up(depth + 1)
            if (
                container.attrs.get("HostConfig", {})
                .get("RestartPolicy", {})
--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@ -3,10 +3,11 @@ from typing import TYPE_CHECKING, Generic, TypeVar
 from django.utils.text import slugify
 from kubernetes.client import V1ObjectMeta
 from kubernetes.client.exceptions import ApiException, OpenApiException
 from kubernetes.client.models.v1_deployment import V1Deployment
 from kubernetes.client.models.v1_pod import V1Pod
 from kubernetes.client.rest import ApiException
 from structlog.stdlib import get_logger
 from urllib3.exceptions import HTTPError
 from authentik import __version__
 from authentik.lib.sentry import SentryIgnoredException
@ -72,8 +73,9 @@ class KubernetesObjectReconciler(Generic[T]):
        try:
            try:
                current = self.retrieve()
-            except ApiException as exc:
+            except (OpenApiException, HTTPError) as exc:
-                if exc.status == 404:
+                # pylint: disable=no-member
                if isinstance(exc, ApiException) and exc.status == 404:
                    self.logger.debug("Failed to get current, triggering recreate")
                    raise NeedsRecreate from exc
                self.logger.debug("Other unhandled error", exc=exc)
@ -104,8 +106,9 @@ class KubernetesObjectReconciler(Generic[T]):
            current = self.retrieve()
            self.delete(current)
            self.logger.debug("Removing")
-        except ApiException as exc:
+        except (OpenApiException, HTTPError) as exc:
-            if exc.status == 404:
+            # pylint: disable=no-member
            if isinstance(exc, ApiException) and exc.status == 404:
                self.logger.debug("Failed to get current, assuming non-existant")
                return
            self.logger.debug("Other unhandled error", exc=exc)
--- a/authentik/outposts/controllers/k8s/service.py
+++ b/authentik/outposts/controllers/k8s/service.py
@ -3,8 +3,8 @@ from typing import TYPE_CHECKING
 from kubernetes.client import CoreV1Api, V1Service, V1ServicePort, V1ServiceSpec
-from authentik.outposts.controllers.base import FIELD_MANAGER, DeploymentPort
+from authentik.outposts.controllers.base import FIELD_MANAGER
-from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler, NeedsUpdate
+from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler, NeedsRecreate
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 if TYPE_CHECKING:
@ -21,44 +21,13 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
    def reconcile(self, current: V1Service, reference: V1Service):
        super().reconcile(current, reference)
        if len(current.spec.ports) != len(reference.spec.ports):
-            raise NeedsUpdate()
+            raise NeedsRecreate()
        for port in reference.spec.ports:
            if port not in current.spec.ports:
-                raise NeedsUpdate()
+                raise NeedsRecreate()
    def get_embedded_reference_object(self) -> V1Service:
        """Get Service for embedded outpost"""
        selector_labels = {
            "app.kubernetes.io/name": "authentik",
            "app.kubernetes.io/component": "server",
        }
        meta = self.get_object_meta(name=self.name)
        ports = []
        for port in [
            DeploymentPort(9000, "http", "tcp"),
            DeploymentPort(9443, "https", "tcp"),
        ]:
            ports.append(
                V1ServicePort(
                    name=port.name,
                    port=port.port,
                    protocol=port.protocol.upper(),
                    target_port=port.inner_port or port.port,
                )
            )
        return V1Service(
            metadata=meta,
            spec=V1ServiceSpec(
                ports=ports,
                selector=selector_labels,
                type=self.controller.outpost.config.kubernetes_service_type,
            ),
        )
    def get_reference_object(self) -> V1Service:
        """Get deployment object for outpost"""
        if self.is_embedded:
            return self.get_embedded_reference_object()
        meta = self.get_object_meta(name=self.name)
        ports = []
        for port in self.controller.deployment_ports:
@ -70,7 +39,13 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
                    target_port=port.inner_port or port.port,
                )
            )
-        selector_labels = DeploymentReconciler(self.controller).get_pod_meta()
+        if self.is_embedded:
            selector_labels = {
                "app.kubernetes.io/name": "authentik",
                "app.kubernetes.io/component": "server",
            }
        else:
            selector_labels = DeploymentReconciler(self.controller).get_pod_meta()
        return V1Service(
            metadata=meta,
            spec=V1ServiceSpec(
--- a/authentik/outposts/controllers/k8s/service_monitor.py
+++ b/authentik/outposts/controllers/k8s/service_monitor.py
@ -0,0 +1,150 @@
 """Kubernetes Prometheus ServiceMonitor Reconciler"""
 from dataclasses import asdict, dataclass, field
 from typing import TYPE_CHECKING
 from dacite import from_dict
 from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 if TYPE_CHECKING:
    from authentik.outposts.controllers.kubernetes import KubernetesController
@dataclass
 class PrometheusServiceMonitorSpecEndpoint:
    """Prometheus ServiceMonitor endpoint spec"""
    port: str
    path: str = field(default="/metrics")
@dataclass
 class PrometheusServiceMonitorSpecSelector:
    """Prometheus ServiceMonitor selector spec"""
    # pylint: disable=invalid-name
    matchLabels: dict
@dataclass
 class PrometheusServiceMonitorSpec:
    """Prometheus ServiceMonitor spec"""
    endpoints: list[PrometheusServiceMonitorSpecEndpoint]
    # pylint: disable=invalid-name
    selector: PrometheusServiceMonitorSpecSelector
@dataclass
 class PrometheusServiceMonitorMetadata:
    """Prometheus ServiceMonitor metadata"""
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)
@dataclass
 class PrometheusServiceMonitor:
    """Prometheus ServiceMonitor"""
    # pylint: disable=invalid-name
    apiVersion: str
    kind: str
    metadata: PrometheusServiceMonitorMetadata
    spec: PrometheusServiceMonitorSpec
 CRD_NAME = "servicemonitors.monitoring.coreos.com"
 CRD_GROUP = "monitoring.coreos.com"
 CRD_VERSION = "v1"
 CRD_PLURAL = "servicemonitors"
 class PrometheusServiceMonitorReconciler(KubernetesObjectReconciler[PrometheusServiceMonitor]):
    """Kubernetes Prometheus ServiceMonitor Reconciler"""
    def __init__(self, controller: "KubernetesController") -> None:
        super().__init__(controller)
        self.api_ex = ApiextensionsV1Api(controller.client)
        self.api = CustomObjectsApi(controller.client)
    @property
    def noop(self) -> bool:
        return (not self._crd_exists()) or (self.is_embedded)
    def _crd_exists(self) -> bool:
        """Check if the Prometheus ServiceMonitor exists"""
        return bool(
            len(
                self.api_ex.list_custom_resource_definition(
                    field_selector=f"metadata.name={CRD_NAME}"
                ).items
            )
        )
    def get_reference_object(self) -> PrometheusServiceMonitor:
        """Get service monitor object for outpost"""
        return PrometheusServiceMonitor(
            apiVersion=f"{CRD_GROUP}/{CRD_VERSION}",
            kind="ServiceMonitor",
            metadata=PrometheusServiceMonitorMetadata(
                name=self.name,
                namespace=self.namespace,
                labels=self.get_object_meta().labels,
            ),
            spec=PrometheusServiceMonitorSpec(
                endpoints=[
                    PrometheusServiceMonitorSpecEndpoint(
                        port="http-metrics",
                    )
                ],
                selector=PrometheusServiceMonitorSpecSelector(
                    matchLabels=self.get_object_meta(name=self.name).labels,
                ),
            ),
        )
    def create(self, reference: PrometheusServiceMonitor):
        return self.api.create_namespaced_custom_object(
            group=CRD_GROUP,
            version=CRD_VERSION,
            plural=CRD_PLURAL,
            namespace=self.namespace,
            body=asdict(reference),
            field_manager=FIELD_MANAGER,
        )
    def delete(self, reference: PrometheusServiceMonitor):
        return self.api.delete_namespaced_custom_object(
            group=CRD_GROUP,
            version=CRD_VERSION,
            namespace=self.namespace,
            plural=CRD_PLURAL,
            name=self.name,
        )
    def retrieve(self) -> PrometheusServiceMonitor:
        return from_dict(
            PrometheusServiceMonitor,
            self.api.get_namespaced_custom_object(
                group=CRD_GROUP,
                version=CRD_VERSION,
                namespace=self.namespace,
                plural=CRD_PLURAL,
                name=self.name,
            ),
        )
    def update(self, current: PrometheusServiceMonitor, reference: PrometheusServiceMonitor):
        return self.api.patch_namespaced_custom_object(
            group=CRD_GROUP,
            version=CRD_VERSION,
            namespace=self.namespace,
            plural=CRD_PLURAL,
            name=self.name,
            body=asdict(reference),
            field_manager=FIELD_MANAGER,
        )
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@ -3,8 +3,9 @@ from io import StringIO
 from typing import Type
 from kubernetes.client.api_client import ApiClient
-from kubernetes.client.exceptions import ApiException
+from kubernetes.client.exceptions import OpenApiException
 from structlog.testing import capture_logs
 from urllib3.exceptions import HTTPError
 from yaml import dump_all
 from authentik.outposts.controllers.base import BaseController, ControllerException
@ -12,7 +13,8 @@ from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.k8s.secret import SecretReconciler
 from authentik.outposts.controllers.k8s.service import ServiceReconciler
-from authentik.outposts.models import KubernetesServiceConnection, Outpost
+from authentik.outposts.controllers.k8s.service_monitor import PrometheusServiceMonitorReconciler
 from authentik.outposts.models import KubernetesServiceConnection, Outpost, ServiceConnectionInvalid
 class KubernetesController(BaseController):
@ -31,8 +33,9 @@ class KubernetesController(BaseController):
            "secret": SecretReconciler,
            "deployment": DeploymentReconciler,
            "service": ServiceReconciler,
            "prometheus servicemonitor": PrometheusServiceMonitorReconciler,
        }
-        self.reconcile_order = ["secret", "deployment", "service"]
+        self.reconcile_order = ["secret", "deployment", "service", "prometheus servicemonitor"]
    def up(self):
        try:
@ -40,7 +43,7 @@ class KubernetesController(BaseController):
                reconciler = self.reconcilers[reconcile_key](self)
                reconciler.up()
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
            raise ControllerException(str(exc)) from exc
    def up_with_logs(self) -> list[str]:
@ -55,7 +58,7 @@ class KubernetesController(BaseController):
                    reconciler.up()
                all_logs += [f"{reconcile_key.title()}: {x['event']}" for x in logs]
            return all_logs
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
            raise ControllerException(str(exc)) from exc
    def down(self):
@ -65,7 +68,7 @@ class KubernetesController(BaseController):
                self.logger.debug("Tearing down object", name=reconcile_key)
                reconciler.down()
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
            raise ControllerException(str(exc)) from exc
    def down_with_logs(self) -> list[str]:
@ -80,7 +83,7 @@ class KubernetesController(BaseController):
                    reconciler.down()
                all_logs += [f"{reconcile_key.title()}: {x['event']}" for x in logs]
            return all_logs
-        except ApiException as exc:
+        except (OpenApiException, HTTPError, ServiceConnectionInvalid) as exc:
            raise ControllerException(str(exc)) from exc
    def get_static_deployment(self) -> str:
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -56,6 +56,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
@dataclass
 # pylint: disable=too-many-instance-attributes
 class OutpostConfig:
    """Configuration an outpost uses to configure it self"""
@ -67,8 +68,10 @@ class OutpostConfig:
    log_level: str = CONFIG.y("log_level")
    error_reporting_enabled: bool = CONFIG.y_bool("error_reporting.enabled")
    error_reporting_environment: str = CONFIG.y("error_reporting.environment", "customer")
    object_naming_template: str = field(default="ak-outpost-%(name)s")
    docker_network: Optional[str] = field(default=None)
    kubernetes_replicas: int = field(default=1)
    kubernetes_namespace: str = field(default_factory=get_namespace)
    kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
@ -362,7 +365,7 @@ class Outpost(ManagedModel):
                    )
                    try:
                        assign_perm(code_name, user, model_or_perm)
-                    except Permission.DoesNotExist as exc:
+                    except (Permission.DoesNotExist, AttributeError) as exc:
                        LOGGER.warning(
                            "permission doesn't exist",
                            code_name=code_name,
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -100,7 +100,7 @@ def outpost_controller(
    if from_cache:
        outpost: Outpost = cache.get(CACHE_KEY_OUTPOST_DOWN % outpost_pk)
    else:
-        outpost: Outpost = Outpost.objects.get(pk=outpost_pk)
+        outpost: Outpost = Outpost.objects.filter(pk=outpost_pk).first()
    if not outpost:
        return
    self.set_uid(slugify(outpost.name))
@ -148,10 +148,7 @@ def outpost_post_save(model_class: str, model_pk: Any):
        return
    if isinstance(instance, Outpost):
-        LOGGER.debug("Ensuring token and permissions for outpost", instance=instance)
+        LOGGER.debug("Trigger reconcile for outpost", instance=instance)
        _ = instance.token
        _ = instance.user
        LOGGER.debug("Trigger reconcile for outpost")
        outpost_controller.delay(instance.pk)
    if isinstance(instance, (OutpostModel, Outpost)):
--- a/authentik/policies/engine.py
+++ b/authentik/policies/engine.py
@ -81,11 +81,11 @@ class PolicyEngine:
            .iterator()
        )
-    def _check_policy_type(self, policy: Policy):
+    def _check_policy_type(self, binding: PolicyBinding):
        """Check policy type, make sure it's not the root class as that has no logic implemented"""
        # pyright: reportGeneralTypeIssues=false
-        if policy.__class__ == Policy:
+        if binding.policy is not None and binding.policy.__class__ == Policy:
-            raise TypeError(f"Policy '{policy}' is root type")
+            raise TypeError(f"Policy '{binding.policy}' is root type")
    def build(self) -> "PolicyEngine":
        """Build wrapper which monitors performance"""
@ -102,7 +102,7 @@ class PolicyEngine:
            for binding in self._iter_bindings():
                self.__expected_result_count += 1
-                self._check_policy_type(binding.policy)
+                self._check_policy_type(binding)
                key = cache_key(binding, self.request)
                cached_policy = cache.get(key, None)
                if cached_policy and self.use_cache:
--- a/authentik/policies/hibp/models.py
+++ b/authentik/policies/hibp/models.py
@ -3,10 +3,10 @@ from hashlib import sha1
 from django.db import models
 from django.utils.translation import gettext as _
 from requests import get
 from rest_framework.serializers import BaseSerializer
 from structlog.stdlib import get_logger
 from authentik.lib.utils.http import get_http_session
 from authentik.policies.models import Policy, PolicyResult
 from authentik.policies.types import PolicyRequest
@ -49,7 +49,7 @@ class HaveIBeenPwendPolicy(Policy):
        pw_hash = sha1(password.encode("utf-8")).hexdigest()  # nosec
        url = f"https://api.pwnedpasswords.com/range/{pw_hash[:5]}"
-        result = get(url).text
+        result = get_http_session().get(url).text
        final_count = 0
        for line in result.split("\r\n"):
            full_hash, count = line.split(":")
--- a/authentik/policies/password/models.py
+++ b/authentik/policies/password/models.py
@ -8,8 +8,11 @@ from structlog.stdlib import get_logger
 from authentik.policies.models import Policy
 from authentik.policies.types import PolicyRequest, PolicyResult
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 LOGGER = get_logger()
 RE_LOWER = re.compile("[a-z]")
 RE_UPPER = re.compile("[A-Z]")
 class PasswordPolicy(Policy):
@ -38,31 +41,42 @@ class PasswordPolicy(Policy):
        return "ak-policy-password-form"
    def passes(self, request: PolicyRequest) -> PolicyResult:
-        if self.password_field not in request.context:
+        if (
            self.password_field not in request.context
            and self.password_field not in request.context.get(PLAN_CONTEXT_PROMPT, {})
        ):
            LOGGER.warning(
                "Password field not set in Policy Request",
                field=self.password_field,
                fields=request.context.keys(),
                prompt_fields=request.context.get(PLAN_CONTEXT_PROMPT, {}).keys(),
            )
            return PolicyResult(False, _("Password not set in context"))
        password = request.context[self.password_field]
-        filter_regex = []
+        if self.password_field in request.context:
-        if self.amount_lowercase > 0:
+            password = request.context[self.password_field]
-            filter_regex.append(r"[a-z]{%d,}" % self.amount_lowercase)
+        else:
-        if self.amount_uppercase > 0:
+            password = request.context[PLAN_CONTEXT_PROMPT][self.password_field]
-            filter_regex.append(r"[A-Z]{%d,}" % self.amount_uppercase)
+
        if len(password) < self.length_min:
            LOGGER.debug("password failed", reason="length")
            return PolicyResult(False, self.error_message)
        if self.amount_lowercase > 0 and len(RE_LOWER.findall(password)) < self.amount_lowercase:
            LOGGER.debug("password failed", reason="amount_lowercase")
            return PolicyResult(False, self.error_message)
        if self.amount_uppercase > 0 and len(RE_UPPER.findall(password)) < self.amount_lowercase:
            LOGGER.debug("password failed", reason="amount_uppercase")
            return PolicyResult(False, self.error_message)
        if self.amount_symbols > 0:
-            filter_regex.append(r"[%s]{%d,}" % (self.symbol_charset, self.amount_symbols))
+            count = 0
-        full_regex = "|".join(filter_regex)
+            for symbol in self.symbol_charset:
-        LOGGER.debug("Built regex", regexp=full_regex)
+                count += password.count(symbol)
-        result = bool(re.compile(full_regex).match(password))
+            if count < self.amount_symbols:
                LOGGER.debug("password failed", reason="amount_symbols")
                return PolicyResult(False, self.error_message)
-        result = result and len(password) >= self.length_min
+        return PolicyResult(True)
        if not result:
            return PolicyResult(result, self.error_message)
        return PolicyResult(result)
    class Meta:
--- a/authentik/policies/password/tests.py
+++ b/authentik/policies/password/tests.py
@ -1,57 +0,0 @@
 """Password Policy tests"""
 from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user
 from authentik.policies.password.models import PasswordPolicy
 from authentik.policies.types import PolicyRequest, PolicyResult
 class TestPasswordPolicy(TestCase):
    """Test Password Policy"""
    def test_invalid(self):
        """Test without password"""
        policy = PasswordPolicy.objects.create(
            name="test_invalid",
            amount_uppercase=1,
            amount_lowercase=2,
            amount_symbols=3,
            length_min=24,
            error_message="test message",
        )
        request = PolicyRequest(get_anonymous_user())
        result: PolicyResult = policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages[0], "Password not set in context")
    def test_false(self):
        """Failing password case"""
        policy = PasswordPolicy.objects.create(
            name="test_false",
            amount_uppercase=1,
            amount_lowercase=2,
            amount_symbols=3,
            length_min=24,
            error_message="test message",
        )
        request = PolicyRequest(get_anonymous_user())
        request.context["password"] = "test"
        result: PolicyResult = policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages, ("test message",))
    def test_true(self):
        """Positive password case"""
        policy = PasswordPolicy.objects.create(
            name="test_true",
            amount_uppercase=1,
            amount_lowercase=2,
            amount_symbols=3,
            length_min=3,
            error_message="test message",
        )
        request = PolicyRequest(get_anonymous_user())
        request.context["password"] = "Test()!"
        result: PolicyResult = policy.passes(request)
        self.assertTrue(result.passing)
        self.assertEqual(result.messages, tuple())
--- a/authentik/policies/password/tests/init.py
+++ b/authentik/policies/password/tests/init.py
--- a/authentik/policies/password/tests/test_flows.py
+++ b/authentik/policies/password/tests/test_flows.py
@ -0,0 +1,80 @@
 """Password flow tests"""
 from django.urls.base import reverse
 from django.utils.encoding import force_str
 from rest_framework.test import APITestCase
 from authentik.core.models import User
 from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.policies.password.models import PasswordPolicy
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 class TestPasswordPolicyFlow(APITestCase):
    """Test Password Policy"""
    def setUp(self) -> None:
        self.user = User.objects.create(username="unittest", email="test@beryju.org")
        self.flow = Flow.objects.create(
            name="test-prompt",
            slug="test-prompt",
            designation=FlowDesignation.AUTHENTICATION,
        )
        password_prompt = Prompt.objects.create(
            field_key="password",
            label="PASSWORD_LABEL",
            type=FieldTypes.PASSWORD,
            required=True,
            placeholder="PASSWORD_PLACEHOLDER",
        )
        self.policy = PasswordPolicy.objects.create(
            name="test_true",
            amount_uppercase=1,
            amount_lowercase=2,
            amount_symbols=3,
            length_min=3,
            error_message="test message",
        )
        stage = PromptStage.objects.create(name="prompt-stage")
        stage.validation_policies.set([self.policy])
        stage.fields.set(
            [
                password_prompt,
            ]
        )
        FlowStageBinding.objects.create(target=self.flow, stage=stage, order=2)
    def test_prompt_data(self):
        """Test policy attached to a prompt stage"""
        response = self.client.post(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
            {"password": "akadmin"},
        )
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(
            force_str(response.content),
            {
                "component": "ak-stage-prompt",
                "fields": [
                    {
                        "field_key": "password",
                        "label": "PASSWORD_LABEL",
                        "order": 0,
                        "placeholder": "PASSWORD_PLACEHOLDER",
                        "required": True,
                        "type": "password",
                    }
                ],
                "flow_info": {
                    "background": self.flow.background_url,
                    "cancel_url": reverse("authentik_flows:cancel"),
                    "title": "",
                },
                "response_errors": {
                    "non_field_errors": [{"code": "invalid", "string": self.policy.error_message}]
                },
                "type": ChallengeTypes.NATIVE.value,
            },
        )
--- a/authentik/policies/password/tests/test_policy.py
+++ b/authentik/policies/password/tests/test_policy.py
@ -0,0 +1,68 @@
 """Password Policy tests"""
 from django.test import TestCase
 from guardian.shortcuts import get_anonymous_user
 from authentik.lib.generators import generate_key
 from authentik.policies.password.models import PasswordPolicy
 from authentik.policies.types import PolicyRequest, PolicyResult
 class TestPasswordPolicy(TestCase):
    """Test Password Policy"""
    def setUp(self) -> None:
        self.policy = PasswordPolicy.objects.create(
            name="test_false",
            amount_uppercase=1,
            amount_lowercase=2,
            amount_symbols=3,
            length_min=24,
            error_message="test message",
        )
    def test_invalid(self):
        """Test without password"""
        request = PolicyRequest(get_anonymous_user())
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages[0], "Password not set in context")
    def test_failed_length(self):
        """Password too short"""
        request = PolicyRequest(get_anonymous_user())
        request.context["password"] = "test"
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages, ("test message",))
    def test_failed_lowercase(self):
        """not enough lowercase"""
        request = PolicyRequest(get_anonymous_user())
        request.context["password"] = "TTTTTTTTTTTTTTTTTTTTTTTe"
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages, ("test message",))
    def test_failed_uppercase(self):
        """not enough uppercase"""
        request = PolicyRequest(get_anonymous_user())
        request.context["password"] = "tttttttttttttttttttttttE"
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages, ("test message",))
    def test_failed_symbols(self):
        """not enough uppercase"""
        request = PolicyRequest(get_anonymous_user())
        request.context["password"] = "TETETETETETETETETETETETETe!!!"
        result: PolicyResult = self.policy.passes(request)
        self.assertFalse(result.passing)
        self.assertEqual(result.messages, ("test message",))
    def test_true(self):
        """Positive password case"""
        request = PolicyRequest(get_anonymous_user())
        request.context["password"] = generate_key() + "ee!!!"
        result: PolicyResult = self.policy.passes(request)
        self.assertTrue(result.passing)
        self.assertEqual(result.messages, tuple())
--- a/authentik/providers/ldap/api.py
+++ b/authentik/providers/ldap/api.py
@ -29,7 +29,19 @@ class LDAPProviderViewSet(UsedByMixin, ModelViewSet):
    queryset = LDAPProvider.objects.all()
    serializer_class = LDAPProviderSerializer
-    filterset_fields = "__all__"
+    filterset_fields = {
        "application": ["isnull"],
        "name": ["iexact"],
        "authorization_flow__slug": ["iexact"],
        "base_dn": ["iexact"],
        "search_group__group_uuid": ["iexact"],
        "search_group__name": ["iexact"],
        "certificate__kp_uuid": ["iexact"],
        "certificate__name": ["iexact"],
        "tls_server_name": ["iexact"],
        "uid_start_number": ["iexact"],
        "gid_start_number": ["iexact"],
    }
    ordering = ["name"]
--- a/authentik/providers/ldap/controllers/docker.py
+++ b/authentik/providers/ldap/controllers/docker.py
@ -12,4 +12,5 @@ class LDAPDockerController(DockerController):
        self.deployment_ports = [
            DeploymentPort(389, "ldap", "tcp", 3389),
            DeploymentPort(636, "ldaps", "tcp", 6636),
            DeploymentPort(9300, "http-metrics", "tcp", 9300),
        ]
--- a/authentik/providers/ldap/controllers/kubernetes.py
+++ b/authentik/providers/ldap/controllers/kubernetes.py
@ -12,4 +12,5 @@ class LDAPKubernetesController(KubernetesController):
        self.deployment_ports = [
            DeploymentPort(389, "ldap", "tcp", 3389),
            DeploymentPort(636, "ldaps", "tcp", 6636),
            DeploymentPort(9300, "http-metrics", "tcp", 9300),
        ]
--- a/authentik/providers/oauth2/api/provider.py
+++ b/authentik/providers/oauth2/api/provider.py
@ -3,7 +3,7 @@ from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
-from rest_framework.fields import ReadOnlyField
+from rest_framework.fields import CharField
 from rest_framework.generics import get_object_or_404
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -49,12 +49,12 @@ class OAuth2ProviderSerializer(ProviderSerializer):
 class OAuth2ProviderSetupURLs(PassiveSerializer):
    """OAuth2 Provider Metadata serializer"""
-    issuer = ReadOnlyField()
+    issuer = CharField(read_only=True)
-    authorize = ReadOnlyField()
+    authorize = CharField(read_only=True)
-    token = ReadOnlyField()
+    token = CharField(read_only=True)
-    user_info = ReadOnlyField()
+    user_info = CharField(read_only=True)
-    provider_info = ReadOnlyField()
+    provider_info = CharField(read_only=True)
-    logout = ReadOnlyField()
+    logout = CharField(read_only=True)
 class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/providers/oauth2/api/scope.py
+++ b/authentik/providers/oauth2/api/scope.py
@ -1,6 +1,8 @@
 """OAuth2Provider API Views"""
 from django_filters.filters import AllValuesMultipleFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema_field
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.propertymappings import PropertyMappingSerializer
@ -23,7 +25,7 @@ class ScopeMappingSerializer(PropertyMappingSerializer):
 class ScopeMappingFilter(FilterSet):
    """Filter for ScopeMapping"""
-    managed = AllValuesMultipleFilter(field_name="managed")
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
    class Meta:
        model = ScopeMapping
--- a/authentik/providers/oauth2/errors.py
+++ b/authentik/providers/oauth2/errors.py
@ -151,12 +151,13 @@ class AuthorizeError(OAuth2Error):
        # http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthError
        hash_or_question = "#" if self.grant_type == GrantTypes.IMPLICIT else "?"
-        uri = "{0}{1}error={2}&error_description={3}".format(
+        uri = (
-            self.redirect_uri, hash_or_question, self.error, description
+            f"{self.redirect_uri}{hash_or_question}error="
            f"{self.error}&error_description={description}"
        )
        # Add state if present.
-        uri = uri + ("&state={0}".format(self.state) if self.state else "")
+        uri = uri + (f"&state={self.state}" if self.state else "")
        return uri
--- a/authentik/providers/oauth2/migrations/0017_alter_oauth2provider_token_validity.py
+++ b/authentik/providers/oauth2/migrations/0017_alter_oauth2provider_token_validity.py
@ -0,0 +1,24 @@
 # Generated by Django 3.2.6 on 2021-09-08 15:12
 from django.db import migrations, models
 import authentik.lib.utils.time
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_oauth2", "0016_alter_authorizationcode_nonce"),
    ]
    operations = [
        migrations.AlterField(
            model_name="oauth2provider",
            name="token_validity",
            field=models.TextField(
                default="days=30",
                help_text="Tokens not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3).",
                validators=[authentik.lib.utils.time.timedelta_string_validator],
            ),
        ),
    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -182,7 +182,7 @@ class OAuth2Provider(Provider):
        ),
    )
    token_validity = models.TextField(
-        default="minutes=10",
+        default="days=30",
        validators=[timedelta_string_validator],
        help_text=_(
            (
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -247,7 +247,7 @@ class TestAuthorize(OAuthTestCase):
                "to": (
                    f"http://localhost#access_token={token.access_token}"
                    f"&id_token={provider.encode(token.id_token.to_dict())}&token_type=bearer"
-                    f"&expires_in=600&state={state}"
+                    f"&expires_in=60&state={state}"
                ),
            },
        )
--- a/authentik/providers/oauth2/tests/test_token.py
+++ b/authentik/providers/oauth2/tests/test_token.py
@ -141,7 +141,7 @@ class TestToken(OAuthTestCase):
                "access_token": new_token.access_token,
                "refresh_token": new_token.refresh_token,
                "token_type": "bearer",
-                "expires_in": 600,
+                "expires_in": 2592000,
                "id_token": provider.encode(
                    new_token.id_token.to_dict(),
                ),
@ -190,7 +190,7 @@ class TestToken(OAuthTestCase):
                "access_token": new_token.access_token,
                "refresh_token": new_token.refresh_token,
                "token_type": "bearer",
-                "expires_in": 600,
+                "expires_in": 2592000,
                "id_token": provider.encode(
                    new_token.id_token.to_dict(),
                ),
@ -236,7 +236,7 @@ class TestToken(OAuthTestCase):
                "access_token": new_token.access_token,
                "refresh_token": new_token.refresh_token,
                "token_type": "bearer",
-                "expires_in": 600,
+                "expires_in": 2592000,
                "id_token": provider.encode(
                    new_token.id_token.to_dict(),
                ),
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -238,6 +238,10 @@ class OAuthFulfillmentStage(StageView):
        parsed = urlparse(uri)
        return HttpResponseRedirectScheme(uri, allowed_schemes=[parsed.scheme])
    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Wrapper when this stage gets hit with a post request"""
        return self.get(request, *args, **kwargs)
    # pylint: disable=unused-argument
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """final Stage of an OAuth2 Flow"""
@ -367,7 +371,7 @@ class OAuthFulfillmentStage(StageView):
        query_fragment["token_type"] = "bearer"
        query_fragment["expires_in"] = int(
-            timedelta_from_string(self.provider.token_validity).total_seconds()
+            timedelta_from_string(self.provider.access_code_validity).total_seconds()
        )
        query_fragment["state"] = self.params.state if self.params.state else ""
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@ -1,7 +1,7 @@
 """ProxyProvider API Views"""
 from typing import Any
-from drf_spectacular.utils import extend_schema_field, extend_schema_serializer
+from drf_spectacular.utils import extend_schema_field
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField, ListField, SerializerMethodField
 from rest_framework.serializers import ModelSerializer
@ -72,6 +72,7 @@ class ProxyProviderSerializer(ProviderSerializer):
            "mode",
            "redirect_uris",
            "cookie_domain",
            "token_validity",
        ]
@ -80,11 +81,27 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
    queryset = ProxyProvider.objects.all()
    serializer_class = ProxyProviderSerializer
-    filterset_fields = "__all__"
+    filterset_fields = {
        "application": ["isnull"],
        "name": ["iexact"],
        "authorization_flow__slug": ["iexact"],
        "property_mappings": ["iexact"],
        "internal_host": ["iexact"],
        "external_host": ["iexact"],
        "internal_host_ssl_validation": ["iexact"],
        "certificate__kp_uuid": ["iexact"],
        "certificate__name": ["iexact"],
        "skip_path_regex": ["iexact"],
        "basic_auth_enabled": ["iexact"],
        "basic_auth_password_attribute": ["iexact"],
        "basic_auth_user_attribute": ["iexact"],
        "mode": ["iexact"],
        "redirect_uris": ["iexact"],
        "cookie_domain": ["iexact"],
    }
    ordering = ["name"]
@extend_schema_serializer(deprecate_fields=["forward_auth_mode"])
 class ProxyOutpostConfigSerializer(ModelSerializer):
    """Proxy provider serializer for outposts"""
--- a/authentik/providers/proxy/controllers/docker.py
+++ b/authentik/providers/proxy/controllers/docker.py
@ -13,8 +13,9 @@ class ProxyDockerController(DockerController):
    def __init__(self, outpost: Outpost, connection: DockerServiceConnection):
        super().__init__(outpost, connection)
        self.deployment_ports = [
-            DeploymentPort(4180, "http", "tcp"),
+            DeploymentPort(9000, "http", "tcp"),
-            DeploymentPort(4443, "https", "tcp"),
+            DeploymentPort(9300, "http-metrics", "tcp"),
            DeploymentPort(9443, "https", "tcp"),
        ]
    def _get_labels(self) -> dict[str, str]:
@ -22,13 +23,13 @@ class ProxyDockerController(DockerController):
        for proxy_provider in ProxyProvider.objects.filter(outpost__in=[self.outpost]):
            proxy_provider: ProxyProvider
            external_host_name = urlparse(proxy_provider.external_host)
-            hosts.append(f"`{external_host_name}`")
+            hosts.append(f"`{external_host_name.netloc}`")
        traefik_name = f"ak-outpost-{self.outpost.pk.hex}"
-        return {
+        labels = super()._get_labels()
-            "traefik.enable": "true",
+        labels["traefik.enable"] = "true"
-            f"traefik.http.routers.{traefik_name}-router.rule": f"Host({','.join(hosts)})",
+        labels[f"traefik.http.routers.{traefik_name}-router.rule"] = f"Host({','.join(hosts)})"
-            f"traefik.http.routers.{traefik_name}-router.tls": "true",
+        labels[f"traefik.http.routers.{traefik_name}-router.tls"] = "true"
-            f"traefik.http.routers.{traefik_name}-router.service": f"{traefik_name}-service",
+        labels[f"traefik.http.routers.{traefik_name}-router.service"] = f"{traefik_name}-service"
-            f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.path": "/",
+        labels[f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.path"] = "/"
-            f"traefik.http.services.{traefik_name}-service.loadbalancer.server.port": "4180",
+        labels[f"traefik.http.services.{traefik_name}-service.loadbalancer.server.port"] = "9000"
-        }
+        return labels
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@ -61,9 +61,10 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
        have_hosts.sort()
        have_hosts_tls = []
-        for tls_config in current.spec.tls:
+        if current.spec.tls:
-            if tls_config and tls_config.hosts:
+            for tls_config in current.spec.tls:
-                have_hosts_tls += tls_config.hosts
+                if tls_config and tls_config.hosts:
                    have_hosts_tls += tls_config.hosts
        have_hosts_tls.sort()
        if have_hosts != expected_hosts:
--- a/authentik/providers/proxy/controllers/k8s/traefik.py
+++ b/authentik/providers/proxy/controllers/k8s/traefik.py
@ -106,7 +106,7 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
            ),
            spec=TraefikMiddlewareSpec(
                forwardAuth=TraefikMiddlewareSpecForwardAuth(
-                    address=f"http://{self.name}.{self.namespace}:4180/akprox/auth?traefik",
+                    address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
                    authResponseHeaders=[
                        "Set-Cookie",
                        "X-Auth-Username",
--- a/authentik/providers/proxy/controllers/kubernetes.py
+++ b/authentik/providers/proxy/controllers/kubernetes.py
@ -12,8 +12,9 @@ class ProxyKubernetesController(KubernetesController):
    def __init__(self, outpost: Outpost, connection: KubernetesServiceConnection):
        super().__init__(outpost, connection)
        self.deployment_ports = [
-            DeploymentPort(4180, "http", "tcp"),
+            DeploymentPort(9000, "http", "tcp"),
-            DeploymentPort(4443, "https", "tcp"),
+            DeploymentPort(9300, "http-metrics", "tcp"),
            DeploymentPort(9443, "https", "tcp"),
        ]
        self.reconcilers["ingress"] = IngressReconciler
        self.reconcilers["traefik middleware"] = TraefikMiddlewareReconciler
--- a/authentik/providers/proxy/migrations/0014_proxy_v2.py
+++ b/authentik/providers/proxy/migrations/0014_proxy_v2.py
@ -0,0 +1,23 @@
 # Generated by Django 3.2.6 on 2021-09-09 11:24
 from django.apps.registry import Apps
 from django.db import migrations
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def migrate_defaults(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    from authentik.providers.proxy.models import JWTAlgorithms, ProxyProvider
    db_alias = schema_editor.connection.alias
    for provider in ProxyProvider.objects.using(db_alias).filter(jwt_alg=JWTAlgorithms.RS256):
        provider.set_oauth_defaults()
        provider.save()
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_proxy", "0013_mode"),
    ]
    operations = [migrations.RunPython(migrate_defaults)]
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@ -128,8 +128,8 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
    def set_oauth_defaults(self):
        """Ensure all OAuth2-related settings are correct"""
        self.client_type = ClientTypes.CONFIDENTIAL
-        self.jwt_alg = JWTAlgorithms.RS256
+        self.jwt_alg = JWTAlgorithms.HS256
-        self.rsa_key = CertificateKeyPair.objects.exclude(key_data__iexact="").first()
+        self.rsa_key = None
        scopes = ScopeMapping.objects.filter(
            scope_name__in=[
                SCOPE_OPENID,
@ -139,12 +139,7 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
            ]
        )
        self.property_mappings.set(scopes)
-        self.redirect_uris = "\n".join(
+        self.redirect_uris = _get_callback_url(self.external_host)
            [
                _get_callback_url(self.external_host),
                _get_callback_url(self.internal_host),
            ]
        )
    def __str__(self):
        return f"Proxy Provider {self.name}"
--- a/authentik/providers/saml/api.py
+++ b/authentik/providers/saml/api.py
@ -9,9 +9,14 @@ from django.utils.translation import gettext_lazy as _
 from django_filters.filters import AllValuesMultipleFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from drf_spectacular.utils import (
    OpenApiParameter,
    OpenApiResponse,
    extend_schema,
    extend_schema_field,
 )
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, FileField, ReadOnlyField, SerializerMethodField
+from rest_framework.fields import CharField, FileField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.permissions import AllowAny
 from rest_framework.relations import SlugRelatedField
@ -70,8 +75,8 @@ class SAMLProviderSerializer(ProviderSerializer):
 class SAMLMetadataSerializer(PassiveSerializer):
    """SAML Provider Metadata serializer"""
-    metadata = ReadOnlyField()
+    metadata = CharField(read_only=True)
-    download_url = ReadOnlyField(required=False)
+    download_url = CharField(read_only=True, required=False)
 class SAMLProviderImportSerializer(PassiveSerializer):
@ -185,7 +190,7 @@ class SAMLPropertyMappingSerializer(PropertyMappingSerializer):
 class SAMLPropertyMappingFilter(FilterSet):
    """Filter for SAMLPropertyMapping"""
-    managed = AllValuesMultipleFilter(field_name="managed")
+    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
    class Meta:
        model = SAMLPropertyMapping
--- a/authentik/providers/saml/processors/request_parser.py
+++ b/authentik/providers/saml/processors/request_parser.py
@ -59,6 +59,10 @@ class AuthNRequestParser:
    ) -> AuthNRequest:
        root = ElementTree.fromstring(decoded_xml)
        if "AssertionConsumerServiceURL" not in root.attrib:
            msg = "Missing 'AssertionConsumerServiceURL' attribute"
            LOGGER.warning(msg)
            raise CannotHandleAssertion(msg)
        request_acs_url = root.attrib["AssertionConsumerServiceURL"]
        if self.provider.acs_url.lower() != request_acs_url.lower():
@ -66,7 +70,7 @@ class AuthNRequestParser:
                f"ACS URL of {request_acs_url} doesn't match Provider "
                f"ACS URL of {self.provider.acs_url}."
            )
-            LOGGER.info(msg)
+            LOGGER.warning(msg)
            raise CannotHandleAssertion(msg)
        auth_n_request = AuthNRequest(id=root.attrib["ID"], relay_state=relay_state)
--- a/Show More
+++ b/Show More