stages/consent: fix error when requests with identical empty permissions

closes #3280 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
root: use updated schema
2022-08-01 20:58:25 +02:00 · 2022-08-01 10:11:06 +02:00 · 2022-08-01 09:59:57 +02:00 · 2022-07-31 23:54:29 +02:00 · 2022-07-31 23:53:06 +02:00 · 2022-07-20 09:37:43 +02:00
699 changed files with 22917 additions and 10555 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,30 +1,18 @@
 [bumpversion]
-current_version = 2022.5.2
+current_version = 2022.7.3
 tag = True
 commit = True
-parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-?(?P<release>.*)
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
-serialize = 
+serialize = {major}.{minor}.{patch}
 	{major}.{minor}.{patch}-{release}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}
 [bumpversion:part:release]
 optional_value = stable
 first_value = beta
 values = 
 	alpha
 	beta
 	stable
 [bumpversion:file:pyproject.toml]
 [bumpversion:file:docker-compose.yml]
 [bumpversion:file:schema.yml]
 [bumpversion:file:.github/workflows/release-publish.yml]
 [bumpversion:file:authentik/__init__.py]
 [bumpversion:file:internal/constants/constants.go]
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@ -17,6 +17,12 @@ outputs:
  sha:
    description: "sha"
    value: ${{ steps.ev.outputs.sha }}
  version:
    description: "version"
    value: ${{ steps.ev.outputs.version }}
  versionFamily:
    description: "versionFamily"
    value: ${{ steps.ev.outputs.versionFamily }}
 runs:
  using: "composite"
@ -47,3 +53,11 @@ runs:
        print("##[set-output name=timestamp]%s" % int(time()))
        print("##[set-output name=sha]%s" % os.environ[sha])
        print("##[set-output name=shouldBuild]%s" % should_build)
        import configparser
        parser = configparser.ConfigParser()
        parser.read(".bumpversion.cfg")
        version = parser.get("bumpversion", "current_version")
        version_family = ".".join(version.split(".")[:-1])
        print("##[set-output name=version]%s" % version)
        print("##[set-output name=versionFamily]%s" % version_family)
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,50 +1,62 @@
 version: 2
 updates:
- package-ecosystem: "github-actions"
+    - package-ecosystem: "github-actions"
-  directory: "/"
+      directory: "/"
-  schedule:
+      schedule:
-    interval: daily
+          interval: daily
-    time: "04:00"
+          time: "04:00"
-  open-pull-requests-limit: 10
+      open-pull-requests-limit: 10
-  assignees:
+      reviewers:
-  - BeryJu
+          - "@goauthentik/core"
- package-ecosystem: gomod
+      commit-message:
-  directory: "/"
+          prefix: "ci:"
-  schedule:
+    - package-ecosystem: gomod
-    interval: daily
+      directory: "/"
-    time: "04:00"
+      schedule:
-  open-pull-requests-limit: 10
+          interval: daily
-  assignees:
+          time: "04:00"
-  - BeryJu
+      open-pull-requests-limit: 10
- package-ecosystem: npm
+      reviewers:
-  directory: "/web"
+          - "@goauthentik/core"
-  schedule:
+      commit-message:
-    interval: daily
+          prefix: "core:"
-    time: "04:00"
+    - package-ecosystem: npm
-  open-pull-requests-limit: 10
+      directory: "/web"
-  assignees:
+      schedule:
-  - BeryJu
+          interval: daily
- package-ecosystem: npm
+          time: "04:00"
-  directory: "/website"
+      open-pull-requests-limit: 10
-  schedule:
+      reviewers:
-    interval: daily
+          - "@goauthentik/core"
-    time: "04:00"
+      commit-message:
-  open-pull-requests-limit: 10
+          prefix: "web:"
-  assignees:
+    - package-ecosystem: npm
-  - BeryJu
+      directory: "/website"
- package-ecosystem: pip
+      schedule:
-  directory: "/"
+          interval: daily
-  schedule:
+          time: "04:00"
-    interval: daily
+      open-pull-requests-limit: 10
-    time: "04:00"
+      reviewers:
-  open-pull-requests-limit: 10
+          - "@goauthentik/core"
-  assignees:
+      commit-message:
-  - BeryJu
+          prefix: "website:"
- package-ecosystem: docker
+    - package-ecosystem: pip
-  directory: "/"
+      directory: "/"
-  schedule:
+      schedule:
-    interval: daily
+          interval: daily
-    time: "04:00"
+          time: "04:00"
-  open-pull-requests-limit: 10
+      open-pull-requests-limit: 10
-  assignees:
+      reviewers:
-  - BeryJu
+          - "@goauthentik/core"
      commit-message:
          prefix: "core:"
    - package-ecosystem: docker
      directory: "/"
      schedule:
          interval: daily
          time: "04:00"
      open-pull-requests-limit: 10
      reviewers:
          - "@goauthentik/core"
      commit-message:
          prefix: "core:"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,7 +1,7 @@
 <!--
 👋 Hello there! Welcome.
-Please check the [Contributing guidelines](https://github.com/goauthentik/authentik/blob/master/CONTRIBUTING.md#how-can-i-contribute).
+Please check the [Contributing guidelines](https://github.com/goauthentik/authentik/blob/main/CONTRIBUTING.md#how-can-i-contribute).
 -->
 # Details
--- a/.github/stale.yml
+++ b/.github/stale.yml
@ -10,6 +10,7 @@ exemptLabels:
  - enhancement
  - bug/confirmed
  - enhancement/confirmed
  - question
 # Comment to post when marking an issue as stale. Set to `false` to disable
 markComment: >
  This issue has been automatically marked as stale because it has not had
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -3,14 +3,14 @@ name: authentik-ci-main
 on:
  push:
    branches:
-      - master
+      - main
      - next
      - version-*
    paths-ignore:
      - website
  pull_request:
    branches:
-      - master
+      - main
 env:
  POSTGRES_DB: authentik
@ -106,7 +106,7 @@ jobs:
        with:
          domain: ${{github.repository_owner}}
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@v1.2.0
+        uses: helm/kind-action@v1.3.0
      - name: run integration
        run: |
          poetry run make test-integration
@ -133,12 +133,13 @@ jobs:
        uses: actions/cache@v3
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
        run: |
          npm ci
          make -C .. gen-client-web
          npm run build
      - name: run e2e
        run: |
@ -166,12 +167,13 @@ jobs:
        uses: actions/cache@v3
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/**') }}
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**') }}
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web/
        run: |
          npm ci
          make -C .. gen-client-web
          npm run build
      - name: run e2e
        run: |
@ -211,10 +213,10 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
        uses: ./.github/actions/docker-setup
      - name: Login to Container Registry
        uses: docker/login-action@v2
        if: ${{ steps.ev.outputs.shouldBuild == 'true' }}
@ -231,4 +233,5 @@ jobs:
            ghcr.io/goauthentik/dev-server:gh-${{ steps.ev.outputs.branchNameContainer }}-${{ steps.ev.outputs.timestamp }}-${{ steps.ev.outputs.sha }}
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
          platforms: ${{ matrix.arch }}
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -3,12 +3,12 @@ name: authentik-ci-outpost
 on:
  push:
    branches:
-      - master
+      - main
      - next
      - version-*
  pull_request:
    branches:
-      - master
+      - main
 jobs:
  lint-golint:
@ -67,8 +67,8 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
        uses: ./.github/actions/docker-setup
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      - name: Login to Container Registry
@ -91,6 +91,7 @@ jobs:
          file: ${{ matrix.type }}.Dockerfile
          build-args: |
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
            VERSION_FAMILY=${{ steps.ev.outputs.versionFamily }}
          platforms: ${{ matrix.arch }}
  build-outpost-binary:
    timeout-minutes: 120
@ -110,7 +111,7 @@ jobs:
      - uses: actions/setup-go@v3
        with:
          go-version: "^1.17"
-      - uses: actions/setup-node@v3.2.0
+      - uses: actions/setup-node@v3.4.1
        with:
          node-version: '16'
          cache: 'npm'
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@ -3,19 +3,19 @@ name: authentik-ci-web
 on:
  push:
    branches:
-      - master
+      - main
      - next
      - version-*
  pull_request:
    branches:
-      - master
+      - main
 jobs:
  lint-eslint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.2.0
+      - uses: actions/setup-node@v3.4.1
        with:
          node-version: '16'
          cache: 'npm'
@ -31,7 +31,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.2.0
+      - uses: actions/setup-node@v3.4.1
        with:
          node-version: '16'
          cache: 'npm'
@ -47,13 +47,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.2.0
+      - uses: actions/setup-node@v3.4.1
        with:
          node-version: '16'
          cache: 'npm'
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
-        run: npm ci
+        run: |
          npm ci
          # lit-analyse doesn't understand path rewrites, so make it
          # belive it's an actual module
          cd node_modules/@goauthentik
          ln -s ../../src/ web
      - name: Generate API
        run: make gen-client-web
      - name: lit-analyse
@ -73,7 +78,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.2.0
+      - uses: actions/setup-node@v3.4.1
        with:
          node-version: '16'
          cache: 'npm'
--- a/.github/workflows/ci-website.yml
+++ b/.github/workflows/ci-website.yml
@ -3,19 +3,19 @@ name: authentik-ci-website
 on:
  push:
    branches:
-      - master
+      - main
      - next
      - version-*
  pull_request:
    branches:
-      - master
+      - main
 jobs:
  lint-prettier:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.2.0
+      - uses: actions/setup-node@v3.4.1
        with:
          node-version: '16'
          cache: 'npm'
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -2,10 +2,10 @@ name: "CodeQL"
 on:
  push:
-    branches: [ master, '*', next, version* ]
+    branches: [ main, '*', next, version* ]
  pull_request:
    # The branches below must be a subset of the branches above
-    branches: [ master ]
+    branches: [ main ]
  schedule:
    - cron: '30 6 * * 5'
--- a/.github/workflows/ghcr-retention.yml
+++ b/.github/workflows/ghcr-retention.yml
@ -19,4 +19,4 @@ jobs:
          org-name: goauthentik
          untagged-only: false
          token: ${{ secrets.GHCR_CLEANUP_TOKEN }}
-          skip-tags: gh-next,gh-master
+          skip-tags: gh-next,gh-main
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -5,7 +5,6 @@ on:
    types: [published, created]
 jobs:
  # Build
  build-server:
    runs-on: ubuntu-latest
    steps:
@ -14,6 +13,9 @@ jobs:
        uses: docker/setup-qemu-action@v2.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
      - name: Docker Login Registry
        uses: docker/login-action@v2
        with:
@ -30,9 +32,11 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik:2022.5.2,
+            beryju/authentik:${{ steps.ev.outputs.version }},
            beryju/authentik:${{ steps.ev.outputs.versionFamily }},
            beryju/authentik:latest,
-            ghcr.io/goauthentik/server:2022.5.2,
+            ghcr.io/goauthentik/server:${{ steps.ev.outputs.version }},
            ghcr.io/goauthentik/server:${{ steps.ev.outputs.versionFamily }},
            ghcr.io/goauthentik/server:latest
          platforms: linux/amd64,linux/arm64
          context: .
@ -53,6 +57,9 @@ jobs:
        uses: docker/setup-qemu-action@v2.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
      - name: Docker Login Registry
        uses: docker/login-action@v2
        with:
@ -69,9 +76,11 @@ jobs:
        with:
          push: ${{ github.event_name == 'release' }}
          tags: |
-            beryju/authentik-${{ matrix.type }}:2022.5.2,
+            beryju/authentik-${{ matrix.type }}:${{ steps.ev.outputs.version }},
            beryju/authentik-${{ matrix.type }}:${{ steps.ev.outputs.versionFamily }},
            beryju/authentik-${{ matrix.type }}:latest,
-            ghcr.io/goauthentik/${{ matrix.type }}:2022.5.2,
+            ghcr.io/goauthentik/${{ matrix.type }}:${{ steps.ev.outputs.version }},
            ghcr.io/goauthentik/${{ matrix.type }}:${{ steps.ev.outputs.versionFamily }},
            ghcr.io/goauthentik/${{ matrix.type }}:latest
          file: ${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
@ -91,7 +100,7 @@ jobs:
      - uses: actions/setup-go@v3
        with:
          go-version: "^1.17"
-      - uses: actions/setup-node@v3.2.0
+      - uses: actions/setup-node@v3.4.1
        with:
          node-version: '16'
          cache: 'npm'
@ -138,6 +147,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
      - name: Get static files from docker image
        run: |
          docker pull ghcr.io/goauthentik/server:latest
@ -152,7 +164,7 @@ jobs:
          SENTRY_PROJECT: authentik
          SENTRY_URL: https://sentry.beryju.org
        with:
-          version: authentik@2022.5.2
+          version: authentik@${{ steps.ev.outputs.version }}
          environment: beryjuorg-prod
          sourcemaps: './web/dist'
          url_prefix: '~/static/dist'
--- a/.github/workflows/translation-compile.yml
+++ b/.github/workflows/translation-compile.yml
@ -1,7 +1,7 @@
 name: authentik-backend-translate-compile
 on:
  push:
-    branches: [ master ]
+    branches: [ main ]
    paths:
      - '/locale/'
  pull_request:
--- a/.github/workflows/web-api-publish.yml
+++ b/.github/workflows/web-api-publish.yml
@ -1,7 +1,7 @@
 name: authentik-web-api-publish
 on:
  push:
-    branches: [ master ]
+    branches: [ main ]
    paths:
      - 'schema.yml'
  workflow_dispatch:
@ -11,7 +11,7 @@ jobs:
    steps:
      - uses: actions/checkout@v3
      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@v3.2.0
+      - uses: actions/setup-node@v3.4.1
        with:
          node-version: '16'
          registry-url: 'https://registry.npmjs.org'
--- a/.gitignore
+++ b/.gitignore
@ -193,7 +193,6 @@ pip-selfcheck.json
 # End of https://www.gitignore.io/api/python,django
 /static/
 local.env.yml
 .vscode/
 # Selenium Screenshots
 selenium_screenshots/
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,5 +1,6 @@
 {
    "cSpell.words": [
        "akadmin",
        "asgi",
        "authentik",
        "authn",
@ -21,5 +22,9 @@
    "python.formatting.provider": "black",
    "files.associations": {
        "*.akflow": "json"
-    }
+    },
    "typescript.preferences.importModuleSpecifier": "non-relative",
    "typescript.preferences.importModuleSpecifierEnding": "index",
    "typescript.tsdk": "./web/node_modules/typescript/lib",
    "typescript.enablePromptUseWorkspaceTsdk": true
 }
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@ -0,0 +1,86 @@
 {
    "version": "2.0.0",
    "tasks": [
        {
            "label": "authentik[core]: format & test",
            "command": "poetry",
            "args": [
                "run",
                "make"
            ],
            "group": "build",
        },
        {
            "label": "authentik[core]: run",
            "command": "poetry",
            "args": [
                "run",
                "make",
                "run",
            ],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
                "group": "running"
            },
        },
        {
            "label": "authentik[web]: format",
            "command": "make",
            "args": ["web"],
            "group": "build",
        },
        {
            "label": "authentik[web]: watch",
            "command": "make",
            "args": ["web-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
                "group": "running"
            },
        },
        {
            "label": "authentik: install",
            "command": "make",
            "args": ["install"],
            "group": "build",
        },
        {
            "label": "authentik: i18n-extract",
            "command": "poetry",
            "args": [
                "run",
                "make",
                "i18n-extract"
            ],
            "group": "build",
        },
        {
            "label": "authentik[website]: format",
            "command": "make",
            "args": ["website"],
            "group": "build",
        },
        {
            "label": "authentik[website]: watch",
            "command": "make",
            "args": ["website-watch"],
            "group": "build",
            "presentation": {
                "panel": "dedicated",
                "group": "running"
            },
        },
        {
            "label": "authentik[api]: generate",
            "command": "poetry",
            "args": [
                "run",
                "make",
                "gen"
            ],
            "group": "build"
        },
    ]
 }
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -60,7 +60,7 @@ representative at an online or offline event.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the community leaders responsible for enforcement at
-hello@beryju.org.
+hello@goauthentik.io.
 All complaints will be reviewed and investigated promptly and fairly.
 All community leaders are obligated to respect the privacy and security of the
--- a/6
+++ b/6
@ -18,7 +18,7 @@ WORKDIR /work/web
 RUN npm ci && npm run build
 # Stage 3: Poetry to requirements.txt export
-FROM docker.io/python:3.10.4-slim-bullseye AS poetry-locker
+FROM docker.io/python:3.10.5-slim-bullseye AS poetry-locker
 WORKDIR /work
 COPY ./pyproject.toml /work
@ -29,7 +29,7 @@ RUN pip install --no-cache-dir poetry && \
    poetry export -f requirements.txt --dev --output requirements-dev.txt
 # Stage 4: Build go proxy
-FROM docker.io/golang:1.18.2-bullseye AS builder
+FROM docker.io/golang:1.18.4-bullseye AS builder
 WORKDIR /work
@ -45,7 +45,7 @@ COPY ./go.sum /work/go.sum
 RUN go build -o /work/authentik ./cmd/server/main.go
 # Stage 5: Run
-FROM docker.io/python:3.10.4-slim-bullseye
+FROM docker.io/python:3.10.5-slim-bullseye
 LABEL org.opencontainers.image.url https://goauthentik.io
 LABEL org.opencontainers.image.description goauthentik.io Main server image, see https://goauthentik.io for more info.
--- a/21
+++ b/21
@ -45,8 +45,8 @@ lint-fix:
 		website/developer-docs
 lint:
 	bandit -r authentik tests lifecycle -x node_modules
 	pylint authentik tests lifecycle
 	bandit -r authentik tests lifecycle -x node_modules
 	golangci-lint run -v
 i18n-extract: i18n-extract-core web-extract
@ -55,7 +55,7 @@ i18n-extract-core:
 	./manage.py makemessages --ignore web --ignore internal --ignore web --ignore web-api --ignore website -l en
 gen-build:
-	./manage.py spectacular --file schema.yml
+	AUTHENTIK_DEBUG=true ./manage.py spectacular --file schema.yml
 gen-clean:
 	rm -rf web/api/src/
@ -65,7 +65,7 @@ gen-client-web:
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		openapitools/openapi-generator-cli:v6.0.0-beta generate \
+		openapitools/openapi-generator-cli:v6.0.0 generate \
 		-i /local/schema.yml \
 		-g typescript-fetch \
 		-o /local/gen-ts-api \
@ -83,7 +83,7 @@ gen-client-go:
 	docker run \
 		--rm -v ${PWD}:/local \
 		--user ${UID}:${GID} \
-		openapitools/openapi-generator-cli:v5.2.1 generate \
+		openapitools/openapi-generator-cli:v6.0.0 generate \
 		-i /local/schema.yml \
 		-g go \
 		-o /local/gen-go-api \
@ -103,12 +103,18 @@ run:
 ## Web
 #########################
-web: web-lint-fix web-lint web-extract
+web-build: web-install
 	cd web && npm run build
 web: web-lint-fix web-lint
 web-install:
 	cd web && npm ci
 web-watch:
 	rm -rf web/dist/
 	mkdir web/dist/
 	touch web/dist/.gitkeep
 	cd web && npm run watch
 web-lint-fix:
@ -163,8 +169,3 @@ ci-pending-migrations: ci--meta-debug
 install: web-install website-install
 	poetry install
 a: install
 	tmux \
 		new-session 'make run' \; \
 		split-window 'make web-watch'
--- a/README.md
+++ b/README.md
@ -9,7 +9,7 @@
 [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-outpost?label=outpost%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-outpost.yml)
 [![GitHub Workflow Status](https://img.shields.io/github/workflow/status/goauthentik/authentik/authentik-ci-web?label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
-[![Testspace tests](https://img.shields.io/testspace/total/goauthentik/goauthentik:authentik/master?style=for-the-badge)](https://goauthentik.testspace.com/)
+[![Testspace tests](https://img.shields.io/testspace/total/goauthentik/goauthentik:authentik/main?style=for-the-badge)](https://goauthentik.testspace.com/)
 ![Docker pulls](https://img.shields.io/docker/pulls/beryju/authentik.svg?style=for-the-badge)
 ![Latest version](https://img.shields.io/docker/v/beryju/authentik?sort=semver&style=for-the-badge)
 [![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/beryjuorg/authentik/)
--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,9 +6,10 @@
 | Version    | Supported          |
 | ---------- | ------------------ |
-| 2022.3.x   | :white_check_mark: |
+| 2022.5.x   | :white_check_mark: |
-| 2022.4.x   | :white_check_mark: |
+| 2022.6.x   | :white_check_mark: |
 | 2022.7.x   | :white_check_mark: |
 ## Reporting a Vulnerability
-To report a vulnerability, send an email to [security@beryju.org](mailto:security@beryju.org)
+To report a vulnerability, send an email to [security@goauthentik.io](mailto:security@goauthentik.io)
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
-__version__ = "2022.5.2"
+__version__ = "2022.7.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/api/workers.py
+++ b/authentik/admin/api/workers.py
@ -1,7 +1,6 @@
 """authentik administration overview"""
 from django.conf import settings
 from drf_spectacular.utils import extend_schema, inline_serializer
 from prometheus_client import Gauge
 from rest_framework.fields import IntegerField
 from rest_framework.permissions import IsAdminUser
 from rest_framework.request import Request
@ -10,8 +9,6 @@ from rest_framework.views import APIView
 from authentik.root.celery import CELERY_APP
 GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 class WorkerView(APIView):
    """Get currently connected worker count."""
--- a/authentik/admin/apps.py
+++ b/authentik/admin/apps.py
@ -2,6 +2,10 @@
 from importlib import import_module
 from django.apps import AppConfig
 from prometheus_client import Gauge, Info
 PROM_INFO = Info("authentik_version", "Currently running authentik version")
 GAUGE_WORKERS = Gauge("authentik_admin_workers", "Currently connected workers")
 class AuthentikAdminConfig(AppConfig):
@ -12,7 +16,4 @@ class AuthentikAdminConfig(AppConfig):
    verbose_name = "authentik Admin"
    def ready(self):
        from authentik.admin.tasks import clear_update_notifications
        clear_update_notifications.delay()
        import_module("authentik.admin.signals")
--- a/authentik/admin/signals.py
+++ b/authentik/admin/signals.py
@ -2,7 +2,7 @@
 from django.dispatch import receiver
 from authentik.admin.api.tasks import TaskInfo
-from authentik.admin.api.workers import GAUGE_WORKERS
+from authentik.admin.apps import GAUGE_WORKERS
 from authentik.root.celery import CELERY_APP
 from authentik.root.monitoring import monitoring_set
--- a/authentik/admin/tasks.py
+++ b/authentik/admin/tasks.py
@ -4,11 +4,11 @@ import re
 from django.core.cache import cache
 from django.core.validators import URLValidator
 from packaging.version import parse
 from prometheus_client import Info
 from requests import RequestException
 from structlog.stdlib import get_logger
 from authentik import __version__, get_build_hash
 from authentik.admin.apps import PROM_INFO
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.monitored_tasks import (
    MonitoredTask,
@ -25,7 +25,6 @@ VERSION_CACHE_KEY = "authentik_latest_version"
 VERSION_CACHE_TIMEOUT = 8 * 60 * 60  # 8 hours
 # Chop of the first ^ because we want to search the entire string
 URL_FINDER = URLValidator.regex.pattern[1:]
 PROM_INFO = Info("authentik_version", "Currently running authentik version")
 LOCAL_VERSION = parse(__version__)
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@ -10,6 +10,8 @@ from structlog.stdlib import get_logger
 from authentik.core.middleware import KEY_AUTH_VIA, LOCAL
 from authentik.core.models import Token, TokenIntents, User
 from authentik.outposts.models import Outpost
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import RefreshToken
 LOGGER = get_logger()
@ -24,7 +26,7 @@ def validate_auth(header: bytes) -> str:
    if auth_type.lower() != "bearer":
        LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
        raise AuthenticationFailed("Unsupported authentication type")
-    if auth_credentials == "":  # nosec
+    if auth_credentials == "":  # nosec # noqa
        raise AuthenticationFailed("Malformed header")
    return auth_credentials
@ -34,14 +36,30 @@ def bearer_auth(raw_header: bytes) -> Optional[User]:
    auth_credentials = validate_auth(raw_header)
    if not auth_credentials:
        return None
    if not hasattr(LOCAL, "authentik"):
        LOCAL.authentik = {}
    # first, check traditional tokens
-    token = Token.filter_not_expired(key=auth_credentials, intent=TokenIntents.INTENT_API).first()
+    key_token = Token.filter_not_expired(
-    if hasattr(LOCAL, "authentik"):
+        key=auth_credentials, intent=TokenIntents.INTENT_API
    ).first()
    if key_token:
        LOCAL.authentik[KEY_AUTH_VIA] = "api_token"
-    if token:
+        return key_token.user
-        return token.user
+    # then try to auth via JWT
    jwt_token = RefreshToken.filter_not_expired(
        refresh_token=auth_credentials, _scope__icontains=SCOPE_AUTHENTIK_API
    ).first()
    if jwt_token:
        # Double-check scopes, since they are saved in a single string
        # we want to check the parsed version too
        if SCOPE_AUTHENTIK_API not in jwt_token.scope:
            raise AuthenticationFailed("Token invalid/expired")
        LOCAL.authentik[KEY_AUTH_VIA] = "jwt"
        return jwt_token.user
    # then try to auth via secret key (for embedded outpost/etc)
    user = token_secret_key(auth_credentials)
    if user:
        LOCAL.authentik[KEY_AUTH_VIA] = "secret_key"
        return user
    raise AuthenticationFailed("Token invalid/expired")
@ -56,8 +74,6 @@ def token_secret_key(value: str) -> Optional[User]:
    outposts = Outpost.objects.filter(managed=MANAGED_OUTPOST)
    if not outposts:
        return None
    if hasattr(LOCAL, "authentik"):
        LOCAL.authentik[KEY_AUTH_VIA] = "secret_key"
    outpost = outposts.first()
    return outpost.user
--- a/authentik/api/templates/api/browser.html
+++ b/authentik/api/templates/api/browser.html
@ -8,9 +8,6 @@ API Browser - {{ tenant.branding_title }}
 {% block head %}
 <script type="module" src="{% static 'dist/rapidoc-min.js' %}"></script>
 {% endblock %}
 {% block body %}
 <script>
 function getCookie(name) {
    let cookieValue = "";
@ -34,16 +31,58 @@ window.addEventListener('DOMContentLoaded', (event) => {
    });
 });
 </script>
 <style>
    img.logo {
        width: 100%;
        padding: 1rem 0.5rem 1.5rem 0.5rem;
        min-height: 48px;
    }
 </style>
 {% endblock %}
 {% block body %}
 <rapi-doc
    spec-url="{{ path }}"
-    heading-text="authentik"
+    heading-text=""
-    theme="dark"
+    theme="light"
-    render-style="view"
+    render-style="read"
    default-schema-tab="schema"
    primary-color="#fd4b2d"
    nav-bg-color="#212427"
    bg-color="#000000"
    text-color="#000000"
    nav-text-color="#ffffff"
    nav-hover-bg-color="#3c3f42"
    nav-accent-color="#4f5255"
    nav-hover-text-color="#ffffff"
    use-path-in-nav-bar="true"
    nav-item-spacing="relaxed"
    allow-server-selection="false"
    show-header="false"
    allow-spec-url-load="false"
    allow-spec-file-load="false">
-    <div slot="logo">
+    <div slot="nav-logo">
-        <img src="{% static 'dist/assets/icons/icon.png' %}" style="width:50px; height:50px" />
+        <img class="logo" src="{% static 'dist/assets/icons/icon_left_brand.png' %}" />
    </div>
 </rapi-doc>
 <script>
 const rapidoc = document.querySelector("rapi-doc");
 const matcher = window.matchMedia("(prefers-color-scheme: light)");
 const changer = (ev) => {
    const style = getComputedStyle(document.documentElement);
    let bg, text = "";
    if (matcher.matches) {
        bg = style.getPropertyValue('--pf-global--BackgroundColor--light-300');
        text = style.getPropertyValue('--pf-global--Color--300');
    } else {
        bg = style.getPropertyValue('--ak-dark-background');
        text = style.getPropertyValue('--ak-dark-foreground');
    }
    rapidoc.attributes.getNamedItem("bg-color").value = bg.trim();
    rapidoc.attributes.getNamedItem("text-color").value = text.trim();
    rapidoc.requestUpdate();
 };
 matcher.addEventListener("change", changer);
 window.addEventListener("load", changer);
 </script>
 {% endblock %}
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@ -8,28 +8,37 @@ from rest_framework.exceptions import AuthenticationFailed
 from authentik.api.authentication import bearer_auth
 from authentik.core.models import USER_ATTRIBUTE_SA, Token, TokenIntents
 from authentik.core.tests.utils import create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.managed import OutpostManager
 from authentik.providers.oauth2.constants import SCOPE_AUTHENTIK_API
 from authentik.providers.oauth2.models import OAuth2Provider, RefreshToken
 class TestAPIAuth(TestCase):
    """Test API Authentication"""
    def test_valid_bearer(self):
        """Test valid token"""
        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=get_anonymous_user())
        self.assertEqual(bearer_auth(f"Bearer {token.key}".encode()), token.user)
    def test_invalid_type(self):
        """Test invalid type"""
        with self.assertRaises(AuthenticationFailed):
            bearer_auth("foo bar".encode())
    def test_invalid_empty(self):
        """Test invalid type"""
        self.assertIsNone(bearer_auth("Bearer ".encode()))
        self.assertIsNone(bearer_auth("".encode()))
    def test_invalid_no_token(self):
        """Test invalid with no token"""
        with self.assertRaises(AuthenticationFailed):
            auth = b64encode(":abc".encode()).decode()
            self.assertIsNone(bearer_auth(f"Basic :{auth}".encode()))
    def test_bearer_valid(self):
        """Test valid token"""
        token = Token.objects.create(intent=TokenIntents.INTENT_API, user=get_anonymous_user())
        self.assertEqual(bearer_auth(f"Bearer {token.key}".encode()), token.user)
    def test_managed_outpost(self):
        """Test managed outpost"""
        with self.assertRaises(AuthenticationFailed):
@ -38,3 +47,30 @@ class TestAPIAuth(TestCase):
        OutpostManager().run()
        user = bearer_auth(f"Bearer {settings.SECRET_KEY}".encode())
        self.assertEqual(user.attributes[USER_ATTRIBUTE_SA], True)
    def test_jwt_valid(self):
        """Test valid JWT"""
        provider = OAuth2Provider.objects.create(
            name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
        )
        refresh = RefreshToken.objects.create(
            user=get_anonymous_user(),
            provider=provider,
            refresh_token=generate_id(),
            _scope=SCOPE_AUTHENTIK_API,
        )
        self.assertEqual(bearer_auth(f"Bearer {refresh.refresh_token}".encode()), refresh.user)
    def test_jwt_missing_scope(self):
        """Test valid JWT"""
        provider = OAuth2Provider.objects.create(
            name=generate_id(), client_id=generate_id(), authorization_flow=create_test_flow()
        )
        refresh = RefreshToken.objects.create(
            user=get_anonymous_user(),
            provider=provider,
            refresh_token=generate_id(),
            _scope="",
        )
        with self.assertRaises(AuthenticationFailed):
            self.assertEqual(bearer_auth(f"Bearer {refresh.refresh_token}".encode()), refresh.user)
--- a/authentik/api/tests/test_viewsets.py
+++ b/authentik/api/tests/test_viewsets.py
@ -0,0 +1,29 @@
 """authentik API Modelviewset tests"""
 from typing import Callable
 from django.test import TestCase
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
 from authentik.api.v3.urls import router
 class TestModelViewSets(TestCase):
    """Test Viewset"""
 def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
    """Test Viewset"""
    def tester(self: TestModelViewSets):
        self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
        filterset_class = getattr(test_viewset, "filterset_class", None)
        if not filterset_class:
            self.assertIsNotNone(getattr(test_viewset, "filterset_fields", None))
    return tester
 for _, viewset, _ in router.registry:
    if not issubclass(viewset, (ModelViewSet, ReadOnlyModelViewSet)):
        continue
    setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}", viewset_tester_factory(viewset))
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@ -74,7 +74,7 @@ class ConfigView(APIView):
        config = ConfigSerializer(
            {
                "error_reporting": {
-                    "enabled": CONFIG.y("error_reporting.enabled") and not settings.DEBUG,
+                    "enabled": CONFIG.y("error_reporting.enabled"),
                    "environment": CONFIG.y("error_reporting.environment"),
                    "send_pii": CONFIG.y("error_reporting.send_pii"),
                    "traces_sample_rate": float(CONFIG.y("error_reporting.sample_rate", 0.4)),
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -63,6 +63,7 @@ class ApplicationSerializer(ModelSerializer):
            "provider",
            "provider_obj",
            "launch_url",
            "open_in_new_tab",
            "meta_launch_url",
            "meta_icon",
            "meta_description",
@ -88,7 +89,16 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        "meta_publisher",
        "group",
    ]
    filterset_fields = [
        "name",
        "slug",
        "meta_launch_url",
        "meta_description",
        "meta_publisher",
        "group",
    ]
    lookup_field = "slug"
    filterset_fields = ["name", "slug"]
    ordering = ["name"]
    def _filter_queryset_for_list(self, queryset: QuerySet) -> QuerySet:
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -8,7 +8,7 @@ from rest_framework.decorators import action
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.request import Request
 from rest_framework.response import Response
-from rest_framework.serializers import ModelSerializer, SerializerMethodField
+from rest_framework.serializers import ModelSerializer, ReadOnlyField, SerializerMethodField
 from rest_framework.viewsets import GenericViewSet
 from structlog.stdlib import get_logger
@ -26,6 +26,7 @@ LOGGER = get_logger()
 class SourceSerializer(ModelSerializer, MetaNameSerializer):
    """Source Serializer"""
    managed = ReadOnlyField()
    component = SerializerMethodField()
    def get_component(self, obj: Source) -> str:
@ -51,6 +52,8 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
            "meta_model_name",
            "policy_engine_mode",
            "user_matching_mode",
            "managed",
            "user_path_template",
        ]
@ -66,6 +69,8 @@ class SourceViewSet(
    queryset = Source.objects.none()
    serializer_class = SourceSerializer
    lookup_field = "slug"
    search_fields = ["slug", "name"]
    filterset_fields = ["slug", "name", "managed"]
    def get_queryset(self):  # pragma: no cover
        return Source.objects.select_subclasses()
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -24,7 +24,13 @@ from drf_spectacular.utils import (
 )
 from guardian.shortcuts import get_anonymous_user, get_objects_for_user
 from rest_framework.decorators import action
-from rest_framework.fields import CharField, JSONField, SerializerMethodField
+from rest_framework.fields import (
    CharField,
    IntegerField,
    JSONField,
    ListField,
    SerializerMethodField,
 )
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
@ -43,16 +49,23 @@ from authentik.api.decorators import permission_required
 from authentik.core.api.groups import GroupSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import LinkSerializer, PassiveSerializer, is_dict
-from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
+from authentik.core.middleware import (
    SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
    SESSION_KEY_IMPERSONATE_USER,
 )
 from authentik.core.models import (
    USER_ATTRIBUTE_SA,
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    USER_PATH_SERVICE_ACCOUNT,
    Group,
    Token,
    TokenIntents,
    User,
 )
 from authentik.events.models import EventAction
 from authentik.flows.models import FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
 from authentik.stages.email.models import EmailStage
 from authentik.stages.email.tasks import send_mails
 from authentik.stages.email.utils import TemplateEmailMessage
@ -72,6 +85,16 @@ class UserSerializer(ModelSerializer):
    )
    groups_obj = ListSerializer(child=GroupSerializer(), read_only=True, source="ak_groups")
    uid = CharField(read_only=True)
    username = CharField(max_length=150)
    def validate_path(self, path: str) -> str:
        """Validate path"""
        if path[:1] == "/" or path[-1] == "/":
            raise ValidationError(_("No leading or trailing slashes allowed."))
        for segment in path.split("/"):
            if segment == "":
                raise ValidationError(_("No empty segments in user path allowed."))
        return path
    class Meta:
@ -89,6 +112,7 @@ class UserSerializer(ModelSerializer):
            "avatar",
            "attributes",
            "uid",
            "path",
        ]
        extra_kwargs = {
            "name": {"allow_blank": True},
@ -204,6 +228,11 @@ class UsersFilter(FilterSet):
    is_superuser = BooleanFilter(field_name="ak_groups", lookup_expr="is_superuser")
    uuid = CharFilter(field_name="uuid")
    path = CharFilter(
        field_name="path",
    )
    path_startswith = CharFilter(field_name="path", lookup_expr="startswith")
    groups_by_name = ModelMultipleChoiceFilter(
        field_name="ak_groups__name",
        to_field_name="name",
@ -268,12 +297,23 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            LOGGER.debug("No recovery flow set")
            return None, None
        user: User = self.get_object()
-        token, __ = Token.objects.get_or_create(
+        planner = FlowPlanner(flow)
-            identifier=f"{user.uid}-password-reset",
+        planner.allow_empty_flows = True
-            user=user,
+        plan = planner.plan(
-            intent=TokenIntents.INTENT_RECOVERY,
+            self.request._request,
            {
                PLAN_CONTEXT_PENDING_USER: user,
            },
        )
-        querystring = urlencode({"token": token.key})
+        token, __ = FlowToken.objects.update_or_create(
            identifier=f"{user.uid}-password-reset",
            defaults={
                "user": user,
                "flow": flow,
                "_plan": FlowToken.pickle(plan),
            },
        )
        querystring = urlencode({QS_KEY_TOKEN: token.key})
        link = self.request.build_absolute_uri(
            reverse_lazy("authentik_core:if-flow", kwargs={"flow_slug": flow.slug})
            + f"?{querystring}"
@ -295,6 +335,9 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                {
                    "username": CharField(required=True),
                    "token": CharField(required=True),
                    "user_uid": CharField(required=True),
                    "user_pk": IntegerField(required=True),
                    "group_pk": CharField(required=False),
                },
            )
        },
@ -310,19 +353,27 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                    username=username,
                    name=username,
                    attributes={USER_ATTRIBUTE_SA: True, USER_ATTRIBUTE_TOKEN_EXPIRING: False},
                    path=USER_PATH_SERVICE_ACCOUNT,
                )
                response = {
                    "username": user.username,
                    "user_uid": user.uid,
                    "user_pk": user.pk,
                }
                if create_group and self.request.user.has_perm("authentik_core.add_group"):
                    group = Group.objects.create(
                        name=username,
                    )
                    group.users.add(user)
                    response["group_pk"] = str(group.pk)
                token = Token.objects.create(
                    identifier=slugify(f"service-account-{username}-password"),
                    intent=TokenIntents.INTENT_APP_PASSWORD,
                    user=user,
                    expires=now() + timedelta(days=360),
                )
-                return Response({"username": user.username, "token": token.key})
+                response["token"] = token.key
                return Response(response)
            except (IntegrityError) as exc:
                return Response(data={"non_field_errors": [str(exc)]}, status=400)
@ -335,11 +386,12 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        serializer = SessionUserSerializer(
            data={"user": UserSelfSerializer(instance=request.user, context=context).data}
        )
-        if SESSION_IMPERSONATE_USER in request._request.session:
+        if SESSION_KEY_IMPERSONATE_USER in request._request.session:
            serializer.initial_data["original"] = UserSelfSerializer(
-                instance=request._request.session[SESSION_IMPERSONATE_ORIGINAL_USER],
+                instance=request._request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER],
                context=context,
            ).data
        self.request.session.modified = True
        return Response(serializer.initial_data)
    @permission_required("authentik_core.reset_user_password")
@ -366,7 +418,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        except (ValidationError, IntegrityError) as exc:
            LOGGER.debug("Failed to set password", exc=exc)
            return Response(status=400)
-        if user.pk == request.user.pk and SESSION_IMPERSONATE_USER not in self.request.session:
+        if user.pk == request.user.pk and SESSION_KEY_IMPERSONATE_USER not in self.request.session:
            LOGGER.debug("Updating session hash after password change")
            update_session_auth_hash(self.request, user)
        return Response(status=204)
@ -459,3 +511,32 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        if self.request.user.has_perm("authentik_core.view_user"):
            return self._filter_queryset_for_list(queryset)
        return super().filter_queryset(queryset)
    @extend_schema(
        responses={
            200: inline_serializer(
                "UserPathSerializer", {"paths": ListField(child=CharField(), read_only=True)}
            )
        },
        parameters=[
            OpenApiParameter(
                name="search",
                location=OpenApiParameter.QUERY,
                type=OpenApiTypes.STR,
            )
        ],
    )
    @action(detail=False, pagination_class=None)
    def paths(self, request: Request) -> Response:
        """Get all user paths"""
        return Response(
            data={
                "paths": list(
                    self.filter_queryset(self.get_queryset())
                    .values("path")
                    .distinct()
                    .order_by("path")
                    .values_list("path", flat=True)
                )
            }
        )
--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@ -2,10 +2,7 @@
 from importlib import import_module
 from django.apps import AppConfig
-from django.db import ProgrammingError
+from django.conf import settings
 from authentik.core.signals import GAUGE_MODELS
 from authentik.lib.utils.reflection import get_apps
 class AuthentikCoreConfig(AppConfig):
@ -19,12 +16,7 @@ class AuthentikCoreConfig(AppConfig):
    def ready(self):
        import_module("authentik.core.signals")
        import_module("authentik.core.managed")
-        try:
+        if settings.DEBUG:
-            for app in get_apps():
+            from authentik.root.celery import worker_ready_hook
-                for model in app.get_models():
+
-                    GAUGE_MODELS.labels(
+            worker_ready_hook()
                        model_name=model._meta.model_name,
                        app=model._meta.app_label,
                    ).set(model.objects.count())
        except ProgrammingError:
            pass
--- a/authentik/core/managed.py
+++ b/authentik/core/managed.py
@ -12,5 +12,6 @@ class CoreManager(ObjectManager):
                Source,
                "goauthentik.io/sources/inbuilt",
                name="authentik Built-in",
                slug="authentik-built-in",
            ),
        ]
--- a/authentik/core/management/commands/bootstrap_tasks.py
+++ b/authentik/core/management/commands/bootstrap_tasks.py
@ -0,0 +1,13 @@
 """Run bootstrap tasks"""
 from django.core.management.base import BaseCommand
 from authentik.root.celery import _get_startup_tasks
 class Command(BaseCommand):  # pragma: no cover
    """Run bootstrap tasks to ensure certain objects are created"""
    def handle(self, **options):
        tasks = _get_startup_tasks()
        for task in tasks:
            task()
--- a/authentik/outposts/management/commands/repair_permissions.py
+++ b/authentik/outposts/management/commands/repair_permissions.py
@ -2,6 +2,7 @@
 from django.apps import apps
 from django.contrib.auth.management import create_permissions
 from django.core.management.base import BaseCommand, no_translations
 from guardian.management import create_anonymous_user
 class Command(BaseCommand):  # pragma: no cover
@ -13,3 +14,4 @@ class Command(BaseCommand):  # pragma: no cover
        for app in apps.get_app_configs():
            self.stdout.write(f"Checking app {app.name} ({app.label})\n")
            create_permissions(app, verbosity=0)
        create_anonymous_user(None, using="default")
--- a/authentik/core/middleware.py
+++ b/authentik/core/middleware.py
@ -7,8 +7,8 @@ from uuid import uuid4
 from django.http import HttpRequest, HttpResponse
 from sentry_sdk.api import set_tag
-SESSION_IMPERSONATE_USER = "authentik_impersonate_user"
+SESSION_KEY_IMPERSONATE_USER = "authentik/impersonate/user"
-SESSION_IMPERSONATE_ORIGINAL_USER = "authentik_impersonate_original_user"
+SESSION_KEY_IMPERSONATE_ORIGINAL_USER = "authentik/impersonate/original_user"
 LOCAL = local()
 RESPONSE_HEADER_ID = "X-authentik-id"
 KEY_AUTH_VIA = "auth_via"
@ -25,10 +25,10 @@ class ImpersonateMiddleware:
    def __call__(self, request: HttpRequest) -> HttpResponse:
        # No permission checks are done here, they need to be checked before
-        # SESSION_IMPERSONATE_USER is set.
+        # SESSION_KEY_IMPERSONATE_USER is set.
-        if SESSION_IMPERSONATE_USER in request.session:
+        if SESSION_KEY_IMPERSONATE_USER in request.session:
-            request.user = request.session[SESSION_IMPERSONATE_USER]
+            request.user = request.session[SESSION_KEY_IMPERSONATE_USER]
            # Ensure that the user is active, otherwise nothing will work
            request.user.is_active = True
@ -56,7 +56,7 @@ class RequestIDMiddleware:
        response[RESPONSE_HEADER_ID] = request.request_id
        setattr(response, "ak_context", {})
        response.ak_context.update(LOCAL.authentik)
-        response.ak_context[KEY_USER] = request.user.username
+        response.ak_context.setdefault(KEY_USER, request.user.username)
        for key in list(LOCAL.authentik.keys()):
            del LOCAL.authentik[key]
        return response
--- a/authentik/core/migrations/0002_auto_20200523_1133_squashed_0011_provider_name_temp.py
+++ b/authentik/core/migrations/0002_auto_20200523_1133_squashed_0011_provider_name_temp.py
@ -12,18 +12,25 @@ import authentik.core.models
 def create_default_user(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    # We have to use a direct import here, otherwise we get an object manager error
+    from django.contrib.auth.hashers import make_password
    from authentik.core.models import User
    User = apps.get_model("authentik_core", "User")
    db_alias = schema_editor.connection.alias
    akadmin, _ = User.objects.using(db_alias).get_or_create(
        username="akadmin", email="root@localhost", name="authentik Default Admin"
    )
-    if "TF_BUILD" in environ or "AK_ADMIN_PASS" in environ or settings.TEST:
+    password = None
-        akadmin.set_password(environ.get("AK_ADMIN_PASS", "akadmin"), signal=False)  # noqa # nosec
+    if "TF_BUILD" in environ or settings.TEST:
        password = "akadmin"  # noqa # nosec
    if "AK_ADMIN_PASS" in environ:
        password = environ["AK_ADMIN_PASS"]
    if "AUTHENTIK_BOOTSTRAP_PASSWORD" in environ:
        password = environ["AUTHENTIK_BOOTSTRAP_PASSWORD"]
    if password:
        akadmin.password = make_password(password)
    else:
-        akadmin.set_unusable_password()
+        akadmin.password = make_password(None)
    akadmin.save()
--- a/authentik/core/migrations/0003_default_user.py
+++ b/authentik/core/migrations/0003_default_user.py
@ -8,18 +8,25 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def create_default_user(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    # We have to use a direct import here, otherwise we get an object manager error
+    from django.contrib.auth.hashers import make_password
    from authentik.core.models import User
    User = apps.get_model("authentik_core", "User")
    db_alias = schema_editor.connection.alias
    akadmin, _ = User.objects.using(db_alias).get_or_create(
        username="akadmin", email="root@localhost", name="authentik Default Admin"
    )
-    if "TF_BUILD" in environ or "AK_ADMIN_PASS" in environ or settings.TEST:
+    password = None
-        akadmin.set_password(environ.get("AK_ADMIN_PASS", "akadmin"), signal=False)  # noqa # nosec
+    if "TF_BUILD" in environ or settings.TEST:
        password = "akadmin"  # noqa # nosec
    if "AK_ADMIN_PASS" in environ:
        password = environ["AK_ADMIN_PASS"]
    if "AUTHENTIK_BOOTSTRAP_PASSWORD" in environ:
        password = environ["AUTHENTIK_BOOTSTRAP_PASSWORD"]
    if password:
        akadmin.password = make_password(password)
    else:
-        akadmin.set_unusable_password()
+        akadmin.password = make_password(None)
    akadmin.save()
--- a/authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py
+++ b/authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py
@ -36,22 +36,29 @@ def fix_duplicates(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
 def create_default_user_token(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    # We have to use a direct import here, otherwise we get an object manager error
+    from authentik.core.models import TokenIntents
-    from authentik.core.models import Token, TokenIntents, User
+
    User = apps.get_model("authentik_core", "User")
    Token = apps.get_model("authentik_core", "Token")
    db_alias = schema_editor.connection.alias
    akadmin = User.objects.using(db_alias).filter(username="akadmin")
    if not akadmin.exists():
        return
-    if "AK_ADMIN_TOKEN" not in environ:
+    key = None
    if "AK_ADMIN_TOKEN" in environ:
        key = environ["AK_ADMIN_TOKEN"]
    if "AUTHENTIK_BOOTSTRAP_TOKEN" in environ:
        key = environ["AUTHENTIK_BOOTSTRAP_TOKEN"]
    if not key:
        return
    Token.objects.using(db_alias).create(
-        identifier="authentik-boostrap-token",
+        identifier="authentik-bootstrap-token",
        user=akadmin.first(),
        intent=TokenIntents.INTENT_API,
        expiring=False,
-        key=environ["AK_ADMIN_TOKEN"],
+        key=key,
    )
--- a/authentik/core/migrations/0020_application_open_in_new_tab.py
+++ b/authentik/core/migrations/0020_application_open_in_new_tab.py
@ -0,0 +1,20 @@
 # Generated by Django 4.0.5 on 2022-06-04 06:54
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0019_application_group"),
    ]
    operations = [
        migrations.AddField(
            model_name="application",
            name="open_in_new_tab",
            field=models.BooleanField(
                default=False, help_text="Open launch URL in a new browser tab or window."
            ),
        ),
    ]
--- a/authentik/core/migrations/0021_source_user_path_user_path.py
+++ b/authentik/core/migrations/0021_source_user_path_user_path.py
@ -0,0 +1,23 @@
 # Generated by Django 4.0.5 on 2022-06-13 18:51
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0020_application_open_in_new_tab"),
    ]
    operations = [
        migrations.AddField(
            model_name="source",
            name="user_path_template",
            field=models.TextField(default="goauthentik.io/sources/%(slug)s"),
        ),
        migrations.AddField(
            model_name="user",
            name="path",
            field=models.TextField(default="users"),
        ),
    ]
--- a/authentik/core/migrations/0027_bootstrap_token.py
+++ b/authentik/core/migrations/0027_bootstrap_token.py
@ -7,22 +7,29 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def create_default_user_token(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    # We have to use a direct import here, otherwise we get an object manager error
+    from authentik.core.models import TokenIntents
-    from authentik.core.models import Token, TokenIntents, User
+
    User = apps.get_model("authentik_core", "User")
    Token = apps.get_model("authentik_core", "Token")
    db_alias = schema_editor.connection.alias
    akadmin = User.objects.using(db_alias).filter(username="akadmin")
    if not akadmin.exists():
        return
-    if "AK_ADMIN_TOKEN" not in environ:
+    key = None
    if "AK_ADMIN_TOKEN" in environ:
        key = environ["AK_ADMIN_TOKEN"]
    if "AUTHENTIK_BOOTSTRAP_TOKEN" in environ:
        key = environ["AUTHENTIK_BOOTSTRAP_TOKEN"]
    if not key:
        return
    Token.objects.using(db_alias).create(
-        identifier="authentik-boostrap-token",
+        identifier="authentik-bootstrap-token",
        user=akadmin.first(),
        intent=TokenIntents.INTENT_API,
        expiring=False,
-        key=environ["AK_ADMIN_TOKEN"],
+        key=key,
    )
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -46,6 +46,9 @@ USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
 USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_ATTRIBUTE_CAN_OVERRIDE_IP = "goauthentik.io/user/override-ips"
 USER_PATH_SYSTEM_PREFIX = "goauthentik.io"
 USER_PATH_SERVICE_ACCOUNT = USER_PATH_SYSTEM_PREFIX + "/service-accounts"
 GRAVATAR_URL = "https://secure.gravatar.com"
 DEFAULT_AVATAR = static("dist/assets/images/user_default.png")
@ -103,7 +106,10 @@ class Group(models.Model):
            SELECT authentik_core_group.*, parents.relative_depth - 1
            FROM authentik_core_group,parents
-            WHERE authentik_core_group.parent_id = parents.group_uuid
+            WHERE (
                authentik_core_group.parent_id = parents.group_uuid and
                parents.relative_depth > -20
            )
        )
        SELECT group_uuid
        FROM parents
@ -138,6 +144,7 @@ class User(GuardianUserMixin, AbstractUser):
    uuid = models.UUIDField(default=uuid4, editable=False)
    name = models.TextField(help_text=_("User's display name."))
    path = models.TextField(default="users")
    sources = models.ManyToManyField("Source", through="UserSourceConnection")
    ak_groups = models.ManyToManyField("Group", related_name="users")
@ -147,6 +154,11 @@ class User(GuardianUserMixin, AbstractUser):
    objects = UserManager()
    @staticmethod
    def default_path() -> str:
        """Get the default user path"""
        return User._meta.get_field("path").default
    def group_attributes(self, request: Optional[HttpRequest] = None) -> dict[str, Any]:
        """Get a dictionary containing the attributes from all groups the user belongs to,
        including the users attributes"""
@ -192,7 +204,7 @@ class User(GuardianUserMixin, AbstractUser):
    @property
    def uid(self) -> str:
-        """Generate a globall unique UID, based on the user ID and the hashed secret key"""
+        """Generate a globally unique UID, based on the user ID and the hashed secret key"""
        return sha256(f"{self.id}-{settings.SECRET_KEY}".encode("ascii")).hexdigest()
    @property
@ -278,6 +290,11 @@ class Application(PolicyBindingModel):
    meta_launch_url = models.TextField(
        default="", blank=True, validators=[DomainlessURLValidator()]
    )
    open_in_new_tab = models.BooleanField(
        default=False, help_text=_("Open launch URL in a new browser tab or window.")
    )
    # For template applications, this can be set to /static/authentik/applications/*
    meta_icon = models.FileField(
        upload_to="application-icons/",
@ -368,6 +385,8 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    name = models.TextField(help_text=_("Source's display Name."))
    slug = models.SlugField(help_text=_("Internal source name, used in URLs."), unique=True)
    user_path_template = models.TextField(default="goauthentik.io/sources/%(slug)s")
    enabled = models.BooleanField(default=True)
    property_mappings = models.ManyToManyField("PropertyMapping", default=None, blank=True)
@ -403,6 +422,17 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    objects = InheritanceManager()
    def get_user_path(self) -> str:
        """Get user path, fallback to default for formatting errors"""
        try:
            return self.user_path_template % {
                "slug": self.slug,
            }
        # pylint: disable=broad-except
        except Exception as exc:
            LOGGER.warning("Failed to template user path", exc=exc, source=self)
            return User.default_path()
    @property
    def component(self) -> str:
        """Return component used to edit this object"""
@ -452,8 +482,9 @@ class ExpiringModel(models.Model):
    def filter_not_expired(cls, **kwargs) -> QuerySet:
        """Filer for tokens which are not expired yet or are not expiring,
        and match filters in `kwargs`"""
-        expired = Q(expires__lt=now(), expiring=True)
+        for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
-        return cls.objects.exclude(expired).filter(**kwargs)
+            obj.delete()
        return cls.objects.filter(**kwargs)
    @property
    def is_expired(self) -> bool:
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -1,7 +1,6 @@
 """authentik core signals"""
 from typing import TYPE_CHECKING
 from django.apps import apps
 from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
@ -10,30 +9,16 @@ from django.db.models import Model
 from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http.request import HttpRequest
 from prometheus_client import Gauge
 from authentik.root.monitoring import monitoring_set
 # Arguments: user: User, password: str
 password_changed = Signal()
-
+# Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
-GAUGE_MODELS = Gauge("authentik_models", "Count of various objects", ["model_name", "app"])
+login_failed = Signal()
 if TYPE_CHECKING:
    from authentik.core.models import AuthenticatedSession, User
@receiver(monitoring_set)
 # pylint: disable=unused-argument
 def monitoring_set_models(sender, **kwargs):
    """set models gauges"""
    for model in apps.get_models():
        GAUGE_MODELS.labels(
            model_name=model._meta.model_name,
            app=model._meta.app_label,
        ).set(model.objects.count())
@receiver(post_save)
 # pylint: disable=unused-argument
 def post_save_application(sender: type[Model], instance, created: bool, **_):
--- a/authentik/core/sources/flow_manager.py
+++ b/authentik/core/sources/flow_manager.py
@ -26,11 +26,11 @@ from authentik.flows.planner import (
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_GET, SESSION_KEY_PLAN
 from authentik.lib.utils.urls import redirect_with_qs
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.types import PolicyResult
 from authentik.policies.utils import delete_none_keys
 from authentik.stages.password import BACKEND_INBUILT
 from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 from authentik.stages.user_write.stage import PLAN_CONTEXT_USER_PATH
 class Action(Enum):
@ -165,9 +165,9 @@ class SourceFlowManager:
                    return self.handle_enroll(connection)
        except FlowNonApplicableException as exc:
            self._logger.warning("Flow non applicable", exc=exc)
-            return self.error_handler(exc, exc.policy_result)
+            return self.error_handler(exc)
        # Default case, assume deny
-        error = (
+        error = Exception(
            _(
                (
                    "Request to authenticate with %(source)s has been denied. Please authenticate "
@ -178,14 +178,13 @@ class SourceFlowManager:
        )
        return self.error_handler(error)
-    def error_handler(
+    def error_handler(self, error: Exception) -> HttpResponse:
        self, error: Exception, policy_result: Optional[PolicyResult] = None
    ) -> HttpResponse:
        """Handle any errors by returning an access denied stage"""
        response = AccessDeniedResponse(self.request)
        response.error_message = str(error)
-        if policy_result:
+        if isinstance(error, FlowNonApplicableException):
-            response.policy_result = policy_result
+            response.policy_result = error.policy_result
            response.error_message = error.messages
        return response
    # pylint: disable=unused-argument
@ -291,5 +290,6 @@ class SourceFlowManager:
            connection,
            **{
                PLAN_CONTEXT_PROMPT: delete_none_keys(self.enroll_info),
                PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
            },
        )
--- a/authentik/core/templates/if/flow.html
+++ b/authentik/core/templates/if/flow.html
@ -5,11 +5,14 @@
 {% block head_before %}
 {{ block.super }}
 <link rel="prefetch" href="{{ flow.background_url }}" />
 {% if flow.compatibility_mode and not inspector %}
 <script>ShadyDOM = { force: !navigator.webdriver };</script>
 {% endif %}
 <script>
-window.authentik = {};
+window.authentik = {
    "locale": "{{ tenant.default_locale }}",
 };
 window.authentik.flow = {
    "layout": "{{ flow.layout }}",
 };
@ -19,7 +22,7 @@ window.authentik.flow = {
 {% block head %}
 <script src="{% static 'dist/flow/FlowInterface.js' %}" type="module"></script>
 <style>
-.pf-c-background-image::before {
+:root {
    --ak-flow-background: url("{{ flow.background_url }}");
 }
 </style>
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@ -4,13 +4,19 @@
 {% load i18n %}
 {% block head_before %}
 <link rel="prefetch" href="/static/dist/assets/images/flow_background.jpg" />
 <link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
 {% endblock %}
 {% block head %}
 <style>
-.pf-c-background-image::before {
+:root {
    --ak-flow-background: url("/static/dist/assets/images/flow_background.jpg");
    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
 }
 /* Form with user */
 .form-control-static {
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -29,6 +29,7 @@ class TestApplicationsAPI(APITestCase):
            name="allowed",
            slug="allowed",
            meta_launch_url="https://goauthentik.io/%(username)s",
            open_in_new_tab=True,
            provider=self.provider,
        )
        self.denied = Application.objects.create(name="denied", slug="denied")
@ -100,6 +101,7 @@ class TestApplicationsAPI(APITestCase):
                        },
                        "launch_url": f"https://goauthentik.io/{self.user.username}",
                        "meta_launch_url": "https://goauthentik.io/%(username)s",
                        "open_in_new_tab": True,
                        "meta_icon": None,
                        "meta_description": "",
                        "meta_publisher": "",
@ -148,6 +150,7 @@ class TestApplicationsAPI(APITestCase):
                        },
                        "launch_url": f"https://goauthentik.io/{self.user.username}",
                        "meta_launch_url": "https://goauthentik.io/%(username)s",
                        "open_in_new_tab": True,
                        "meta_icon": None,
                        "meta_description": "",
                        "meta_publisher": "",
@ -158,6 +161,7 @@ class TestApplicationsAPI(APITestCase):
                        "meta_description": "",
                        "meta_icon": None,
                        "meta_launch_url": "",
                        "open_in_new_tab": False,
                        "meta_publisher": "",
                        "group": "",
                        "name": "denied",
--- a/authentik/core/tests/test_groups.py
+++ b/authentik/core/tests/test_groups.py
@ -2,6 +2,7 @@
 from django.test.testcases import TestCase
 from authentik.core.models import Group, User
 from authentik.lib.generators import generate_id
 class TestGroups(TestCase):
@ -9,32 +10,43 @@ class TestGroups(TestCase):
    def test_group_membership_simple(self):
        """Test simple membership"""
-        user = User.objects.create(username="user")
+        user = User.objects.create(username=generate_id())
-        user2 = User.objects.create(username="user2")
+        user2 = User.objects.create(username=generate_id())
-        group = Group.objects.create(name="group")
+        group = Group.objects.create(name=generate_id())
        group.users.add(user)
        self.assertTrue(group.is_member(user))
        self.assertFalse(group.is_member(user2))
    def test_group_membership_parent(self):
        """Test parent membership"""
-        user = User.objects.create(username="user")
+        user = User.objects.create(username=generate_id())
-        user2 = User.objects.create(username="user2")
+        user2 = User.objects.create(username=generate_id())
-        first = Group.objects.create(name="first")
+        first = Group.objects.create(name=generate_id())
-        second = Group.objects.create(name="second", parent=first)
+        second = Group.objects.create(name=generate_id(), parent=first)
        second.users.add(user)
        self.assertTrue(first.is_member(user))
        self.assertFalse(first.is_member(user2))
    def test_group_membership_parent_extra(self):
        """Test parent membership"""
-        user = User.objects.create(username="user")
+        user = User.objects.create(username=generate_id())
-        user2 = User.objects.create(username="user2")
+        user2 = User.objects.create(username=generate_id())
-        first = Group.objects.create(name="first")
+        first = Group.objects.create(name=generate_id())
-        second = Group.objects.create(name="second", parent=first)
+        second = Group.objects.create(name=generate_id(), parent=first)
-        third = Group.objects.create(name="third", parent=second)
+        third = Group.objects.create(name=generate_id(), parent=second)
        second.users.add(user)
        self.assertTrue(first.is_member(user))
        self.assertFalse(first.is_member(user2))
        self.assertFalse(third.is_member(user))
        self.assertFalse(third.is_member(user2))
    def test_group_membership_recursive(self):
        """Test group membership (recursive)"""
        user = User.objects.create(username=generate_id())
        group = Group.objects.create(name=generate_id())
        group2 = Group.objects.create(name=generate_id(), parent=group)
        group.users.add(user)
        group.parent = group2
        group.save()
        self.assertTrue(group.is_member(user))
        self.assertTrue(group2.is_member(user))
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -5,7 +5,7 @@ from rest_framework.test import APITestCase
 from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
 from authentik.flows.models import FlowDesignation
-from authentik.lib.generators import generate_key
+from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.email.models import EmailStage
 from authentik.tenants.models import Tenant
@ -149,3 +149,65 @@ class TestUsersAPI(APITestCase):
            },
        )
        self.assertEqual(response.status_code, 400)
    def test_paths(self):
        """Test path"""
        self.client.force_login(self.admin)
        response = self.client.get(
            reverse("authentik_api:user-paths"),
        )
        print(response.content)
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(response.content.decode(), {"paths": ["users"]})
    def test_path_valid(self):
        """Test path"""
        self.client.force_login(self.admin)
        response = self.client.post(
            reverse("authentik_api:user-list"),
            data={"name": generate_id(), "username": generate_id(), "groups": [], "path": "foo"},
        )
        self.assertEqual(response.status_code, 201)
    def test_path_invalid(self):
        """Test path (invalid)"""
        self.client.force_login(self.admin)
        response = self.client.post(
            reverse("authentik_api:user-list"),
            data={"name": generate_id(), "username": generate_id(), "groups": [], "path": "/foo"},
        )
        self.assertEqual(response.status_code, 400)
        self.assertJSONEqual(
            response.content.decode(), {"path": ["No leading or trailing slashes allowed."]}
        )
        self.client.force_login(self.admin)
        response = self.client.post(
            reverse("authentik_api:user-list"),
            data={"name": generate_id(), "username": generate_id(), "groups": [], "path": ""},
        )
        self.assertEqual(response.status_code, 400)
        self.assertJSONEqual(response.content.decode(), {"path": ["This field may not be blank."]})
        response = self.client.post(
            reverse("authentik_api:user-list"),
            data={"name": generate_id(), "username": generate_id(), "groups": [], "path": "foo/"},
        )
        self.assertEqual(response.status_code, 400)
        self.assertJSONEqual(
            response.content.decode(), {"path": ["No leading or trailing slashes allowed."]}
        )
        response = self.client.post(
            reverse("authentik_api:user-list"),
            data={
                "name": generate_id(),
                "username": generate_id(),
                "groups": [],
                "path": "fos//o",
            },
        )
        self.assertEqual(response.status_code, 400)
        self.assertJSONEqual(
            response.content.decode(), {"path": ["No empty segments in user path allowed."]}
        )
--- a/authentik/core/tests/utils.py
+++ b/authentik/core/tests/utils.py
@ -11,14 +11,13 @@ from authentik.lib.generators import generate_id
 from authentik.tenants.models import Tenant
-def create_test_flow(designation: FlowDesignation = FlowDesignation.STAGE_CONFIGURATION) -> Flow:
+def create_test_flow(
    designation: FlowDesignation = FlowDesignation.STAGE_CONFIGURATION, **kwargs
 ) -> Flow:
    """Generate a flow that can be used for testing"""
    uid = generate_id(10)
    return Flow.objects.create(
-        name=uid,
+        name=uid, title=uid, slug=slugify(uid), designation=designation, **kwargs
        title=uid,
        slug=slugify(uid),
        designation=designation,
    )
@ -47,11 +46,11 @@ def create_test_tenant() -> Tenant:
 def create_test_cert() -> CertificateKeyPair:
    """Generate a certificate for testing"""
    CertificateKeyPair.objects.filter(name="goauthentik.io").delete()
    builder = CertificateBuilder()
    builder.common_name = "goauthentik.io"
    builder.build(
        subject_alt_names=["goauthentik.io"],
        validity_days=360,
    )
    builder.name = generate_id()
    return builder.save()
--- a/authentik/core/urls.py
+++ b/authentik/core/urls.py
@ -14,7 +14,9 @@ from authentik.core.views.session import EndSessionView
 urlpatterns = [
    path(
        "",
-        login_required(RedirectView.as_view(pattern_name="authentik_core:if-user")),
+        login_required(
            RedirectView.as_view(pattern_name="authentik_core:if-user", query_string=True)
        ),
        name="root-redirect",
    ),
    path(
--- a/authentik/core/views/impersonate.py
+++ b/authentik/core/views/impersonate.py
@ -5,7 +5,10 @@ from django.shortcuts import get_object_or_404, redirect
 from django.views import View
 from structlog.stdlib import get_logger
-from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
+from authentik.core.middleware import (
    SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
    SESSION_KEY_IMPERSONATE_USER,
 )
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
 from authentik.lib.config import CONFIG
@ -27,8 +30,8 @@ class ImpersonateInitView(View):
        user_to_be = get_object_or_404(User, pk=user_id)
-        request.session[SESSION_IMPERSONATE_ORIGINAL_USER] = request.user
+        request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER] = request.user
-        request.session[SESSION_IMPERSONATE_USER] = user_to_be
+        request.session[SESSION_KEY_IMPERSONATE_USER] = user_to_be
        Event.new(EventAction.IMPERSONATION_STARTED).from_http(request, user_to_be)
@ -41,16 +44,16 @@ class ImpersonateEndView(View):
    def get(self, request: HttpRequest) -> HttpResponse:
        """End Impersonation handler"""
        if (
-            SESSION_IMPERSONATE_USER not in request.session
+            SESSION_KEY_IMPERSONATE_USER not in request.session
-            or SESSION_IMPERSONATE_ORIGINAL_USER not in request.session
+            or SESSION_KEY_IMPERSONATE_ORIGINAL_USER not in request.session
        ):
            LOGGER.debug("Can't end impersonation", user=request.user)
            return redirect("authentik_core:if-user")
-        original_user = request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
+        original_user = request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER]
-        del request.session[SESSION_IMPERSONATE_USER]
+        del request.session[SESSION_KEY_IMPERSONATE_USER]
-        del request.session[SESSION_IMPERSONATE_ORIGINAL_USER]
+        del request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER]
        Event.new(EventAction.IMPERSONATION_ENDED).from_http(request, original_user)
--- a/authentik/crypto/builder.py
+++ b/authentik/crypto/builder.py
@ -53,10 +53,7 @@ class CertificateBuilder:
            .subject_name(
                x509.Name(
                    [
-                        x509.NameAttribute(
+                        x509.NameAttribute(NameOID.COMMON_NAME, self.common_name),
                            NameOID.COMMON_NAME,
                            self.common_name,
                        ),
                        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "authentik"),
                        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"),
                    ]
@ -65,10 +62,7 @@ class CertificateBuilder:
            .issuer_name(
                x509.Name(
                    [
-                        x509.NameAttribute(
+                        x509.NameAttribute(NameOID.COMMON_NAME, f"authentik {__version__}"),
                            NameOID.COMMON_NAME,
                            f"authentik {__version__}",
                        ),
                    ]
                )
            )
--- a/authentik/crypto/migrations/0002_create_self_signed_kp.py
+++ b/authentik/crypto/migrations/0002_create_self_signed_kp.py
@ -2,6 +2,8 @@
 from django.db import migrations
 from authentik.lib.generators import generate_id
 def create_self_signed(apps, schema_editor):
    CertificateKeyPair = apps.get_model("authentik_crypto", "CertificateKeyPair")
@ -9,7 +11,7 @@ def create_self_signed(apps, schema_editor):
    from authentik.crypto.builder import CertificateBuilder
    builder = CertificateBuilder()
-    builder.build()
+    builder.build(subject_alt_names=[f"{generate_id()}.self-signed.goauthentik.io"])
    CertificateKeyPair.objects.using(db_alias).create(
        name="authentik Self-signed Certificate",
        certificate_data=builder.certificate,
--- a/authentik/events/api/notification_mappings.py
+++ b/authentik/events/api/notification_mappings.py
@ -26,3 +26,4 @@ class NotificationWebhookMappingViewSet(UsedByMixin, ModelViewSet):
    serializer_class = NotificationWebhookMappingSerializer
    filterset_fields = ["name"]
    ordering = ["name"]
    search_fields = ["name"]
--- a/authentik/events/api/notification_rules.py
+++ b/authentik/events/api/notification_rules.py
@ -32,3 +32,4 @@ class NotificationRuleViewSet(UsedByMixin, ModelViewSet):
    serializer_class = NotificationRuleSerializer
    filterset_fields = ["name", "severity", "group__name"]
    ordering = ["name"]
    search_fields = ["name", "group__name"]
--- a/authentik/events/api/notification_transports.py
+++ b/authentik/events/api/notification_transports.py
@ -68,6 +68,7 @@ class NotificationTransportViewSet(UsedByMixin, ModelViewSet):
    queryset = NotificationTransport.objects.all()
    serializer_class = NotificationTransportSerializer
    filterset_fields = ["name", "mode", "webhook_url", "send_once"]
    search_fields = ["name", "mode", "webhook_url"]
    ordering = ["name"]
    @permission_required("authentik_events.change_notificationtransport")
--- a/authentik/events/apps.py
+++ b/authentik/events/apps.py
@ -2,6 +2,13 @@
 from importlib import import_module
 from django.apps import AppConfig
 from prometheus_client import Gauge
 GAUGE_TASKS = Gauge(
    "authentik_system_tasks",
    "System tasks and their status",
    ["task_name", "task_uid", "status"],
 )
 class AuthentikEventsConfig(AppConfig):
--- a/authentik/events/geo.py
+++ b/authentik/events/geo.py
@ -76,11 +76,8 @@ class GeoIPReader:
            except (GeoIP2Error, ValueError):
                return None
-    def city_dict(self, ip_address: str) -> Optional[GeoIPDict]:
+    def city_to_dict(self, city: City) -> GeoIPDict:
-        """Wrapper for self.city that returns a dict"""
+        """Convert City to dict"""
        city = self.city(ip_address)
        if not city:
            return None
        city_dict: GeoIPDict = {
            "continent": city.continent.code,
            "country": city.country.iso_code,
@ -92,5 +89,12 @@ class GeoIPReader:
            city_dict["city"] = city.city.name
        return city_dict
    def city_dict(self, ip_address: str) -> Optional[GeoIPDict]:
        """Wrapper for self.city that returns a dict"""
        city = self.city(ip_address)
        if not city:
            return None
        return self.city_to_dict(city)
 GEOIP_READER = GeoIPReader()
--- a/authentik/events/middleware.py
+++ b/authentik/events/middleware.py
@ -3,6 +3,7 @@ from functools import partial
 from typing import Callable
 from django.conf import settings
 from django.contrib.sessions.models import Session
 from django.core.exceptions import SuspiciousOperation
 from django.db.models import Model
 from django.db.models.signals import post_save, pre_delete
@ -15,6 +16,7 @@ from authentik.core.models import AuthenticatedSession, User
 from authentik.events.models import Event, EventAction, Notification
 from authentik.events.signals import EventNewThread
 from authentik.events.utils import model_to_dict
 from authentik.flows.models import FlowToken
 from authentik.lib.sentry import before_send
 from authentik.lib.utils.errors import exception_to_string
@ -24,11 +26,13 @@ IGNORED_MODELS = [
    UserObjectPermission,
    AuthenticatedSession,
    StaticToken,
    Session,
    FlowToken,
 ]
 if settings.DEBUG:
-    from silk.models import Request, Response
+    from silk.models import Request, Response, SQLQuery
-    IGNORED_MODELS += [Request, Response]
+    IGNORED_MODELS += [Request, Response, SQLQuery]
 IGNORED_MODELS = tuple(IGNORED_MODELS)
--- a/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py
+++ b/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py
@ -383,6 +383,7 @@ class Migration(migrations.Migration):
                    models.ManyToManyField(
                        help_text="Select which transports should be used to notify the user. If none are selected, the notification will only be shown in the authentik UI.",
                        to="authentik_events.NotificationTransport",
                        blank=True,
                    ),
                ),
            ],
--- a/authentik/events/migrations/0002_alter_notificationtransport_mode.py
+++ b/authentik/events/migrations/0002_alter_notificationtransport_mode.py
@ -0,0 +1,50 @@
 # Generated by Django 4.0.4 on 2022-05-30 18:08
 from django.apps.registry import Apps
 from django.db import migrations, models
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 from authentik.events.models import TransportMode
 def notify_local_transport(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    NotificationTransport = apps.get_model("authentik_events", "NotificationTransport")
    NotificationRule = apps.get_model("authentik_events", "NotificationRule")
    local_transport, _ = NotificationTransport.objects.using(db_alias).update_or_create(
        name="default-local-transport",
        defaults={"mode": TransportMode.LOCAL},
    )
    for trigger in NotificationRule.objects.using(db_alias).filter(
        name__in=[
            "default-notify-configuration-error",
            "default-notify-exception",
            "default-notify-update",
        ]
    ):
        trigger.transports.add(local_transport)
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_events", "0001_squashed_0019_alter_notificationtransport_webhook_url"),
    ]
    operations = [
        migrations.AlterField(
            model_name="notificationtransport",
            name="mode",
            field=models.TextField(
                choices=[
                    ("local", "authentik inbuilt notifications"),
                    ("webhook", "Generic Webhook"),
                    ("webhook_slack", "Slack Webhook (Slack/Discord)"),
                    ("email", "Email"),
                ],
                default="local",
            ),
        ),
        migrations.RunPython(notify_local_transport),
    ]
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@ -23,7 +23,10 @@ from requests import RequestException
 from structlog.stdlib import get_logger
 from authentik import __version__
-from authentik.core.middleware import SESSION_IMPERSONATE_ORIGINAL_USER, SESSION_IMPERSONATE_USER
+from authentik.core.middleware import (
    SESSION_KEY_IMPERSONATE_ORIGINAL_USER,
    SESSION_KEY_IMPERSONATE_USER,
 )
 from authentik.core.models import ExpiringModel, Group, PropertyMapping, User
 from authentik.events.geo import GEOIP_READER
 from authentik.events.utils import cleanse_dict, get_user, model_to_dict, sanitize_dict
@ -233,15 +236,15 @@ class Event(ExpiringModel):
        if hasattr(request, "user"):
            original_user = None
            if hasattr(request, "session"):
-                original_user = request.session.get(SESSION_IMPERSONATE_ORIGINAL_USER, None)
+                original_user = request.session.get(SESSION_KEY_IMPERSONATE_ORIGINAL_USER, None)
            self.user = get_user(request.user, original_user)
        if user:
            self.user = get_user(user)
        # Check if we're currently impersonating, and add that user
        if hasattr(request, "session"):
-            if SESSION_IMPERSONATE_ORIGINAL_USER in request.session:
+            if SESSION_KEY_IMPERSONATE_ORIGINAL_USER in request.session:
-                self.user = get_user(request.session[SESSION_IMPERSONATE_ORIGINAL_USER])
+                self.user = get_user(request.session[SESSION_KEY_IMPERSONATE_ORIGINAL_USER])
-                self.user["on_behalf_of"] = get_user(request.session[SESSION_IMPERSONATE_USER])
+                self.user["on_behalf_of"] = get_user(request.session[SESSION_KEY_IMPERSONATE_USER])
        # User 255.255.255.255 as fallback if IP cannot be determined
        self.client_ip = get_client_ip(request)
        # Apply GeoIP Data, when enabled
@ -289,6 +292,7 @@ class Event(ExpiringModel):
 class TransportMode(models.TextChoices):
    """Modes that a notification transport can send a notification"""
    LOCAL = "local", _("authentik inbuilt notifications")
    WEBHOOK = "webhook", _("Generic Webhook")
    WEBHOOK_SLACK = "webhook_slack", _("Slack Webhook (Slack/Discord)")
    EMAIL = "email", _("Email")
@ -300,7 +304,7 @@ class NotificationTransport(models.Model):
    uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
    name = models.TextField(unique=True)
-    mode = models.TextField(choices=TransportMode.choices)
+    mode = models.TextField(choices=TransportMode.choices, default=TransportMode.LOCAL)
    webhook_url = models.TextField(blank=True, validators=[DomainlessURLValidator()])
    webhook_mapping = models.ForeignKey(
@ -315,6 +319,8 @@ class NotificationTransport(models.Model):
    def send(self, notification: "Notification") -> list[str]:
        """Send notification to user, called from async task"""
        if self.mode == TransportMode.LOCAL:
            return self.send_local(notification)
        if self.mode == TransportMode.WEBHOOK:
            return self.send_webhook(notification)
        if self.mode == TransportMode.WEBHOOK_SLACK:
@ -323,6 +329,17 @@ class NotificationTransport(models.Model):
            return self.send_email(notification)
        raise ValueError(f"Invalid mode {self.mode} set")
    def send_local(self, notification: "Notification") -> list[str]:
        """Local notification delivery"""
        if self.webhook_mapping:
            self.webhook_mapping.evaluate(
                user=notification.user,
                request=None,
                notification=notification,
            )
        notification.save()
        return []
    def send_webhook(self, notification: "Notification") -> list[str]:
        """Send notification to generic webhook"""
        default_body = {
@ -481,6 +498,7 @@ class NotificationRule(PolicyBindingModel):
                "selected, the notification will only be shown in the authentik UI."
            )
        ),
        blank=True,
    )
    severity = models.TextField(
        choices=NotificationSeverity.choices,
--- a/authentik/events/monitored_tasks.py
+++ b/authentik/events/monitored_tasks.py
@ -8,18 +8,12 @@ from typing import Any, Optional
 from celery import Task
 from django.core.cache import cache
 from django.utils.translation import gettext_lazy as _
 from prometheus_client import Gauge
 from structlog.stdlib import get_logger
 from authentik.events.apps import GAUGE_TASKS
 from authentik.events.models import Event, EventAction
 from authentik.lib.utils.errors import exception_to_string
 GAUGE_TASKS = Gauge(
    "authentik_system_tasks",
    "System tasks and their status",
    ["task_name", "task_uid", "status"],
 )
 LOGGER = get_logger()
--- a/authentik/events/signals.py
+++ b/authentik/events/signals.py
@ -2,15 +2,16 @@
 from threading import Thread
 from typing import Any, Optional
-from django.contrib.auth.signals import user_logged_in, user_logged_out, user_login_failed
+from django.contrib.auth.signals import user_logged_in, user_logged_out
 from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http import HttpRequest
 from authentik.core.models import User
-from authentik.core.signals import password_changed
+from authentik.core.signals import login_failed, password_changed
 from authentik.events.models import Event, EventAction
 from authentik.events.tasks import event_notification_handler, gdpr_cleanup
 from authentik.flows.models import Stage
 from authentik.flows.planner import PLAN_CONTEXT_SOURCE, FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.stages.invitation.models import Invitation
@ -77,11 +78,18 @@ def on_user_write(sender, request: HttpRequest, user: User, data: dict[str, Any]
    thread.run()
-@receiver(user_login_failed)
+@receiver(login_failed)
 # pylint: disable=unused-argument
-def on_user_login_failed(sender, credentials: dict[str, str], request: HttpRequest, **_):
+def on_login_failed(
-    """Failed Login"""
+    signal,
-    thread = EventNewThread(EventAction.LOGIN_FAILED, request, **credentials)
+    sender,
    credentials: dict[str, str],
    request: HttpRequest,
    stage: Optional[Stage] = None,
    **kwargs,
 ):
    """Failed Login, authentik custom event"""
    thread = EventNewThread(EventAction.LOGIN_FAILED, request, **credentials, stage=stage, **kwargs)
    thread.run()
--- a/authentik/events/tasks.py
+++ b/authentik/events/tasks.py
@ -1,8 +1,11 @@
 """Event notification tasks"""
 from typing import Optional
 from django.db.models.query_utils import Q
 from guardian.shortcuts import get_anonymous_user
 from structlog.stdlib import get_logger
 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.models import User
 from authentik.events.models import (
    Event,
@ -39,10 +42,9 @@ def event_trigger_handler(event_uuid: str, trigger_name: str):
        LOGGER.warning("event doesn't exist yet or anymore", event_uuid=event_uuid)
        return
    event: Event = events.first()
-    triggers: NotificationRule = NotificationRule.objects.filter(name=trigger_name)
+    trigger: Optional[NotificationRule] = NotificationRule.objects.filter(name=trigger_name).first()
-    if not triggers.exists():
+    if not trigger:
        return
    trigger = triggers.first()
    if "policy_uuid" in event.context:
        policy_uuid = event.context["policy_uuid"]
@ -81,11 +83,14 @@ def event_trigger_handler(event_uuid: str, trigger_name: str):
    for transport in trigger.transports.all():
        for user in trigger.group.users.all():
            LOGGER.debug("created notification")
            notification = Notification.objects.create(
                severity=trigger.severity, body=event.summary, event=event, user=user
            )
            notification_transport.apply_async(
-                args=[notification.pk, transport.pk], queue="authentik_events"
+                args=[
                    transport.pk,
                    str(event.pk),
                    user.pk,
                    str(trigger.pk),
                ],
                queue="authentik_events",
            )
            if transport.send_once:
                break
@ -97,19 +102,30 @@ def event_trigger_handler(event_uuid: str, trigger_name: str):
    retry_backoff=True,
    base=MonitoredTask,
 )
-def notification_transport(self: MonitoredTask, notification_pk: int, transport_pk: int):
+def notification_transport(
    self: MonitoredTask, transport_pk: int, event_pk: str, user_pk: int, trigger_pk: str
 ):
    """Send notification over specified transport"""
    self.save_on_success = False
    try:
-        notification: Notification = Notification.objects.filter(pk=notification_pk).first()
+        event = Event.objects.filter(pk=event_pk).first()
-        if not notification:
+        if not event:
            return
        user = User.objects.filter(pk=user_pk).first()
        if not user:
            return
        trigger = NotificationRule.objects.filter(pk=trigger_pk).first()
        if not trigger:
            return
        notification = Notification(
            severity=trigger.severity, body=event.summary, event=event, user=user
        )
        transport = NotificationTransport.objects.filter(pk=transport_pk).first()
        if not transport:
            return
        transport.send(notification)
        self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL))
-    except NotificationTransportError as exc:
+    except (NotificationTransportError, PropertyMappingExpressionException) as exc:
        self.set_status(TaskResult(TaskResultStatus.ERROR).with_error(exc))
        raise exc
--- a/authentik/events/tests/test_notifications.py
+++ b/authentik/events/tests/test_notifications.py
@ -11,7 +11,10 @@ from authentik.events.models import (
    Notification,
    NotificationRule,
    NotificationTransport,
    NotificationWebhookMapping,
    TransportMode,
 )
 from authentik.lib.generators import generate_id
 from authentik.policies.event_matcher.models import EventMatcherPolicy
 from authentik.policies.exceptions import PolicyException
 from authentik.policies.models import PolicyBinding
@ -105,4 +108,26 @@ class TestEventsNotifications(TestCase):
        execute_mock = MagicMock()
        with patch("authentik.events.models.NotificationTransport.send", execute_mock):
            Event.new(EventAction.CUSTOM_PREFIX).save()
-        self.assertEqual(Notification.objects.count(), 1)
+        self.assertEqual(execute_mock.call_count, 1)
    def test_transport_mapping(self):
        """Test transport mapping"""
        mapping = NotificationWebhookMapping.objects.create(
            name=generate_id(),
            expression="""notification.body = 'foo'""",
        )
        transport = NotificationTransport.objects.create(
            name="transport", webhook_mapping=mapping, mode=TransportMode.LOCAL
        )
        NotificationRule.objects.filter(name__startswith="default").delete()
        trigger = NotificationRule.objects.create(name="trigger", group=self.group)
        trigger.transports.add(transport)
        matcher = EventMatcherPolicy.objects.create(
            name="matcher", action=EventAction.CUSTOM_PREFIX
        )
        PolicyBinding.objects.create(target=trigger, policy=matcher, order=0)
        Notification.objects.all().delete()
        Event.new(EventAction.CUSTOM_PREFIX).save()
        self.assertEqual(Notification.objects.first().body, "foo")
--- a/authentik/events/utils.py
+++ b/authentik/events/utils.py
@ -10,9 +10,11 @@ from django.db import models
 from django.db.models.base import Model
 from django.http.request import HttpRequest
 from django.views.debug import SafeExceptionReporterFilter
 from geoip2.models import City
 from guardian.utils import get_anonymous_user
 from authentik.core.models import User
 from authentik.events.geo import GEOIP_READER
 from authentik.policies.types import PolicyRequest
 # Special keys which are *not* cleaned, even when the default filter
@ -93,6 +95,8 @@ def sanitize_dict(source: dict[Any, Any]) -> dict[Any, Any]:
            final_dict[key] = value.hex
        elif isinstance(value, (HttpRequest, WSGIRequest)):
            continue
        elif isinstance(value, City):
            final_dict[key] = GEOIP_READER.city_to_dict(value)
        elif isinstance(value, type):
            final_dict[key] = {
                "type": value.__name__,
--- a/authentik/flows/api/bindings.py
+++ b/authentik/flows/api/bindings.py
@ -35,3 +35,4 @@ class FlowStageBindingViewSet(UsedByMixin, ModelViewSet):
    queryset = FlowStageBinding.objects.all()
    serializer_class = FlowStageBindingSerializer
    filterset_fields = "__all__"
    search_fields = ["stage__name"]
--- a/authentik/flows/api/flows.py
+++ b/authentik/flows/api/flows.py
@ -73,6 +73,7 @@ class FlowSerializer(ModelSerializer):
            "compatibility_mode",
            "export_url",
            "layout",
            "denied_action",
        ]
        extra_kwargs = {
            "background": {"read_only": True},
@ -110,8 +111,8 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
    serializer_class = FlowSerializer
    lookup_field = "slug"
    ordering = ["slug", "name"]
-    search_fields = ["name", "slug", "designation", "title"]
+    search_fields = ["name", "slug", "designation", "title", "denied_action"]
-    filterset_fields = ["flow_uuid", "name", "slug", "designation"]
+    filterset_fields = ["flow_uuid", "name", "slug", "designation", "denied_action"]
    @permission_required(None, ["authentik_flows.view_flow_cache"])
    @extend_schema(responses={200: CacheSerializer(many=False)})
@ -371,7 +372,7 @@ class FlowViewSet(UsedByMixin, ModelViewSet):
                request,
                _(
                    "Flow not applicable to current user/request: %(messages)s"
-                    % {"messages": str(exc)}
+                    % {"messages": exc.messages}
                ),
            )
        return Response(
--- a/authentik/flows/apps.py
+++ b/authentik/flows/apps.py
@ -3,9 +3,20 @@ from importlib import import_module
 from django.apps import AppConfig
 from django.db.utils import ProgrammingError
 from prometheus_client import Gauge, Histogram
 from authentik.lib.utils.reflection import all_subclasses
 GAUGE_FLOWS_CACHED = Gauge(
    "authentik_flows_cached",
    "Cached flows",
 )
 HIST_FLOWS_PLAN_TIME = Histogram(
    "authentik_flows_plan_time",
    "Duration to build a plan for a flow",
    ["flow_slug"],
 )
 class AuthentikFlowsConfig(AppConfig):
    """authentik flows app config"""
--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -1,6 +1,6 @@
 """Challenge helpers"""
 from enum import Enum
-from typing import TYPE_CHECKING, Optional
+from typing import TYPE_CHECKING, Optional, TypedDict
 from django.db import models
 from django.http import JsonResponse
@ -95,6 +95,13 @@ class AccessDeniedChallenge(WithUserInfoChallenge):
    component = CharField(default="ak-stage-access-denied")
 class PermissionDict(TypedDict):
    """Consent Permission"""
    id: str
    name: str
 class PermissionSerializer(PassiveSerializer):
    """Permission used for consent"""
--- a/authentik/flows/exceptions.py
+++ b/authentik/flows/exceptions.py
@ -1,4 +1,5 @@
 """flow exceptions"""
 from django.utils.translation import gettext_lazy as _
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.policies.types import PolicyResult
@ -9,6 +10,13 @@ class FlowNonApplicableException(SentryIgnoredException):
    policy_result: PolicyResult
    @property
    def messages(self) -> str:
        """Get messages from policy result, fallback to generic reason"""
        if len(self.policy_result.messages) < 1:
            return _("Flow does not apply to current user (denied by policy).")
        return "\n".join(self.policy_result.messages)
 class EmptyFlowException(SentryIgnoredException):
    """Flow has no stages."""
--- a/authentik/flows/management/commands/benchmark.py
+++ b/authentik/flows/management/commands/benchmark.py
@ -94,9 +94,9 @@ class Command(BaseCommand):  # pragma: no cover
    def output_overview(self, values):
        """Output results human readable"""
-        total_max: int = max([max(inner) for inner in values])
+        total_max: int = max(max(inner) for inner in values)
-        total_min: int = min([min(inner) for inner in values])
+        total_min: int = min(min(inner) for inner in values)
-        total_avg = sum([sum(inner) for inner in values]) / sum([len(inner) for inner in values])
+        total_avg = sum(sum(inner) for inner in values) / sum(len(inner) for inner in values)
        print(f"Version: {__version__}")
        print(f"Processes: {len(values)}")
--- a/authentik/flows/markers.py
+++ b/authentik/flows/markers.py
@ -47,7 +47,8 @@ class ReevaluateMarker(StageMarker):
        from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
        LOGGER.debug(
-            "f(plan_inst)[re-eval marker]: running re-evaluation",
+            "f(plan_inst): running re-evaluation",
            marker="ReevaluateMarker",
            binding=binding,
            policy_binding=self.binding,
        )
@ -56,13 +57,15 @@ class ReevaluateMarker(StageMarker):
        )
        engine.use_cache = False
        engine.request.set_http_request(http_request)
-        engine.request.context = plan.context
+        engine.request.context["flow_plan"] = plan
        engine.request.context.update(plan.context)
        engine.build()
        result = engine.result
        if result.passing:
            return binding
        LOGGER.warning(
-            "f(plan_inst)[re-eval marker]: binding failed re-evaluation",
+            "f(plan_inst): binding failed re-evaluation",
            marker="ReevaluateMarker",
            binding=binding,
            messages=result.messages,
        )
--- a/authentik/flows/migrations/0018_oob_flows.py
+++ b/authentik/flows/migrations/0018_oob_flows.py
@ -14,7 +14,7 @@ return not akadmin.has_usable_password()"""
 PREFILL_POLICY_EXPRESSION = """# This policy sets the user for the currently running flow
 # by injecting "pending_user"
 akadmin = ak_user_by(username="akadmin")
-context["pending_user"] = akadmin
+context["flow_plan"].context["pending_user"] = akadmin
 return True"""
--- a/authentik/flows/migrations/0023_flow_denied_action.py
+++ b/authentik/flows/migrations/0023_flow_denied_action.py
@ -0,0 +1,26 @@
 # Generated by Django 4.0.5 on 2022-07-02 12:42
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_flows", "0022_flow_layout"),
    ]
    operations = [
        migrations.AddField(
            model_name="flow",
            name="denied_action",
            field=models.TextField(
                choices=[
                    ("message_continue", "Message Continue"),
                    ("message", "Message"),
                    ("continue", "Continue"),
                ],
                default="message_continue",
                help_text="Configure what should happen when a flow denies access to a user.",
            ),
        ),
    ]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -5,7 +5,6 @@ from typing import TYPE_CHECKING, Optional
 from uuid import uuid4
 from django.db import models
 from django.http import HttpRequest
 from django.utils.translation import gettext_lazy as _
 from model_utils.managers import InheritanceManager
 from rest_framework.serializers import BaseSerializer
@ -40,6 +39,14 @@ class InvalidResponseAction(models.TextChoices):
    RESTART_WITH_CONTEXT = "restart_with_context"
 class FlowDeniedAction(models.TextChoices):
    """Configure what response is given to denied flow executions"""
    MESSAGE_CONTINUE = "message_continue"
    MESSAGE = "message"
    CONTINUE = "continue"
 class FlowDesignation(models.TextChoices):
    """Designation of what a Flow should be used for. At a later point, this
    should be replaced by a database entry."""
@ -87,13 +94,15 @@ class Stage(SerializerModel):
        return f"Stage {self.name}"
-def in_memory_stage(view: type["StageView"]) -> Stage:
+def in_memory_stage(view: type["StageView"], **kwargs) -> Stage:
    """Creates an in-memory stage instance, based on a `view` as view."""
    stage = Stage()
    # Because we can't pickle a locally generated function,
    # we set the view as a separate property and reference a generic function
    # that returns that member
    setattr(stage, "__in_memory_type", view)
    for key, value in kwargs.items():
        setattr(stage, key, value)
    return stage
@ -137,6 +146,12 @@ class Flow(SerializerModel, PolicyBindingModel):
        ),
    )
    denied_action = models.TextField(
        choices=FlowDeniedAction.choices,
        default=FlowDeniedAction.MESSAGE_CONTINUE,
        help_text=_("Configure what should happen when a flow denies access to a user."),
    )
    @property
    def background_url(self) -> str:
        """Get the URL to the background image. If the name is /static or starts with http
@ -155,23 +170,6 @@ class Flow(SerializerModel, PolicyBindingModel):
        return FlowSerializer
    @staticmethod
    def with_policy(request: HttpRequest, **flow_filter) -> Optional["Flow"]:
        """Get a Flow by `**flow_filter` and check if the request from `request` can access it."""
        from authentik.policies.engine import PolicyEngine
        flows = Flow.objects.filter(**flow_filter).order_by("slug")
        for flow in flows:
            engine = PolicyEngine(flow, request.user, request)
            engine.build()
            result = engine.result
            if result.passing:
                LOGGER.debug("with_policy: flow passing", flow=flow)
                return flow
            LOGGER.warning("with_policy: flow not passing", flow=flow, messages=result.messages)
        LOGGER.debug("with_policy: no flow found", filters=flow_filter)
        return None
    def __str__(self) -> str:
        return f"Flow {self.name} ({self.slug})"
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -4,16 +4,16 @@ from typing import Any, Optional
 from django.core.cache import cache
 from django.http import HttpRequest
 from prometheus_client import Gauge, Histogram
 from sentry_sdk.hub import Hub
 from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.models import User
 from authentik.events.models import cleanse_dict
 from authentik.flows.apps import HIST_FLOWS_PLAN_TIME
 from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableException
 from authentik.flows.markers import ReevaluateMarker, StageMarker
-from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, Stage
+from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, Stage, in_memory_stage
 from authentik.lib.config import CONFIG
 from authentik.policies.engine import PolicyEngine
@ -26,15 +26,6 @@ PLAN_CONTEXT_SOURCE = "source"
 # Is set by the Flow Planner when a FlowToken was used, and the currently active flow plan
 # was restored.
 PLAN_CONTEXT_IS_RESTORED = "is_restored"
 GAUGE_FLOWS_CACHED = Gauge(
    "authentik_flows_cached",
    "Cached flows",
 )
 HIST_FLOWS_PLAN_TIME = Histogram(
    "authentik_flows_plan_time",
    "Duration to build a plan for a flow",
    ["flow_slug"],
 )
 CACHE_TIMEOUT = int(CONFIG.y("redis.cache_timeout_flows"))
@ -71,6 +62,12 @@ class FlowPlan:
        self.bindings.insert(1, FlowStageBinding(stage=stage, order=0))
        self.markers.insert(1, marker or StageMarker())
    def redirect(self, destination: str):
        """Insert a redirect stage as next stage"""
        from authentik.flows.stage import RedirectStage
        self.insert_stage(in_memory_stage(RedirectStage, destination=destination))
    def next(self, http_request: Optional[HttpRequest]) -> Optional[FlowStageBinding]:
        """Return next pending stage from the bottom of the list"""
        if not self.has_stages:
@ -117,7 +114,7 @@ class FlowPlanner:
        self.use_cache = True
        self.allow_empty_flows = False
        self.flow = flow
-        self._logger = get_logger().bind(flow=flow)
+        self._logger = get_logger().bind(flow_slug=flow.slug)
    def plan(
        self, request: HttpRequest, default_context: Optional[dict[str, Any]] = None
@ -146,11 +143,11 @@ class FlowPlanner:
            engine = PolicyEngine(self.flow, user, request)
            if default_context:
                span.set_data("default_context", cleanse_dict(default_context))
-                engine.request.context = default_context
+                engine.request.context.update(default_context)
            engine.build()
            result = engine.result
            if not result.passing:
-                exc = FlowNonApplicableException(",".join(result.messages))
+                exc = FlowNonApplicableException()
                exc.policy_result = result
                raise exc
            # User is passing so far, check if we have a cached plan
@ -207,7 +204,8 @@ class FlowPlanner:
                        stage=binding.stage,
                    )
                    engine = PolicyEngine(binding, user, request)
-                    engine.request.context = plan.context
+                    engine.request.context["flow_plan"] = plan
                    engine.request.context.update(plan.context)
                    engine.build()
                    if engine.passing:
                        self._logger.debug(
--- a/authentik/flows/signals.py
+++ b/authentik/flows/signals.py
@ -4,7 +4,7 @@ from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from structlog.stdlib import get_logger
-from authentik.flows.planner import GAUGE_FLOWS_CACHED
+from authentik.flows.apps import GAUGE_FLOWS_CACHED
 from authentik.root.monitoring import monitoring_set
 LOGGER = get_logger()
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -9,7 +9,7 @@ from django.urls import reverse
 from django.views.generic.base import View
 from rest_framework.request import Request
 from sentry_sdk.hub import Hub
-from structlog.stdlib import get_logger
+from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.models import DEFAULT_AVATAR, User
 from authentik.flows.challenge import (
@ -19,27 +19,35 @@ from authentik.flows.challenge import (
    ChallengeTypes,
    ContextualFlowInfo,
    HttpChallengeResponse,
    RedirectChallenge,
    WithUserInfoChallenge,
 )
 from authentik.flows.models import InvalidResponseAction
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_PENDING_USER
 from authentik.lib.utils.reflection import class_to_path
 if TYPE_CHECKING:
    from authentik.flows.views.executor import FlowExecutorView
 PLAN_CONTEXT_PENDING_USER_IDENTIFIER = "pending_user_identifier"
 LOGGER = get_logger()
 class StageView(View):
-    """Abstract Stage, inherits TemplateView but can be combined with FormView"""
+    """Abstract Stage"""
    executor: "FlowExecutorView"
    request: HttpRequest = None
    logger: BoundLogger
    def __init__(self, executor: "FlowExecutorView", **kwargs):
        self.executor = executor
        current_stage = getattr(self.executor, "current_stage", None)
        self.logger = get_logger().bind(
            stage=getattr(current_stage, "name", None),
            stage_view=class_to_path(type(self)),
        )
        super().__init__(**kwargs)
    def get_pending_user(self, for_display=False) -> User:
@ -60,6 +68,9 @@ class StageView(View):
            return self.executor.plan.context[PLAN_CONTEXT_PENDING_USER]
        return self.request.user
    def cleanup(self):
        """Cleanup session"""
 class ChallengeStageView(StageView):
    """Stage view which response with a challenge"""
@ -74,12 +85,9 @@ class ChallengeStageView(StageView):
        """Return a challenge for the frontend to solve"""
        challenge = self._get_challenge(*args, **kwargs)
        if not challenge.is_valid():
-            LOGGER.warning(
+            self.logger.warning(
                "f(ch): Invalid challenge",
                binding=self.executor.current_binding,
                errors=challenge.errors,
                stage_view=self,
                challenge=challenge,
            )
        return HttpChallengeResponse(challenge)
@ -96,10 +104,8 @@ class ChallengeStageView(StageView):
                    self.executor.current_binding.invalid_response_action
                    == InvalidResponseAction.RESTART_WITH_CONTEXT
                )
-                LOGGER.debug(
+                self.logger.debug(
                    "f(ch): Invalid response, restarting flow",
                    binding=self.executor.current_binding,
                    stage_view=self,
                    keep_context=keep_context,
                )
                return self.executor.restart_flow(keep_context)
@ -125,7 +131,7 @@ class ChallengeStageView(StageView):
            }
        # pylint: disable=broad-except
        except Exception as exc:
-            LOGGER.warning("failed to template title", exc=exc)
+            self.logger.warning("failed to template title", exc=exc)
            return self.executor.flow.title
    def _get_challenge(self, *args, **kwargs) -> Challenge:
@ -185,11 +191,9 @@ class ChallengeStageView(StageView):
                )
        challenge_response.initial_data["response_errors"] = full_errors
        if not challenge_response.is_valid():
-            LOGGER.error(
+            self.logger.error(
                "f(ch): invalid challenge response",
                binding=self.executor.current_binding,
                errors=challenge_response.errors,
                stage_view=self,
            )
        return HttpChallengeResponse(challenge_response)
@ -216,3 +220,21 @@ class AccessDeniedChallengeView(ChallengeStageView):
    # .get() method is called
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:  # pragma: no cover
        return self.executor.cancel()
 class RedirectStage(ChallengeStageView):
    """Redirect to any URL"""
    def get_challenge(self, *args, **kwargs) -> RedirectChallenge:
        destination = getattr(
            self.executor.current_stage, "destination", reverse("authentik_core:root-redirect")
        )
        return RedirectChallenge(
            data={
                "type": ChallengeTypes.REDIRECT.value,
                "to": destination,
            }
        )
    def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
        return HttpChallengeResponse(self.get_challenge())
--- a/authentik/flows/tests/test_executor.py
+++ b/authentik/flows/tests/test_executor.py
@ -6,14 +6,20 @@ from django.test.client import RequestFactory
 from django.urls import reverse
 from authentik.core.models import User
-from authentik.flows.exceptions import FlowNonApplicableException
+from authentik.core.tests.utils import create_test_flow
 from authentik.flows.markers import ReevaluateMarker, StageMarker
-from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, InvalidResponseAction
+from authentik.flows.models import (
    FlowDeniedAction,
    FlowDesignation,
    FlowStageBinding,
    InvalidResponseAction,
 )
 from authentik.flows.planner import FlowPlan, FlowPlanner
 from authentik.flows.stage import PLAN_CONTEXT_PENDING_USER_IDENTIFIER, StageView
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import NEXT_ARG_NAME, SESSION_KEY_PLAN, FlowExecutorView
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.policies.reputation.models import ReputationPolicy
@ -22,7 +28,7 @@ from authentik.stages.deny.models import DenyStage
 from authentik.stages.dummy.models import DummyStage
 from authentik.stages.identification.models import IdentificationStage, UserFields
-POLICY_RETURN_FALSE = PropertyMock(return_value=PolicyResult(False))
+POLICY_RETURN_FALSE = PropertyMock(return_value=PolicyResult(False, "foo"))
 POLICY_RETURN_TRUE = MagicMock(return_value=PolicyResult(True))
@ -47,12 +53,10 @@ class TestFlowExecutor(FlowTestCase):
    )
    def test_existing_plan_diff_flow(self):
        """Check that a plan for a different flow cancels the current plan"""
-        flow = Flow.objects.create(
+        flow = create_test_flow(
-            name="test-existing-plan-diff",
+            FlowDesignation.AUTHENTICATION,
            slug="test-existing-plan-diff",
            designation=FlowDesignation.AUTHENTICATION,
        )
-        stage = DummyStage.objects.create(name="dummy")
+        stage = DummyStage.objects.create(name=generate_id())
        binding = FlowStageBinding(target=flow, stage=stage, order=0)
        plan = FlowPlan(flow_pk=flow.pk.hex + "a", bindings=[binding], markers=[StageMarker()])
        session = self.client.session
@ -77,10 +81,8 @@ class TestFlowExecutor(FlowTestCase):
    )
    def test_invalid_non_applicable_flow(self):
        """Tests that a non-applicable flow returns the correct error message"""
-        flow = Flow.objects.create(
+        flow = create_test_flow(
-            name="test-non-applicable",
+            FlowDesignation.AUTHENTICATION,
            slug="test-non-applicable",
            designation=FlowDesignation.AUTHENTICATION,
        )
        CONFIG.update_from_dict({"domain": "testserver"})
@ -90,7 +92,7 @@ class TestFlowExecutor(FlowTestCase):
        self.assertStageResponse(
            response,
            flow=flow,
-            error_message=FlowNonApplicableException.__doc__,
+            error_message="foo",
            component="ak-stage-access-denied",
        )
@ -98,12 +100,15 @@ class TestFlowExecutor(FlowTestCase):
        "authentik.flows.views.executor.to_stage_response",
        TO_STAGE_RESPONSE_MOCK,
    )
-    def test_invalid_empty_flow(self):
+    @patch(
-        """Tests that an empty flow returns the correct error message"""
+        "authentik.policies.engine.PolicyEngine.result",
-        flow = Flow.objects.create(
+        POLICY_RETURN_FALSE,
-            name="test-empty",
+    )
-            slug="test-empty",
+    def test_invalid_non_applicable_flow_continue(self):
-            designation=FlowDesignation.AUTHENTICATION,
+        """Tests that a non-applicable flow that should redirect"""
        flow = create_test_flow(
            FlowDesignation.AUTHENTICATION,
            denied_action=FlowDeniedAction.CONTINUE,
        )
        CONFIG.update_from_dict({"domain": "testserver"})
@ -119,10 +124,8 @@ class TestFlowExecutor(FlowTestCase):
    )
    def test_invalid_flow_redirect(self):
        """Tests that an invalid flow still redirects"""
-        flow = Flow.objects.create(
+        flow = create_test_flow(
-            name="test-empty",
+            FlowDesignation.AUTHENTICATION,
            slug="test-empty",
            designation=FlowDesignation.AUTHENTICATION,
        )
        CONFIG.update_from_dict({"domain": "testserver"})
@ -132,18 +135,33 @@ class TestFlowExecutor(FlowTestCase):
        self.assertEqual(response.status_code, 302)
        self.assertEqual(response.url, reverse("authentik_core:root-redirect"))
    @patch(
        "authentik.flows.views.executor.to_stage_response",
        TO_STAGE_RESPONSE_MOCK,
    )
    def test_invalid_empty_flow(self):
        """Tests that an empty flow returns the correct error message"""
        flow = create_test_flow(
            FlowDesignation.AUTHENTICATION,
        )
        CONFIG.update_from_dict({"domain": "testserver"})
        response = self.client.get(
            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
        )
        self.assertEqual(response.status_code, 302)
        self.assertEqual(response.url, reverse("authentik_core:root-redirect"))
    def test_multi_stage_flow(self):
        """Test a full flow with multiple stages"""
-        flow = Flow.objects.create(
+        flow = create_test_flow(
-            name="test-full",
+            FlowDesignation.AUTHENTICATION,
            slug="test-full",
            designation=FlowDesignation.AUTHENTICATION,
        )
        FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy1"), order=0
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
        )
        FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy2"), order=1
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=1
        )
        exec_url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})
@ -170,19 +188,19 @@ class TestFlowExecutor(FlowTestCase):
    )
    def test_reevaluate_remove_last(self):
        """Test planner with re-evaluate (last stage is removed)"""
-        flow = Flow.objects.create(
+        flow = create_test_flow(
-            name="test-default-context",
+            FlowDesignation.AUTHENTICATION,
-            slug="test-default-context",
+        )
-            designation=FlowDesignation.AUTHENTICATION,
+        false_policy = DummyPolicy.objects.create(
            name=generate_id(), result=False, wait_min=1, wait_max=2
        )
        false_policy = DummyPolicy.objects.create(result=False, wait_min=1, wait_max=2)
        binding = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy1"), order=0
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
-            stage=DummyStage.objects.create(name="dummy2"),
+            stage=DummyStage.objects.create(name=generate_id()),
            order=1,
            re_evaluate_policies=True,
        )
@ -217,24 +235,24 @@ class TestFlowExecutor(FlowTestCase):
    def test_reevaluate_remove_middle(self):
        """Test planner with re-evaluate (middle stage is removed)"""
-        flow = Flow.objects.create(
+        flow = create_test_flow(
-            name="test-default-context",
+            FlowDesignation.AUTHENTICATION,
-            slug="test-default-context",
+        )
-            designation=FlowDesignation.AUTHENTICATION,
+        false_policy = DummyPolicy.objects.create(
            name=generate_id(), result=False, wait_min=1, wait_max=2
        )
        false_policy = DummyPolicy.objects.create(result=False, wait_min=1, wait_max=2)
        binding = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy1"), order=0
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
-            stage=DummyStage.objects.create(name="dummy2"),
+            stage=DummyStage.objects.create(name=generate_id()),
            order=1,
            re_evaluate_policies=True,
        )
        binding3 = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy3"), order=2
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
        )
        PolicyBinding.objects.create(policy=false_policy, target=binding2, order=0)
@ -277,24 +295,24 @@ class TestFlowExecutor(FlowTestCase):
    def test_reevaluate_keep(self):
        """Test planner with re-evaluate (everything is kept)"""
-        flow = Flow.objects.create(
+        flow = create_test_flow(
-            name="test-default-context",
+            FlowDesignation.AUTHENTICATION,
-            slug="test-default-context",
+        )
-            designation=FlowDesignation.AUTHENTICATION,
+        true_policy = DummyPolicy.objects.create(
            name=generate_id(), result=True, wait_min=1, wait_max=2
        )
        true_policy = DummyPolicy.objects.create(result=True, wait_min=1, wait_max=2)
        binding = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy1"), order=0
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
-            stage=DummyStage.objects.create(name="dummy2"),
+            stage=DummyStage.objects.create(name=generate_id()),
            order=1,
            re_evaluate_policies=True,
        )
        binding3 = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy3"), order=2
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
        )
        PolicyBinding.objects.create(policy=true_policy, target=binding2, order=0)
@ -347,30 +365,30 @@ class TestFlowExecutor(FlowTestCase):
    def test_reevaluate_remove_consecutive(self):
        """Test planner with re-evaluate (consecutive stages are removed)"""
-        flow = Flow.objects.create(
+        flow = create_test_flow(
-            name="test-default-context",
+            FlowDesignation.AUTHENTICATION,
-            slug="test-default-context",
+        )
-            designation=FlowDesignation.AUTHENTICATION,
+        false_policy = DummyPolicy.objects.create(
            name=generate_id(), result=False, wait_min=1, wait_max=2
        )
        false_policy = DummyPolicy.objects.create(result=False, wait_min=1, wait_max=2)
        binding = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy1"), order=0
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
        )
        binding2 = FlowStageBinding.objects.create(
            target=flow,
-            stage=DummyStage.objects.create(name="dummy2"),
+            stage=DummyStage.objects.create(name=generate_id()),
            order=1,
            re_evaluate_policies=True,
        )
        binding3 = FlowStageBinding.objects.create(
            target=flow,
-            stage=DummyStage.objects.create(name="dummy3"),
+            stage=DummyStage.objects.create(name=generate_id()),
            order=2,
            re_evaluate_policies=True,
        )
        binding4 = FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy4"), order=2
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=2
        )
        PolicyBinding.objects.create(policy=false_policy, target=binding2, order=0)
@ -415,13 +433,11 @@ class TestFlowExecutor(FlowTestCase):
    def test_stageview_user_identifier(self):
        """Test PLAN_CONTEXT_PENDING_USER_IDENTIFIER"""
-        flow = Flow.objects.create(
+        flow = create_test_flow(
-            name="test-default-context",
+            FlowDesignation.AUTHENTICATION,
            slug="test-default-context",
            designation=FlowDesignation.AUTHENTICATION,
        )
        FlowStageBinding.objects.create(
-            target=flow, stage=DummyStage.objects.create(name="dummy"), order=0
+            target=flow, stage=DummyStage.objects.create(name=generate_id()), order=0
        )
        ident = "test-identifier"
@ -443,10 +459,8 @@ class TestFlowExecutor(FlowTestCase):
    def test_invalid_restart(self):
        """Test flow that restarts on invalid entry"""
-        flow = Flow.objects.create(
+        flow = create_test_flow(
-            name="restart-on-invalid",
+            FlowDesignation.AUTHENTICATION,
            slug="restart-on-invalid",
            designation=FlowDesignation.AUTHENTICATION,
        )
        # Stage 0 is a deny stage that is added dynamically
        # when the reputation policy says so
--- a/authentik/flows/tests/test_inspector.py
+++ b/authentik/flows/tests/test_inspector.py
@ -9,6 +9,7 @@ from rest_framework.test import APITestCase
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.flows.challenge import ChallengeTypes
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding, InvalidResponseAction
 from authentik.lib.generators import generate_id
 from authentik.stages.dummy.models import DummyStage
 from authentik.stages.identification.models import IdentificationStage, UserFields
@ -24,8 +25,8 @@ class TestFlowInspector(APITestCase):
    def test(self):
        """test inspector"""
        flow = Flow.objects.create(
-            name="test-full",
+            name=generate_id(),
-            slug="test-full",
+            slug=generate_id(),
            designation=FlowDesignation.AUTHENTICATION,
        )
--- a/authentik/flows/tests/test_transfer.py
+++ b/authentik/flows/tests/test_transfer.py
@ -13,6 +13,26 @@ from authentik.policies.models import PolicyBinding
 from authentik.stages.prompt.models import FieldTypes, Prompt, PromptStage
 from authentik.stages.user_login.models import UserLoginStage
 STATIC_PROMPT_EXPORT = """{
    "version": 1,
    "entries": [
        {
            "identifiers": {
                "pk": "cb954fd4-65a5-4ad9-b1ee-180ee9559cf4"
            },
            "model": "authentik_stages_prompt.prompt",
            "attrs": {
                "field_key": "username",
                "label": "Username",
                "type": "username",
                "required": true,
                "placeholder": "Username",
                "order": 0
            }
        }
    ]
 }"""
 class TestFlowTransfer(TransactionTestCase):
    """Test flow transfer"""
@ -58,6 +78,22 @@ class TestFlowTransfer(TransactionTestCase):
        self.assertTrue(Flow.objects.filter(slug=flow_slug).exists())
    def test_export_validate_import_re_import(self):
        """Test export and import it twice"""
        count_initial = Prompt.objects.filter(field_key="username").count()
        importer = FlowImporter(STATIC_PROMPT_EXPORT)
        self.assertTrue(importer.validate())
        self.assertTrue(importer.apply())
        count_before = Prompt.objects.filter(field_key="username").count()
        self.assertEqual(count_initial + 1, count_before)
        importer = FlowImporter(STATIC_PROMPT_EXPORT)
        self.assertTrue(importer.apply())
        self.assertEqual(Prompt.objects.filter(field_key="username").count(), count_before)
    def test_export_validate_import_policies(self):
        """Test export and validate it"""
        flow_slug = generate_id()
--- a/authentik/flows/transfer/common.py
+++ b/authentik/flows/transfer/common.py
@ -27,6 +27,7 @@ def get_attrs(obj: SerializerModel) -> dict[str, Any]:
        "promptstage_set",
        "policybindingmodel_ptr_id",
        "export_url",
        "meta_model_name",
    )
    for to_remove_name in to_remove:
        if to_remove_name in data:
--- a/authentik/flows/transfer/importer.py
+++ b/authentik/flows/transfer/importer.py
@ -28,6 +28,7 @@ ALLOWED_MODELS = (Flow, FlowStageBinding, Stage, Policy, PolicyBinding, Prompt)
 def transaction_rollback():
    """Enters an atomic transaction and always triggers a rollback at the end of the block."""
    atomic = transaction.atomic()
    # pylint: disable=unnecessary-dunder-call
    atomic.__enter__()
    yield
    atomic.__exit__(IntegrityError, None, None)
@ -115,6 +116,11 @@ class FlowImporter:
            serializer_kwargs["instance"] = model_instance
        else:
            self.logger.debug("initialise new instance", model=model, **updated_identifiers)
            model_instance = model()
            # pk needs to be set on the model instance otherwise a new one will be generated
            if "pk" in updated_identifiers:
                model_instance.pk = updated_identifiers["pk"]
            serializer_kwargs["instance"] = model_instance
        full_data = self.__update_pks_for_attrs(entry.attrs)
        full_data.update(updated_identifiers)
        serializer_kwargs["data"] = full_data
@ -167,7 +173,7 @@ class FlowImporter:
    def validate(self) -> bool:
        """Validate loaded flow export, ensure all models are allowed
        and serializers have no errors"""
-        self.logger.debug("Starting flow import validaton")
+        self.logger.debug("Starting flow import validation")
        if self.__import.version != 1:
            self.logger.warning("Invalid bundle version")
            return False
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -10,6 +10,7 @@ from django.http import Http404, HttpRequest, HttpResponse, HttpResponseRedirect
 from django.http.request import QueryDict
 from django.shortcuts import get_object_or_404, redirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.views.decorators.clickjacking import xframe_options_sameorigin
 from django.views.generic import View
@ -37,6 +38,7 @@ from authentik.flows.exceptions import EmptyFlowException, FlowNonApplicableExce
 from authentik.flows.models import (
    ConfigurableStage,
    Flow,
    FlowDeniedAction,
    FlowDesignation,
    FlowStageBinding,
    FlowToken,
@ -49,21 +51,22 @@ from authentik.flows.planner import (
    FlowPlan,
    FlowPlanner,
 )
-from authentik.flows.stage import AccessDeniedChallengeView
+from authentik.flows.stage import AccessDeniedChallengeView, StageView
 from authentik.lib.sentry import SentryIgnoredException
 from authentik.lib.utils.errors import exception_to_string
 from authentik.lib.utils.reflection import all_subclasses, class_to_path
 from authentik.lib.utils.urls import is_url_absolute, redirect_with_qs
 from authentik.policies.engine import PolicyEngine
 from authentik.tenants.models import Tenant
 LOGGER = get_logger()
 # Argument used to redirect user after login
 NEXT_ARG_NAME = "next"
-SESSION_KEY_PLAN = "authentik_flows_plan"
+SESSION_KEY_PLAN = "authentik/flows/plan"
-SESSION_KEY_APPLICATION_PRE = "authentik_flows_application_pre"
+SESSION_KEY_APPLICATION_PRE = "authentik/flows/application_pre"
-SESSION_KEY_GET = "authentik_flows_get"
+SESSION_KEY_GET = "authentik/flows/get"
-SESSION_KEY_POST = "authentik_flows_post"
+SESSION_KEY_POST = "authentik/flows/post"
-SESSION_KEY_HISTORY = "authentik_flows_history"
+SESSION_KEY_HISTORY = "authentik/flows/history"
 QS_KEY_TOKEN = "flow_token"  # nosec
@ -129,21 +132,27 @@ class FlowExecutorView(APIView):
        self._logger = get_logger().bind(flow_slug=flow_slug)
        set_tag("authentik.flow", self.flow.slug)
-    def handle_invalid_flow(self, exc: BaseException) -> HttpResponse:
+    def handle_invalid_flow(self, exc: FlowNonApplicableException) -> HttpResponse:
        """When a flow is non-applicable check if user is on the correct domain"""
-        if NEXT_ARG_NAME in self.request.GET:
+        if self.flow.denied_action in [
-            if not is_url_absolute(self.request.GET.get(NEXT_ARG_NAME)):
+            FlowDeniedAction.CONTINUE,
            FlowDeniedAction.MESSAGE_CONTINUE,
        ]:
            next_url = self.request.GET.get(NEXT_ARG_NAME)
            if next_url and not is_url_absolute(next_url):
                self._logger.debug("f(exec): Redirecting to next on fail")
-                return redirect(self.request.GET.get(NEXT_ARG_NAME))
+                return to_stage_response(self.request, redirect(next_url))
-        message = exc.__doc__ if exc.__doc__ else str(exc)
+        if self.flow.denied_action == FlowDeniedAction.CONTINUE:
-        return self.stage_invalid(error_message=message)
+            return to_stage_response(
                self.request, redirect(reverse("authentik_core:root-redirect"))
            )
        return to_stage_response(self.request, self.stage_invalid(error_message=exc.messages))
-    def _check_flow_token(self, get_params: QueryDict):
+    def _check_flow_token(self, key: str) -> Optional[FlowPlan]:
        """Check if the user is using a flow token to restore a plan"""
-        tokens = FlowToken.filter_not_expired(key=get_params[QS_KEY_TOKEN])
+        token: Optional[FlowToken] = FlowToken.filter_not_expired(key=key).first()
-        if not tokens.exists():
+        if not token:
-            return False
+            return None
        token: FlowToken = tokens.first()
        try:
            plan = token.plan
        except (AttributeError, EOFError, ImportError, IndexError) as exc:
@ -164,7 +173,7 @@ class FlowExecutorView(APIView):
            span.set_data("authentik Flow", self.flow.slug)
            get_params = QueryDict(request.GET.get("query", ""))
            if QS_KEY_TOKEN in get_params:
-                plan = self._check_flow_token(get_params)
+                plan = self._check_flow_token(get_params[QS_KEY_TOKEN])
                if plan:
                    self.request.session[SESSION_KEY_PLAN] = plan
            # Early check if there's an active Plan for the current session
@ -188,7 +197,7 @@ class FlowExecutorView(APIView):
                    self.plan = self._initiate_plan()
                except FlowNonApplicableException as exc:
                    self._logger.warning("f(exec): Flow not applicable to current user", exc=exc)
-                    return to_stage_response(self.request, self.handle_invalid_flow(exc))
+                    return self.handle_invalid_flow(exc)
                except EmptyFlowException as exc:
                    self._logger.warning("f(exec): Flow is empty", exc=exc)
                    # To match behaviour with loading an empty flow plan from cache,
@ -380,6 +389,8 @@ class FlowExecutorView(APIView):
            "f(exec): Stage ok",
            stage_class=class_to_path(self.current_stage_view.__class__),
        )
        if isinstance(self.current_stage_view, StageView):
            self.current_stage_view.cleanup()
        self.request.session.get(SESSION_KEY_HISTORY, []).append(deepcopy(self.plan))
        self.plan.pop()
        self.request.session[SESSION_KEY_PLAN] = self.plan
@ -416,11 +427,14 @@ class FlowExecutorView(APIView):
            SESSION_KEY_APPLICATION_PRE,
            SESSION_KEY_PLAN,
            SESSION_KEY_GET,
            # We might need the initial POST payloads for later requests
            # SESSION_KEY_POST,
            # We don't delete the history on purpose, as a user might
            # still be inspecting it.
            # It's only deleted on a fresh executions
            # SESSION_KEY_HISTORY,
        ]
        self._logger.debug("f(exec): cleaning up")
        for key in keys_to_delete:
            if key in self.request.session:
                del self.request.session[key]
@ -466,6 +480,20 @@ class ToDefaultFlow(View):
    designation: Optional[FlowDesignation] = None
    def flow_by_policy(self, request: HttpRequest, **flow_filter) -> Optional[Flow]:
        """Get a Flow by `**flow_filter` and check if the request from `request` can access it."""
        flows = Flow.objects.filter(**flow_filter).order_by("slug")
        for flow in flows:
            engine = PolicyEngine(flow, request.user, request)
            engine.build()
            result = engine.result
            if result.passing:
                LOGGER.debug("flow_by_policy: flow passing", flow=flow)
                return flow
            LOGGER.warning("flow_by_policy: flow not passing", flow=flow, messages=result.messages)
        LOGGER.debug("flow_by_policy: no flow found", filters=flow_filter)
        return None
    def dispatch(self, request: HttpRequest) -> HttpResponse:
        tenant: Tenant = request.tenant
        flow = None
@ -476,7 +504,7 @@ class ToDefaultFlow(View):
            flow = tenant.flow_invalidation
        # If no flow was set, get the first based on slug and policy
        if not flow:
-            flow = Flow.with_policy(request, designation=self.designation)
+            flow = self.flow_by_policy(request, designation=self.designation)
        # If we still don't have a flow, 404
        if not flow:
            raise Http404
--- a/authentik/lib/default.yml
+++ b/authentik/lib/default.yml
@ -1,3 +1,4 @@
 # update website/docs/installation/configuration.md
 # This is the default configuration file
 postgresql:
  host: localhost
@ -57,6 +58,10 @@ outposts:
  container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
  discover: true
 ldap:
  tls:
    ciphers: null
 cookie_domain: null
 disable_update_check: false
 disable_startup_analytics: false
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -1,5 +1,5 @@
 """authentik sentry integration"""
-from typing import Optional
+from typing import Any, Optional
 from aioredis.errors import ConnectionClosedError, ReplyError
 from billiard.exceptions import SoftTimeLimitExceeded, WorkerLostError
@ -17,7 +17,7 @@ from ldap3.core.exceptions import LDAPException
 from redis.exceptions import ConnectionError as RedisConnectionError
 from redis.exceptions import RedisError, ResponseError
 from rest_framework.exceptions import APIException
-from sentry_sdk import Hub
+from sentry_sdk import HttpTransport, Hub
 from sentry_sdk import init as sentry_sdk_init
 from sentry_sdk.api import set_tag
 from sentry_sdk.integrations.celery import CeleryIntegration
@ -30,6 +30,7 @@ from websockets.exceptions import WebSocketException
 from authentik import __version__, get_build_hash
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import authentik_user_agent
 from authentik.lib.utils.reflection import class_to_path, get_env
 LOGGER = get_logger()
@ -52,11 +53,18 @@ class SentryIgnoredException(Exception):
    """Base Class for all errors that are suppressed, and not sent to sentry."""
 class SentryTransport(HttpTransport):
    """Custom sentry transport with custom user-agent"""
    def __init__(self, options: dict[str, Any]) -> None:
        super().__init__(options)
        self._auth = self.parsed_dsn.to_auth(authentik_user_agent())
 def sentry_init(**sentry_init_kwargs):
    """Configure sentry SDK"""
    sentry_env = CONFIG.y("error_reporting.environment", "customer")
    kwargs = {
        "traces_sample_rate": float(CONFIG.y("error_reporting.sample_rate", 0.5)),
        "environment": sentry_env,
        "send_default_pii": CONFIG.y_bool("error_reporting.send_pii", False),
    }
@ -71,7 +79,9 @@ def sentry_init(**sentry_init_kwargs):
            ThreadingIntegration(propagate_hub=True),
        ],
        before_send=before_send,
        traces_sampler=traces_sampler,
        release=f"authentik@{__version__}",
        transport=SentryTransport,
        **kwargs,
    )
    set_tag("authentik.build_hash", get_build_hash("tagged"))
@ -83,6 +93,15 @@ def sentry_init(**sentry_init_kwargs):
    )
 def traces_sampler(sampling_context: dict) -> float:
    """Custom sampler to ignore certain routes"""
    path = sampling_context.get("asgi_scope", {}).get("path", "")
    # Ignore all healthcheck routes
    if path.startswith("/-/health") or path.startswith("/-/metrics"):
        return 0
    return float(CONFIG.y("error_reporting.sample_rate", 0.5))
 def before_send(event: dict, hint: dict) -> Optional[dict]:
    """Check if error is database error, and ignore if so"""
    # pylint: disable=no-name-in-module
--- a/authentik/lib/utils/errors.py
+++ b/authentik/lib/utils/errors.py
@ -1,10 +1,18 @@
 """error utils"""
-from traceback import format_tb
+from traceback import extract_tb
-TRACEBACK_HEADER = "Traceback (most recent call last):\n"
+from authentik.lib.utils.reflection import class_to_path
 TRACEBACK_HEADER = "Traceback (most recent call last):"
 def exception_to_string(exc: Exception) -> str:
    """Convert exception to string stackrace"""
    # Either use passed original exception or whatever we have
-    return TRACEBACK_HEADER + "".join(format_tb(exc.__traceback__)) + str(exc)
+    return "\n".join(
        [
            TRACEBACK_HEADER,
            *[x.rstrip() for x in extract_tb(exc.__traceback__).format()],
            f"{class_to_path(exc.__class__)}: {str(exc)}",
        ]
    )
--- a/authentik/lib/xml.py
+++ b/authentik/lib/xml.py
@ -0,0 +1,12 @@
 """XML Utilities"""
 from lxml.etree import XMLParser, fromstring  # nosec
 def get_lxml_parser():
    """Get XML parser"""
    return XMLParser(resolve_entities=False)
 def lxml_from_string(text: str):
    """Wrapper around fromstring"""
    return fromstring(text, parser=get_lxml_parser())
--- a/authentik/managed/apps.py
+++ b/authentik/managed/apps.py
@ -12,5 +12,4 @@ class AuthentikManagedConfig(AppConfig):
    def ready(self) -> None:
        from authentik.managed.tasks import managed_reconcile
-        # pyright: reportGeneralTypeIssues=false
+        managed_reconcile.delay()
        managed_reconcile.delay()  # pylint: disable=no-value-for-parameter
--- a/authentik/managed/tasks.py
+++ b/authentik/managed/tasks.py
@ -11,7 +11,11 @@ from authentik.events.monitored_tasks import (
 from authentik.managed.manager import ObjectManager
-@CELERY_APP.task(bind=True, base=MonitoredTask)
+@CELERY_APP.task(
    bind=True,
    base=MonitoredTask,
    retry_backoff=True,
 )
@prefill_task
 def managed_reconcile(self: MonitoredTask):
    """Run ObjectManager to ensure objects are up-to-date"""
@ -22,3 +26,4 @@ def managed_reconcile(self: MonitoredTask):
        )
    except DatabaseError as exc:  # pragma: no cover
        self.set_status(TaskResult(TaskResultStatus.WARNING, [str(exc)]))
        self.retry()
--- a/authentik/outposts/api/service_connections.py
+++ b/authentik/outposts/api/service_connections.py
@ -118,6 +118,7 @@ class DockerServiceConnectionViewSet(UsedByMixin, ModelViewSet):
    serializer_class = DockerServiceConnectionSerializer
    filterset_fields = ["name", "local", "url", "tls_verification", "tls_authentication"]
    ordering = ["name"]
    search_fields = ["name"]
 class KubernetesServiceConnectionSerializer(ServiceConnectionSerializer):
@ -152,3 +153,4 @@ class KubernetesServiceConnectionViewSet(UsedByMixin, ModelViewSet):
    serializer_class = KubernetesServiceConnectionSerializer
    filterset_fields = ["name", "local"]
    ordering = ["name"]
    search_fields = ["name"]
--- a/authentik/outposts/apps.py
+++ b/authentik/outposts/apps.py
@ -2,11 +2,20 @@
 from importlib import import_module
 from django.apps import AppConfig
-from django.db import ProgrammingError
+from prometheus_client import Gauge
 from structlog.stdlib import get_logger
 LOGGER = get_logger()
 GAUGE_OUTPOSTS_CONNECTED = Gauge(
    "authentik_outposts_connected", "Currently connected outposts", ["outpost", "uid", "expected"]
 )
 GAUGE_OUTPOSTS_LAST_UPDATE = Gauge(
    "authentik_outposts_last_update",
    "Last update from any outpost",
    ["outpost", "uid", "version"],
 )
 class AuthentikOutpostConfig(AppConfig):
    """authentik outposts app config"""
@ -18,10 +27,3 @@ class AuthentikOutpostConfig(AppConfig):
    def ready(self):
        import_module("authentik.outposts.signals")
        import_module("authentik.outposts.managed")
        try:
            from authentik.outposts.tasks import outpost_controller_all, outpost_local_connection
            outpost_local_connection.delay()
            outpost_controller_all.delay()
        except ProgrammingError:
            pass
--- a/Show More
+++ b/Show More