release: 2022.3.3

website/docs: prepare 2022.3.3
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-03-21 22:37:13 +01:00 · 2022-03-21 22:37:01 +01:00 · 2022-03-21 10:46:09 +01:00 · 2022-03-21 10:45:30 +01:00 · 2022-03-21 10:02:15 +01:00 · 2022-03-21 10:01:09 +01:00
312 changed files with 72170 additions and 7009 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2022.1.1
+current_version = 2022.3.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -7,7 +7,7 @@ exemptLabels:
  - pinned
  - security
  - pr_wanted
-  - enhancement/confirmed
+  - enhancement
 # Comment to post when marking an issue as stale. Set to `false` to disable
 markComment: >
  This issue has been automatically marked as stale because it has not had
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -31,16 +31,16 @@ jobs:
          - pending-migrations
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v3
+      - uses: actions/setup-node@v3.0.0
        with:
          node-version: '16'
      - id: cache-poetry
        uses: actions/cache@v2.1.7
        with:
          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v2-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
@ -50,13 +50,13 @@ jobs:
  test-migrations:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v3
      - id: cache-poetry
        uses: actions/cache@v2.1.7
        with:
          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v2-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
@ -66,10 +66,10 @@ jobs:
  test-migrations-from-stable:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
-      - uses: actions/setup-python@v2
+      - uses: actions/setup-python@v3
      - name: prepare variables
        id: ev
        run: |
@ -79,17 +79,16 @@ jobs:
        uses: actions/cache@v2.1.7
        with:
          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v2-${{ hashFiles('**/poetry.lock') }}
      - name: checkout stable
        run: |
          # Copy current, latest config to local
          cp authentik/lib/default.yml local.env.yml
          cp -R .github ..
          cp -R scripts ..
-          cp -R poetry.lock pyproject.toml ..
          git checkout $(git describe --abbrev=0 --match 'version/*')
          rm -rf .github/ scripts/
-          mv ../.github ../scripts ../poetry.lock ../pyproject.toml .
+          mv ../.github ../scripts .
      - name: prepare
        env:
          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
@ -115,13 +114,13 @@ jobs:
  test-unittest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v3
      - id: cache-poetry
        uses: actions/cache@v2.1.7
        with:
          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v2-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
@ -142,13 +141,13 @@ jobs:
  test-integration:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v3
      - id: cache-poetry
        uses: actions/cache@v2.1.7
        with:
          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v2-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
@ -171,9 +170,9 @@ jobs:
  test-e2e-provider:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v3
+      - uses: actions/setup-node@v3.0.0
        with:
          node-version: '16'
          cache: 'npm'
@ -185,7 +184,7 @@ jobs:
        uses: actions/cache@v2.1.7
        with:
          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v2-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
@ -216,9 +215,9 @@ jobs:
  test-e2e-rest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v3
+      - uses: actions/setup-node@v3.0.0
        with:
          node-version: '16'
          cache: 'npm'
@ -230,7 +229,7 @@ jobs:
        uses: actions/cache@v2.1.7
        with:
          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v2-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
@ -280,7 +279,7 @@ jobs:
        arch:
          - 'linux/amd64'
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1.2.0
      - name: Set up Docker Buildx
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -14,7 +14,7 @@ jobs:
  lint-golint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.17"
@ -30,9 +30,25 @@ jobs:
            -w /app \
            golangci/golangci-lint:v1.43 \
            golangci-lint run -v --timeout 200s
+  test-unittest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v2
+        with:
+          go-version: "^1.17"
+      - name: Get dependencies
+        run: |
+          go get github.com/axw/gocov/gocov
+          go get github.com/AlekSi/gocov-xml
+          go get github.com/jstemmer/go-junit-report
+      - name: Go unittests
+        run: |
+          go test -timeout 0 -v -race -coverprofile=coverage.out -covermode=atomic -cover ./... | go-junit-report > junit.xml
  ci-outpost-mark:
    needs:
      - lint-golint
+      - test-unittest
    runs-on: ubuntu-latest
    steps:
      - run: echo mark
@ -50,7 +66,7 @@ jobs:
          - 'linux/amd64'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1.2.0
      - name: Set up Docker Buildx
@ -94,11 +110,11 @@ jobs:
        goos: [linux]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.17"
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3.0.0
        with:
          node-version: '16'
          cache: 'npm'
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -14,8 +14,8 @@ jobs:
  lint-eslint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.0.0
        with:
          node-version: '16'
          cache: 'npm'
@ -32,8 +32,8 @@ jobs:
  lint-prettier:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.0.0
        with:
          node-version: '16'
          cache: 'npm'
@ -50,8 +50,8 @@ jobs:
  lint-lit-analyse:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.0.0
        with:
          node-version: '16'
          cache: 'npm'
@ -78,8 +78,8 @@ jobs:
      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3.0.0
        with:
          node-version: '16'
          cache: 'npm'
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -28,7 +28,7 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -9,7 +9,7 @@ jobs:
  build-server:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1.2.0
      - name: Set up Docker Buildx
@ -30,21 +30,12 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik:2022.1.1,
+            beryju/authentik:2022.3.3,
            beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2022.1.1,
+            ghcr.io/goauthentik/server:2022.3.3,
            ghcr.io/goauthentik/server:latest
          platforms: linux/amd64,linux/arm64
          context: .
-      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2022.1.1', 'rc') }}
-        run: |
-          docker pull beryju/authentik:latest
-          docker tag beryju/authentik:latest beryju/authentik:stable
-          docker push beryju/authentik:stable
-          docker pull ghcr.io/goauthentik/server:latest
-          docker tag ghcr.io/goauthentik/server:latest ghcr.io/goauthentik/server:stable
-          docker push ghcr.io/goauthentik/server:stable
  build-outpost:
    runs-on: ubuntu-latest
    strategy:
@ -54,7 +45,7 @@ jobs:
          - proxy
          - ldap
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.17"
@ -78,21 +69,12 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik-${{ matrix.type }}:2022.1.1,
+            beryju/authentik-${{ matrix.type }}:2022.3.3,
            beryju/authentik-${{ matrix.type }}:latest,
-            ghcr.io/goauthentik/${{ matrix.type }}:2022.1.1,
+            ghcr.io/goauthentik/${{ matrix.type }}:2022.3.3,
            ghcr.io/goauthentik/${{ matrix.type }}:latest
          file: ${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
-      - name: Building Docker Image (stable)
-        if: ${{ github.event_name == 'release' && !contains('2022.1.1', 'rc') }}
-        run: |
-          docker pull beryju/authentik-${{ matrix.type }}:latest
-          docker tag beryju/authentik-${{ matrix.type }}:latest beryju/authentik-${{ matrix.type }}:stable
-          docker push beryju/authentik-${{ matrix.type }}:stable
-          docker pull ghcr.io/goauthentik/${{ matrix.type }}:latest
-          docker tag ghcr.io/goauthentik/${{ matrix.type }}:latest ghcr.io/goauthentik/${{ matrix.type }}:stable
-          docker push ghcr.io/goauthentik/${{ matrix.type }}:stable
  build-outpost-binary:
    timeout-minutes: 120
    runs-on: ubuntu-latest
@ -105,11 +87,11 @@ jobs:
        goos: [linux, darwin]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - uses: actions/setup-go@v2
        with:
          go-version: "^1.17"
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3.0.0
        with:
          node-version: '16'
          cache: 'npm'
@ -139,7 +121,7 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Run test suite in final docker images
        run: |
          echo "PG_PASS=$(openssl rand -base64 32)" >> .env
@ -155,7 +137,7 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Get static files from docker image
        run: |
          docker pull ghcr.io/goauthentik/server:latest
@ -170,7 +152,7 @@ jobs:
          SENTRY_PROJECT: authentik
          SENTRY_URL: https://sentry.beryju.org
        with:
-          version: authentik@2022.1.1
+          version: authentik@2022.3.3
          environment: beryjuorg-prod
          sourcemaps: './web/dist'
          url_prefix: '~/static/dist'
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@ -10,7 +10,7 @@ jobs:
    name: Create Release from Tag
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Pre-release test
        run: |
          echo "PG_PASS=$(openssl rand -base64 32)" >> .env
@ -27,7 +27,7 @@ jobs:
          docker-compose run -u root server test
      - name: Extract version number
        id: get_version
-        uses: actions/github-script@v5
+        uses: actions/github-script@v6
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/.github/workflows/translation-compile.yml
+++ b/.github/workflows/translation-compile.yml
@ -20,13 +20,13 @@ jobs:
  compile:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v3
      - id: cache-poetry
        uses: actions/cache@v2.1.7
        with:
          path: ~/.cache/pypoetry/virtualenvs
-          key: ${{ runner.os }}-poetry-cache-v3-${{ hashFiles('**/poetry.lock') }}
+          key: ${{ runner.os }}-poetry-cache-v2-${{ hashFiles('**/poetry.lock') }}
      - name: prepare
        env:
          INSTALL: ${{ steps.cache-poetry.outputs.cache-hit }}
--- a/.github/workflows/web-api-publish.yml
+++ b/.github/workflows/web-api-publish.yml
@ -8,9 +8,9 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3.0.0
        with:
          node-version: '16'
          registry-url: 'https://registry.npmjs.org'
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -12,7 +12,8 @@
        "totp",
        "webauthn",
        "traefik",
-        "passwordless"
+        "passwordless",
+        "kubernetes"
    ],
    "python.linting.pylintEnabled": true,
    "todo-tree.tree.showCountsInTree": true,
--- a/8
+++ b/8
@ -16,7 +16,7 @@ ENV NODE_ENV=production
 RUN cd /work/web && npm i && npm run build

 # Stage 3: Build go proxy
-FROM docker.io/golang:1.17.6-bullseye AS builder
+FROM docker.io/golang:1.18.0-bullseye AS builder

 WORKDIR /work

@ -32,7 +32,7 @@ COPY ./go.sum /work/go.sum
 RUN go build -o /work/authentik ./cmd/server/main.go

 # Stage 4: Run
-FROM docker.io/python:3.10.2-slim-bullseye
+FROM docker.io/python:3.10.3-slim-bullseye

 LABEL org.opencontainers.image.url https://goauthentik.io
 LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
@ -60,9 +60,9 @@ RUN apt-get update && \
    apt-get clean && \
    rm -rf /tmp/* /var/lib/apt/lists/* /var/tmp/ && \
    adduser --system --no-create-home --uid 1000 --group --home /authentik authentik && \
-    mkdir -p /backups /certs /media && \
+    mkdir -p /certs /media && \
    mkdir -p /authentik/.ssh && \
-    chown authentik:authentik /backups /certs /media /authentik/.ssh
+    chown authentik:authentik /certs /media /authentik/.ssh

 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
--- a/13
+++ b/13
@ -15,6 +15,9 @@ test-e2e-provider:
 test-e2e-rest:
 	coverage run manage.py test tests/e2e/test_flows* tests/e2e/test_source*

+test-go:
+	go test -timeout 0 -v -race -cover ./...
+
 test:
 	coverage run manage.py test authentik
 	coverage html
@ -127,3 +130,13 @@ ci-pyright: ci--meta-debug

 ci-pending-migrations: ci--meta-debug
 	./manage.py makemigrations --check
+
+install:
+	poetry install
+	cd web && npm i
+	cd website && npm i
+
+a: install
+	tmux \
+		new-session 'make run' \; \
+		split-window 'make web-watch'
--- a/README.md
+++ b/README.md
@ -57,4 +57,4 @@ DigitalOcean provides development and testing resources for authentik.
    </a>
 </p>

-Netlify hosts the [goauthentik.io](goauthentik.io) site.
+Netlify hosts the [goauthentik.io](https://goauthentik.io) site.
--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,8 +6,8 @@

 | Version    | Supported          |
 | ---------- | ------------------ |
-| 2021.10.x  | :white_check_mark: |
-| 2021.12.x  | :white_check_mark: |
+| 2022.2.x   | :white_check_mark: |
+| 2022.3.x   | :white_check_mark: |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional

-__version__ = "2022.1.1"
+__version__ = "2022.3.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/tasks.py
+++ b/authentik/admin/api/tasks.py
@ -12,10 +12,13 @@ from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet
+from structlog.stdlib import get_logger

 from authentik.core.api.utils import PassiveSerializer
 from authentik.events.monitored_tasks import TaskInfo, TaskResultStatus

+LOGGER = get_logger()
+

 class TaskSerializer(PassiveSerializer):
    """Serialize TaskInfo and TaskResult"""
@ -89,6 +92,7 @@ class TaskViewSet(ViewSet):
        try:
            task_module = import_module(task.task_call_module)
            task_func = getattr(task_module, task.task_call_func)
+            LOGGER.debug("Running task", task=task_func)
            task_func.delay(*task.task_call_args, **task.task_call_kwargs)
            messages.success(
                self.request,
@ -96,6 +100,7 @@ class TaskViewSet(ViewSet):
            )
            return Response(status=204)
        except (ImportError, AttributeError):  # pragma: no cover
+            LOGGER.warning("Failed to run task, remove state", task=task)
            # if we get an import error, the module path has probably changed
            task.delete()
            return Response(status=500)
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -1,10 +1,9 @@
 """core Configs API"""
-from os import environ, path
+from os import path

 from django.conf import settings
 from django.db import models
 from drf_spectacular.utils import extend_schema
-from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
 from rest_framework.fields import (
    BooleanField,
    CharField,
@ -28,7 +27,6 @@ class Capabilities(models.TextChoices):

    CAN_SAVE_MEDIA = "can_save_media"
    CAN_GEO_IP = "can_geo_ip"
-    CAN_BACKUP = "can_backup"


 class ErrorReportingConfigSerializer(PassiveSerializer):
@ -65,13 +63,6 @@ class ConfigView(APIView):
            caps.append(Capabilities.CAN_SAVE_MEDIA)
        if GEOIP_READER.enabled:
            caps.append(Capabilities.CAN_GEO_IP)
-        if SERVICE_HOST_ENV_NAME in environ:
-            # Running in k8s, only s3 backup is supported
-            if CONFIG.y("postgresql.s3_backup"):
-                caps.append(Capabilities.CAN_BACKUP)
-        else:
-            # Running in compose, backup is always supported
-            caps.append(Capabilities.CAN_BACKUP)
        return caps

    @extend_schema(responses={200: ConfigSerializer(many=False)})
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -1,4 +1,6 @@
 """Application API Views"""
+from typing import Optional
+
 from django.core.cache import cache
 from django.db.models import QuerySet
 from django.http.response import HttpResponseBadRequest
@ -7,7 +9,7 @@ from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
 from guardian.shortcuts import get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import ReadOnlyField
+from rest_framework.fields import ReadOnlyField, SerializerMethodField
 from rest_framework.parsers import MultiPartParser
 from rest_framework.request import Request
 from rest_framework.response import Response
@ -39,11 +41,16 @@ def user_app_cache_key(user_pk: str) -> str:
 class ApplicationSerializer(ModelSerializer):
    """Application Serializer"""

-    launch_url = ReadOnlyField(source="get_launch_url")
+    launch_url = SerializerMethodField()
    provider_obj = ProviderSerializer(source="get_provider", required=False)

    meta_icon = ReadOnlyField(source="get_meta_icon")

+    def get_launch_url(self, app: Application) -> Optional[str]:
+        """Allow formatting of launch URL"""
+        user = self.context["request"].user
+        return app.get_launch_url(user)
+
    class Meta:

        model = Application
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -3,7 +3,7 @@ from typing import Any

 from django_filters.rest_framework import DjangoFilterBackend
 from drf_spectacular.utils import OpenApiResponse, extend_schema
-from guardian.shortcuts import get_anonymous_user
+from guardian.shortcuts import assign_perm, get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import CharField
@ -95,10 +95,12 @@ class TokenViewSet(UsedByMixin, ModelViewSet):

    def perform_create(self, serializer: TokenSerializer):
        if not self.request.user.is_superuser:
-            return serializer.save(
+            instance = serializer.save(
                user=self.request.user,
                expiring=self.request.user.attributes.get(USER_ATTRIBUTE_TOKEN_EXPIRING, True),
            )
+            assign_perm("authentik_core.view_token_key", self.request.user, instance)
+            return instance
        return super().perform_create(serializer)

    @permission_required("authentik_core.view_token_key")
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -24,7 +24,6 @@ from drf_spectacular.utils import (
 from guardian.shortcuts import get_anonymous_user, get_objects_for_user
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, DictField, JSONField, SerializerMethodField
-from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
@ -46,9 +45,6 @@ from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
 from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
 from authentik.core.models import (
-    USER_ATTRIBUTE_CHANGE_EMAIL,
-    USER_ATTRIBUTE_CHANGE_NAME,
-    USER_ATTRIBUTE_CHANGE_USERNAME,
    USER_ATTRIBUTE_SA,
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    Group,
@ -57,7 +53,6 @@ from authentik.core.models import (
    User,
 )
 from authentik.events.models import EventAction
-from authentik.lib.config import CONFIG
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@ -126,43 +121,6 @@ class UserSelfSerializer(ModelSerializer):
                "pk": group.pk,
            }

-    def validate_email(self, email: str):
-        """Check if the user is allowed to change their email"""
-        if self.instance.group_attributes().get(
-            USER_ATTRIBUTE_CHANGE_EMAIL, CONFIG.y_bool("default_user_change_email", True)
-        ):
-            return email
-        if email != self.instance.email:
-            raise ValidationError("Not allowed to change email.")
-        return email
-
-    def validate_name(self, name: str):
-        """Check if the user is allowed to change their name"""
-        if self.instance.group_attributes().get(
-            USER_ATTRIBUTE_CHANGE_NAME, CONFIG.y_bool("default_user_change_name", True)
-        ):
-            return name
-        if name != self.instance.name:
-            raise ValidationError("Not allowed to change name.")
-        return name
-
-    def validate_username(self, username: str):
-        """Check if the user is allowed to change their username"""
-        if self.instance.group_attributes().get(
-            USER_ATTRIBUTE_CHANGE_USERNAME, CONFIG.y_bool("default_user_change_username", True)
-        ):
-            return username
-        if username != self.instance.username:
-            raise ValidationError("Not allowed to change username.")
-        return username
-
-    def save(self, **kwargs):
-        if self.instance:
-            attributes: dict = self.instance.attributes
-            attributes.update(self.validated_data.get("attributes", {}))
-            self.validated_data["attributes"] = attributes
-        return super().save(**kwargs)
-
    class Meta:

        model = User
@ -241,6 +199,7 @@ class UsersFilter(FilterSet):
    )

    is_superuser = BooleanFilter(field_name="ak_groups", lookup_expr="is_superuser")
+    uuid = CharFilter(field_name="uuid")

    groups_by_name = ModelMultipleChoiceFilter(
        field_name="ak_groups__name",
@ -290,7 +249,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    queryset = User.objects.none()
    ordering = ["username"]
    serializer_class = UserSerializer
-    search_fields = ["username", "name", "is_active", "email"]
+    search_fields = ["username", "name", "is_active", "email", "uuid"]
    filterset_class = UsersFilter

    def get_queryset(self):  # pragma: no cover
@ -407,26 +366,6 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            update_session_auth_hash(self.request, user)
        return Response(status=204)

-    @extend_schema(request=UserSelfSerializer, responses={200: SessionUserSerializer(many=False)})
-    @action(
-        methods=["PUT"],
-        detail=False,
-        pagination_class=None,
-        filter_backends=[],
-        permission_classes=[IsAuthenticated],
-    )
-    def update_self(self, request: Request) -> Response:
-        """Allow users to change information on their own profile"""
-        data = UserSelfSerializer(instance=User.objects.get(pk=request.user.pk), data=request.data)
-        if not data.is_valid():
-            return Response(data.errors, status=400)
-        new_user = data.save()
-        # If we're impersonating, we need to update that user object
-        # since it caches the full object
-        if SESSION_IMPERSONATE_USER in request.session:
-            request.session[SESSION_IMPERSONATE_USER] = new_user
-        return Response({"user": data.data})
-
    @permission_required("authentik_core.view_user", ["authentik_events.view_event"])
    @extend_schema(responses={200: UserMetricsSerializer(many=False)})
    @action(detail=True, pagination_class=None, filter_backends=[])
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@ -30,7 +30,7 @@ class InbuiltBackend(ModelBackend):
            return
        # Since we can't directly pass other variables to signals, and we want to log the method
        # and the token used, we assume we're running in a flow and set a variable in the context
-        flow_plan: FlowPlan = request.session[SESSION_KEY_PLAN]
+        flow_plan: FlowPlan = request.session.get(SESSION_KEY_PLAN, FlowPlan(""))
        flow_plan.context[PLAN_CONTEXT_METHOD] = method
        flow_plan.context[PLAN_CONTEXT_METHOD_ARGS] = cleanse_dict(sanitize_dict(kwargs))
        request.session[SESSION_KEY_PLAN] = flow_plan
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -14,7 +14,7 @@ from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.http import HttpRequest
 from django.templatetags.static import static
-from django.utils.functional import cached_property
+from django.utils.functional import SimpleLazyObject, cached_property
 from django.utils.html import escape
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
@ -284,13 +284,24 @@ class Application(PolicyBindingModel):
            return self.meta_icon.name
        return self.meta_icon.url

-    def get_launch_url(self) -> Optional[str]:
+    def get_launch_url(self, user: Optional["User"] = None) -> Optional[str]:
        """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
-        if self.meta_launch_url:
-            return self.meta_launch_url
+        url = None
        if provider := self.get_provider():
-            return provider.launch_url
-        return None
+            url = provider.launch_url
+        if self.meta_launch_url:
+            url = self.meta_launch_url
+        if user and url:
+            if isinstance(user, SimpleLazyObject):
+                user._setup()
+                user = user._wrapped
+            try:
+                return url % user.__dict__
+            # pylint: disable=broad-except
+            except Exception as exc:
+                LOGGER.warning("Failed to format launch url", exc=exc)
+                return url
+        return url

    def get_provider(self) -> Optional[Provider]:
        """Get casted provider instance"""
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@ -1,17 +1,7 @@
 """authentik core tasks"""
-from datetime import datetime
-from io import StringIO
-from os import environ
-
-from boto3.exceptions import Boto3Error
-from botocore.exceptions import BotoCoreError, ClientError
-from dbbackup.db.exceptions import CommandConnectorError
-from django.contrib.humanize.templatetags.humanize import naturaltime
 from django.contrib.sessions.backends.cache import KEY_PREFIX
-from django.core import management
 from django.core.cache import cache
 from django.utils.timezone import now
-from kubernetes.config.incluster_config import SERVICE_HOST_ENV_NAME
 from structlog.stdlib import get_logger

 from authentik.core.models import AuthenticatedSession, ExpiringModel
@ -21,7 +11,6 @@ from authentik.events.monitored_tasks import (
    TaskResultStatus,
    prefill_task,
 )
-from authentik.lib.config import CONFIG
 from authentik.root.celery import CELERY_APP

 LOGGER = get_logger()
@ -53,46 +42,3 @@ def clean_expired_models(self: MonitoredTask):
    LOGGER.debug("Expired sessions", model=AuthenticatedSession, amount=amount)
    messages.append(f"Expired {amount} {AuthenticatedSession._meta.verbose_name_plural}")
    self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL, messages))
-
-
-def should_backup() -> bool:
-    """Check if we should be doing backups"""
-    if SERVICE_HOST_ENV_NAME in environ and not CONFIG.y("postgresql.s3_backup.bucket"):
-        LOGGER.info("Running in k8s and s3 backups are not configured, skipping")
-        return False
-    if not CONFIG.y_bool("postgresql.backup.enabled"):
-        return False
-    return True
-
-
-@CELERY_APP.task(bind=True, base=MonitoredTask)
-@prefill_task
-def backup_database(self: MonitoredTask):  # pragma: no cover
-    """Database backup"""
-    self.result_timeout_hours = 25
-    if not should_backup():
-        self.set_status(TaskResult(TaskResultStatus.UNKNOWN, ["Backups are not configured."]))
-        return
-    try:
-        start = datetime.now()
-        out = StringIO()
-        management.call_command("dbbackup", quiet=True, stdout=out)
-        self.set_status(
-            TaskResult(
-                TaskResultStatus.SUCCESSFUL,
-                [
-                    f"Successfully finished database backup {naturaltime(start)} {out.getvalue()}",
-                ],
-            )
-        )
-        LOGGER.info("Successfully backed up database.")
-    except (
-        IOError,
-        BotoCoreError,
-        ClientError,
-        Boto3Error,
-        PermissionError,
-        CommandConnectorError,
-        ValueError,
-    ) as exc:
-        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,6 +16,7 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}">
        <script src="{% static 'dist/poly.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@ -10,8 +10,8 @@
 {% endblock %}

 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-interface-admin>
+<ak-message-container data-refresh-on-locale="true"></ak-message-container>
+<ak-interface-admin data-refresh-on-locale="true">
    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
        <div class="pf-c-empty-state" style="height: 100vh;">
            <div class="pf-c-empty-state__content">
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@ -20,8 +20,8 @@
 {% endblock %}

 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-flow-executor>
+<ak-message-container data-refresh-on-locale="true"></ak-message-container>
+<ak-flow-executor data-refresh-on-locale="true">
    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
        <div class="pf-c-empty-state" style="height: 100vh;">
            <div class="pf-c-empty-state__content">
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@ -10,8 +10,8 @@
 {% endblock %}

 {% block body %}
-<ak-message-container></ak-message-container>
-<ak-interface-user>
+<ak-message-container data-refresh-on-locale="true"></ak-message-container>
+<ak-interface-user data-refresh-on-locale="true">
    <section class="ak-static-page pf-c-page__main-section pf-m-no-padding-mobile pf-m-xl">
        <div class="pf-c-empty-state" style="height: 100vh;">
            <div class="pf-c-empty-state__content">
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -4,8 +4,10 @@ from rest_framework.test import APITestCase

 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user
+from authentik.flows.models import Flow
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
+from authentik.providers.oauth2.models import OAuth2Provider


 class TestApplicationsAPI(APITestCase):
@ -13,7 +15,20 @@ class TestApplicationsAPI(APITestCase):

    def setUp(self) -> None:
        self.user = create_test_admin_user()
-        self.allowed = Application.objects.create(name="allowed", slug="allowed")
+        self.provider = OAuth2Provider.objects.create(
+            name="test",
+            redirect_uris="http://some-other-domain",
+            authorization_flow=Flow.objects.create(
+                name="test",
+                slug="test",
+            ),
+        )
+        self.allowed = Application.objects.create(
+            name="allowed",
+            slug="allowed",
+            meta_launch_url="https://goauthentik.io/%(username)s",
+            provider=self.provider,
+        )
        self.denied = Application.objects.create(name="denied", slug="denied")
        PolicyBinding.objects.create(
            target=self.denied,
@ -62,10 +77,21 @@ class TestApplicationsAPI(APITestCase):
                        "pk": str(self.allowed.pk),
                        "name": "allowed",
                        "slug": "allowed",
-                        "provider": None,
-                        "provider_obj": None,
-                        "launch_url": None,
-                        "meta_launch_url": "",
+                        "provider": self.provider.pk,
+                        "provider_obj": {
+                            "assigned_application_name": "allowed",
+                            "assigned_application_slug": "allowed",
+                            "authorization_flow": str(self.provider.authorization_flow.pk),
+                            "component": "ak-provider-oauth2-form",
+                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
+                            "name": self.provider.name,
+                            "pk": self.provider.pk,
+                            "property_mappings": [],
+                            "verbose_name": "OAuth2/OpenID Provider",
+                            "verbose_name_plural": "OAuth2/OpenID Providers",
+                        },
+                        "launch_url": f"https://goauthentik.io/{self.user.username}",
+                        "meta_launch_url": "https://goauthentik.io/%(username)s",
                        "meta_icon": None,
                        "meta_description": "",
                        "meta_publisher": "",
@ -98,10 +124,21 @@ class TestApplicationsAPI(APITestCase):
                        "pk": str(self.allowed.pk),
                        "name": "allowed",
                        "slug": "allowed",
-                        "provider": None,
-                        "provider_obj": None,
-                        "launch_url": None,
-                        "meta_launch_url": "",
+                        "provider": self.provider.pk,
+                        "provider_obj": {
+                            "assigned_application_name": "allowed",
+                            "assigned_application_slug": "allowed",
+                            "authorization_flow": str(self.provider.authorization_flow.pk),
+                            "component": "ak-provider-oauth2-form",
+                            "meta_model_name": "authentik_providers_oauth2.oauth2provider",
+                            "name": self.provider.name,
+                            "pk": self.provider.pk,
+                            "property_mappings": [],
+                            "verbose_name": "OAuth2/OpenID Provider",
+                            "verbose_name_plural": "OAuth2/OpenID Providers",
+                        },
+                        "launch_url": f"https://goauthentik.io/{self.user.username}",
+                        "meta_launch_url": "https://goauthentik.io/%(username)s",
                        "meta_icon": None,
                        "meta_description": "",
                        "meta_publisher": "",
--- a/authentik/core/tests/test_applications_views.py
+++ b/authentik/core/tests/test_applications_views.py
@ -0,0 +1,67 @@
+"""Test Applications API"""
+from unittest.mock import MagicMock, patch
+
+from django.urls import reverse
+
+from authentik.core.models import Application
+from authentik.core.tests.utils import create_test_admin_user, create_test_tenant
+from authentik.flows.models import Flow, FlowDesignation
+from authentik.flows.tests import FlowTestCase
+from authentik.tenants.models import Tenant
+
+
+class TestApplicationsViews(FlowTestCase):
+    """Test applications Views"""
+
+    def setUp(self) -> None:
+        self.user = create_test_admin_user()
+        self.allowed = Application.objects.create(
+            name="allowed", slug="allowed", meta_launch_url="https://goauthentik.io/%(username)s"
+        )
+
+    def test_check_redirect(self):
+        """Test redirect"""
+        empty_flow = Flow.objects.create(
+            name="foo",
+            slug="foo",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        tenant: Tenant = create_test_tenant()
+        tenant.flow_authentication = empty_flow
+        tenant.save()
+        response = self.client.get(
+            reverse(
+                "authentik_core:application-launch",
+                kwargs={"application_slug": self.allowed.slug},
+            ),
+            follow=True,
+        )
+        self.assertEqual(response.status_code, 200)
+        with patch(
+            "authentik.flows.stage.StageView.get_pending_user", MagicMock(return_value=self.user)
+        ):
+            response = self.client.post(
+                reverse("authentik_api:flow-executor", kwargs={"flow_slug": empty_flow.slug})
+            )
+            self.assertEqual(response.status_code, 200)
+            self.assertStageRedirects(response, f"https://goauthentik.io/{self.user.username}")
+
+    def test_check_redirect_auth(self):
+        """Test redirect"""
+        self.client.force_login(self.user)
+        empty_flow = Flow.objects.create(
+            name="foo",
+            slug="foo",
+            designation=FlowDesignation.AUTHENTICATION,
+        )
+        tenant: Tenant = create_test_tenant()
+        tenant.flow_authentication = empty_flow
+        tenant.save()
+        response = self.client.get(
+            reverse(
+                "authentik_core:application-launch",
+                kwargs={"application_slug": self.allowed.slug},
+            ),
+        )
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response.url, f"https://goauthentik.io/{self.user.username}")
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@ -30,6 +30,7 @@ class TestTokenAPI(APITestCase):
        self.assertEqual(token.user, self.user)
        self.assertEqual(token.intent, TokenIntents.INTENT_API)
        self.assertEqual(token.expiring, True)
+        self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))

    def test_token_create_invalid(self):
        """Test token creation endpoint (invalid data)"""
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -2,12 +2,7 @@
 from django.urls.base import reverse
 from rest_framework.test import APITestCase

-from authentik.core.models import (
-    USER_ATTRIBUTE_CHANGE_EMAIL,
-    USER_ATTRIBUTE_CHANGE_NAME,
-    USER_ATTRIBUTE_CHANGE_USERNAME,
-    User,
-)
+from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
 from authentik.flows.models import FlowDesignation
 from authentik.lib.generators import generate_key
@ -22,51 +17,6 @@ class TestUsersAPI(APITestCase):
        self.admin = create_test_admin_user()
        self.user = User.objects.create(username="test-user")

-    def test_update_self(self):
-        """Test update_self"""
-        self.admin.attributes["foo"] = "bar"
-        self.admin.save()
-        self.admin.refresh_from_db()
-        self.client.force_login(self.admin)
-        response = self.client.put(
-            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
-        )
-        self.admin.refresh_from_db()
-        self.assertEqual(response.status_code, 200)
-        self.assertEqual(self.admin.attributes["foo"], "bar")
-        self.assertEqual(self.admin.username, "foo")
-        self.assertEqual(self.admin.name, "foo")
-
-    def test_update_self_name_denied(self):
-        """Test update_self"""
-        self.admin.attributes[USER_ATTRIBUTE_CHANGE_NAME] = False
-        self.admin.save()
-        self.client.force_login(self.admin)
-        response = self.client.put(
-            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
-        )
-        self.assertEqual(response.status_code, 400)
-
-    def test_update_self_username_denied(self):
-        """Test update_self"""
-        self.admin.attributes[USER_ATTRIBUTE_CHANGE_USERNAME] = False
-        self.admin.save()
-        self.client.force_login(self.admin)
-        response = self.client.put(
-            reverse("authentik_api:user-update-self"), data={"username": "foo", "name": "foo"}
-        )
-        self.assertEqual(response.status_code, 400)
-
-    def test_update_self_email_denied(self):
-        """Test update_self"""
-        self.admin.attributes[USER_ATTRIBUTE_CHANGE_EMAIL] = False
-        self.admin.save()
-        self.client.force_login(self.admin)
-        response = self.client.put(
-            reverse("authentik_api:user-update-self"), data={"email": "foo", "name": "foo"}
-        )
-        self.assertEqual(response.status_code, 400)
-
    def test_metrics(self):
        """Test user's metrics"""
        self.client.force_login(self.admin)
--- a/authentik/core/types.py
+++ b/authentik/core/types.py
@ -29,4 +29,4 @@ class UserSettingSerializer(PassiveSerializer):
    component = CharField()
    title = CharField()
    configure_url = CharField(required=False)
-    icon_url = CharField()
+    icon_url = CharField(required=False)
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -5,7 +5,7 @@ from django.views.decorators.csrf import ensure_csrf_cookie
 from django.views.generic import RedirectView
 from django.views.generic.base import TemplateView

-from authentik.core.views import impersonate
+from authentik.core.views import apps, impersonate
 from authentik.core.views.interface import FlowInterfaceView
 from authentik.core.views.session import EndSessionView

@ -15,6 +15,12 @@ urlpatterns = [
        login_required(RedirectView.as_view(pattern_name="authentik_core:if-user")),
        name="root-redirect",
    ),
+    path(
+        # We have to use this format since everything else uses applications/o or applications/saml
+        "application/launch/<slug:application_slug>/",
+        apps.RedirectToAppLaunch.as_view(),
+        name="application-launch",
+    ),
    # Impersonation
    path(
        "-/impersonation/<int:user_id>/",
--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@ -0,0 +1,75 @@
+"""app views"""
+from django.http import Http404, HttpRequest, HttpResponse, HttpResponseRedirect
+from django.shortcuts import get_object_or_404
+from django.utils.translation import gettext_lazy as _
+from django.views import View
+
+from authentik.core.models import Application
+from authentik.flows.challenge import (
+    ChallengeResponse,
+    ChallengeTypes,
+    HttpChallengeResponse,
+    RedirectChallenge,
+)
+from authentik.flows.models import in_memory_stage
+from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
+from authentik.flows.stage import ChallengeStageView
+from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.utils.urls import redirect_with_qs
+from authentik.stages.consent.stage import (
+    PLAN_CONTEXT_CONSENT_HEADER,
+    PLAN_CONTEXT_CONSENT_PERMISSIONS,
+)
+from authentik.tenants.models import Tenant
+
+
+class RedirectToAppLaunch(View):
+    """Application launch view, redirect to the launch URL"""
+
+    def dispatch(self, request: HttpRequest, application_slug: str) -> HttpResponse:
+        app = get_object_or_404(Application, slug=application_slug)
+        # Check here if the application has any launch URL set, if not 404
+        launch = app.get_launch_url()
+        if not launch:
+            raise Http404
+        # Check if we're authenticated already, saves us the flow run
+        if request.user.is_authenticated:
+            return HttpResponseRedirect(app.get_launch_url(request.user))
+        # otherwise, do a custom flow plan that includes the application that's
+        # being accessed, to improve usability
+        tenant: Tenant = request.tenant
+        flow = tenant.flow_authentication
+        planner = FlowPlanner(flow)
+        planner.allow_empty_flows = True
+        plan = planner.plan(
+            request,
+            {
+                PLAN_CONTEXT_APPLICATION: app,
+                PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
+                % {"application": app.name},
+                PLAN_CONTEXT_CONSENT_PERMISSIONS: [],
+            },
+        )
+        plan.insert_stage(in_memory_stage(RedirectToAppStage))
+        request.session[SESSION_KEY_PLAN] = plan
+        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)
+
+
+class RedirectToAppStage(ChallengeStageView):
+    """Final stage to be inserted after the user logs in"""
+
+    def get_challenge(self, *args, **kwargs) -> RedirectChallenge:
+        app = self.executor.plan.context[PLAN_CONTEXT_APPLICATION]
+        launch = app.get_launch_url(self.get_pending_user())
+        # sanity check to ensure launch is still set
+        if not launch:
+            raise Http404
+        return RedirectChallenge(
+            instance={
+                "type": ChallengeTypes.REDIRECT.value,
+                "to": launch,
+            }
+        )
+
+    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        return HttpChallengeResponse(self.get_challenge())
--- a/authentik/crypto/tasks.py
+++ b/authentik/crypto/tasks.py
@ -61,7 +61,7 @@ def certificate_discovery(self: MonitoredTask):
        else:
            cert_name = path.name.replace(path.suffix, "")
        try:
-            with open(path, "r+", encoding="utf-8") as _file:
+            with open(path, "r", encoding="utf-8") as _file:
                body = _file.read()
                if "PRIVATE KEY" in body:
                    private_keys[cert_name] = ensure_private_key_valid(body)
--- a/authentik/events/geo.py
+++ b/authentik/events/geo.py
@ -1,7 +1,5 @@
 """events GeoIP Reader"""
-from datetime import datetime
 from os import stat
-from time import time
 from typing import Optional, TypedDict

 from geoip2.database import Reader
@ -46,14 +44,18 @@ class GeoIPReader:
            LOGGER.warning("Failed to load GeoIP database", exc=exc)

    def __check_expired(self):
-        """Check if the geoip database has been opened longer than 8 hours,
-        and re-open it, as it will probably will have been re-downloaded"""
-        now = time()
-        diff = datetime.fromtimestamp(now) - datetime.fromtimestamp(self.__last_mtime)
-        diff_hours = diff.total_seconds() // 3600
-        if diff_hours >= 8:
-            LOGGER.info("GeoIP databased loaded too long, re-opening", diff=diff)
-            self.__open()
+        """Check if the modification date of the GeoIP database has
+        changed, and reload it if so"""
+        path = CONFIG.y("geoip")
+        try:
+            mtime = stat(path).st_mtime
+            diff = self.__last_mtime < mtime
+            if diff > 0:
+                LOGGER.info("Found new GeoIP Database, reopening", diff=diff)
+                self.__open()
+        except OSError as exc:
+            LOGGER.warning("Failed to check GeoIP age", exc=exc)
+            return

    @property
    def enabled(self) -> bool:
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -13,7 +13,7 @@ from authentik.core.models import User
 from authentik.events.models import cleanse_dict
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
-from authentik.flows.models import Flow, FlowStageBinding, Stage
+from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, Stage
 from authentik.lib.config import CONFIG
 from authentik.policies.engine import PolicyEngine

@ -156,14 +156,15 @@ class FlowPlanner:
            # User is passing so far, check if we have a cached plan
            cached_plan_key = cache_key(self.flow, user)
            cached_plan = cache.get(cached_plan_key, None)
-            if cached_plan and self.use_cache:
-                self._logger.debug(
-                    "f(plan): taking plan from cache",
-                    key=cached_plan_key,
-                )
-                # Reset the context as this isn't factored into caching
-                cached_plan.context = default_context or {}
-                return cached_plan
+            if self.flow.designation not in [FlowDesignation.STAGE_CONFIGURATION]:
+                if cached_plan and self.use_cache:
+                    self._logger.debug(
+                        "f(plan): taking plan from cache",
+                        key=cached_plan_key,
+                    )
+                    # Reset the context as this isn't factored into caching
+                    cached_plan.context = default_context or {}
+                    return cached_plan
            self._logger.debug(
                "f(plan): building plan",
            )
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -5,16 +5,6 @@ postgresql:
  user: authentik
  port: 5432
  password: 'env://POSTGRES_PASSWORD'
-  backup:
-    enabled: true
-  s3_backup:
-    access_key: ""
-    secret_key: ""
-    bucket: ""
-    region: eu-central-1
-    host: ""
-    location: ""
-    insecure_skip_verify: false

 web:
  listen: 0.0.0.0:9000
@ -46,7 +36,7 @@ error_reporting:
  enabled: false
  environment: customer
  send_pii: false
-  sample_rate: 0.5
+  sample_rate: 0.3

 # Global email settings
 email:
@ -65,18 +55,15 @@ outposts:
  # %(version)s: Current version; 2021.4.1
  # %(build_hash)s: Build hash if you're running a beta version
  container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
+  discover: true

 cookie_domain: null
 disable_update_check: false
 disable_startup_analytics: false
 avatars: env://AUTHENTIK_AUTHENTIK__AVATARS?gravatar
-geoip: "./GeoLite2-City.mmdb"
+geoip: "/geoip/GeoLite2-City.mmdb"

-footer_links:
-  - name: Documentation
-    href: https://goauthentik.io/docs/?utm_source=authentik
-  - name: authentik Website
-    href: https://goauthentik.io/?utm_source=authentik
+footer_links: []

 default_user_change_name: true
 default_user_change_email: true
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -32,6 +32,7 @@ class BaseEvaluator:
        self._globals = {
            "regex_match": BaseEvaluator.expr_regex_match,
            "regex_replace": BaseEvaluator.expr_regex_replace,
+            "list_flatten": BaseEvaluator.expr_flatten,
            "ak_is_group_member": BaseEvaluator.expr_is_group_member,
            "ak_user_by": BaseEvaluator.expr_user_by,
            "ak_logger": get_logger(),
@ -40,6 +41,15 @@ class BaseEvaluator:
        self._context = {}
        self._filename = "BaseEvalautor"

+    @staticmethod
+    def expr_flatten(value: list[Any] | Any) -> Optional[Any]:
+        """Flatten `value` if its a list"""
+        if isinstance(value, list):
+            if len(value) < 1:
+                return None
+            return value[0]
+        return value
+
    @staticmethod
    def expr_regex_match(value: Any, regex: str) -> bool:
        """Expression Filter to run re.search"""
--- a/authentik/lib/merge.py
+++ b/authentik/lib/merge.py
@ -0,0 +1,6 @@
+"""merge utils"""
+from deepmerge import Merger
+
+MERGE_LIST_UNIQUE = Merger(
+    [(list, ["append_unique"]), (dict, ["merge"]), (set, ["union"])], ["override"], ["override"]
+)
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -3,8 +3,6 @@ from typing import Optional

 from aioredis.errors import ConnectionClosedError, ReplyError
 from billiard.exceptions import SoftTimeLimitExceeded, WorkerLostError
-from botocore.client import ClientError
-from botocore.exceptions import BotoCoreError
 from celery.exceptions import CeleryError
 from channels.middleware import BaseMiddleware
 from channels_redis.core import ChannelFull
@ -81,9 +79,6 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
        WorkerLostError,
        CeleryError,
        SoftTimeLimitExceeded,
-        # S3 errors
-        BotoCoreError,
-        ClientError,
        # custom baseclass
        SentryIgnoredException,
        # ldap errors
@ -101,8 +96,6 @@ def before_send(event: dict, hint: dict) -> Optional[dict]:
            return None
    if "logger" in event:
        if event["logger"] in [
-            "dbbackup",
-            "botocore",
            "kombu",
            "asyncio",
            "multiprocessing",
--- a/authentik/outposts/channels.py
+++ b/authentik/outposts/channels.py
@ -55,6 +55,10 @@ class OutpostConsumer(AuthJsonConsumer):

    first_msg = False

+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.logger = get_logger()
+
    def connect(self):
        super().connect()
        uuid = self.scope["url_route"]["kwargs"]["pk"]
@ -65,7 +69,7 @@ class OutpostConsumer(AuthJsonConsumer):
        )
        if not outpost:
            raise DenyConnection()
-        self.logger = get_logger().bind(outpost=outpost)
+        self.logger = self.logger.bind(outpost=outpost)
        try:
            self.accept()
        except RuntimeError as exc:
--- a/authentik/outposts/controllers/docker.py
+++ b/authentik/outposts/controllers/docker.py
@ -106,9 +106,12 @@ class DockerController(BaseController):
        ).lower()

    def _get_labels(self) -> dict[str, str]:
-        return {
+        labels = {
            "io.goauthentik.outpost-uuid": self.outpost.pk.hex,
        }
+        if self.outpost.config.docker_labels:
+            labels.update(self.outpost.config.docker_labels)
+        return labels

    def _get_env(self) -> dict[str, str]:
        return {
--- a/authentik/outposts/controllers/k8s/utils.py
+++ b/authentik/outposts/controllers/k8s/utils.py
@ -2,6 +2,7 @@
 from pathlib import Path

 from kubernetes.client.models.v1_container_port import V1ContainerPort
+from kubernetes.client.models.v1_service_port import V1ServicePort
 from kubernetes.config.incluster_config import SERVICE_TOKEN_FILENAME

 from authentik.outposts.controllers.k8s.triggers import NeedsRecreate
@ -16,10 +17,31 @@ def get_namespace() -> str:
    return "default"


-def compare_ports(current: list[V1ContainerPort], reference: list[V1ContainerPort]):
+def compare_port(
+    current: V1ServicePort | V1ContainerPort, reference: V1ServicePort | V1ContainerPort
+) -> bool:
+    """Compare a single port"""
+    if current.name != reference.name:
+        return False
+    if current.protocol != reference.protocol:
+        return False
+    if isinstance(current, V1ServicePort) and isinstance(reference, V1ServicePort):
+        # We only care about the target port
+        if current.target_port != reference.target_port:
+            return False
+    if isinstance(current, V1ContainerPort) and isinstance(reference, V1ContainerPort):
+        # We only care about the target port
+        if current.container_port != reference.container_port:
+            return False
+    return True
+
+
+def compare_ports(
+    current: list[V1ServicePort | V1ContainerPort], reference: list[V1ServicePort | V1ContainerPort]
+):
    """Compare ports of a list"""
    if len(current) != len(reference):
        raise NeedsRecreate()
    for port in reference:
-        if port not in current:
+        if not any(compare_port(port, current_port) for current_port in current):
            raise NeedsRecreate()
--- a/authentik/outposts/docker_ssh.py
+++ b/authentik/outposts/docker_ssh.py
@ -3,6 +3,8 @@ import os
 from pathlib import Path
 from tempfile import gettempdir

+from docker.errors import DockerException
+
 from authentik.crypto.models import CertificateKeyPair

 HEADER = "### Managed by authentik"
@ -27,6 +29,8 @@ class DockerInlineSSH:
    def __init__(self, host: str, keypair: CertificateKeyPair) -> None:
        self.host = host
        self.keypair = keypair
+        if not self.keypair:
+            raise DockerException("keypair must be set for SSH connections")
        self.config_path = Path("~/.ssh/config").expanduser()
        self.header = f"{HEADER} - {self.host}\n"

--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -60,6 +60,7 @@ class OutpostConfig:

    docker_network: Optional[str] = field(default=None)
    docker_map_ports: bool = field(default=True)
+    docker_labels: Optional[dict[str, str]] = field(default=None)

    container_image: Optional[str] = field(default=None)

--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -23,6 +23,7 @@ from authentik.events.monitored_tasks import (
    TaskResultStatus,
    prefill_task,
 )
+from authentik.lib.config import CONFIG
 from authentik.lib.utils.reflection import path_to_class
 from authentik.outposts.controllers.base import BaseController, ControllerException
 from authentik.outposts.controllers.docker import DockerClient
@ -231,6 +232,9 @@ def _outpost_single_update(outpost: Outpost, layer=None):
@CELERY_APP.task()
 def outpost_local_connection():
    """Checks the local environment and create Service connections."""
+    if not CONFIG.y_bool("outposts.discover"):
+        LOGGER.debug("outpost integration discovery is disabled")
+        return
    # Explicitly check against token filename, as that's
    # only present when the integration is enabled
    if Path(SERVICE_TOKEN_FILENAME).exists():
--- a/authentik/policies/hibp/models.py
+++ b/authentik/policies/hibp/models.py
@ -45,7 +45,7 @@ class HaveIBeenPwendPolicy(Policy):
                fields=request.context.keys(),
            )
            return PolicyResult(False, _("Password not set in context"))
-        password = request.context[self.password_field]
+        password = str(request.context[self.password_field])

        pw_hash = sha1(password.encode("utf-8")).hexdigest()  # nosec
        url = f"https://api.pwnedpasswords.com/range/{pw_hash[:5]}"
--- a/authentik/providers/oauth2/constants.py
+++ b/authentik/providers/oauth2/constants.py
@ -2,9 +2,12 @@

 GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
 GRANT_TYPE_REFRESH_TOKEN = "refresh_token"  # nosec
+GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
+
 PROMPT_NONE = "none"
 PROMPT_CONSNET = "consent"
 PROMPT_LOGIN = "login"
+
 SCOPE_OPENID = "openid"
 SCOPE_OPENID_PROFILE = "profile"
 SCOPE_OPENID_EMAIL = "email"
--- a/authentik/providers/oauth2/errors.py
+++ b/authentik/providers/oauth2/errors.py
@ -168,7 +168,7 @@ class TokenError(OAuth2Error):
    https://tools.ietf.org/html/rfc6749#section-5.2
    """

-    _errors = {
+    errors = {
        "invalid_request": "The request is otherwise malformed",
        "invalid_client": "Client authentication failed (e.g., unknown client, "
        "no client authentication included, or unsupported "
@ -188,7 +188,7 @@ class TokenError(OAuth2Error):
    def __init__(self, error):
        super().__init__()
        self.error = error
-        self.description = self._errors[error]
+        self.description = self.errors[error]


 class BearerTokenError(OAuth2Error):
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -7,7 +7,7 @@ from dataclasses import asdict, dataclass, field
 from datetime import datetime
 from hashlib import sha256
 from typing import Any, Optional
-from urllib.parse import urlparse
+from urllib.parse import urlparse, urlunparse

 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePrivateKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey
@ -45,6 +45,13 @@ class GrantTypes(models.TextChoices):
    HYBRID = "hybrid"


+class ResponseMode(models.TextChoices):
+    """https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#OAuth.Post"""
+
+    QUERY = "query"
+    FRAGMENT = "fragment"
+
+
 class SubModes(models.TextChoices):
    """Mode after which 'sub' attribute is generateed, for compatibility reasons"""

@ -259,8 +266,8 @@ class OAuth2Provider(Provider):
        if self.redirect_uris == "":
            return None
        main_url = self.redirect_uris.split("\n", maxsplit=1)[0]
-        launch_url = urlparse(main_url)
-        return main_url.replace(launch_url.path, "")
+        launch_url = urlparse(main_url)._replace(path="")
+        return urlunparse(launch_url)

    @property
    def component(self) -> str:
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -43,7 +43,7 @@ class TestAuthorize(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris="http://local.invalid/Foo",
        )
        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
@ -51,7 +51,7 @@ class TestAuthorize(OAuthTestCase):
                data={
                    "response_type": "code",
                    "client_id": "test",
-                    "redirect_uri": "http://local.invalid",
+                    "redirect_uri": "http://local.invalid/Foo",
                    "request": "foo",
                },
            )
@ -105,26 +105,30 @@ class TestAuthorize(OAuthTestCase):
            name="test",
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris="http://local.invalid",
+            redirect_uris="http://local.invalid/Foo",
        )
        request = self.factory.get(
            "/",
            data={
                "response_type": "code",
                "client_id": "test",
-                "redirect_uri": "http://local.invalid",
+                "redirect_uri": "http://local.invalid/Foo",
            },
        )
        self.assertEqual(
            OAuthAuthorizationParams.from_request(request).grant_type,
            GrantTypes.AUTHORIZATION_CODE,
        )
+        self.assertEqual(
+            OAuthAuthorizationParams.from_request(request).redirect_uri,
+            "http://local.invalid/Foo",
+        )
        request = self.factory.get(
            "/",
            data={
                "response_type": "id_token",
                "client_id": "test",
-                "redirect_uri": "http://local.invalid",
+                "redirect_uri": "http://local.invalid/Foo",
                "scope": "openid",
                "state": "foo",
            },
@ -140,7 +144,7 @@ class TestAuthorize(OAuthTestCase):
                data={
                    "response_type": "id_token",
                    "client_id": "test",
-                    "redirect_uri": "http://local.invalid",
+                    "redirect_uri": "http://local.invalid/Foo",
                    "state": "foo",
                },
            )
@ -153,7 +157,7 @@ class TestAuthorize(OAuthTestCase):
            data={
                "response_type": "code token",
                "client_id": "test",
-                "redirect_uri": "http://local.invalid",
+                "redirect_uri": "http://local.invalid/Foo",
                "scope": "openid",
                "state": "foo",
            },
@ -167,7 +171,7 @@ class TestAuthorize(OAuthTestCase):
                data={
                    "response_type": "invalid",
                    "client_id": "test",
-                    "redirect_uri": "http://local.invalid",
+                    "redirect_uri": "http://local.invalid/Foo",
                },
            )
            OAuthAuthorizationParams.from_request(request)
--- a/authentik/providers/oauth2/tests/test_token_client_credentials.py
+++ b/authentik/providers/oauth2/tests/test_token_client_credentials.py
@ -0,0 +1,174 @@
+"""Test token view"""
+from json import loads
+
+from django.test import RequestFactory
+from django.urls import reverse
+from jwt import decode
+
+from authentik.core.models import USER_ATTRIBUTE_SA, Application, Group, Token, TokenIntents
+from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
+from authentik.lib.generators import generate_id, generate_key
+from authentik.managed.manager import ObjectManager
+from authentik.policies.models import PolicyBinding
+from authentik.providers.oauth2.constants import (
+    GRANT_TYPE_CLIENT_CREDENTIALS,
+    SCOPE_OPENID,
+    SCOPE_OPENID_EMAIL,
+    SCOPE_OPENID_PROFILE,
+)
+from authentik.providers.oauth2.errors import TokenError
+from authentik.providers.oauth2.models import OAuth2Provider, ScopeMapping
+from authentik.providers.oauth2.tests.utils import OAuthTestCase
+
+
+class TestTokenClientCredentials(OAuthTestCase):
+    """Test token (client_credentials) view"""
+
+    def setUp(self) -> None:
+        super().setUp()
+        ObjectManager().run()
+        self.factory = RequestFactory()
+        self.provider = OAuth2Provider.objects.create(
+            name="test",
+            client_id=generate_id(),
+            client_secret=generate_key(),
+            authorization_flow=create_test_flow(),
+            redirect_uris="http://testserver",
+            signing_key=create_test_cert(),
+        )
+        self.provider.property_mappings.set(ScopeMapping.objects.all())
+        self.app = Application.objects.create(name="test", slug="test", provider=self.provider)
+        self.user = create_test_admin_user("sa")
+        self.user.attributes[USER_ATTRIBUTE_SA] = True
+        self.user.save()
+        self.token = Token.objects.create(
+            identifier="sa-token",
+            user=self.user,
+            intent=TokenIntents.INTENT_APP_PASSWORD,
+            expiring=False,
+        )
+
+    def test_wrong_user(self):
+        """test invalid username"""
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            {
+                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
+                "scope": SCOPE_OPENID,
+                "client_id": self.provider.client_id,
+                "username": "saa",
+                "password": self.token.key,
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content.decode(),
+            {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
+        )
+
+    def test_wrong_token(self):
+        """test invalid token"""
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            {
+                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
+                "scope": SCOPE_OPENID,
+                "client_id": self.provider.client_id,
+                "username": "sa",
+                "password": self.token.key + "foo",
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content.decode(),
+            {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
+        )
+
+    def test_non_sa(self):
+        """test non service-account"""
+        self.user.attributes[USER_ATTRIBUTE_SA] = False
+        self.user.save()
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            {
+                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
+                "scope": SCOPE_OPENID,
+                "client_id": self.provider.client_id,
+                "username": "sa",
+                "password": self.token.key,
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content.decode(),
+            {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
+        )
+
+    def test_no_provider(self):
+        """test no provider"""
+        self.app.provider = None
+        self.app.save()
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            {
+                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
+                "scope": SCOPE_OPENID,
+                "client_id": self.provider.client_id,
+                "username": "sa",
+                "password": self.token.key,
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content.decode(),
+            {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
+        )
+
+    def test_permission_denied(self):
+        """test permission denied"""
+        group = Group.objects.create(name="foo")
+        PolicyBinding.objects.create(
+            group=group,
+            target=self.app,
+            order=0,
+        )
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            {
+                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
+                "scope": SCOPE_OPENID,
+                "client_id": self.provider.client_id,
+                "username": "sa",
+                "password": self.token.key,
+            },
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertJSONEqual(
+            response.content.decode(),
+            {"error": "invalid_grant", "error_description": TokenError.errors["invalid_grant"]},
+        )
+
+    def test_successful(self):
+        """test successful"""
+        response = self.client.post(
+            reverse("authentik_providers_oauth2:token"),
+            {
+                "grant_type": GRANT_TYPE_CLIENT_CREDENTIALS,
+                "scope": f"{SCOPE_OPENID} {SCOPE_OPENID_EMAIL} {SCOPE_OPENID_PROFILE}",
+                "client_id": self.provider.client_id,
+                "username": "sa",
+                "password": self.token.key,
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+        body = loads(response.content.decode())
+        self.assertEqual(body["token_type"], "bearer")
+        _, alg = self.provider.get_jwt_key()
+        jwt = decode(
+            body["access_token"],
+            key=self.provider.signing_key.public_key,
+            algorithms=[alg],
+            audience=self.provider.client_id,
+        )
+        self.assertEqual(jwt["given_name"], self.user.name)
+        self.assertEqual(jwt["preferred_username"], self.user.username)
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -44,6 +44,7 @@ from authentik.providers.oauth2.models import (
    AuthorizationCode,
    GrantTypes,
    OAuth2Provider,
+    ResponseMode,
    ResponseTypes,
 )
 from authentik.providers.oauth2.utils import HttpResponseRedirectScheme
@ -99,7 +100,7 @@ class OAuthAuthorizationParams:
        # and POST request.
        query_dict = request.POST if request.method == "POST" else request.GET
        state = query_dict.get("state")
-        redirect_uri = query_dict.get("redirect_uri", "").lower()
+        redirect_uri = query_dict.get("redirect_uri", "")

        response_type = query_dict.get("response_type", "")
        grant_type = None
@ -153,7 +154,10 @@ class OAuthAuthorizationParams:
    def check_redirect_uri(self):
        """Redirect URI validation."""
        allowed_redirect_urls = self.provider.redirect_uris.split()
-        if not self.redirect_uri:
+        # We don't want to actually lowercase the final URL we redirect to,
+        # we only lowercase it for comparison
+        redirect_uri = self.redirect_uri.lower()
+        if not redirect_uri:
            LOGGER.warning("Missing redirect uri.")
            raise RedirectUriError("", allowed_redirect_urls)

@ -169,7 +173,7 @@ class OAuthAuthorizationParams:
                allow=self.redirect_uri,
            )
            return
-        if self.redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
+        if redirect_uri not in [x.lower() for x in allowed_redirect_urls]:
            LOGGER.warning(
                "Invalid redirect uri",
                redirect_uri=self.redirect_uri,
@ -299,13 +303,23 @@ class OAuthFulfillmentStage(StageView):
                code = self.params.create_code(self.request)
                code.save(force_insert=True)

-            if self.params.grant_type == GrantTypes.AUTHORIZATION_CODE:
+            query_dict = self.request.POST if self.request.method == "POST" else self.request.GET
+            response_mode = ResponseMode.QUERY
+            # Get response mode from url param, otherwise decide based on grant type
+            if "response_mode" in query_dict:
+                response_mode = query_dict["response_mode"]
+            elif self.params.grant_type == GrantTypes.AUTHORIZATION_CODE:
+                response_mode = ResponseMode.QUERY
+            elif self.params.grant_type in [GrantTypes.IMPLICIT, GrantTypes.HYBRID]:
+                response_mode = ResponseMode.FRAGMENT
+
+            if response_mode == ResponseMode.QUERY:
                query_params["code"] = code.code
                query_params["state"] = [str(self.params.state) if self.params.state else ""]

                uri = uri._replace(query=urlencode(query_params, doseq=True))
                return urlunsplit(uri)
-            if self.params.grant_type in [GrantTypes.IMPLICIT, GrantTypes.HYBRID]:
+            if response_mode == ResponseMode.FRAGMENT:
                query_fragment = self.create_implicit_response(code)

                uri = uri._replace(
--- a/authentik/providers/oauth2/views/provider.py
+++ b/authentik/providers/oauth2/views/provider.py
@ -10,6 +10,7 @@ from authentik.core.models import Application
 from authentik.providers.oauth2.constants import (
    ACR_AUTHENTIK_DEFAULT,
    GRANT_TYPE_AUTHORIZATION_CODE,
+    GRANT_TYPE_CLIENT_CREDENTIALS,
    GRANT_TYPE_REFRESH_TOKEN,
    SCOPE_OPENID,
 )
@ -78,6 +79,7 @@ class ProviderInfoView(View):
                GRANT_TYPE_AUTHORIZATION_CODE,
                GRANT_TYPE_REFRESH_TOKEN,
                GrantTypes.IMPLICIT,
+                GRANT_TYPE_CLIENT_CREDENTIALS,
            ],
            "id_token_signing_alg_values_supported": [supported_alg],
            # See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -8,10 +8,13 @@ from django.http import HttpRequest, HttpResponse
 from django.views import View
 from structlog.stdlib import get_logger

+from authentik.core.models import USER_ATTRIBUTE_SA, Application, Token, TokenIntents, User
 from authentik.events.models import Event, EventAction
 from authentik.lib.utils.time import timedelta_from_string
+from authentik.policies.engine import PolicyEngine
 from authentik.providers.oauth2.constants import (
    GRANT_TYPE_AUTHORIZATION_CODE,
+    GRANT_TYPE_CLIENT_CREDENTIALS,
    GRANT_TYPE_REFRESH_TOKEN,
 )
 from authentik.providers.oauth2.errors import TokenError, UserAuthError
@ -42,6 +45,7 @@ class TokenParams:

    authorization_code: Optional[AuthorizationCode] = None
    refresh_token: Optional[RefreshToken] = None
+    user: Optional[User] = None

    code_verifier: Optional[str] = None

@ -75,50 +79,23 @@ class TokenParams:
        )

    def __post_init__(self, raw_code: str, raw_token: str, request: HttpRequest):
-        if self.provider.client_type == ClientTypes.CONFIDENTIAL:
-            if self.provider.client_secret != self.client_secret:
+        if self.grant_type in [GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_REFRESH_TOKEN]:
+            if (
+                self.provider.client_type == ClientTypes.CONFIDENTIAL
+                and self.provider.client_secret != self.client_secret
+            ):
                LOGGER.warning(
-                    "Invalid client secret: client does not have secret",
+                    "Invalid client secret",
                    client_id=self.provider.client_id,
-                    secret=self.provider.client_secret,
                )
                raise TokenError("invalid_client")

        if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
            self.__post_init_code(raw_code)
        elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN:
-            if not raw_token:
-                LOGGER.warning("Missing refresh token")
-                raise TokenError("invalid_grant")
-
-            try:
-                self.refresh_token = RefreshToken.objects.get(
-                    refresh_token=raw_token, provider=self.provider
-                )
-                if self.refresh_token.is_expired:
-                    LOGGER.warning(
-                        "Refresh token is expired",
-                        token=raw_token,
-                    )
-                    raise TokenError("invalid_grant")
-                # https://tools.ietf.org/html/rfc6749#section-6
-                # Fallback to original token's scopes when none are given
-                if not self.scope:
-                    self.scope = self.refresh_token.scope
-            except RefreshToken.DoesNotExist:
-                LOGGER.warning(
-                    "Refresh token does not exist",
-                    token=raw_token,
-                )
-                raise TokenError("invalid_grant")
-            if self.refresh_token.revoked:
-                LOGGER.warning("Refresh token is revoked", token=raw_token)
-                Event.new(
-                    action=EventAction.SUSPICIOUS_REQUEST,
-                    message="Revoked refresh token was used",
-                    token=raw_token,
-                ).from_http(request)
-                raise TokenError("invalid_grant")
+            self.__post_init_refresh(raw_token, request)
+        elif self.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS:
+            self.__post_init_client_credentials(request)
        else:
            LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
            raise TokenError("unsupported_grant_type")
@ -175,6 +152,77 @@ class TokenParams:
                LOGGER.warning("Code challenge not matching")
                raise TokenError("invalid_grant")

+    def __post_init_refresh(self, raw_token: str, request: HttpRequest):
+        if not raw_token:
+            LOGGER.warning("Missing refresh token")
+            raise TokenError("invalid_grant")
+
+        try:
+            self.refresh_token = RefreshToken.objects.get(
+                refresh_token=raw_token, provider=self.provider
+            )
+            if self.refresh_token.is_expired:
+                LOGGER.warning(
+                    "Refresh token is expired",
+                    token=raw_token,
+                )
+                raise TokenError("invalid_grant")
+            # https://tools.ietf.org/html/rfc6749#section-6
+            # Fallback to original token's scopes when none are given
+            if not self.scope:
+                self.scope = self.refresh_token.scope
+        except RefreshToken.DoesNotExist:
+            LOGGER.warning(
+                "Refresh token does not exist",
+                token=raw_token,
+            )
+            raise TokenError("invalid_grant")
+        if self.refresh_token.revoked:
+            LOGGER.warning("Refresh token is revoked", token=raw_token)
+            Event.new(
+                action=EventAction.SUSPICIOUS_REQUEST,
+                message="Revoked refresh token was used",
+                token=raw_token,
+            ).from_http(request)
+            raise TokenError("invalid_grant")
+
+    def __post_init_client_credentials(self, request: HttpRequest):
+        # Authenticate user based on credentials
+        username = request.POST.get("username")
+        password = request.POST.get("password")
+        user = User.objects.filter(username=username).first()
+        if not user:
+            raise TokenError("invalid_grant")
+        token: Token = Token.filter_not_expired(
+            key=password, intent=TokenIntents.INTENT_APP_PASSWORD
+        ).first()
+        if not token or token.user.uid != user.uid:
+            raise TokenError("invalid_grant")
+        self.user = user
+        if not self.user.attributes.get(USER_ATTRIBUTE_SA, False):
+            # Non-service accounts are not allowed
+            LOGGER.info("Non-service-account tried to use client credentials", user=self.user)
+            raise TokenError("invalid_grant")
+
+        Event.new(
+            action=EventAction.LOGIN,
+            PLAN_CONTEXT_METHOD="token",
+            PLAN_CONTEXT_METHOD_ARGS={
+                "identifier": token.identifier,
+            },
+        ).from_http(request, user=user)
+
+        # Authorize user access
+        app = Application.objects.filter(provider=self.provider).first()
+        if not app or not app.provider:
+            raise TokenError("invalid_grant")
+        engine = PolicyEngine(app, self.user, request)
+        engine.build()
+        result = engine.result
+        if not result.passing:
+            LOGGER.info("User not authenticated for application", user=self.user, app=app)
+            raise TokenError("invalid_grant")
+

 class TokenView(View):
    """Generate tokens for clients"""
@ -208,11 +256,14 @@ class TokenView(View):
            self.params = TokenParams.parse(request, self.provider, client_id, client_secret)

            if self.params.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
-                LOGGER.info("Converting authorization code to refresh token")
+                LOGGER.debug("Converting authorization code to refresh token")
                return TokenResponse(self.create_code_response())
            if self.params.grant_type == GRANT_TYPE_REFRESH_TOKEN:
-                LOGGER.info("Refreshing refresh token")
+                LOGGER.debug("Refreshing refresh token")
                return TokenResponse(self.create_refresh_response())
+            if self.params.grant_type == GRANT_TYPE_CLIENT_CREDENTIALS:
+                LOGGER.debug("Client credentials grant")
+                return TokenResponse(self.create_client_credentials_response())
            raise ValueError(f"Invalid grant_type: {self.params.grant_type}")
        except TokenError as error:
            return TokenResponse(error.create_dict(), status=400)
@ -292,3 +343,30 @@ class TokenView(View):
            ),
            "id_token": self.params.provider.encode(refresh_token.id_token.to_dict()),
        }
+
+    def create_client_credentials_response(self) -> dict[str, Any]:
+        """See https://datatracker.ietf.org/doc/html/rfc6749#section-4.4"""
+        provider: OAuth2Provider = self.params.provider
+
+        refresh_token: RefreshToken = provider.create_refresh_token(
+            user=self.params.user,
+            scope=self.params.scope,
+            request=self.request,
+        )
+        refresh_token.id_token = refresh_token.create_id_token(
+            user=self.params.user,
+            request=self.request,
+        )
+        refresh_token.id_token.at_hash = refresh_token.at_hash
+
+        # Store the refresh_token.
+        refresh_token.save()
+
+        return {
+            "access_token": refresh_token.access_token,
+            "token_type": "bearer",
+            "expires_in": int(
+                timedelta_from_string(refresh_token.provider.token_validity).total_seconds()
+            ),
+            "id_token": self.params.provider.encode(refresh_token.id_token.to_dict()),
+        }
--- a/authentik/providers/proxy/apps.py
+++ b/authentik/providers/proxy/apps.py
@ -12,4 +12,8 @@ class AuthentikProviderProxyConfig(AppConfig):
    verbose_name = "authentik Providers.Proxy"

    def ready(self) -> None:
+        from authentik.providers.proxy.tasks import proxy_set_defaults
+
        import_module("authentik.providers.proxy.managed")
+
+        proxy_set_defaults.delay()
--- a/authentik/providers/proxy/controllers/docker.py
+++ b/authentik/providers/proxy/controllers/docker.py
@ -23,15 +23,17 @@ class ProxyDockerController(DockerController):
            proxy_provider: ProxyProvider
            external_host_name = urlparse(proxy_provider.external_host)
            hosts.append(f"`{external_host_name.netloc}`")
-        traefik_name = f"ak-outpost-{self.outpost.pk.hex}"
+        traefik_name = self.name
        labels = super()._get_labels()
        labels["traefik.enable"] = "true"
-        labels[f"traefik.http.routers.{traefik_name}-router.rule"] = f"Host({','.join(hosts)})"
+        labels[
+            f"traefik.http.routers.{traefik_name}-router.rule"
+        ] = f"Host({','.join(hosts)}) && PathPrefix(`/outpost.goauthentik.io`)"
        labels[f"traefik.http.routers.{traefik_name}-router.tls"] = "true"
        labels[f"traefik.http.routers.{traefik_name}-router.service"] = f"{traefik_name}-service"
        labels[
            f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.path"
-        ] = "/akprox/ping"
+        ] = "/outpost.goauthentik.io/ping"
        labels[
            f"traefik.http.services.{traefik_name}-service.loadbalancer.healthcheck.port"
        ] = "9300"
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@ -92,6 +92,8 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
            # Buffer sizes for large headers with JWTs
            "nginx.ingress.kubernetes.io/proxy-buffers-number": "4",
            "nginx.ingress.kubernetes.io/proxy-buffer-size": "16k",
+            # Enable TLS in traefik
+            "traefik.ingress.kubernetes.io/router.tls": "true",
        }
        annotations.update(self.controller.outpost.config.kubernetes_ingress_annotations)
        return annotations
@ -126,8 +128,8 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
                                        port=V1ServiceBackendPort(name="http"),
                                    ),
                                ),
-                                path="/akprox",
-                                path_type="ImplementationSpecific",
+                                path="/outpost.goauthentik.io",
+                                path_type="Prefix",
                            )
                        ]
                    ),
@ -145,7 +147,7 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
                                    ),
                                ),
                                path="/",
-                                path_type="ImplementationSpecific",
+                                path_type="Prefix",
                            )
                        ]
                    ),
--- a/authentik/providers/proxy/controllers/k8s/traefik.py
+++ b/authentik/providers/proxy/controllers/k8s/traefik.py
@ -119,7 +119,10 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
            ),
            spec=TraefikMiddlewareSpec(
                forwardAuth=TraefikMiddlewareSpecForwardAuth(
-                    address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
+                    address=(
+                        f"http://{self.name}.{self.namespace}:9000/"
+                        "outpost.goauthentik.io/auth/traefik"
+                    ),
                    authResponseHeaders=[
                        "X-authentik-username",
                        "X-authentik-groups",
--- a/authentik/providers/proxy/models.py
+++ b/authentik/providers/proxy/models.py
@ -27,7 +27,7 @@ def get_cookie_secret():


 def _get_callback_url(uri: str) -> str:
-    return urljoin(uri, "/akprox/callback")
+    return urljoin(uri, "outpost.goauthentik.io/callback")


 class ProxyMode(models.TextChoices):
--- a/authentik/providers/proxy/tasks.py
+++ b/authentik/providers/proxy/tasks.py
@ -0,0 +1,11 @@
+"""proxy provider tasks"""
+from authentik.providers.proxy.models import ProxyProvider
+from authentik.root.celery import CELERY_APP
+
+
+@CELERY_APP.task()
+def proxy_set_defaults():
+    """Ensure correct defaults are set for all providers"""
+    for provider in ProxyProvider.objects.all():
+        provider.set_oauth_defaults()
+        provider.save()
--- a/authentik/providers/saml/tests/test_auth_n_request.py
+++ b/authentik/providers/saml/tests/test_auth_n_request.py
@ -15,6 +15,7 @@ from authentik.providers.saml.processors.request_parser import AuthNRequestParse
 from authentik.sources.saml.exceptions import MismatchedRequestID
 from authentik.sources.saml.models import SAMLSource
 from authentik.sources.saml.processors.constants import (
+    SAML_BINDING_REDIRECT,
    SAML_NAME_ID_FORMAT_EMAIL,
    SAML_NAME_ID_FORMAT_UNSPECIFIED,
 )
@ -98,6 +99,9 @@ class TestAuthNRequest(TestCase):

        # First create an AuthNRequest
        request_proc = RequestProcessor(self.source, http_request, "test_state")
+        auth_n = request_proc.get_auth_n()
+        self.assertEqual(auth_n.attrib["ProtocolBinding"], SAML_BINDING_REDIRECT)
+
        request = request_proc.build_auth_n()
        # Now we check the ID and signature
        parsed_request = AuthNRequestParser(self.provider).parse(
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -1,14 +1,4 @@
-"""
-Django settings for authentik project.
-
-Generated by 'django-admin startproject' using Django 2.1.3.
-
-For more information on this file, see
-https://docs.djangoproject.com/en/2.1/topics/settings/
-
-For the full list of settings and their values, see
-https://docs.djangoproject.com/en/2.1/ref/settings/
-"""
+"""root settings for authentik"""

 import importlib
 import logging
@ -16,26 +6,23 @@ import os
 import sys
 from hashlib import sha512
 from json import dumps
-from tempfile import gettempdir
 from time import time
-from urllib.parse import quote
+from urllib.parse import quote_plus

 import structlog
 from celery.schedules import crontab
 from sentry_sdk import init as sentry_init
 from sentry_sdk.api import set_tag
-from sentry_sdk.integrations.boto3 import Boto3Integration
 from sentry_sdk.integrations.celery import CeleryIntegration
 from sentry_sdk.integrations.django import DjangoIntegration
 from sentry_sdk.integrations.redis import RedisIntegration
 from sentry_sdk.integrations.threading import ThreadingIntegration

-from authentik import ENV_GIT_HASH_KEY, __version__, get_build_hash, get_full_version
+from authentik import ENV_GIT_HASH_KEY, __version__, get_build_hash
 from authentik.core.middleware import structlog_add_request_id
 from authentik.lib.config import CONFIG
 from authentik.lib.logging import add_process_id
 from authentik.lib.sentry import before_send
-from authentik.lib.utils.http import get_http_session
 from authentik.lib.utils.reflection import get_env
 from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP

@ -149,7 +136,6 @@ INSTALLED_APPS = [
    "guardian",
    "django_prometheus",
    "channels",
-    "dbbackup",
 ]

 GUARDIAN_MONKEY_PATCH = False
@ -220,7 +206,7 @@ if CONFIG.y_bool("redis.tls", False):
    REDIS_CELERY_TLS_REQUIREMENTS = f"?ssl_cert_reqs={CONFIG.y('redis.tls_reqs')}"
 _redis_url = (
    f"{REDIS_PROTOCOL_PREFIX}:"
-    f"{quote(CONFIG.y('redis.password'))}@{quote(CONFIG.y('redis.host'))}:"
+    f"{quote_plus(CONFIG.y('redis.password'))}@{quote_plus(CONFIG.y('redis.host'))}:"
    f"{int(CONFIG.y('redis.port'))}"
 )

@ -347,6 +333,7 @@ LOCALE_PATHS = ["./locale"]
 # Celery settings
 # Add a 10 minute timeout to all Celery tasks.
 CELERY_TASK_SOFT_TIME_LIMIT = 600
+CELERY_WORKER_MAX_TASKS_PER_CHILD = 50
 CELERY_BEAT_SCHEDULE = {
    "clean_expired_models": {
        "task": "authentik.core.tasks.clean_expired_models",
@ -368,32 +355,6 @@ CELERY_RESULT_BACKEND = (
    f"{_redis_url}/{CONFIG.y('redis.message_queue_db')}{REDIS_CELERY_TLS_REQUIREMENTS}"
 )

-# Database backup
-DBBACKUP_STORAGE = "django.core.files.storage.FileSystemStorage"
-DBBACKUP_STORAGE_OPTIONS = {"location": "./backups" if DEBUG else "/backups"}
-DBBACKUP_FILENAME_TEMPLATE = f"authentik-backup-{__version__}-{{datetime}}.sql"
-DBBACKUP_CONNECTOR_MAPPING = {
-    "django_prometheus.db.backends.postgresql": "dbbackup.db.postgresql.PgDumpConnector",
-}
-DBBACKUP_TMP_DIR = gettempdir() if DEBUG else "/tmp"  # nosec
-DBBACKUP_CLEANUP_KEEP = 10
-if CONFIG.y("postgresql.s3_backup.bucket", "") != "":
-    DBBACKUP_STORAGE = "storages.backends.s3boto3.S3Boto3Storage"
-    DBBACKUP_STORAGE_OPTIONS = {
-        "access_key": CONFIG.y("postgresql.s3_backup.access_key"),
-        "secret_key": CONFIG.y("postgresql.s3_backup.secret_key"),
-        "bucket_name": CONFIG.y("postgresql.s3_backup.bucket"),
-        "region_name": CONFIG.y("postgresql.s3_backup.region", "eu-central-1"),
-        "default_acl": "private",
-        "endpoint_url": CONFIG.y("postgresql.s3_backup.host"),
-        "location": CONFIG.y("postgresql.s3_backup.location", ""),
-        "verify": not CONFIG.y_bool("postgresql.s3_backup.insecure_skip_verify", False),
-    }
-    j_print(
-        "Database backup to S3 is configured",
-        host=CONFIG.y("postgresql.s3_backup.host"),
-    )
-
 # Sentry integration
 SENTRY_DSN = "https://a579bb09306d4f8b8d8847c052d3a1d3@sentry.beryju.org/8"

@ -407,7 +368,6 @@ if _ERROR_REPORTING:
            DjangoIntegration(transaction_style="function_name"),
            CeleryIntegration(),
            RedisIntegration(),
-            Boto3Integration(),
            ThreadingIntegration(propagate_hub=True),
        ],
        before_send=before_send,
@ -424,29 +384,6 @@ if _ERROR_REPORTING:
        "Error reporting is enabled",
        env=CONFIG.y("error_reporting.environment", "customer"),
    )
-if not CONFIG.y_bool("disable_startup_analytics", False):
-    should_send = env not in ["dev", "ci"]
-    if should_send:
-        try:
-            get_http_session().post(
-                "https://goauthentik.io/api/event",
-                json={
-                    "domain": "authentik",
-                    "name": "pageview",
-                    "referrer": get_full_version(),
-                    "url": (
-                        f"http://localhost/{env}?utm_source={get_full_version()}&utm_medium={env}"
-                    ),
-                },
-                headers={
-                    "User-Agent": sha512(str(SECRET_KEY).encode("ascii")).hexdigest()[:16],
-                    "Content-Type": "application/json",
-                },
-                timeout=5,
-            )
-        # pylint: disable=bare-except
-        except:  # nosec
-            pass

 # Static files (CSS, JavaScript, Images)
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
@ -528,12 +465,9 @@ _LOGGING_HANDLER_MAP = {
    "urllib3": "WARNING",
    "websockets": "WARNING",
    "daphne": "WARNING",
-    "dbbackup": "ERROR",
    "kubernetes": "INFO",
    "asyncio": "WARNING",
    "aioredis": "WARNING",
-    "s3transfer": "WARNING",
-    "botocore": "WARNING",
 }
 for handler_name, level in _LOGGING_HANDLER_MAP.items():
    # pyright: reportGeneralTypeIssues=false
--- a/authentik/sources/ldap/managed.py
+++ b/authentik/sources/ldap/managed.py
@ -35,21 +35,21 @@ class LDAPProviderManager(ObjectManager):
                "goauthentik.io/sources/ldap/ms-userprincipalname",
                name="authentik default Active Directory Mapping: userPrincipalName",
                object_field="attributes.upn",
-                expression="return ldap.get('userPrincipalName')",
+                expression="return list_flatten(ldap.get('userPrincipalName'))",
            ),
            EnsureExists(
                LDAPPropertyMapping,
                "goauthentik.io/sources/ldap/ms-givenName",
                name="authentik default Active Directory Mapping: givenName",
                object_field="attributes.givenName",
-                expression="return ldap.get('givenName')",
+                expression="return list_flatten(ldap.get('givenName'))",
            ),
            EnsureExists(
                LDAPPropertyMapping,
                "goauthentik.io/sources/ldap/ms-sn",
                name="authentik default Active Directory Mapping: sn",
                object_field="attributes.sn",
-                expression="return ldap.get('sn')",
+                expression="return list_flatten(ldap.get('sn'))",
            ),
            # OpenLDAP specific mappings
            EnsureExists(
--- a/authentik/sources/ldap/sync/base.py
+++ b/authentik/sources/ldap/sync/base.py
@ -1,13 +1,13 @@
 """Sync LDAP Users and groups into authentik"""
 from typing import Any

-from deepmerge import always_merger
 from django.db.models.base import Model
 from django.db.models.query import QuerySet
 from structlog.stdlib import BoundLogger, get_logger

 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.events.models import Event, EventAction
+from authentik.lib.merge import MERGE_LIST_UNIQUE
 from authentik.sources.ldap.auth import LDAP_DISTINGUISHED_NAME
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource

@ -123,8 +123,8 @@ class BaseLDAPSynchronizer:
                continue
            setattr(instance, key, value)
        final_atttributes = {}
-        always_merger.merge(final_atttributes, instance.attributes)
-        always_merger.merge(final_atttributes, data.get("attributes", {}))
+        MERGE_LIST_UNIQUE.merge(final_atttributes, instance.attributes)
+        MERGE_LIST_UNIQUE.merge(final_atttributes, data.get("attributes", {}))
        instance.attributes = final_atttributes
        instance.save()
        return (instance, False)
--- a/authentik/sources/ldap/sync/groups.py
+++ b/authentik/sources/ldap/sync/groups.py
@ -37,6 +37,7 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
            uniq = self._flatten(attributes[self._source.object_uniqueness_field])
            try:
                defaults = self.build_group_properties(group_dn, **attributes)
+                defaults["parent"] = self._source.sync_parent_group
                self._logger.debug("Creating group with attributes", **defaults)
                if "name" not in defaults:
                    raise IntegrityError("Name was not set by propertymappings")
@ -47,7 +48,6 @@ class GroupLDAPSynchronizer(BaseLDAPSynchronizer):
                    Group,
                    {
                        f"attributes__{LDAP_UNIQUENESS}": uniq,
-                        "parent": self._source.sync_parent_group,
                    },
                    defaults,
                )
--- a/authentik/sources/ldap/tasks.py
+++ b/authentik/sources/ldap/tasks.py
@ -3,6 +3,7 @@ from ldap3.core.exceptions import LDAPException
 from structlog.stdlib import get_logger

 from authentik.events.monitored_tasks import MonitoredTask, TaskResult, TaskResultStatus
+from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.reflection import class_to_path, path_to_class
 from authentik.root.celery import CELERY_APP
 from authentik.sources.ldap.models import LDAPSource
@ -52,5 +53,5 @@ def ldap_sync(self: MonitoredTask, source_pk: str, sync_class: str):
        )
    except LDAPException as exc:
        # No explicit event is created here as .set_status with an error will do that
-        LOGGER.debug(exc)
+        LOGGER.warning(exception_to_string(exc))
        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
--- a/authentik/sources/ldap/tests/test_sync.py
+++ b/authentik/sources/ldap/tests/test_sync.py
@ -5,6 +5,7 @@ from django.db.models import Q
 from django.test import TestCase

 from authentik.core.models import Group, User
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_key
 from authentik.managed.manager import ObjectManager
@ -24,7 +25,7 @@ class LDAPSyncTests(TestCase):

    def setUp(self):
        ObjectManager().run()
-        self.source = LDAPSource.objects.create(
+        self.source: LDAPSource = LDAPSource.objects.create(
            name="ldap",
            slug="ldap",
            base_dn="dc=goauthentik,dc=io",
@ -120,6 +121,9 @@ class LDAPSyncTests(TestCase):
        self.source.property_mappings_group.set(
            LDAPPropertyMapping.objects.filter(managed="goauthentik.io/sources/ldap/default-name")
        )
+        _user = create_test_admin_user()
+        parent_group = Group.objects.get(name=_user.username)
+        self.source.sync_parent_group = parent_group
        connection = PropertyMock(return_value=mock_ad_connection(LDAP_PASSWORD))
        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
            self.source.save()
@ -127,8 +131,9 @@ class LDAPSyncTests(TestCase):
            group_sync.sync()
            membership_sync = MembershipLDAPSynchronizer(self.source)
            membership_sync.sync()
-            group = Group.objects.filter(name="test-group")
-            self.assertTrue(group.exists())
+            group: Group = Group.objects.filter(name="test-group").first()
+            self.assertIsNotNone(group)
+            self.assertEqual(group.parent, parent_group)

    def test_sync_groups_openldap(self):
        """Test group sync"""
--- a/authentik/sources/oauth/apps.py
+++ b/authentik/sources/oauth/apps.py
@ -17,6 +17,7 @@ AUTHENTIK_SOURCES_OAUTH_TYPES = [
    "authentik.sources.oauth.types.okta",
    "authentik.sources.oauth.types.reddit",
    "authentik.sources.oauth.types.twitter",
+    "authentik.sources.oauth.types.mailcow",
 ]


--- a/authentik/sources/oauth/clients/base.py
+++ b/authentik/sources/oauth/clients/base.py
@ -44,7 +44,7 @@ class BaseOAuthClient:
            response = self.do_request("get", profile_url, token=token)
            response.raise_for_status()
        except RequestException as exc:
-            LOGGER.warning("Unable to fetch user profile", exc=exc)
+            LOGGER.warning("Unable to fetch user profile", exc=exc, body=response.text)
            return None
        else:
            return response.json()
--- a/authentik/sources/oauth/migrations/0004_auto_20210417_1900.py
+++ b/authentik/sources/oauth/migrations/0004_auto_20210417_1900.py
@ -11,7 +11,7 @@ def update_empty_urls(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):

    for source in OAuthSource.objects.using(db_alias).all():
        changed = False
-        if source.access_token_url == "":
+        if source.access_token_url == "":  # nosec
            source.access_token_url = None
            changed = True
        if source.authorization_url == "":
@ -20,7 +20,7 @@ def update_empty_urls(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
        if source.profile_url == "":
            source.profile_url = None
            changed = True
-        if source.request_token_url == "":
+        if source.request_token_url == "":  # nosec
            source.request_token_url = None
            changed = True

--- a/authentik/sources/oauth/models.py
+++ b/authentik/sources/oauth/models.py
@ -111,6 +111,16 @@ class GitHubOAuthSource(OAuthSource):
        verbose_name_plural = _("GitHub OAuth Sources")


+class MailcowOAuthSource(OAuthSource):
+    """Social Login using Mailcow."""
+
+    class Meta:
+
+        abstract = True
+        verbose_name = _("Mailcow OAuth Source")
+        verbose_name_plural = _("Mailcow OAuth Sources")
+
+
 class TwitterOAuthSource(OAuthSource):
    """Social Login using Twitter.com"""

--- a/authentik/sources/oauth/tests/test_type_mailcow.py
+++ b/authentik/sources/oauth/tests/test_type_mailcow.py
@ -0,0 +1,38 @@
+"""Mailcow Type tests"""
+from django.test import TestCase
+
+from authentik.sources.oauth.models import OAuthSource
+from authentik.sources.oauth.types.mailcow import MailcowOAuth2Callback
+
+# https://community.mailcow.email/d/13-mailcow-oauth-json-format/2
+MAILCOW_USER = {
+    "success": True,
+    "username": "email@example.com",
+    "identifier": "email@example.com",
+    "email": "email@example.com",
+    "full_name": "Example User",
+    "displayName": "Example User",
+    "created": "2020-05-15 11:33:08",
+    "modified": "2020-05-15 12:23:31",
+    "active": 1,
+}
+
+
+class TestTypeMailcow(TestCase):
+    """OAuth Source tests"""
+
+    def setUp(self):
+        self.source = OAuthSource.objects.create(
+            name="test",
+            slug="test",
+            provider_type="mailcow",
+            authorization_url="",
+            profile_url="",
+            consumer_key="",
+        )
+
+    def test_enroll_context(self):
+        """Test mailcow Enrollment context"""
+        ak_context = MailcowOAuth2Callback().get_user_enroll_context(MAILCOW_USER)
+        self.assertEqual(ak_context["email"], MAILCOW_USER["email"])
+        self.assertEqual(ak_context["name"], MAILCOW_USER["full_name"])
--- a/authentik/sources/oauth/types/azure_ad.py
+++ b/authentik/sources/oauth/types/azure_ad.py
@ -37,7 +37,7 @@ class AzureADClient(OAuth2Client):
            )
            response.raise_for_status()
        except RequestException as exc:
-            LOGGER.warning("Unable to fetch user profile", exc=exc)
+            LOGGER.warning("Unable to fetch user profile", exc=exc, body=response.text)
            return None
        else:
            return response.json()
--- a/authentik/sources/oauth/types/mailcow.py
+++ b/authentik/sources/oauth/types/mailcow.py
@ -0,0 +1,69 @@
+"""Mailcow OAuth Views"""
+from typing import Any, Optional
+
+from requests.exceptions import RequestException
+from structlog.stdlib import get_logger
+
+from authentik.sources.oauth.clients.oauth2 import OAuth2Client
+from authentik.sources.oauth.types.manager import MANAGER, SourceType
+from authentik.sources.oauth.views.callback import OAuthCallback
+from authentik.sources.oauth.views.redirect import OAuthRedirect
+
+LOGGER = get_logger()
+
+
+class MailcowOAuthRedirect(OAuthRedirect):
+    """Mailcow OAuth2 Redirect"""
+
+    def get_additional_parameters(self, source):  # pragma: no cover
+        return {
+            "scope": ["profile"],
+        }
+
+
+class MailcowOAuth2Client(OAuth2Client):
+    """MailcowOAuth2Client, for some reason, mailcow does not like the default headers"""
+
+    def get_profile_info(self, token: dict[str, str]) -> Optional[dict[str, Any]]:
+        "Fetch user profile information."
+        profile_url = self.source.type.profile_url or ""
+        if self.source.type.urls_customizable and self.source.profile_url:
+            profile_url = self.source.profile_url
+        try:
+            response = self.session.request(
+                "get",
+                f"{profile_url}?access_token={token['access_token']}",
+            )
+            response.raise_for_status()
+        except RequestException as exc:
+            LOGGER.warning("Unable to fetch user profile", exc=exc, body=response.text)
+            return None
+        else:
+            return response.json()
+
+
+class MailcowOAuth2Callback(OAuthCallback):
+    """Mailcow OAuth2 Callback"""
+
+    client_class = MailcowOAuth2Client
+
+    def get_user_enroll_context(
+        self,
+        info: dict[str, Any],
+    ) -> dict[str, Any]:
+        return {
+            "email": info.get("email"),
+            "name": info.get("full_name"),
+        }
+
+
+@MANAGER.type()
+class MailcowType(SourceType):
+    """Mailcow Type definition"""
+
+    callback_view = MailcowOAuth2Callback
+    redirect_view = MailcowOAuthRedirect
+    name = "Mailcow"
+    slug = "mailcow"
+
+    urls_customizable = True
--- a/authentik/sources/saml/models.py
+++ b/authentik/sources/saml/models.py
@ -18,6 +18,8 @@ from authentik.sources.saml.processors.constants import (
    RSA_SHA256,
    RSA_SHA384,
    RSA_SHA512,
+    SAML_BINDING_POST,
+    SAML_BINDING_REDIRECT,
    SAML_NAME_ID_FORMAT_EMAIL,
    SAML_NAME_ID_FORMAT_PERSISTENT,
    SAML_NAME_ID_FORMAT_TRANSIENT,
@ -37,6 +39,15 @@ class SAMLBindingTypes(models.TextChoices):
    POST = "POST", _("POST Binding")
    POST_AUTO = "POST_AUTO", _("POST Binding with auto-confirmation")

+    @property
+    def uri(self) -> str:
+        """Convert database field to URI"""
+        return {
+            SAMLBindingTypes.POST: SAML_BINDING_POST,
+            SAMLBindingTypes.POST_AUTO: SAML_BINDING_POST,
+            SAMLBindingTypes.REDIRECT: SAML_BINDING_REDIRECT,
+        }[self]
+

 class SAMLNameIDPolicy(models.TextChoices):
    """SAML NameID Policies"""
--- a/authentik/sources/saml/processors/request.py
+++ b/authentik/sources/saml/processors/request.py
@ -10,7 +10,7 @@ from lxml.etree import Element  # nosec
 from authentik.providers.saml.utils import get_random_id
 from authentik.providers.saml.utils.encoding import deflate_and_base64_encode
 from authentik.providers.saml.utils.time import get_time_string
-from authentik.sources.saml.models import SAMLSource
+from authentik.sources.saml.models import SAMLBindingTypes, SAMLSource
 from authentik.sources.saml.processors.constants import (
    DIGEST_ALGORITHM_TRANSLATION_MAP,
    NS_MAP,
@ -62,7 +62,7 @@ class RequestProcessor:
        auth_n_request.attrib["Destination"] = self.source.sso_url
        auth_n_request.attrib["ID"] = self.request_id
        auth_n_request.attrib["IssueInstant"] = self.issue_instant
-        auth_n_request.attrib["ProtocolBinding"] = self.source.binding_type
+        auth_n_request.attrib["ProtocolBinding"] = SAMLBindingTypes(self.source.binding_type).uri
        auth_n_request.attrib["Version"] = "2.0"
        # Create issuer object
        auth_n_request.append(self.get_issuer())
--- a/authentik/stages/authenticator_static/api.py
+++ b/authentik/stages/authenticator_static/api.py
@ -61,7 +61,7 @@ class StaticDeviceViewSet(
 ):
    """Viewset for static authenticator devices"""

-    queryset = StaticDevice.objects.all()
+    queryset = StaticDevice.objects.filter(confirmed=True)
    serializer_class = StaticDeviceSerializer
    permission_classes = [OwnerPermissions]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
--- a/authentik/stages/authenticator_static/stage.py
+++ b/authentik/stages/authenticator_static/stage.py
@ -55,7 +55,7 @@ class AuthenticatorStaticStageView(ChallengeStageView):
        stage: AuthenticatorStaticStage = self.executor.current_stage

        if SESSION_STATIC_DEVICE not in self.request.session:
-            device = StaticDevice(user=user, confirmed=True, name="Static Token")
+            device = StaticDevice(user=user, confirmed=False, name="Static Token")
            tokens = []
            for _ in range(0, stage.token_count):
                tokens.append(StaticToken(device=device, token=StaticToken.random_token()))
@ -66,6 +66,7 @@ class AuthenticatorStaticStageView(ChallengeStageView):
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        """Verify OTP Token"""
        device: StaticDevice = self.request.session[SESSION_STATIC_DEVICE]
+        device.confirmed = True
        device.save()
        for token in self.request.session[SESSION_STATIC_TOKENS]:
            token.save()
--- a/authentik/stages/authenticator_totp/api.py
+++ b/authentik/stages/authenticator_totp/api.py
@ -54,7 +54,7 @@ class TOTPDeviceViewSet(
 ):
    """Viewset for totp authenticator devices"""

-    queryset = TOTPDevice.objects.all()
+    queryset = TOTPDevice.objects.filter(confirmed=True)
    serializer_class = TOTPDeviceSerializer
    permission_classes = [OwnerPermissions]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
--- a/authentik/stages/authenticator_totp/stage.py
+++ b/authentik/stages/authenticator_totp/stage.py
@ -42,6 +42,7 @@ class AuthenticatorTOTPChallengeResponse(ChallengeResponse):
        """Validate totp code"""
        if self.device is not None:
            if not self.device.verify_token(code):
+                self.device.confirmed = False
                raise ValidationError(_("Code does not match"))
        return code

@ -82,7 +83,7 @@ class AuthenticatorTOTPStageView(ChallengeStageView):

        if SESSION_TOTP_DEVICE not in self.request.session:
            device = TOTPDevice(
-                user=user, confirmed=True, digits=stage.digits, name="TOTP Authenticator"
+                user=user, confirmed=False, digits=stage.digits, name="TOTP Authenticator"
            )

            self.request.session[SESSION_TOTP_DEVICE] = device
@ -91,6 +92,7 @@ class AuthenticatorTOTPStageView(ChallengeStageView):
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        """TOTP Token is validated by challenge"""
        device: TOTPDevice = self.request.session[SESSION_TOTP_DEVICE]
+        device.confirmed = True
        device.save()
        del self.request.session[SESSION_TOTP_DEVICE]
        return self.executor.stage_ok()
--- a/authentik/stages/authenticator_validate/api.py
+++ b/authentik/stages/authenticator_validate/api.py
@ -13,8 +13,8 @@ class AuthenticatorValidateStageSerializer(StageSerializer):

    def validate_not_configured_action(self, value):
        """Ensure that a configuration stage is set when not_configured_action is configure"""
-        configuration_stage = self.initial_data.get("configuration_stage")
-        if value == NotConfiguredAction.CONFIGURE and configuration_stage is None:
+        configuration_stages = self.initial_data.get("configuration_stages")
+        if value == NotConfiguredAction.CONFIGURE and configuration_stages is None:
            raise ValidationError(
                (
                    'When "Not configured action" is set to "Configure", '
@ -29,7 +29,7 @@ class AuthenticatorValidateStageSerializer(StageSerializer):
        fields = StageSerializer.Meta.fields + [
            "not_configured_action",
            "device_classes",
-            "configuration_stage",
+            "configuration_stages",
        ]


@ -38,5 +38,5 @@ class AuthenticatorValidateStageViewSet(UsedByMixin, ModelViewSet):

    queryset = AuthenticatorValidateStage.objects.all()
    serializer_class = AuthenticatorValidateStageSerializer
-    filterset_fields = ["name", "not_configured_action", "configuration_stage"]
+    filterset_fields = ["name", "not_configured_action", "configuration_stages"]
    ordering = ["name"]
--- a/authentik/stages/authenticator_validate/migrations/0010_remove_authenticatorvalidatestage_configuration_stage_and_more.py
+++ b/authentik/stages/authenticator_validate/migrations/0010_remove_authenticatorvalidatestage_configuration_stage_and_more.py
@ -0,0 +1,44 @@
+# Generated by Django 4.0.1 on 2022-01-05 22:09
+
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+
+def migrate_configuration_stage(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    db_alias = schema_editor.connection.alias
+    AuthenticatorValidateStage = apps.get_model(
+        "authentik_stages_authenticator_validate", "AuthenticatorValidateStage"
+    )
+
+    for stage in AuthenticatorValidateStage.objects.using(db_alias).all():
+        if stage.configuration_stage:
+            stage.configuration_stages.set([stage.configuration_stage])
+            stage.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_flows", "0021_auto_20211227_2103"),
+        ("authentik_stages_authenticator_validate", "0009_default_stage"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="authenticatorvalidatestage",
+            name="configuration_stages",
+            field=models.ManyToManyField(
+                blank=True,
+                default=None,
+                help_text="Stages used to configure Authenticator when user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again.",
+                related_name="+",
+                to="authentik_flows.Stage",
+            ),
+        ),
+        migrations.RunPython(migrate_configuration_stage),
+        migrations.RemoveField(
+            model_name="authenticatorvalidatestage",
+            name="configuration_stage",
+        ),
+    ]
--- a/authentik/stages/authenticator_validate/models.py
+++ b/authentik/stages/authenticator_validate/models.py
@ -38,16 +38,14 @@ class AuthenticatorValidateStage(Stage):
        choices=NotConfiguredAction.choices, default=NotConfiguredAction.SKIP
    )

-    configuration_stage = models.ForeignKey(
+    configuration_stages = models.ManyToManyField(
        Stage,
-        null=True,
        blank=True,
        default=None,
-        on_delete=models.SET_DEFAULT,
        related_name="+",
        help_text=_(
            (
-                "Stage used to configure Authenticator when user doesn't have any compatible "
+                "Stages used to configure Authenticator when user doesn't have any compatible "
                "devices. After this configuration Stage passes, the user is not prompted again."
            )
        ),
--- a/authentik/stages/authenticator_validate/stage.py
+++ b/authentik/stages/authenticator_validate/stage.py
@ -1,10 +1,12 @@
 """Authenticator Validation"""
 from django.http import HttpRequest, HttpResponse
 from django_otp import devices_for_user
-from rest_framework.fields import CharField, IntegerField, JSONField, ListField
+from rest_framework.fields import CharField, IntegerField, JSONField, ListField, UUIDField
 from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger

+from authentik.core.api.utils import PassiveSerializer
+from authentik.core.models import User
 from authentik.events.models import Event, EventAction
 from authentik.events.utils import cleanse_dict, sanitize_dict
 from authentik.flows.challenge import ChallengeResponse, ChallengeTypes, WithUserInfoChallenge
@ -26,6 +28,18 @@ from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 from authentik.stages.password.stage import PLAN_CONTEXT_METHOD, PLAN_CONTEXT_METHOD_ARGS

 LOGGER = get_logger()
+SESSION_STAGES = "goauthentik.io/stages/authenticator_validate/stages"
+SESSION_SELECTED_STAGE = "goauthentik.io/stages/authenticator_validate/selected_stage"
+SESSION_DEVICE_CHALLENGES = "goauthentik.io/stages/authenticator_validate/device_challenges"
+
+
+class SelectableStageSerializer(PassiveSerializer):
+    """Serializer for stages which can be selected by users"""
+
+    pk = UUIDField()
+    name = CharField()
+    verbose_name = CharField()
+    meta_model_name = CharField()


 class AuthenticatorValidationChallenge(WithUserInfoChallenge):
@ -33,12 +47,14 @@ class AuthenticatorValidationChallenge(WithUserInfoChallenge):

    device_challenges = ListField(child=DeviceChallenge())
    component = CharField(default="ak-stage-authenticator-validate")
+    configuration_stages = ListField(child=SelectableStageSerializer())


 class AuthenticatorValidationChallengeResponse(ChallengeResponse):
    """Challenge used for Code-based and WebAuthn authenticators"""

    selected_challenge = DeviceChallenge(required=False)
+    selected_stage = CharField(required=False)

    code = CharField(required=False)
    webauthn = JSONField(required=False)
@ -46,7 +62,7 @@ class AuthenticatorValidationChallengeResponse(ChallengeResponse):
    component = CharField(default="ak-stage-authenticator-validate")

    def _challenge_allowed(self, classes: list):
-        device_challenges: list[dict] = self.stage.request.session.get("device_challenges")
+        device_challenges: list[dict] = self.stage.request.session.get(SESSION_DEVICE_CHALLENGES)
        if not any(x["device_class"] in classes for x in device_challenges):
            raise ValidationError("No compatible device class allowed")

@ -71,19 +87,32 @@ class AuthenticatorValidationChallengeResponse(ChallengeResponse):
    def validate_selected_challenge(self, challenge: dict) -> dict:
        """Check which challenge the user has selected. Actual logic only used for SMS stage."""
        # First check if the challenge is valid
-        for device_challenge in self.stage.request.session.get("device_challenges"):
-            if device_challenge.get("device_class", "") != challenge.get("device_class", ""):
-                raise ValidationError("invalid challenge selected")
-            if device_challenge.get("device_uid", "") != challenge.get("device_uid", ""):
-                raise ValidationError("invalid challenge selected")
+        allowed = False
+        for device_challenge in self.stage.request.session.get(SESSION_DEVICE_CHALLENGES):
+            if device_challenge.get("device_class", "") == challenge.get(
+                "device_class", ""
+            ) and device_challenge.get("device_uid", "") == challenge.get("device_uid", ""):
+                allowed = True
+        if not allowed:
+            raise ValidationError("invalid challenge selected")
+
        if challenge.get("device_class", "") != "sms":
            return challenge
        devices = SMSDevice.objects.filter(pk=int(challenge.get("device_uid", "0")))
        if not devices.exists():
-            raise ValidationError("device does not exist")
+            raise ValidationError("invalid challenge selected")
        select_challenge(self.stage.request, devices.first())
        return challenge

+    def validate_selected_stage(self, stage_pk: str) -> str:
+        """Check that the selected stage is valid"""
+        stages = self.stage.request.session.get(SESSION_STAGES, [])
+        if not any(str(stage.pk) == stage_pk for stage in stages):
+            raise ValidationError("Selected stage is invalid")
+        LOGGER.debug("Setting selected stage to ", stage=stage_pk)
+        self.stage.request.session[SESSION_SELECTED_STAGE] = stage_pk
+        return stage_pk
+
    def validate(self, attrs: dict):
        # Checking if the given data is from a valid device class is done above
        # Here we only check if the any data was sent at all
@ -164,7 +193,7 @@ class AuthenticatorValidateStageView(ChallengeStageView):
            else:
                LOGGER.debug("No pending user, continuing")
                return self.executor.stage_ok()
-        self.request.session["device_challenges"] = challenges
+        self.request.session[SESSION_DEVICE_CHALLENGES] = challenges

        # No allowed devices
        if len(challenges) < 1:
@ -175,32 +204,74 @@ class AuthenticatorValidateStageView(ChallengeStageView):
                LOGGER.debug("Authenticator not configured, denying")
                return self.executor.stage_invalid()
            if stage.not_configured_action == NotConfiguredAction.CONFIGURE:
-                if not stage.configuration_stage:
-                    Event.new(
-                        EventAction.CONFIGURATION_ERROR,
-                        message=(
-                            "Authenticator validation stage is set to configure user "
-                            "but no configuration flow is set."
-                        ),
-                        stage=self,
-                    ).from_http(self.request).set_user(user).save()
-                    return self.executor.stage_invalid()
-                LOGGER.debug("Authenticator not configured, sending user to configure")
-                # Because the foreign key to stage.configuration_stage points to
-                # a base stage class, we need to do another lookup
-                stage = Stage.objects.get_subclass(pk=stage.configuration_stage.pk)
-                # plan.insert inserts at 1 index, so when stage_ok pops 0,
-                # the configuration stage is next
-                self.executor.plan.insert_stage(stage)
-                return self.executor.stage_ok()
+                LOGGER.debug("Authenticator not configured, forcing configure")
+                return self.prepare_stages(user)
        return super().get(request, *args, **kwargs)

+    def prepare_stages(self, user: User, *args, **kwargs) -> HttpResponse:
+        """Check how the user can configure themselves. If no stages are set, return an error.
+        If a single stage is set, insert that stage directly. If multiple are selected, include
+        them in the challenge."""
+        stage: AuthenticatorValidateStage = self.executor.current_stage
+        if not stage.configuration_stages.exists():
+            Event.new(
+                EventAction.CONFIGURATION_ERROR,
+                message=(
+                    "Authenticator validation stage is set to configure user "
+                    "but no configuration flow is set."
+                ),
+                stage=self,
+            ).from_http(self.request).set_user(user).save()
+            return self.executor.stage_invalid()
+        if stage.configuration_stages.count() == 1:
+            next_stage = Stage.objects.get_subclass(pk=stage.configuration_stages.first().pk)
+            LOGGER.debug("Single stage configured, auto-selecting", stage=next_stage)
+            self.request.session[SESSION_SELECTED_STAGE] = next_stage
+            # Because that normal insetion only happens on post, we directly inject it here and
+            # return it
+            self.executor.plan.insert_stage(next_stage)
+            return self.executor.stage_ok()
+        stages = Stage.objects.filter(pk__in=stage.configuration_stages.all()).select_subclasses()
+        self.request.session[SESSION_STAGES] = stages
+        return super().get(self.request, *args, **kwargs)
+
+    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
+        res = super().post(request, *args, **kwargs)
+        if (
+            SESSION_SELECTED_STAGE in self.request.session
+            and self.executor.current_stage.not_configured_action == NotConfiguredAction.CONFIGURE
+        ):
+            LOGGER.debug("Got selected stage in session, running that")
+            stage_pk = self.request.session.get(SESSION_SELECTED_STAGE)
+            # Because the foreign key to stage.configuration_stage points to
+            # a base stage class, we need to do another lookup
+            stage = Stage.objects.get_subclass(pk=stage_pk)
+            # plan.insert inserts at 1 index, so when stage_ok pops 0,
+            # the configuration stage is next
+            self.executor.plan.insert_stage(stage)
+            return self.executor.stage_ok()
+        return res
+
    def get_challenge(self) -> AuthenticatorValidationChallenge:
-        challenges = self.request.session["device_challenges"]
+        challenges = self.request.session.get(SESSION_DEVICE_CHALLENGES, [])
+        stages = self.request.session.get(SESSION_STAGES, [])
+        stage_challenges = []
+        for stage in stages:
+            serializer = SelectableStageSerializer(
+                data={
+                    "pk": stage.pk,
+                    "name": stage.name,
+                    "verbose_name": str(stage._meta.verbose_name),
+                    "meta_model_name": f"{stage._meta.app_label}.{stage._meta.model_name}",
+                }
+            )
+            serializer.is_valid()
+            stage_challenges.append(serializer.data)
        return AuthenticatorValidationChallenge(
            data={
                "type": ChallengeTypes.NATIVE.value,
                "device_challenges": challenges,
+                "configuration_stages": stage_challenges,
            }
        )

--- a/authentik/stages/authenticator_validate/tests.py
+++ b/authentik/stages/authenticator_validate/tests.py
@ -1,6 +1,7 @@
 """Test validator stage"""
 from unittest.mock import MagicMock, patch

+from django.contrib.sessions.middleware import SessionMiddleware
 from django.test.client import RequestFactory
 from django.urls.base import reverse
 from django_otp.plugins.otp_totp.models import TOTPDevice
@ -9,9 +10,11 @@ from webauthn.helpers import bytes_to_base64url

 from authentik.core.tests.utils import create_test_admin_user
 from authentik.flows.models import Flow, FlowStageBinding, NotConfiguredAction
+from authentik.flows.stage import StageView
 from authentik.flows.tests import FlowTestCase
+from authentik.flows.views.executor import FlowExecutorView
 from authentik.lib.generators import generate_id, generate_key
-from authentik.lib.tests.utils import get_request
+from authentik.lib.tests.utils import dummy_get_response, get_request
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
 from authentik.stages.authenticator_validate.challenge import (
@ -21,6 +24,10 @@ from authentik.stages.authenticator_validate.challenge import (
    validate_challenge_webauthn,
 )
 from authentik.stages.authenticator_validate.models import AuthenticatorValidateStage
+from authentik.stages.authenticator_validate.stage import (
+    SESSION_DEVICE_CHALLENGES,
+    AuthenticatorValidationChallengeResponse,
+)
 from authentik.stages.authenticator_webauthn.models import WebAuthnDevice
 from authentik.stages.identification.models import IdentificationStage, UserFields

@ -43,8 +50,8 @@ class AuthenticatorValidateStageTests(FlowTestCase):
        stage = AuthenticatorValidateStage.objects.create(
            name="foo",
            not_configured_action=NotConfiguredAction.CONFIGURE,
-            configuration_stage=conf_stage,
        )
+        stage.configuration_stages.set([conf_stage])
        flow = Flow.objects.create(name="test", slug="test", title="test")
        FlowStageBinding.objects.create(target=flow, stage=conf_stage, order=0)
        FlowStageBinding.objects.create(target=flow, stage=stage, order=1)
@ -159,3 +166,39 @@ class AuthenticatorValidateStageTests(FlowTestCase):
        ):
            with self.assertRaises(ValidationError):
                validate_challenge_duo(duo_device.pk, request, self.user)
+
+    def test_validate_selected_challenge(self):
+        """Test validate_selected_challenge"""
+        # Prepare request with session
+        request = self.request_factory.get("/")
+
+        middleware = SessionMiddleware(dummy_get_response)
+        middleware.process_request(request)
+        request.session[SESSION_DEVICE_CHALLENGES] = [
+            {
+                "device_class": "static",
+                "device_uid": "1",
+            },
+            {
+                "device_class": "totp",
+                "device_uid": "2",
+            },
+        ]
+        request.session.save()
+
+        res = AuthenticatorValidationChallengeResponse()
+        res.stage = StageView(FlowExecutorView())
+        res.stage.request = request
+        with self.assertRaises(ValidationError):
+            res.validate_selected_challenge(
+                {
+                    "device_class": "baz",
+                    "device_uid": "quox",
+                }
+            )
+        res.validate_selected_challenge(
+            {
+                "device_class": "static",
+                "device_uid": "1",
+            }
+        )
--- a/authentik/stages/prompt/api.py
+++ b/authentik/stages/prompt/api.py
@ -49,6 +49,7 @@ class PromptSerializer(ModelSerializer):
            "order",
            "promptstage_set",
            "sub_text",
+            "placeholder_expression",
        ]


--- a/authentik/stages/prompt/migrations/0007_prompt_placeholder_expression.py
+++ b/authentik/stages/prompt/migrations/0007_prompt_placeholder_expression.py
@ -0,0 +1,49 @@
+# Generated by Django 4.0.2 on 2022-02-27 19:19
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_prompt", "0006_alter_prompt_type"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="prompt",
+            name="placeholder_expression",
+            field=models.BooleanField(default=False),
+        ),
+        migrations.AlterField(
+            model_name="prompt",
+            name="type",
+            field=models.CharField(
+                choices=[
+                    ("text", "Text: Simple Text input"),
+                    (
+                        "text_read_only",
+                        "Text (read-only): Simple Text input, but cannot be edited.",
+                    ),
+                    (
+                        "username",
+                        "Username: Same as Text input, but checks for and prevents duplicate usernames.",
+                    ),
+                    ("email", "Email: Text field with Email type."),
+                    (
+                        "password",
+                        "Password: Masked input, password is validated against sources. Policies still have to be applied to this Stage. If two of these are used in the same stage, they are ensured to be identical.",
+                    ),
+                    ("number", "Number"),
+                    ("checkbox", "Checkbox"),
+                    ("date", "Date"),
+                    ("date-time", "Date Time"),
+                    ("separator", "Separator: Static Separator Line"),
+                    ("hidden", "Hidden: Hidden field, can be used to insert data into form."),
+                    ("static", "Static: Static value, displayed as-is."),
+                    ("ak-locale", "authentik: Selection of locales authentik supports"),
+                ],
+                max_length=100,
+            ),
+        ),
+    ]
--- a/authentik/stages/prompt/models.py
+++ b/authentik/stages/prompt/models.py
@ -3,6 +3,7 @@ from typing import Any, Optional
 from uuid import uuid4

 from django.db import models
+from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from django.views import View
 from rest_framework.fields import (
@ -16,15 +17,23 @@ from rest_framework.fields import (
    ReadOnlyField,
 )
 from rest_framework.serializers import BaseSerializer
+from structlog.stdlib import get_logger

+from authentik.core.exceptions import PropertyMappingExpressionException
+from authentik.core.expression import PropertyMappingEvaluator
+from authentik.core.models import User
 from authentik.flows.models import Stage
 from authentik.lib.models import SerializerModel
 from authentik.policies.models import Policy

+LOGGER = get_logger()
+

 class FieldTypes(models.TextChoices):
    """Field types an Prompt can be"""

+    # update website/docs/flow/stages/prompt.index.md
+
    # Simple text field
    TEXT = "text", _("Text: Simple Text input")
    # Simple text field
@ -56,6 +65,8 @@ class FieldTypes(models.TextChoices):
    HIDDEN = "hidden", _("Hidden: Hidden field, can be used to insert data into form.")
    STATIC = "static", _("Static: Static value, displayed as-is.")

+    AK_LOCALE = "ak-locale", _("authentik: Selection of locales authentik supports")
+

 class Prompt(SerializerModel):
    """Single Prompt, part of a prompt stage."""
@ -73,12 +84,33 @@ class Prompt(SerializerModel):

    order = models.IntegerField(default=0)

+    placeholder_expression = models.BooleanField(default=False)
+
    @property
    def serializer(self) -> BaseSerializer:
        from authentik.stages.prompt.api import PromptSerializer

        return PromptSerializer

+    def get_placeholder(self, prompt_context: dict, user: User, request: HttpRequest) -> str:
+        """Get fully interpolated placeholder"""
+        if self.field_key in prompt_context:
+            # We don't want to parse this as an expression since a user will
+            # be able to control the input
+            return prompt_context[self.field_key]
+
+        if self.placeholder_expression:
+            evaluator = PropertyMappingEvaluator()
+            evaluator.set_context(user, request, self, prompt_context=prompt_context)
+            try:
+                return evaluator.evaluate(self.placeholder)
+            except Exception as exc:  # pylint:disable=broad-except
+                LOGGER.warning(
+                    "failed to evaluate prompt placeholder",
+                    exc=PropertyMappingExpressionException(str(exc)),
+                )
+        return self.placeholder
+
    def field(self, default: Optional[Any]) -> CharField:
        """Get field type for Challenge and response"""
        field_class = CharField
@ -93,10 +125,6 @@ class Prompt(SerializerModel):
            field_class = EmailField
        if self.type == FieldTypes.NUMBER:
            field_class = IntegerField
-        if self.type == FieldTypes.HIDDEN:
-            field_class = HiddenField
-            kwargs["required"] = False
-            kwargs["default"] = self.placeholder
        if self.type == FieldTypes.CHECKBOX:
            field_class = BooleanField
            kwargs["required"] = False
@ -104,13 +132,22 @@ class Prompt(SerializerModel):
            field_class = DateField
        if self.type == FieldTypes.DATE_TIME:
            field_class = DateTimeField
+
+        if self.type == FieldTypes.SEPARATOR:
+            kwargs["required"] = False
+            kwargs["label"] = ""
+        if self.type == FieldTypes.HIDDEN:
+            field_class = HiddenField
+            kwargs["required"] = False
+            kwargs["default"] = self.placeholder
        if self.type == FieldTypes.STATIC:
            kwargs["default"] = self.placeholder
            kwargs["required"] = False
            kwargs["label"] = ""
-        if self.type == FieldTypes.SEPARATOR:
-            kwargs["required"] = False
-            kwargs["label"] = ""
+
+        if self.type == FieldTypes.AK_LOCALE:
+            kwargs["allow_blank"] = True
+
        if default:
            kwargs["default"] = default
        # May not set both `required` and `default`
--- a/authentik/stages/prompt/stage.py
+++ b/authentik/stages/prompt/stage.py
@ -165,13 +165,14 @@ class PromptStageView(ChallengeStageView):
    response_class = PromptChallengeResponse

    def get_challenge(self, *args, **kwargs) -> Challenge:
-        fields = list(self.executor.current_stage.fields.all().order_by("order"))
+        fields: list[Prompt] = list(self.executor.current_stage.fields.all().order_by("order"))
        serializers = []
        context_prompt = self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {})
        for field in fields:
            data = StagePromptSerializer(field).data
-            if field.field_key in context_prompt:
-                data["placeholder"] = context_prompt.get(field.field_key)
+            data["placeholder"] = field.get_placeholder(
+                context_prompt, self.get_pending_user(), self.request
+            )
            serializers.append(data)
        challenge = PromptChallenge(
            data={
--- a/authentik/stages/prompt/tests.py
+++ b/authentik/stages/prompt/tests.py
@ -1,16 +1,17 @@
 """Prompt tests"""
 from unittest.mock import MagicMock, patch

+from django.test import RequestFactory
 from django.urls import reverse
 from rest_framework.exceptions import ErrorDetail

-from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.flows.markers import StageMarker
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.flows.planner import FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
+from authentik.lib.generators import generate_id
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT, PromptChallengeResponse
@ -21,8 +22,8 @@ class TestPromptStage(FlowTestCase):

    def setUp(self):
        super().setUp()
-        self.user = User.objects.create(username="unittest", email="test@beryju.org")
-
+        self.user = create_test_admin_user()
+        self.factory = RequestFactory()
        self.flow = Flow.objects.create(
            name="test-prompt",
            slug="test-prompt",
@ -219,3 +220,95 @@ class TestPromptStage(FlowTestCase):
        self.assertNotEqual(challenge_response.validated_data["hidden_prompt"], "foo")
        self.assertEqual(challenge_response.validated_data["hidden_prompt"], "hidden")
        self.assertNotEqual(challenge_response.validated_data["static_prompt"], "foo")
+
+    def test_prompt_placeholder(self):
+        """Test placeholder and expression"""
+        context = {
+            "foo": generate_id(),
+        }
+        prompt: Prompt = Prompt(
+            field_key="text_prompt_expression",
+            label="TEXT_LABEL",
+            type=FieldTypes.TEXT,
+            placeholder="return prompt_context['foo']",
+            placeholder_expression=True,
+        )
+        self.assertEqual(
+            prompt.get_placeholder(context, self.user, self.factory.get("/")), context["foo"]
+        )
+        context["text_prompt_expression"] = generate_id()
+        self.assertEqual(
+            prompt.get_placeholder(context, self.user, self.factory.get("/")),
+            context["text_prompt_expression"],
+        )
+        self.assertNotEqual(
+            prompt.get_placeholder(context, self.user, self.factory.get("/")), context["foo"]
+        )
+
+    def test_prompt_placeholder_error(self):
+        """Test placeholder and expression"""
+        context = {}
+        prompt: Prompt = Prompt(
+            field_key="text_prompt_expression",
+            label="TEXT_LABEL",
+            type=FieldTypes.TEXT,
+            placeholder="something invalid dunno",
+            placeholder_expression=True,
+        )
+        self.assertEqual(
+            prompt.get_placeholder(context, self.user, self.factory.get("/")),
+            "something invalid dunno",
+        )
+
+    def test_prompt_placeholder_disabled(self):
+        """Test placeholder and expression"""
+        context = {}
+        prompt: Prompt = Prompt(
+            field_key="text_prompt_expression",
+            label="TEXT_LABEL",
+            type=FieldTypes.TEXT,
+            placeholder="return prompt_context['foo']",
+            placeholder_expression=False,
+        )
+        self.assertEqual(
+            prompt.get_placeholder(context, self.user, self.factory.get("/")), prompt.placeholder
+        )
+
+    def test_field_types(self):
+        """Ensure all field types can successfully be created"""
+
+    def test_invalid_save(self):
+        """Ensure field can't be saved with invalid type"""
+        prompt: Prompt = Prompt(
+            field_key="text_prompt_expression",
+            label="TEXT_LABEL",
+            type="foo",
+            placeholder="foo",
+            placeholder_expression=False,
+            sub_text="test",
+            order=123,
+        )
+        with self.assertRaises(ValueError):
+            prompt.save()
+
+
+def field_type_tester_factory(field_type: FieldTypes):
+    """Test field for field_type"""
+
+    def tester(self: TestPromptStage):
+        prompt: Prompt = Prompt(
+            field_key="text_prompt_expression",
+            label="TEXT_LABEL",
+            type=field_type,
+            placeholder="foo",
+            placeholder_expression=False,
+            sub_text="test",
+            order=123,
+        )
+        self.assertIsNotNone(prompt.field("foo"))
+
+    return tester
+
+
+for _type in FieldTypes:
+    setattr(TestPromptStage, f"test_field_type_{_type}", field_type_tester_factory(_type))
--- a/authentik/stages/user_write/stage.py
+++ b/authentik/stages/user_write/stage.py
@ -25,15 +25,16 @@ LOGGER = get_logger()
 class UserWriteStageView(StageView):
    """Finalise Enrollment flow by creating a user object."""

-    def write_attribute(self, user: User, key: str, value: Any):
+    @staticmethod
+    def write_attribute(user: User, key: str, value: Any):
        """Allow use of attributes.foo.bar when writing to a user, with full
        recursion"""
        parts = key.replace("_", ".").split(".")
        if len(parts) < 1:  # pragma: no cover
            return
-        # Function will always be called with a key like attribute.
+        # Function will always be called with a key like attributes.
        # this is just a sanity check to ensure that is removed
-        if parts[0] == "attribute":
+        if parts[0] == "attributes":
            parts = parts[1:]
        attrs = user.attributes
        for comp in parts[:-1]:
@ -84,16 +85,20 @@ class UserWriteStageView(StageView):
                setter = getattr(user, setter_name)
                if callable(setter):
                    setter(value)
+            # For exact attributes match, update the dictionary in place
+            elif key == "attributes":
+                user.attributes.update(value)
            # User has this key already
-            elif hasattr(user, key):
+            elif hasattr(user, key) and not key.startswith("attributes."):
                setattr(user, key, value)
            # Otherwise we just save it as custom attribute, but only if the value is prefixed with
            # `attribute_`, to prevent accidentally saving values
            else:
-                if not key.startswith("attribute.") and not key.startswith("attribute_"):
+                if not key.startswith("attributes.") and not key.startswith("attributes_"):
                    LOGGER.debug("discarding key", key=key)
                    continue
-                self.write_attribute(user, key, value)
+                UserWriteStageView.write_attribute(user, key, value)
+        print(user.attributes)
        # Extra check to prevent flows from saving a user with a blank username
        if user.username == "":
            LOGGER.warning("Aborting write to empty username", user=user)
--- a/authentik/stages/user_write/tests.py
+++ b/authentik/stages/user_write/tests.py
@ -16,6 +16,7 @@ from authentik.flows.tests.test_executor import TO_STAGE_RESPONSE_MOCK
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.models import UserWriteStage
+from authentik.stages.user_write.stage import UserWriteStageView


 class TestUserWriteStage(FlowTestCase):
@ -77,7 +78,7 @@ class TestUserWriteStage(FlowTestCase):
        plan.context[PLAN_CONTEXT_PROMPT] = {
            "username": "test-user-new",
            "password": new_password,
-            "attribute.some.custom-attribute": "test",
+            "attributes.some.custom-attribute": "test",
            "some_ignored_attribute": "bar",
        }
        session = self.client.session
@ -172,3 +173,43 @@ class TestUserWriteStage(FlowTestCase):
            self.flow,
            component="ak-stage-access-denied",
        )
+
+    def test_write_attribute(self):
+        """Test write_attribute"""
+        user = create_test_admin_user()
+        user.attributes = {
+            "foo": "bar",
+            "baz": {
+                "qwer": [
+                    "quox",
+                ]
+            },
+        }
+        user.save()
+        UserWriteStageView.write_attribute(user, "attributes.foo", "baz")
+        self.assertEqual(
+            user.attributes,
+            {
+                "foo": "baz",
+                "baz": {
+                    "qwer": [
+                        "quox",
+                    ]
+                },
+            },
+        )
+        UserWriteStageView.write_attribute(user, "attributes.foob.bar", "baz")
+        self.assertEqual(
+            user.attributes,
+            {
+                "foo": "baz",
+                "foob": {
+                    "bar": "baz",
+                },
+                "baz": {
+                    "qwer": [
+                        "quox",
+                    ]
+                },
+            },
+        )
--- a/authentik/tenants/api.py
+++ b/authentik/tenants/api.py
@ -50,6 +50,7 @@ class TenantSerializer(ModelSerializer):
            "flow_invalidation",
            "flow_recovery",
            "flow_unenrollment",
+            "flow_user_settings",
            "event_retention",
            "web_certificate",
        ]
@ -72,6 +73,7 @@ class CurrentTenantSerializer(PassiveSerializer):
    flow_invalidation = CharField(source="flow_invalidation.slug", required=False)
    flow_recovery = CharField(source="flow_recovery.slug", required=False)
    flow_unenrollment = CharField(source="flow_unenrollment.slug", required=False)
+    flow_user_settings = CharField(source="flow_user_settings.slug", required=False)


 class TenantViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/tenants/migrations/0002_tenant_flow_user_settings.py
+++ b/authentik/tenants/migrations/0002_tenant_flow_user_settings.py
@ -0,0 +1,181 @@
+# Generated by Django 4.0.2 on 2022-02-26 21:14
+
+import django.db.models.deletion
+from django.apps.registry import Apps
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+
+from authentik.flows.models import FlowDesignation
+from authentik.stages.identification.models import UserFields
+from authentik.stages.password import BACKEND_APP_PASSWORD, BACKEND_INBUILT, BACKEND_LDAP
+
+AUTHORIZATION_POLICY = """from authentik.lib.config import CONFIG
+from authentik.core.models import (
+    USER_ATTRIBUTE_CHANGE_EMAIL,
+    USER_ATTRIBUTE_CHANGE_NAME,
+    USER_ATTRIBUTE_CHANGE_USERNAME
+)
+prompt_data = request.context.get("prompt_data")
+
+if not request.user.group_attributes().get(
+    USER_ATTRIBUTE_CHANGE_EMAIL, CONFIG.y_bool("default_user_change_email", True)
+):
+    if prompt_data.get("email") != request.user.email:
+        ak_message("Not allowed to change email address.")
+        return False
+
+if not request.user.group_attributes().get(
+    USER_ATTRIBUTE_CHANGE_NAME, CONFIG.y_bool("default_user_change_name", True)
+):
+    if prompt_data.get("name") != request.user.name:
+        ak_message("Not allowed to change name.")
+        return False
+
+if not request.user.group_attributes().get(
+    USER_ATTRIBUTE_CHANGE_USERNAME, CONFIG.y_bool("default_user_change_username", True)
+):
+    if prompt_data.get("username") != request.user.username:
+        ak_message("Not allowed to change username.")
+        return False
+
+return True
+"""
+
+
+def create_default_user_settings_flow(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
+    from authentik.stages.prompt.models import FieldTypes
+
+    db_alias = schema_editor.connection.alias
+
+    Tenant = apps.get_model("authentik_tenants", "Tenant")
+
+    Flow = apps.get_model("authentik_flows", "Flow")
+    FlowStageBinding = apps.get_model("authentik_flows", "FlowStageBinding")
+
+    ExpressionPolicy = apps.get_model("authentik_policies_expression", "ExpressionPolicy")
+
+    UserWriteStage = apps.get_model("authentik_stages_user_write", "UserWriteStage")
+    PromptStage = apps.get_model("authentik_stages_prompt", "PromptStage")
+    Prompt = apps.get_model("authentik_stages_prompt", "Prompt")
+
+    prompt_username, _ = Prompt.objects.using(db_alias).update_or_create(
+        field_key="username",
+        order=200,
+        defaults={
+            "label": "Username",
+            "type": FieldTypes.TEXT,
+            "placeholder": """try:
+    return user.username
+except:
+    return ''""",
+            "placeholder_expression": True,
+        },
+    )
+    prompt_name, _ = Prompt.objects.using(db_alias).update_or_create(
+        field_key="name",
+        order=201,
+        defaults={
+            "label": "Name",
+            "type": FieldTypes.TEXT,
+            "placeholder": """try:
+    return user.name
+except:
+    return ''""",
+            "placeholder_expression": True,
+        },
+    )
+    prompt_email, _ = Prompt.objects.using(db_alias).update_or_create(
+        field_key="email",
+        order=202,
+        defaults={
+            "label": "Email",
+            "type": FieldTypes.EMAIL,
+            "placeholder": """try:
+    return user.email
+except:
+    return ''""",
+            "placeholder_expression": True,
+        },
+    )
+    prompt_locale, _ = Prompt.objects.using(db_alias).update_or_create(
+        field_key="attributes.settings.locale",
+        order=203,
+        defaults={
+            "label": "Locale",
+            "type": FieldTypes.AK_LOCALE,
+            "placeholder": """try:
+    return user.attributes.get("settings", {}).get("locale", "")
+except:
+    return ''""",
+            "placeholder_expression": True,
+            "required": True,
+        },
+    )
+
+    validation_policy, _ = ExpressionPolicy.objects.using(db_alias).update_or_create(
+        name="default-user-settings-authorization",
+        defaults={
+            "expression": AUTHORIZATION_POLICY,
+        },
+    )
+    prompt_stage, _ = PromptStage.objects.using(db_alias).update_or_create(
+        name="default-user-settings",
+    )
+    prompt_stage.validation_policies.set([validation_policy])
+    prompt_stage.fields.set([prompt_username, prompt_name, prompt_email, prompt_locale])
+    prompt_stage.save()
+    user_write, _ = UserWriteStage.objects.using(db_alias).update_or_create(
+        name="default-user-settings-write"
+    )
+
+    flow, _ = Flow.objects.using(db_alias).update_or_create(
+        slug="default-user-settings-flow",
+        designation=FlowDesignation.STAGE_CONFIGURATION,
+        defaults={
+            "name": "Update your info",
+        },
+    )
+    FlowStageBinding.objects.using(db_alias).update_or_create(
+        target=flow,
+        stage=prompt_stage,
+        defaults={
+            "order": 20,
+        },
+    )
+    FlowStageBinding.objects.using(db_alias).update_or_create(
+        target=flow,
+        stage=user_write,
+        defaults={
+            "order": 100,
+        },
+    )
+
+    tenant = Tenant.objects.using(db_alias).filter(default=True).first()
+    if not tenant:
+        return
+    tenant.flow_user_settings = flow
+    tenant.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_policies_expression", "__latest__"),
+        ("authentik_stages_prompt", "0007_prompt_placeholder_expression"),
+        ("authentik_flows", "0021_auto_20211227_2103"),
+        ("authentik_tenants", "0001_squashed_0005_tenant_web_certificate"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="tenant",
+            name="flow_user_settings",
+            field=models.ForeignKey(
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                related_name="tenant_user_settings",
+                to="authentik_flows.flow",
+            ),
+        ),
+        migrations.RunPython(create_default_user_settings_flow),
+    ]
--- a/authentik/tenants/models.py
+++ b/authentik/tenants/models.py
@ -40,6 +40,9 @@ class Tenant(models.Model):
    flow_unenrollment = models.ForeignKey(
        Flow, null=True, on_delete=models.SET_NULL, related_name="tenant_unenrollment"
    )
+    flow_user_settings = models.ForeignKey(
+        Flow, null=True, on_delete=models.SET_NULL, related_name="tenant_user_settings"
+    )

    event_retention = models.TextField(
        default="days=365",
--- a/cmd/ldap/server.go
+++ b/cmd/ldap/server.go
@ -8,6 +8,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	"goauthentik.io/internal/common"
+	"goauthentik.io/internal/debug"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/ldap"
 )
@ -27,6 +28,7 @@ func main() {
 			log.FieldKeyTime: "timestamp",
 		},
 	})
+	go debug.EnableDebugServer()
 	akURL, found := os.LookupEnv("AUTHENTIK_HOST")
 	if !found {
 		fmt.Println("env AUTHENTIK_HOST not set!")
--- a/cmd/proxy/server.go
+++ b/cmd/proxy/server.go
@ -9,6 +9,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	"goauthentik.io/internal/common"
+	"goauthentik.io/internal/debug"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/proxyv2"
 )
@ -32,6 +33,7 @@ func main() {
 			log.FieldKeyTime: "timestamp",
 		},
 	})
+	go debug.EnableDebugServer()
 	akURL, found := os.LookupEnv("AUTHENTIK_HOST")
 	if !found {
 		fmt.Println("env AUTHENTIK_HOST not set!")
--- a/Show More
+++ b/Show More