stages/consent: fix error when requests with identical empty permissions

closes #3280

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2022.7.2
+current_version = 2022.7.3
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)

.github/workflows/ci-outpost.yml

@@ -111,7 +111,7 @@ jobs:
       - uses: actions/setup-go@v3
         with:
           go-version: "^1.17"
-      - uses: actions/setup-node@v3.3.0
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'

.github/workflows/ci-web.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.3.0
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'
@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.3.0
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'
@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.3.0
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'
@@ -78,7 +78,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.3.0
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'

.github/workflows/ci-website.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3.3.0
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'

.github/workflows/release-publish.yml

@@ -100,7 +100,7 @@ jobs:
       - uses: actions/setup-go@v3
         with:
           go-version: "^1.17"
-      - uses: actions/setup-node@v3.3.0
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           cache: 'npm'

.github/workflows/web-api-publish.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@v3.3.0
+      - uses: actions/setup-node@v3.4.1
         with:
           node-version: '16'
           registry-url: 'https://registry.npmjs.org'

Dockerfile

@@ -29,7 +29,7 @@ RUN pip install --no-cache-dir poetry && \
     poetry export -f requirements.txt --dev --output requirements-dev.txt
 
 # Stage 4: Build go proxy
-FROM docker.io/golang:1.18.3-bullseye AS builder
+FROM docker.io/golang:1.18.4-bullseye AS builder
 
 WORKDIR /work
 

authentik/__init__.py

@@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
 
-__version__ = "2022.7.2"
+__version__ = "2022.7.3"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
 
 

authentik/core/middleware.py

@@ -56,7 +56,7 @@ class RequestIDMiddleware:
         response[RESPONSE_HEADER_ID] = request.request_id
         setattr(response, "ak_context", {})
         response.ak_context.update(LOCAL.authentik)
-        response.ak_context[KEY_USER] = request.user.username
+        response.ak_context.setdefault(KEY_USER, request.user.username)
         for key in list(LOCAL.authentik.keys()):
             del LOCAL.authentik[key]
         return response

authentik/core/models.py

@@ -482,8 +482,9 @@ class ExpiringModel(models.Model):
     def filter_not_expired(cls, **kwargs) -> QuerySet:
         """Filer for tokens which are not expired yet or are not expiring,
         and match filters in `kwargs`"""
-        expired = Q(expires__lt=now(), expiring=True)
-        return cls.objects.exclude(expired).filter(**kwargs)
+        for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
+            obj.delete()
+        return cls.objects.filter(**kwargs)
 
     @property
     def is_expired(self) -> bool:

authentik/managed/apps.py

@@ -8,3 +8,8 @@ class AuthentikManagedConfig(AppConfig):
     name = "authentik.managed"
     label = "authentik_managed"
     verbose_name = "authentik Managed"
+
+    def ready(self) -> None:
+        from authentik.managed.tasks import managed_reconcile
+
+        managed_reconcile.delay()

authentik/managed/tasks.py

@@ -11,7 +11,11 @@ from authentik.events.monitored_tasks import (
 from authentik.managed.manager import ObjectManager
 
 
-@CELERY_APP.task(bind=True, base=MonitoredTask)
+@CELERY_APP.task(
+    bind=True,
+    base=MonitoredTask,
+    retry_backoff=True,
+)
 @prefill_task
 def managed_reconcile(self: MonitoredTask):
     """Run ObjectManager to ensure objects are up-to-date"""
@@ -22,3 +26,4 @@ def managed_reconcile(self: MonitoredTask):
         )
     except DatabaseError as exc:  # pragma: no cover
         self.set_status(TaskResult(TaskResultStatus.WARNING, [str(exc)]))
+        self.retry()

authentik/providers/oauth2/utils.py

@@ -10,6 +10,7 @@ from django.http.response import HttpResponseRedirect
 from django.utils.cache import patch_vary_headers
 from structlog.stdlib import get_logger
 
+from authentik.core.middleware import KEY_USER
 from authentik.events.models import Event, EventAction
 from authentik.providers.oauth2.errors import BearerTokenError
 from authentik.providers.oauth2.models import OAuth2Provider, RefreshToken
@@ -165,7 +166,10 @@ def protected_resource_view(scopes: list[str]):
                 ] = f'error="{error.code}", error_description="{error.description}"'
                 return response
             kwargs["token"] = token
-            return view(request, *args, **kwargs)
+            response = view(request, *args, **kwargs)
+            setattr(response, "ak_context", {})
+            response.ak_context[KEY_USER] = token.user.username
+            return response
 
         return view_wrapper
 

authentik/sources/oauth/types/oidc.py

@@ -27,7 +27,7 @@ class OpenIDConnectOAuth2Callback(OAuthCallback):
         info: dict[str, Any],
     ) -> dict[str, Any]:
         return {
-            "username": info.get("nickname"),
+            "username": info.get("nickname", info.get("prefered_username")),
             "email": info.get("email"),
             "name": info.get("name"),
         }

authentik/stages/consent/api.py

@@ -5,6 +5,7 @@ from rest_framework import mixins
 from rest_framework.filters import OrderingFilter, SearchFilter
 from rest_framework.viewsets import GenericViewSet, ModelViewSet
 
+from authentik.api.authorization import OwnerFilter, OwnerSuperuserPermissions
 from authentik.core.api.applications import ApplicationSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
@@ -56,12 +57,9 @@ class UserConsentViewSet(
     serializer_class = UserConsentSerializer
     filterset_fields = ["user", "application"]
     ordering = ["application", "expires"]
-    filter_backends = [
-        DjangoFilterBackend,
-        OrderingFilter,
-        SearchFilter,
-    ]
     search_fields = ["user__username"]
+    permission_classes = [OwnerSuperuserPermissions]
+    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
 
     def get_queryset(self):
         user = self.request.user if self.request else get_anonymous_user()

authentik/stages/consent/stage.py

@@ -1,5 +1,6 @@
 """authentik consent stage"""
 from typing import Optional
+from uuid import uuid4
 
 from django.http import HttpRequest, HttpResponse
 from django.utils.timezone import now
@@ -20,7 +21,8 @@ from authentik.stages.consent.models import ConsentMode, ConsentStage, UserConse
 PLAN_CONTEXT_CONSENT_TITLE = "consent_title"
 PLAN_CONTEXT_CONSENT_HEADER = "consent_header"
 PLAN_CONTEXT_CONSENT_PERMISSIONS = "consent_permissions"
-PLAN_CONTEXT_CONSNET_EXTRA_PERMISSIONS = "consent_additional_permissions"
+PLAN_CONTEXT_CONSENT_EXTRA_PERMISSIONS = "consent_additional_permissions"
+SESSION_KEY_CONSENT_TOKEN = "authentik/stages/consent/token"  # nosec
 
 
 class ConsentChallenge(WithUserInfoChallenge):
@@ -30,12 +32,14 @@ class ConsentChallenge(WithUserInfoChallenge):
     permissions = PermissionSerializer(many=True)
     additional_permissions = PermissionSerializer(many=True)
     component = CharField(default="ak-stage-consent")
+    token = CharField(required=True)
 
 
 class ConsentChallengeResponse(ChallengeResponse):
     """Consent challenge response, any valid response request is valid"""
 
     component = CharField(default="ak-stage-consent")
+    token = CharField(required=True)
 
 
 class ConsentStageView(ChallengeStageView):
@@ -44,12 +48,15 @@ class ConsentStageView(ChallengeStageView):
     response_class = ConsentChallengeResponse
 
     def get_challenge(self) -> Challenge:
+        token = str(uuid4())
+        self.request.session[SESSION_KEY_CONSENT_TOKEN] = token
         data = {
             "type": ChallengeTypes.NATIVE.value,
             "permissions": self.executor.plan.context.get(PLAN_CONTEXT_CONSENT_PERMISSIONS, []),
             "additional_permissions": self.executor.plan.context.get(
-                PLAN_CONTEXT_CONSNET_EXTRA_PERMISSIONS, []
+                PLAN_CONTEXT_CONSENT_EXTRA_PERMISSIONS, []
             ),
+            "token": token,
         }
         if PLAN_CONTEXT_CONSENT_TITLE in self.executor.plan.context:
             data["title"] = self.executor.plan.context[PLAN_CONTEXT_CONSENT_TITLE]
@@ -85,14 +92,14 @@ class ConsentStageView(ChallengeStageView):
 
         if consent:
             perms = self.executor.plan.context.get(PLAN_CONTEXT_CONSENT_PERMISSIONS, [])
-            allowed_perms = set(consent.permissions.split(" "))
+            allowed_perms = set(consent.permissions.split(" ") if consent.permissions != "" else [])
             requested_perms = set(x["id"] for x in perms)
 
             if allowed_perms != requested_perms:
                 self.executor.plan.context[PLAN_CONTEXT_CONSENT_PERMISSIONS] = [
                     x for x in perms if x["id"] in allowed_perms
                 ]
-                self.executor.plan.context[PLAN_CONTEXT_CONSNET_EXTRA_PERMISSIONS] = [
+                self.executor.plan.context[PLAN_CONTEXT_CONSENT_EXTRA_PERMISSIONS] = [
                     x for x in perms if x["id"] in requested_perms.difference(allowed_perms)
                 ]
                 return super().get(request, *args, **kwargs)
@@ -102,13 +109,15 @@ class ConsentStageView(ChallengeStageView):
         return super().get(request, *args, **kwargs)
 
     def challenge_valid(self, response: ChallengeResponse) -> HttpResponse:
+        if response.data["token"] != self.request.session[SESSION_KEY_CONSENT_TOKEN]:
+            return self.get(self.request)
         current_stage: ConsentStage = self.executor.current_stage
         if PLAN_CONTEXT_APPLICATION not in self.executor.plan.context:
             return self.executor.stage_ok()
         application = self.executor.plan.context[PLAN_CONTEXT_APPLICATION]
         permissions = self.executor.plan.context.get(
             PLAN_CONTEXT_CONSENT_PERMISSIONS, []
-        ) + self.executor.plan.context.get(PLAN_CONTEXT_CONSNET_EXTRA_PERMISSIONS, [])
+        ) + self.executor.plan.context.get(PLAN_CONTEXT_CONSENT_EXTRA_PERMISSIONS, [])
         permissions_string = " ".join(x["id"] for x in permissions)
         # Make this StageView work when injected, in which case `current_stage` is an instance
         # of the base class, and we don't save any consent, as it is assumed to be a one-time
@@ -116,18 +125,14 @@ class ConsentStageView(ChallengeStageView):
         if not isinstance(current_stage, ConsentStage):
             return self.executor.stage_ok()
         # Since we only get here when no consent exists, we can create it without update
+        consent = UserConsent(
+            user=self.request.user,
+            application=application,
+            permissions=permissions_string,
+        )
         if current_stage.mode == ConsentMode.PERMANENT:
-            UserConsent.objects.create(
-                user=self.request.user,
-                application=application,
-                expiring=False,
-                permissions=permissions_string,
-            )
+            consent.expiring = False
         if current_stage.mode == ConsentMode.EXPIRING:
-            UserConsent.objects.create(
-                user=self.request.user,
-                application=application,
-                expires=now() + timedelta_from_string(current_stage.consent_expire_in),
-                permissions=permissions_string,
-            )
+            consent.expires = now() + timedelta_from_string(current_stage.consent_expire_in)
+        consent.save()
         return self.executor.stage_ok()

authentik/stages/consent/tests.py

@@ -1,5 +1,6 @@
 """consent tests"""
 from time import sleep
+from uuid import uuid4
 
 from django.urls import reverse
 
@@ -14,7 +15,10 @@ from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
 from authentik.stages.consent.models import ConsentMode, ConsentStage, UserConsent
-from authentik.stages.consent.stage import PLAN_CONTEXT_CONSENT_PERMISSIONS
+from authentik.stages.consent.stage import (
+    PLAN_CONTEXT_CONSENT_PERMISSIONS,
+    SESSION_KEY_CONSENT_TOKEN,
+)
 
 
 class TestConsentStage(FlowTestCase):
@@ -37,10 +41,13 @@ class TestConsentStage(FlowTestCase):
         plan = FlowPlan(flow_pk=flow.pk.hex, bindings=[binding], markers=[StageMarker()])
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
+        session[SESSION_KEY_CONSENT_TOKEN] = str(uuid4())
         session.save()
         response = self.client.post(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-            {},
+            {
+                "token": session[SESSION_KEY_CONSENT_TOKEN],
+            },
         )
         # pylint: disable=no-member
         self.assertEqual(response.status_code, 200)
@@ -62,10 +69,13 @@ class TestConsentStage(FlowTestCase):
         )
         session = self.client.session
         session[SESSION_KEY_PLAN] = plan
+        session[SESSION_KEY_CONSENT_TOKEN] = str(uuid4())
         session.save()
         response = self.client.post(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-            {},
+            {
+                "token": session[SESSION_KEY_CONSENT_TOKEN],
+            },
         )
         self.assertEqual(response.status_code, 200)
         self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
@@ -96,7 +106,7 @@ class TestConsentStage(FlowTestCase):
             {},
         )
         self.assertEqual(response.status_code, 200)
-        self.assertStageResponse(
+        raw_res = self.assertStageResponse(
             response,
             flow,
             self.user,
@@ -105,7 +115,9 @@ class TestConsentStage(FlowTestCase):
         )
         response = self.client.post(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-            {},
+            {
+                "token": raw_res["token"],
+            },
         )
         self.assertEqual(response.status_code, 200)
         self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
@@ -144,7 +156,7 @@ class TestConsentStage(FlowTestCase):
             {},
         )
         self.assertEqual(response.status_code, 200)
-        self.assertStageResponse(
+        raw_res = self.assertStageResponse(
             response,
             flow,
             self.user,
@@ -155,7 +167,9 @@ class TestConsentStage(FlowTestCase):
         )
         response = self.client.post(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-            {},
+            {
+                "token": raw_res["token"],
+            },
         )
         self.assertEqual(response.status_code, 200)
         self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
@@ -187,7 +201,7 @@ class TestConsentStage(FlowTestCase):
             {},
         )
         self.assertEqual(response.status_code, 200)
-        self.assertStageResponse(
+        raw_res = self.assertStageResponse(
             response,
             flow,
             self.user,
@@ -200,7 +214,9 @@ class TestConsentStage(FlowTestCase):
         )
         response = self.client.post(
             reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
-            {},
+            {
+                "token": raw_res["token"],
+            },
         )
         self.assertEqual(response.status_code, 200)
         self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
@@ -209,3 +225,70 @@ class TestConsentStage(FlowTestCase):
                 user=self.user, application=self.application, permissions="foo bar"
             ).exists()
         )
+
+    def test_permanent_same(self):
+        """Test permanent consent from user"""
+        self.client.force_login(self.user)
+        flow = create_test_flow(FlowDesignation.AUTHENTICATION)
+        stage = ConsentStage.objects.create(name=generate_id(), mode=ConsentMode.PERMANENT)
+        binding = FlowStageBinding.objects.create(target=flow, stage=stage, order=2)
+
+        plan = FlowPlan(
+            flow_pk=flow.pk.hex,
+            bindings=[binding],
+            markers=[StageMarker()],
+            context={
+                PLAN_CONTEXT_APPLICATION: self.application,
+            },
+        )
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        # First, consent with a single permission
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+            {},
+        )
+        self.assertEqual(response.status_code, 200)
+        raw_res = self.assertStageResponse(
+            response,
+            flow,
+            self.user,
+            permissions=[],
+            additional_permissions=[],
+        )
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+            {
+                "token": raw_res["token"],
+            },
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertStageRedirects(response, reverse("authentik_core:root-redirect"))
+        self.assertTrue(
+            UserConsent.objects.filter(
+                user=self.user, application=self.application, permissions=""
+            ).exists()
+        )
+
+        # Request again with the same perms
+        plan = FlowPlan(
+            flow_pk=flow.pk.hex,
+            bindings=[binding],
+            markers=[StageMarker()],
+            context={
+                PLAN_CONTEXT_APPLICATION: self.application,
+                PLAN_CONTEXT_CONSENT_PERMISSIONS: [],
+            },
+        )
+        session = self.client.session
+        session[SESSION_KEY_PLAN] = plan
+        session.save()
+
+        response = self.client.get(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
+            {},
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertStageResponse(response, component="xak-flow-redirect")

authentik/stages/prompt/models.py

@@ -1,5 +1,6 @@
 """prompt models"""
 from base64 import b64decode
+from binascii import Error
 from typing import Any, Optional
 from urllib.parse import urlparse
 from uuid import uuid4
@@ -90,7 +91,11 @@ class InlineFileField(CharField):
         _mime, _, enc = header.partition(";")
         if enc != "base64":
             raise ValidationError("Invalid encoding")
-        data = b64decode(encoded.encode()).decode()
+        try:
+            data = b64decode(encoded.encode()).decode()
+        except (UnicodeDecodeError, UnicodeEncodeError, ValueError, Error):
+            LOGGER.info("failed to decode base64 of file field, keeping base64")
+            data = encoded
         return super().to_internal_value(data)
 
 
@@ -148,6 +153,8 @@ class Prompt(SerializerModel):
             kwargs["allow_blank"] = not self.required
         if self.type == FieldTypes.TEXT_READ_ONLY:
             field_class = ReadOnlyField
+            # required can't be set for ReadOnlyField
+            kwargs["required"] = False
         if self.type == FieldTypes.EMAIL:
             field_class = EmailField
             kwargs["allow_blank"] = not self.required

authentik/stages/prompt/tests.py

@@ -120,6 +120,10 @@ class TestPromptStage(FlowTestCase):
             InlineFileField().to_internal_value("data:mine/type;base64,Zm9v"),
             "foo",
         )
+        self.assertEqual(
+            InlineFileField().to_internal_value("data:mine/type;base64,Zm9vqwer"),
+            "Zm9vqwer",
+        )
 
     def test_render(self):
         """Test render of form, check if all prompts are rendered correctly"""

docker-compose.yml

@@ -29,7 +29,7 @@ services:
       retries: 5
       timeout: 3s
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.3}
     restart: unless-stopped
     command: server
     environment:
@@ -50,7 +50,7 @@ services:
       - "0.0.0.0:${AUTHENTIK_PORT_HTTP:-9000}:9000"
       - "0.0.0.0:${AUTHENTIK_PORT_HTTPS:-9443}:9443"
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.2}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.3}
     restart: unless-stopped
     command: worker
     environment:

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/getsentry/sentry-go v0.13.0
 	github.com/go-ldap/ldap/v3 v3.4.3
 	github.com/go-openapi/runtime v0.24.1
-	github.com/go-openapi/strfmt v0.21.2
+	github.com/go-openapi/strfmt v0.21.3
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/handlers v1.5.1
@@ -25,7 +25,7 @@ require (
 	github.com/quasoft/memstore v0.0.0-20191010062613-2bce066d2b0b
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.8.0
-	goauthentik.io/api/v3 v3.2022071.2
+	goauthentik.io/api/v3 v3.2022072.1
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	gopkg.in/boj/redistore.v1 v1.0.0-20160128113310-fc113767cd6b
@@ -51,7 +51,6 @@ require (
 	github.com/go-openapi/spec v0.20.4 // indirect
 	github.com/go-openapi/swag v0.21.1 // indirect
 	github.com/go-openapi/validate v0.21.0 // indirect
-	github.com/go-stack/stack v1.8.1 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -64,8 +63,8 @@ require (
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
-	go.mongodb.org/mongo-driver v1.8.3 // indirect
-	golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect
+	go.mongodb.org/mongo-driver v1.10.0 // indirect
+	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
 	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
 	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
 	golang.org/x/text v0.3.7 // indirect

go.sum

@@ -112,8 +112,9 @@ github.com/go-openapi/spec v0.20.4 h1:O8hJrt0UMnhHcluhIdUgCLRWyM2x7QkBXRvOs7m+O1
 github.com/go-openapi/spec v0.20.4/go.mod h1:faYFR1CvsJZ0mNsmsphTMSoRrNV3TEDoAM7FOEWeq8I=
 github.com/go-openapi/strfmt v0.21.0/go.mod h1:ZRQ409bWMj+SOgXofQAGTIo2Ebu72Gs+WaRADcS5iNg=
 github.com/go-openapi/strfmt v0.21.1/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k=
-github.com/go-openapi/strfmt v0.21.2 h1:5NDNgadiX1Vhemth/TH4gCGopWSTdDjxl60H3B7f+os=
 github.com/go-openapi/strfmt v0.21.2/go.mod h1:I/XVKeLc5+MM5oPNN7P6urMOpuLXEcNrCX/rPGuWb0k=
+github.com/go-openapi/strfmt v0.21.3 h1:xwhj5X6CjXEZZHMWy1zKJxvW9AfHC9pkyUjLvHtKG7o=
+github.com/go-openapi/strfmt v0.21.3/go.mod h1:k+RzNO0Da+k3FrrynSNN8F7n/peCmQQqbbXjtDfvmGg=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-openapi/swag v0.21.1 h1:wm0rhTb5z7qpJRHBdPOMuY4QjVUMbF6/kwoYeRAOrKU=
@@ -121,7 +122,6 @@ github.com/go-openapi/swag v0.21.1/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/e
 github.com/go-openapi/validate v0.21.0 h1:+Wqk39yKOhfpLqNLEC0/eViCkzM5FVXVqrvt526+wcI=
 github.com/go-openapi/validate v0.21.0/go.mod h1:rjnrwK57VJ7A8xqfpAOEKRH8yQSGUriMu5/zuPSQ1hg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-stack/stack v1.8.1 h1:ntEHSVwIt7PNXNpgPmVfMrNhLtgjlmnZha2kOpuRiDw=
 github.com/go-stack/stack v1.8.1/go.mod h1:dcoOX6HbPZSZptuspn9bctJ+N/CnF5gGygcUP3XYfe4=
 github.com/gobuffalo/attrs v0.0.0-20190224210810-a9411de4debd/go.mod h1:4duuawTqi2wkkpB4ePgWMaai6/Kc6WEz83bhFwpHzj0=
 github.com/gobuffalo/depgen v0.0.0-20190329151759-d478694a28d3/go.mod h1:3STtPUQYuzV0gBVOY3vy6CfMm/ljR4pABfrTeHNLHUY=
@@ -345,23 +345,26 @@ github.com/tidwall/pretty v1.0.0 h1:HsD+QiTn7sK6flMKIvNmpqz1qrpP3Ps6jOKIKMooyg4=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
+github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
 github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM=
+github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8=
 github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.mongodb.org/mongo-driver v1.7.3/go.mod h1:NqaYOwnXWr5Pm7AOpO5QFxKJ503nbMse/R79oO62zWg=
 go.mongodb.org/mongo-driver v1.7.5/go.mod h1:VXEWRZ6URJIkUq2SCAyapmhH0ZLRBP+FT4xhp5Zvxng=
-go.mongodb.org/mongo-driver v1.8.3 h1:TDKlTkGDKm9kkJVUOAXDK5/fkqKHJVwYQSpoRfB43R4=
 go.mongodb.org/mongo-driver v1.8.3/go.mod h1:0sQWfOeY63QTntERDJJ/0SuKK0T1uVSgKCuAROlKEPY=
+go.mongodb.org/mongo-driver v1.10.0 h1:UtV6N5k14upNp4LTduX0QCufG124fSu25Wz9tu94GLg=
+go.mongodb.org/mongo-driver v1.10.0/go.mod h1:wsihk0Kdgv8Kqu1Anit4sfK+22vSFbUrAVEYRhCXrA8=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
-goauthentik.io/api/v3 v3.2022071.2 h1:ss3dnXtdCCfqnbQt+LjNbl//JmsUP3bJf7knf0SyICU=
-goauthentik.io/api/v3 v3.2022071.2/go.mod h1:QM9J32HgYE4gL71lWAfAoXSPdSmLVLW08itfLI3Mo10=
+goauthentik.io/api/v3 v3.2022072.1 h1:VOtw22wuRNNDgfg4eLZ3ZToy1hejqY7NbrzyyRMwSo4=
+goauthentik.io/api/v3 v3.2022072.1/go.mod h1:QM9J32HgYE4gL71lWAfAoXSPdSmLVLW08itfLI3Mo10=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
@@ -371,8 +374,9 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 h1:tkVvjkPTB7pnW3jnid7kNyAMPVWllTNOf/qKDze4p9o=
 golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=

internal/constants/constants.go

@@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }
 
-const VERSION = "2022.7.2"
+const VERSION = "2022.7.3"

ldap.Dockerfile

@@ -1,5 +1,5 @@
 # Stage 1: Build
-FROM docker.io/golang:1.18.3-bullseye AS builder
+FROM docker.io/golang:1.18.4-bullseye AS builder
 
 WORKDIR /go/src/goauthentik.io
 

lifecycle/migrate.py

@@ -51,7 +51,6 @@ def release_lock():
 
 
 if __name__ == "__main__":
-
     conn = connect(
         dbname=CONFIG.y("postgresql.name"),
         user=CONFIG.y("postgresql.user"),

poetry.lock

@@ -369,7 +369,7 @@ tests = ["pytest", "pytest-django", "pytest-asyncio", "async-timeout", "coverage
 
 [[package]]
 name = "channels-redis"
-version = "3.4.0"
+version = "3.4.1"
 description = "Redis-backed ASGI channel layer implementation"
 category = "main"
 optional = false
@@ -475,7 +475,7 @@ python-versions = "*"
 
 [[package]]
 name = "coverage"
-version = "6.4.1"
+version = "6.4.2"
 description = "Code coverage measurement for Python"
 category = "dev"
 optional = false
@@ -1322,7 +1322,7 @@ tests = ["pytest (>=6.0.0,<7.0.0)", "coverage[toml] (==5.0.4)"]
 
 [[package]]
 name = "pylint"
-version = "2.14.4"
+version = "2.14.5"
 description = "python code static checker"
 category = "dev"
 optional = false
@@ -1611,7 +1611,7 @@ urllib3 = {version = ">=1.26,<2.0", extras = ["secure", "socks"]}
 
 [[package]]
 name = "sentry-sdk"
-version = "1.6.0"
+version = "1.7.2"
 description = "Python client for Sentry (https://sentry.io)"
 category = "main"
 optional = false
@@ -1965,7 +1965,7 @@ python-versions = "*"
 
 [[package]]
 name = "webauthn"
-version = "1.5.2"
+version = "1.6.0"
 description = "Pythonic WebAuthn"
 category = "main"
 optional = false
@@ -2350,8 +2350,8 @@ channels = [
     {file = "channels-3.0.5.tar.gz", hash = "sha256:a3dc3339cc033e7c2afe083fb3dedf74fc5009815967e317e080e7bfdc92ea26"},
 ]
 channels-redis = [
-    {file = "channels_redis-3.4.0-py3-none-any.whl", hash = "sha256:6e4565b7c11c6bcde5d48556cb83bd043779697ff03811867d2f895aa6170d56"},
-    {file = "channels_redis-3.4.0.tar.gz", hash = "sha256:5dffd4cc16174125bd4043fc8fe7462ca7403cf801d59a9fa7410ed101fa6a57"},
+    {file = "channels_redis-3.4.1-py3-none-any.whl", hash = "sha256:ba7e2ad170f273c372812dd32aaac102d68d4e508172abb1cfda3160b7333890"},
+    {file = "channels_redis-3.4.1.tar.gz", hash = "sha256:78e4a2f2b2a744fe5a87848ec36b5ee49f522c6808cefe6c583663d0d531faa8"},
 ]
 charset-normalizer = [
     {file = "charset-normalizer-2.0.12.tar.gz", hash = "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597"},
@@ -2386,47 +2386,47 @@ constantly = [
     {file = "constantly-15.1.0.tar.gz", hash = "sha256:586372eb92059873e29eba4f9dec8381541b4d3834660707faf8ba59146dfc35"},
 ]
 coverage = [
-    {file = "coverage-6.4.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:f1d5aa2703e1dab4ae6cf416eb0095304f49d004c39e9db1d86f57924f43006b"},
-    {file = "coverage-6.4.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:4ce1b258493cbf8aec43e9b50d89982346b98e9ffdfaae8ae5793bc112fb0068"},
-    {file = "coverage-6.4.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:83c4e737f60c6936460c5be330d296dd5b48b3963f48634c53b3f7deb0f34ec4"},
-    {file = "coverage-6.4.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:84e65ef149028516c6d64461b95a8dbcfce95cfd5b9eb634320596173332ea84"},
-    {file = "coverage-6.4.1-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f69718750eaae75efe506406c490d6fc5a6161d047206cc63ce25527e8a3adad"},
-    {file = "coverage-6.4.1-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:e57816f8ffe46b1df8f12e1b348f06d164fd5219beba7d9433ba79608ef011cc"},
-    {file = "coverage-6.4.1-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:01c5615d13f3dd3aa8543afc069e5319cfa0c7d712f6e04b920431e5c564a749"},
-    {file = "coverage-6.4.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:75ab269400706fab15981fd4bd5080c56bd5cc07c3bccb86aab5e1d5a88dc8f4"},
-    {file = "coverage-6.4.1-cp310-cp310-win32.whl", hash = "sha256:a7f3049243783df2e6cc6deafc49ea123522b59f464831476d3d1448e30d72df"},
-    {file = "coverage-6.4.1-cp310-cp310-win_amd64.whl", hash = "sha256:ee2ddcac99b2d2aec413e36d7a429ae9ebcadf912946b13ffa88e7d4c9b712d6"},
-    {file = "coverage-6.4.1-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:fb73e0011b8793c053bfa85e53129ba5f0250fdc0392c1591fd35d915ec75c46"},
-    {file = "coverage-6.4.1-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:106c16dfe494de3193ec55cac9640dd039b66e196e4641fa8ac396181578b982"},
-    {file = "coverage-6.4.1-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:87f4f3df85aa39da00fd3ec4b5abeb7407e82b68c7c5ad181308b0e2526da5d4"},
-    {file = "coverage-6.4.1-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:961e2fb0680b4f5ad63234e0bf55dfb90d302740ae9c7ed0120677a94a1590cb"},
-    {file = "coverage-6.4.1-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:cec3a0f75c8f1031825e19cd86ee787e87cf03e4fd2865c79c057092e69e3a3b"},
-    {file = "coverage-6.4.1-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:129cd05ba6f0d08a766d942a9ed4b29283aff7b2cccf5b7ce279d50796860bb3"},
-    {file = "coverage-6.4.1-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:bf5601c33213d3cb19d17a796f8a14a9eaa5e87629a53979a5981e3e3ae166f6"},
-    {file = "coverage-6.4.1-cp37-cp37m-win32.whl", hash = "sha256:269eaa2c20a13a5bf17558d4dc91a8d078c4fa1872f25303dddcbba3a813085e"},
-    {file = "coverage-6.4.1-cp37-cp37m-win_amd64.whl", hash = "sha256:f02cbbf8119db68455b9d763f2f8737bb7db7e43720afa07d8eb1604e5c5ae28"},
-    {file = "coverage-6.4.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:ffa9297c3a453fba4717d06df579af42ab9a28022444cae7fa605af4df612d54"},
-    {file = "coverage-6.4.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:145f296d00441ca703a659e8f3eb48ae39fb083baba2d7ce4482fb2723e050d9"},
-    {file = "coverage-6.4.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d67d44996140af8b84284e5e7d398e589574b376fb4de8ccd28d82ad8e3bea13"},
-    {file = "coverage-6.4.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2bd9a6fc18aab8d2e18f89b7ff91c0f34ff4d5e0ba0b33e989b3cd4194c81fd9"},
-    {file = "coverage-6.4.1-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3384f2a3652cef289e38100f2d037956194a837221edd520a7ee5b42d00cc605"},
-    {file = "coverage-6.4.1-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:9b3e07152b4563722be523e8cd0b209e0d1a373022cfbde395ebb6575bf6790d"},
-    {file = "coverage-6.4.1-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:1480ff858b4113db2718848d7b2d1b75bc79895a9c22e76a221b9d8d62496428"},
-    {file = "coverage-6.4.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:865d69ae811a392f4d06bde506d531f6a28a00af36f5c8649684a9e5e4a85c83"},
-    {file = "coverage-6.4.1-cp38-cp38-win32.whl", hash = "sha256:664a47ce62fe4bef9e2d2c430306e1428ecea207ffd68649e3b942fa8ea83b0b"},
-    {file = "coverage-6.4.1-cp38-cp38-win_amd64.whl", hash = "sha256:26dff09fb0d82693ba9e6231248641d60ba606150d02ed45110f9ec26404ed1c"},
-    {file = "coverage-6.4.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:d9c80df769f5ec05ad21ea34be7458d1dc51ff1fb4b2219e77fe24edf462d6df"},
-    {file = "coverage-6.4.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:39ee53946bf009788108b4dd2894bf1349b4e0ca18c2016ffa7d26ce46b8f10d"},
-    {file = "coverage-6.4.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f5b66caa62922531059bc5ac04f836860412f7f88d38a476eda0a6f11d4724f4"},
-    {file = "coverage-6.4.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:fd180ed867e289964404051a958f7cccabdeed423f91a899829264bb7974d3d3"},
-    {file = "coverage-6.4.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:84631e81dd053e8a0d4967cedab6db94345f1c36107c71698f746cb2636c63e3"},
-    {file = "coverage-6.4.1-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:8c08da0bd238f2970230c2a0d28ff0e99961598cb2e810245d7fc5afcf1254e8"},
-    {file = "coverage-6.4.1-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:d42c549a8f41dc103a8004b9f0c433e2086add8a719da00e246e17cbe4056f72"},
-    {file = "coverage-6.4.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:309ce4a522ed5fca432af4ebe0f32b21d6d7ccbb0f5fcc99290e71feba67c264"},
-    {file = "coverage-6.4.1-cp39-cp39-win32.whl", hash = "sha256:fdb6f7bd51c2d1714cea40718f6149ad9be6a2ee7d93b19e9f00934c0f2a74d9"},
-    {file = "coverage-6.4.1-cp39-cp39-win_amd64.whl", hash = "sha256:342d4aefd1c3e7f620a13f4fe563154d808b69cccef415415aece4c786665397"},
-    {file = "coverage-6.4.1-pp36.pp37.pp38-none-any.whl", hash = "sha256:4803e7ccf93230accb928f3a68f00ffa80a88213af98ed338a57ad021ef06815"},
-    {file = "coverage-6.4.1.tar.gz", hash = "sha256:4321f075095a096e70aff1d002030ee612b65a205a0a0f5b815280d5dc58100c"},
+    {file = "coverage-6.4.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:a9032f9b7d38bdf882ac9f66ebde3afb8145f0d4c24b2e600bc4c6304aafb87e"},
+    {file = "coverage-6.4.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:e0524adb49c716ca763dbc1d27bedce36b14f33e6b8af6dba56886476b42957c"},
+    {file = "coverage-6.4.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d4548be38a1c810d79e097a38107b6bf2ff42151900e47d49635be69943763d8"},
+    {file = "coverage-6.4.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f23876b018dfa5d3e98e96f5644b109090f16a4acb22064e0f06933663005d39"},
+    {file = "coverage-6.4.2-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6fe75dcfcb889b6800f072f2af5a331342d63d0c1b3d2bf0f7b4f6c353e8c9c0"},
+    {file = "coverage-6.4.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:2f8553878a24b00d5ab04b7a92a2af50409247ca5c4b7a2bf4eabe94ed20d3ee"},
+    {file = "coverage-6.4.2-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:d774d9e97007b018a651eadc1b3970ed20237395527e22cbeb743d8e73e0563d"},
+    {file = "coverage-6.4.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:d56f105592188ce7a797b2bd94b4a8cb2e36d5d9b0d8a1d2060ff2a71e6b9bbc"},
+    {file = "coverage-6.4.2-cp310-cp310-win32.whl", hash = "sha256:d230d333b0be8042ac34808ad722eabba30036232e7a6fb3e317c49f61c93386"},
+    {file = "coverage-6.4.2-cp310-cp310-win_amd64.whl", hash = "sha256:5ef42e1db047ca42827a85e34abe973971c635f83aed49611b7f3ab49d0130f0"},
+    {file = "coverage-6.4.2-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:25b7ec944f114f70803d6529394b64f8749e93cbfac0fe6c5ea1b7e6c14e8a46"},
+    {file = "coverage-6.4.2-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7bb00521ab4f99fdce2d5c05a91bddc0280f0afaee0e0a00425e28e209d4af07"},
+    {file = "coverage-6.4.2-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:2dff52b3e7f76ada36f82124703f4953186d9029d00d6287f17c68a75e2e6039"},
+    {file = "coverage-6.4.2-cp37-cp37m-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:147605e1702d996279bb3cc3b164f408698850011210d133a2cb96a73a2f7996"},
+    {file = "coverage-6.4.2-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:422fa44070b42fef9fb8dabd5af03861708cdd6deb69463adc2130b7bf81332f"},
+    {file = "coverage-6.4.2-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:8af6c26ba8df6338e57bedbf916d76bdae6308e57fc8f14397f03b5da8622b4e"},
+    {file = "coverage-6.4.2-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:5336e0352c0b12c7e72727d50ff02557005f79a0b8dcad9219c7c4940a930083"},
+    {file = "coverage-6.4.2-cp37-cp37m-win32.whl", hash = "sha256:0f211df2cba951ffcae210ee00e54921ab42e2b64e0bf2c0befc977377fb09b7"},
+    {file = "coverage-6.4.2-cp37-cp37m-win_amd64.whl", hash = "sha256:a13772c19619118903d65a91f1d5fea84be494d12fd406d06c849b00d31bf120"},
+    {file = "coverage-6.4.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:f7bd0ffbcd03dc39490a1f40b2669cc414fae0c4e16b77bb26806a4d0b7d1452"},
+    {file = "coverage-6.4.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:0895ea6e6f7f9939166cc835df8fa4599e2d9b759b02d1521b574e13b859ac32"},
+    {file = "coverage-6.4.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d4e7ced84a11c10160c0697a6cc0b214a5d7ab21dfec1cd46e89fbf77cc66fae"},
+    {file = "coverage-6.4.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:80db4a47a199c4563d4a25919ff29c97c87569130375beca3483b41ad5f698e8"},
+    {file = "coverage-6.4.2-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3def6791adf580d66f025223078dc84c64696a26f174131059ce8e91452584e1"},
+    {file = "coverage-6.4.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:4f89d8e03c8a3757aae65570d14033e8edf192ee9298303db15955cadcff0c63"},
+    {file = "coverage-6.4.2-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:6d0b48aff8e9720bdec315d67723f0babd936a7211dc5df453ddf76f89c59933"},
+    {file = "coverage-6.4.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:2b20286c2b726f94e766e86a3fddb7b7e37af5d0c635bdfa7e4399bc523563de"},
+    {file = "coverage-6.4.2-cp38-cp38-win32.whl", hash = "sha256:d714af0bdba67739598849c9f18efdcc5a0412f4993914a0ec5ce0f1e864d783"},
+    {file = "coverage-6.4.2-cp38-cp38-win_amd64.whl", hash = "sha256:5f65e5d3ff2d895dab76b1faca4586b970a99b5d4b24e9aafffc0ce94a6022d6"},
+    {file = "coverage-6.4.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:a697977157adc052284a7160569b36a8bbec09db3c3220642e6323b47cec090f"},
+    {file = "coverage-6.4.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:c77943ef768276b61c96a3eb854eba55633c7a3fddf0a79f82805f232326d33f"},
+    {file = "coverage-6.4.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:54d8d0e073a7f238f0666d3c7c0d37469b2aa43311e4024c925ee14f5d5a1cbe"},
+    {file = "coverage-6.4.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:f22325010d8824594820d6ce84fa830838f581a7fd86a9235f0d2ed6deb61e29"},
+    {file = "coverage-6.4.2-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:24b04d305ea172ccb21bee5bacd559383cba2c6fcdef85b7701cf2de4188aa55"},
+    {file = "coverage-6.4.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:866ebf42b4c5dbafd64455b0a1cd5aa7b4837a894809413b930026c91e18090b"},
+    {file = "coverage-6.4.2-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:e36750fbbc422c1c46c9d13b937ab437138b998fe74a635ec88989afb57a3978"},
+    {file = "coverage-6.4.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:79419370d6a637cb18553ecb25228893966bd7935a9120fa454e7076f13b627c"},
+    {file = "coverage-6.4.2-cp39-cp39-win32.whl", hash = "sha256:b5e28db9199dd3833cc8a07fa6cf429a01227b5d429facb56eccd765050c26cd"},
+    {file = "coverage-6.4.2-cp39-cp39-win_amd64.whl", hash = "sha256:edfdabe7aa4f97ed2b9dd5dde52d2bb29cb466993bb9d612ddd10d0085a683cf"},
+    {file = "coverage-6.4.2-pp36.pp37.pp38-none-any.whl", hash = "sha256:e2618cb2cf5a7cc8d698306e42ebcacd02fb7ef8cfc18485c59394152c70be97"},
+    {file = "coverage-6.4.2.tar.gz", hash = "sha256:6c3ccfe89c36f3e5b9837b9ee507472310164f352c9fe332120b764c9d60adbe"},
 ]
 cryptography = [
     {file = "cryptography-37.0.2-cp36-abi3-macosx_10_10_universal2.whl", hash = "sha256:ef15c2df7656763b4ff20a9bc4381d8352e6640cfeb95c2972c38ef508e75181"},
@@ -2797,7 +2797,6 @@ lxml = [
     {file = "lxml-4.9.1-cp27-cp27m-win_amd64.whl", hash = "sha256:4cfbe42c686f33944e12f45a27d25a492cc0e43e1dc1da5d6a87cbcaf2e95627"},
     {file = "lxml-4.9.1-cp27-cp27mu-manylinux_2_5_i686.manylinux1_i686.whl", hash = "sha256:dad7b164905d3e534883281c050180afcf1e230c3d4a54e8038aa5cfcf312b84"},
     {file = "lxml-4.9.1-cp27-cp27mu-manylinux_2_5_x86_64.manylinux1_x86_64.whl", hash = "sha256:a614e4afed58c14254e67862456d212c4dcceebab2eaa44d627c2ca04bf86837"},
-    {file = "lxml-4.9.1-cp310-cp310-macosx_10_15_universal2.whl", hash = "sha256:49a866923e69bc7da45a0565636243707c22752fc38f6b9d5c8428a86121022c"},
     {file = "lxml-4.9.1-cp310-cp310-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_24_i686.whl", hash = "sha256:f9ced82717c7ec65a67667bb05865ffe38af0e835cdd78728f1209c8fffe0cad"},
     {file = "lxml-4.9.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.manylinux_2_24_aarch64.whl", hash = "sha256:d9fc0bf3ff86c17348dfc5d322f627d78273eba545db865c3cd14b3f19e57fa5"},
     {file = "lxml-4.9.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.manylinux_2_24_x86_64.whl", hash = "sha256:e5f66bdf0976ec667fc4594d2812a00b07ed14d1b44259d19a41ae3fff99f2b8"},
@@ -3244,8 +3243,8 @@ pyjwt = [
     {file = "PyJWT-2.4.0.tar.gz", hash = "sha256:d42908208c699b3b973cbeb01a969ba6a96c821eefb1c5bfe4c390c01d67abba"},
 ]
 pylint = [
-    {file = "pylint-2.14.4-py3-none-any.whl", hash = "sha256:89b61867db16eefb7b3c5b84afc94081edaf11544189e2b238154677529ad69f"},
-    {file = "pylint-2.14.4.tar.gz", hash = "sha256:47705453aa9dce520e123a7d51843d5f0032cbfa06870f89f00927aa1f735a4a"},
+    {file = "pylint-2.14.5-py3-none-any.whl", hash = "sha256:fabe30000de7d07636d2e82c9a518ad5ad7908590fe135ace169b44839c15f90"},
+    {file = "pylint-2.14.5.tar.gz", hash = "sha256:487ce2192eee48211269a0e976421f334cf94de1806ca9d0a99449adcdf0285e"},
 ]
 pylint-django = [
     {file = "pylint-django-2.5.3.tar.gz", hash = "sha256:0ac090d106c62fe33782a1d01bda1610b761bb1c9bf5035ced9d5f23a13d8591"},
@@ -3400,8 +3399,8 @@ selenium = [
     {file = "selenium-4.3.0-py3-none-any.whl", hash = "sha256:f67402b8f973aaa98d9c55b8f9aa63532009cd1859b2222a8b9800354942d8bc"},
 ]
 sentry-sdk = [
-    {file = "sentry-sdk-1.6.0.tar.gz", hash = "sha256:b82ad57306d5546713f15d5d70daea0408cf7f998c7566db16e0e6257e51e561"},
-    {file = "sentry_sdk-1.6.0-py2.py3-none-any.whl", hash = "sha256:ddbd191b6f4e696b7845b4d87389898ae1207981faf114f968a57363aa6be03c"},
+    {file = "sentry-sdk-1.7.2.tar.gz", hash = "sha256:95fd321f583dfcfaf279a0b2cdc83d8d28c8b7cca4d2959fc4539bb4fecb56a0"},
+    {file = "sentry_sdk-1.7.2-py2.py3-none-any.whl", hash = "sha256:6f460da98b730d671510af18f119f96d01e3ba027ac0e985871abb3aede1c514"},
 ]
 service-identity = [
     {file = "service-identity-21.1.0.tar.gz", hash = "sha256:6e6c6086ca271dc11b033d17c3a8bea9f24ebff920c587da090afc9519419d34"},
@@ -3546,8 +3545,8 @@ wcwidth = [
     {file = "wcwidth-0.2.5.tar.gz", hash = "sha256:c4d647b99872929fdb7bdcaa4fbe7f01413ed3d98077df798530e5b04f116c83"},
 ]
 webauthn = [
-    {file = "webauthn-1.5.2-py3-none-any.whl", hash = "sha256:85b0780329755d3bb0cf9bf456002cddddf8718daa42293316d26c09c1eceec4"},
-    {file = "webauthn-1.5.2.tar.gz", hash = "sha256:44d57d953d712ac3db543b77ad69f176dc7ec531bd677e779951e3380ee6f5e6"},
+    {file = "webauthn-1.6.0-py3-none-any.whl", hash = "sha256:6811b3f1b5ff627dadfe9685a1eaf80cbb5689c35f9ae00d4ee63681c0dd64b2"},
+    {file = "webauthn-1.6.0.tar.gz", hash = "sha256:9c74b0e4aea4579fbf0ecb77a72d0b1cb7d7dcab7ca2d105474925b731178686"},
 ]
 websocket-client = [
     {file = "websocket-client-1.3.2.tar.gz", hash = "sha256:50b21db0058f7a953d67cc0445be4b948d7fc196ecbeb8083d68d94628e4abf6"},

proxy.Dockerfile

@@ -7,7 +7,7 @@ ENV NODE_ENV=production
 RUN cd /static && npm ci && npm run build-proxy
 
 # Stage 2: Build
-FROM docker.io/golang:1.18.3-bullseye AS builder
+FROM docker.io/golang:1.18.4-bullseye AS builder
 
 WORKDIR /go/src/goauthentik.io
 

pyproject.toml

@@ -90,7 +90,7 @@ addopts = "-p no:celery --junitxml=unittest.xml"
 
 [tool.poetry]
 name = "authentik"
-version = "2022.7.2"
+version = "2022.7.3"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]
 

schema.yml

@@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
   title: authentik
-  version: 2022.7.2
+  version: 2022.7.3
   description: Making authentication simple.
   contact:
     email: hello@goauthentik.io
@@ -179,6 +179,32 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+  /authenticators/admin/all/:
+    get:
+      operationId: authenticators_admin_all_list
+      description: Get all devices for current user
+      parameters:
+      - in: query
+        name: user
+        schema:
+          type: integer
+      tags:
+      - authenticators
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/Device'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /authenticators/admin/duo/:
     get:
       operationId: authenticators_admin_duo_list
@@ -407,6 +433,30 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    post:
+      operationId: authenticators_admin_sms_create
+      description: Viewset for sms authenticator devices (for admins)
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/SMSDeviceRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '201':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/SMSDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /authenticators/admin/sms/{id}/:
     get:
       operationId: authenticators_admin_sms_retrieve
@@ -433,6 +483,88 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    put:
+      operationId: authenticators_admin_sms_update
+      description: Viewset for sms authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this SMS Device.
+        required: true
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/SMSDeviceRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/SMSDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    patch:
+      operationId: authenticators_admin_sms_partial_update
+      description: Viewset for sms authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this SMS Device.
+        required: true
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PatchedSMSDeviceRequest'
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/SMSDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    delete:
+      operationId: authenticators_admin_sms_destroy
+      description: Viewset for sms authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this SMS Device.
+        required: true
+      tags:
+      - authenticators
+      security:
+      - authentik: []
+      responses:
+        '204':
+          description: No response body
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /authenticators/admin/static/:
     get:
       operationId: authenticators_admin_static_list
@@ -481,6 +613,30 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    post:
+      operationId: authenticators_admin_static_create
+      description: Viewset for static authenticator devices (for admins)
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/StaticDeviceRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '201':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/StaticDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /authenticators/admin/static/{id}/:
     get:
       operationId: authenticators_admin_static_retrieve
@@ -507,6 +663,88 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    put:
+      operationId: authenticators_admin_static_update
+      description: Viewset for static authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this static device.
+        required: true
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/StaticDeviceRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/StaticDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    patch:
+      operationId: authenticators_admin_static_partial_update
+      description: Viewset for static authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this static device.
+        required: true
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PatchedStaticDeviceRequest'
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/StaticDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    delete:
+      operationId: authenticators_admin_static_destroy
+      description: Viewset for static authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this static device.
+        required: true
+      tags:
+      - authenticators
+      security:
+      - authentik: []
+      responses:
+        '204':
+          description: No response body
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /authenticators/admin/totp/:
     get:
       operationId: authenticators_admin_totp_list
@@ -555,6 +793,30 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    post:
+      operationId: authenticators_admin_totp_create
+      description: Viewset for totp authenticator devices (for admins)
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/TOTPDeviceRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '201':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/TOTPDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /authenticators/admin/totp/{id}/:
     get:
       operationId: authenticators_admin_totp_retrieve
@@ -581,6 +843,88 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    put:
+      operationId: authenticators_admin_totp_update
+      description: Viewset for totp authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this TOTP device.
+        required: true
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/TOTPDeviceRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/TOTPDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    patch:
+      operationId: authenticators_admin_totp_partial_update
+      description: Viewset for totp authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this TOTP device.
+        required: true
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PatchedTOTPDeviceRequest'
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/TOTPDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    delete:
+      operationId: authenticators_admin_totp_destroy
+      description: Viewset for totp authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this TOTP device.
+        required: true
+      tags:
+      - authenticators
+      security:
+      - authentik: []
+      responses:
+        '204':
+          description: No response body
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /authenticators/admin/webauthn/:
     get:
       operationId: authenticators_admin_webauthn_list
@@ -629,6 +973,30 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    post:
+      operationId: authenticators_admin_webauthn_create
+      description: Viewset for WebAuthn authenticator devices (for admins)
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/WebAuthnDeviceRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '201':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/WebAuthnDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /authenticators/admin/webauthn/{id}/:
     get:
       operationId: authenticators_admin_webauthn_retrieve
@@ -655,6 +1023,88 @@ paths:
           $ref: '#/components/schemas/ValidationError'
         '403':
           $ref: '#/components/schemas/GenericError'
+    put:
+      operationId: authenticators_admin_webauthn_update
+      description: Viewset for WebAuthn authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this WebAuthn Device.
+        required: true
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/WebAuthnDeviceRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/WebAuthnDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    patch:
+      operationId: authenticators_admin_webauthn_partial_update
+      description: Viewset for WebAuthn authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this WebAuthn Device.
+        required: true
+      tags:
+      - authenticators
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PatchedWebAuthnDeviceRequest'
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/WebAuthnDevice'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    delete:
+      operationId: authenticators_admin_webauthn_destroy
+      description: Viewset for WebAuthn authenticator devices (for admins)
+      parameters:
+      - in: path
+        name: id
+        schema:
+          type: integer
+        description: A unique integer value identifying this WebAuthn Device.
+        required: true
+      tags:
+      - authenticators
+      security:
+      - authentik: []
+      responses:
+        '204':
+          description: No response body
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /authenticators/all/:
     get:
       operationId: authenticators_all_list
@@ -1601,6 +2051,22 @@ paths:
       operationId: core_applications_list
       description: Custom list method that checks Policy based access instead of guardian
       parameters:
+      - in: query
+        name: group
+        schema:
+          type: string
+      - in: query
+        name: meta_description
+        schema:
+          type: string
+      - in: query
+        name: meta_launch_url
+        schema:
+          type: string
+      - in: query
+        name: meta_publisher
+        schema:
+          type: string
       - in: query
         name: name
         schema:
@@ -5403,7 +5869,7 @@ paths:
   /flows/instances/{slug}/export/:
     get:
       operationId: flows_instances_export_retrieve
-      description: Export flow to .akflow file
+      description: Export flow to .yaml file
       parameters:
       - in: path
         name: slug
@@ -5547,7 +6013,7 @@ paths:
   /flows/instances/import_flow/:
     post:
       operationId: flows_instances_import_flow_create
-      description: Import flow from .akflow file
+      description: Import flow from .yaml file
       tags:
       - flows
       requestBody:
@@ -5564,6 +6030,215 @@ paths:
           description: Bad request
         '403':
           $ref: '#/components/schemas/GenericError'
+  /managed/blueprints/:
+    get:
+      operationId: managed_blueprints_list
+      description: Blueprint instances
+      parameters:
+      - in: query
+        name: name
+        schema:
+          type: string
+      - name: ordering
+        required: false
+        in: query
+        description: Which field to use when ordering the results.
+        schema:
+          type: string
+      - name: page
+        required: false
+        in: query
+        description: A page number within the paginated result set.
+        schema:
+          type: integer
+      - name: page_size
+        required: false
+        in: query
+        description: Number of results to return per page.
+        schema:
+          type: integer
+      - in: query
+        name: path
+        schema:
+          type: string
+      - name: search
+        required: false
+        in: query
+        description: A search term.
+        schema:
+          type: string
+      tags:
+      - managed
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/PaginatedBlueprintInstanceList'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    post:
+      operationId: managed_blueprints_create
+      description: Blueprint instances
+      tags:
+      - managed
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/BlueprintInstanceRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '201':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/BlueprintInstance'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+  /managed/blueprints/{instance_uuid}/:
+    get:
+      operationId: managed_blueprints_retrieve
+      description: Blueprint instances
+      parameters:
+      - in: path
+        name: instance_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Blueprint Instance.
+        required: true
+      tags:
+      - managed
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/BlueprintInstance'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    put:
+      operationId: managed_blueprints_update
+      description: Blueprint instances
+      parameters:
+      - in: path
+        name: instance_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Blueprint Instance.
+        required: true
+      tags:
+      - managed
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/BlueprintInstanceRequest'
+        required: true
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/BlueprintInstance'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    patch:
+      operationId: managed_blueprints_partial_update
+      description: Blueprint instances
+      parameters:
+      - in: path
+        name: instance_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Blueprint Instance.
+        required: true
+      tags:
+      - managed
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PatchedBlueprintInstanceRequest'
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/BlueprintInstance'
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+    delete:
+      operationId: managed_blueprints_destroy
+      description: Blueprint instances
+      parameters:
+      - in: path
+        name: instance_uuid
+        schema:
+          type: string
+          format: uuid
+        description: A UUID string identifying this Blueprint Instance.
+        required: true
+      tags:
+      - managed
+      security:
+      - authentik: []
+      responses:
+        '204':
+          description: No response body
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
+  /managed/blueprints/available/:
+    get:
+      operationId: managed_blueprints_available_list
+      description: Get blueprints
+      tags:
+      - managed
+      security:
+      - authentik: []
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  type: string
+          description: ''
+        '400':
+          $ref: '#/components/schemas/ValidationError'
+        '403':
+          $ref: '#/components/schemas/GenericError'
   /oauth2/authorization_codes/:
     get:
       operationId: oauth2_authorization_codes_list
@@ -7679,12 +8354,12 @@ paths:
           enum:
           - authentik.admin
           - authentik.api
+          - authentik.blueprints
           - authentik.core
           - authentik.crypto
           - authentik.events
           - authentik.flows
           - authentik.lib
-          - authentik.managed
           - authentik.outposts
           - authentik.policies
           - authentik.policies.dummy
@@ -19141,7 +19816,7 @@ components:
       - authentik.stages.user_logout
       - authentik.stages.user_write
       - authentik.tenants
-      - authentik.managed
+      - authentik.blueprints
       - authentik.core
       type: string
     AppleChallengeResponseRequest:
@@ -20187,6 +20862,60 @@ components:
       - POST
       - POST_AUTO
       type: string
+    BlueprintInstance:
+      type: object
+      description: Info about a single blueprint instance file
+      properties:
+        name:
+          type: string
+        path:
+          type: string
+        context:
+          type: object
+          additionalProperties: {}
+        last_applied:
+          type: string
+          format: date-time
+          readOnly: true
+        status:
+          $ref: '#/components/schemas/BlueprintInstanceStatusEnum'
+        enabled:
+          type: boolean
+      required:
+      - context
+      - last_applied
+      - name
+      - path
+      - status
+    BlueprintInstanceRequest:
+      type: object
+      description: Info about a single blueprint instance file
+      properties:
+        name:
+          type: string
+          minLength: 1
+        path:
+          type: string
+          minLength: 1
+        context:
+          type: object
+          additionalProperties: {}
+        status:
+          $ref: '#/components/schemas/BlueprintInstanceStatusEnum'
+        enabled:
+          type: boolean
+      required:
+      - context
+      - name
+      - path
+      - status
+    BlueprintInstanceStatusEnum:
+      enum:
+      - successful
+      - warning
+      - error
+      - unknown
+      type: string
     Cache:
       type: object
       description: Generic cache stats for an object
@@ -20523,11 +21252,14 @@ components:
           type: array
           items:
             $ref: '#/components/schemas/Permission'
+        token:
+          type: string
       required:
       - additional_permissions
       - pending_user
       - pending_user_avatar
       - permissions
+      - token
       - type
     ConsentChallengeResponseRequest:
       type: object
@@ -20537,6 +21269,11 @@ components:
           type: string
           minLength: 1
           default: ak-stage-consent
+        token:
+          type: string
+          minLength: 1
+      required:
+      - token
     ConsentStage:
       type: object
       description: ConsentStage Serializer
@@ -20742,7 +21479,10 @@ components:
         type:
           type: string
           readOnly: true
+        confirmed:
+          type: boolean
       required:
+      - confirmed
       - meta_model_name
       - name
       - pk
@@ -24096,6 +24836,41 @@ components:
       required:
       - pagination
       - results
+    PaginatedBlueprintInstanceList:
+      type: object
+      properties:
+        pagination:
+          type: object
+          properties:
+            next:
+              type: number
+            previous:
+              type: number
+            count:
+              type: number
+            current:
+              type: number
+            total_pages:
+              type: number
+            start_index:
+              type: number
+            end_index:
+              type: number
+          required:
+          - next
+          - previous
+          - count
+          - current
+          - total_pages
+          - start_index
+          - end_index
+        results:
+          type: array
+          items:
+            $ref: '#/components/schemas/BlueprintInstance'
+      required:
+      - pagination
+      - results
     PaginatedCaptchaStageList:
       type: object
       properties:
@@ -27003,6 +27778,23 @@ components:
           minLength: 1
           description: If any of the user's device has been used within this threshold,
             this stage will be skipped
+    PatchedBlueprintInstanceRequest:
+      type: object
+      description: Info about a single blueprint instance file
+      properties:
+        name:
+          type: string
+          minLength: 1
+        path:
+          type: string
+          minLength: 1
+        context:
+          type: object
+          additionalProperties: {}
+        status:
+          $ref: '#/components/schemas/BlueprintInstanceStatusEnum'
+        enabled:
+          type: boolean
     PatchedCaptchaStageRequest:
       type: object
       description: CaptchaStage Serializer
@@ -30822,13 +31614,6 @@ components:
           maxLength: 16
       required:
       - token
-    StatusEnum:
-      enum:
-      - SUCCESSFUL
-      - WARNING
-      - ERROR
-      - UNKNOWN
-      type: string
     SubModeEnum:
       enum:
       - hashed_user_id
@@ -30937,7 +31722,7 @@ components:
           type: string
           format: date-time
         status:
-          $ref: '#/components/schemas/StatusEnum'
+          $ref: '#/components/schemas/TaskStatusEnum'
         messages:
           type: array
           items: {}
@@ -30947,6 +31732,13 @@ components:
       - task_description
       - task_finish_timestamp
       - task_name
+    TaskStatusEnum:
+      enum:
+      - SUCCESSFUL
+      - WARNING
+      - ERROR
+      - UNKNOWN
+      type: string
     Tenant:
       type: object
       description: Tenant Serializer

web/package.json

@@ -52,10 +52,10 @@
         ]
     },
     "dependencies": {
-        "@babel/core": "^7.18.6",
-        "@babel/plugin-proposal-decorators": "^7.18.6",
-        "@babel/plugin-transform-runtime": "^7.18.6",
-        "@babel/preset-env": "^7.18.6",
+        "@babel/core": "^7.18.9",
+        "@babel/plugin-proposal-decorators": "^7.18.9",
+        "@babel/plugin-transform-runtime": "^7.18.9",
+        "@babel/preset-env": "^7.18.9",
         "@babel/preset-typescript": "^7.18.6",
         "@codemirror/lang-html": "^6.1.0",
         "@codemirror/lang-javascript": "^6.0.1",
@@ -64,7 +64,7 @@
         "@codemirror/legacy-modes": "^6.1.0",
         "@formatjs/intl-listformat": "^7.0.3",
         "@fortawesome/fontawesome-free": "^6.1.1",
-        "@goauthentik/api": "^2022.7.1-1657055474",
+        "@goauthentik/api": "^2022.7.3-1659304078",
         "@jackfranklin/rollup-plugin-markdown": "^0.4.0",
         "@lingui/cli": "^3.14.0",
         "@lingui/core": "^3.14.0",
@@ -78,15 +78,15 @@
         "@rollup/plugin-node-resolve": "^13.3.0",
         "@rollup/plugin-replace": "^4.0.0",
         "@rollup/plugin-typescript": "^8.3.3",
-        "@sentry/browser": "^7.5.0",
-        "@sentry/tracing": "^7.5.0",
+        "@sentry/browser": "^7.7.0",
+        "@sentry/tracing": "^7.7.0",
         "@squoosh/cli": "^0.7.2",
-        "@trivago/prettier-plugin-sort-imports": "^3.2.0",
+        "@trivago/prettier-plugin-sort-imports": "^3.3.0",
         "@types/chart.js": "^2.9.37",
         "@types/codemirror": "5.60.5",
         "@types/grecaptcha": "^3.0.4",
-        "@typescript-eslint/eslint-plugin": "^5.30.5",
-        "@typescript-eslint/parser": "^5.30.5",
+        "@typescript-eslint/eslint-plugin": "^5.30.7",
+        "@typescript-eslint/parser": "^5.30.7",
         "@webcomponents/webcomponentsjs": "^2.6.0",
         "babel-plugin-macros": "^3.1.0",
         "babel-plugin-tsconfig-paths": "^1.0.3",
@@ -96,17 +96,17 @@
         "codemirror": "^6.0.1",
         "construct-style-sheets-polyfill": "^3.1.0",
         "country-flag-icons": "^1.5.5",
-        "eslint": "^8.19.0",
+        "eslint": "^8.20.0",
         "eslint-config-google": "^0.14.0",
         "eslint-plugin-custom-elements": "0.0.6",
         "eslint-plugin-lit": "^1.6.1",
         "flowchart.js": "^1.17.1",
         "fuse.js": "^6.6.2",
         "lit": "^2.2.7",
-        "moment": "^2.29.3",
+        "moment": "^2.29.4",
         "prettier": "^2.7.1",
         "rapidoc": "^9.3.3",
-        "rollup": "^2.75.7",
+        "rollup": "^2.77.0",
         "rollup-plugin-copy": "^3.4.0",
         "rollup-plugin-cssimport": "^1.0.2",
         "rollup-plugin-minify-html-literals": "^1.2.6",

web/src/constants.ts

@@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2022.7.2";
+export const VERSION = "2022.7.3";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";
 

web/src/elements/CodeMirror.ts

@@ -85,8 +85,22 @@ export class CodeMirrorTextarea extends LitElement {
     constructor() {
         super();
         this.theme = new Compartment();
-        this.themeLight = EditorView.theme({}, { dark: false });
-        this.themeDark = EditorView.theme({}, { dark: true });
+        this.themeLight = EditorView.theme(
+            {
+                "&": {
+                    backgroundColor: "var(--pf-global--BackgroundColor--light-300)",
+                },
+            },
+            { dark: false },
+        );
+        this.themeDark = EditorView.theme(
+            {
+                "&": {
+                    backgroundColor: "var(--ak-dark-background-light)",
+                },
+            },
+            { dark: true },
+        );
     }
 
     private getInnerValue(): string {

web/src/elements/user/UserConsentList.ts

@@ -32,6 +32,7 @@ export class UserConsentList extends Table<UserConsent> {
         return [
             new TableColumn(t`Application`, "application"),
             new TableColumn(t`Expires`, "expires"),
+            new TableColumn(t`Permissions`, "permissions"),
         ];
     }
 
@@ -58,6 +59,10 @@ export class UserConsentList extends Table<UserConsent> {
     }
 
     row(item: UserConsent): TemplateResult[] {
-        return [html`${item.application.name}`, html`${item.expires?.toLocaleString()}`];
+        return [
+            html`${item.application.name}`,
+            html`${item.expires?.toLocaleString()}`,
+            html`${item.permissions || "-"}`,
+        ];
     }
 }

web/src/flows/stages/base.ts

@@ -23,17 +23,19 @@ export function readFileAsync(file: Blob) {
     });
 }
 
+export type KeyUnknown = {
+    [key: string]: unknown;
+};
+
 export class BaseStage<Tin, Tout> extends LitElement {
     host!: StageHost;
 
     @property({ attribute: false })
     challenge!: Tin;
 
-    async submitForm(e: Event): Promise<boolean> {
+    async submitForm(e: Event, defaults?: KeyUnknown): Promise<boolean> {
         e.preventDefault();
-        const object: {
-            [key: string]: unknown;
-        } = {};
+        const object: KeyUnknown = defaults || {};
         const form = new FormData(this.shadowRoot?.querySelector("form") || undefined);
 
         for await (const [key, value] of form.entries()) {

web/src/flows/stages/consent/ConsentStage.ts

@@ -107,7 +107,9 @@ export class ConsentStage extends BaseStage<ConsentChallenge, ConsentChallengeRe
                 <form
                     class="pf-c-form"
                     @submit=${(e: Event) => {
-                        this.submitForm(e);
+                        this.submitForm(e, {
+                            token: this.challenge.token,
+                        });
                     }}
                 >
                     <ak-form-static

web/src/pages/admin-overview/charts/LDAPSyncStatusChart.ts

@@ -7,7 +7,7 @@ import { t } from "@lingui/macro";
 
 import { customElement } from "lit/decorators.js";
 
-import { SourcesApi, StatusEnum } from "@goauthentik/api";
+import { SourcesApi, TaskStatusEnum } from "@goauthentik/api";
 
 interface LDAPSyncStats {
     healthy: number;
@@ -50,7 +50,7 @@ export class LDAPSyncStatusChart extends AKChart<LDAPSyncStats> {
                     });
 
                     health.forEach((task) => {
-                        if (task.status !== StatusEnum.Successful) {
+                        if (task.status !== TaskStatusEnum.Successful) {
                             sourceKey = "failed";
                         }
                         const now = new Date().getTime();

web/src/pages/sources/ldap/LDAPSourceViewPage.ts

@@ -24,7 +24,7 @@ import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFGrid from "@patternfly/patternfly/layouts/Grid/grid.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 
-import { LDAPSource, SourcesApi, StatusEnum } from "@goauthentik/api";
+import { LDAPSource, SourcesApi, TaskStatusEnum } from "@goauthentik/api";
 
 @customElement("ak-source-ldap-view")
 export class LDAPSourceViewPage extends LitElement {
@@ -145,9 +145,9 @@ export class LDAPSourceViewPage extends LitElement {
                                         return html`<ul class="pf-c-list">
                                             ${tasks.map((task) => {
                                                 let header = "";
-                                                if (task.status === StatusEnum.Warning) {
+                                                if (task.status === TaskStatusEnum.Warning) {
                                                     header = t`Task finished with warnings`;
-                                                } else if (task.status === StatusEnum.Error) {
+                                                } else if (task.status === TaskStatusEnum.Error) {
                                                     header = t`Task finished with errors`;
                                                 } else {
                                                     header = t`Last sync: ${task.taskFinishTimestamp.toLocaleString()}`;

web/src/pages/system-tasks/SystemTaskListPage.ts

@@ -14,7 +14,7 @@ import { customElement, property } from "lit/decorators.js";
 
 import PFDescriptionList from "@patternfly/patternfly/components/DescriptionList/description-list.css";
 
-import { AdminApi, StatusEnum, Task } from "@goauthentik/api";
+import { AdminApi, Task, TaskStatusEnum } from "@goauthentik/api";
 
 @customElement("ak-system-task-list")
 export class SystemTaskListPage extends TablePage<Task> {
@@ -67,11 +67,11 @@ export class SystemTaskListPage extends TablePage<Task> {
 
     taskStatus(task: Task): TemplateResult {
         switch (task.status) {
-            case StatusEnum.Successful:
+            case TaskStatusEnum.Successful:
                 return html`<ak-label color=${PFColor.Green}>${t`Successful`}</ak-label>`;
-            case StatusEnum.Warning:
+            case TaskStatusEnum.Warning:
                 return html`<ak-label color=${PFColor.Orange}>${t`Warning`}</ak-label>`;
-            case StatusEnum.Error:
+            case TaskStatusEnum.Error:
                 return html`<ak-label color=${PFColor.Red}>${t`Error`}</ak-label>`;
             default:
                 return html`<ak-label color=${PFColor.Grey}>${t`Unknown`}</ak-label>`;

website/docs/releases/v2022.7.md

@@ -87,6 +87,16 @@ slug: "2022.7"
 -   stages/prompt: add basic file field (#3156)
 -   tenants: add default_locale read only field, pre-hydrate in flows and read in autodetect as first choice
 
+## Fixed in 2022.7.3
+
+-   core: delete expired models when filtering instead of excluding them
+-   providers/oauth2: correctly log authenticated user for OAuth views using protected_resource_view
+-   sources/oauth: use oidc preferred_username if set, otherwise nickname
+-   stages/consent: fix permissions for consent API (allow owner to delete)
+-   stages/prompt: force required to false when using readonlyfield
+-   stages/prompt: try to base64 decode file, fallback to keeping value as-is
+-   web/elements: improve contrast for codemirror backgrounds
+
 ## Upgrading
 
 This release does not introduce any new requirements.

website/integrations/services/node-red/index.md

@@ -0,0 +1,106 @@
+---
+title: Node-RED
+---
+
+<span class="badge badge--secondary">Support level: Community</span>
+
+## What is Node-RED
+
+From https://nodered.org/
+
+:::note
+Node-RED is a programming tool for wiring together hardware devices, APIs and online services in new and interesting ways.
+
+It provides a browser-based editor that makes it easy to wire together flows using the wide range of nodes in the palette that can be deployed to its runtime in a single-click.
+:::
+
+:::warning
+This requires modification of the Node-RED settings.js and installing additional Passport-js packages, see [Securing Node-RED](https://nodered.org/docs/user-guide/runtime/securing-node-red#oauthopenid-based-authentication) documentation for further details.
+:::
+
+## Preparation
+
+The following placeholders will be used:
+
+-   `authentik.company` is the FQDN of authentik.
+-   `nodred.company` is the FQDN of Node-RED.
+
+### Step 1
+
+In authentik, create an _OAuth2/OpenID Provider_ (under _Resources/Providers_) with these settings:
+
+:::note
+Only settings that have been modified from default have been listed.
+:::
+
+-   Name: Node-RED
+
+**Protocol Settings**
+
+-   Redirect URIs/Origins (RegEx): https://nodred.company/auth/strategy/callback/
+-   Signing Key: Select any available key
+
+:::note
+Take note of the `Client ID` and `Client Secret`, you'll need to give them to Node-RED in _Step 3_.
+:::
+
+### Step 2
+
+In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings.
+
+:::note
+Only settings that have been modified from default have been listed.
+:::
+
+-   Name: Node-RED
+-   Slug: nodered-slug
+-   Provider: Node-RED
+
+Optionally you can link directly to the authentication strategy
+
+-   Launch URL: https://nodred.company/auth/strategy/
+
+### Step 3
+
+:::note
+Group based permissions are not implemented in the below example
+:::
+
+Use npm to install passport-openidconnect
+
+Navigate to the node-red `node_modules` directory, this is dependant on your chosen install method. In the official Node-RED docker container the `node_modules` directory is located in the data volume `data/node_modules/`. Alternatively enter the docker container `docker exec -it nodered bash` and `cd /data/node_modules` to utilise npm within the docker container.
+
+Run the command `npm install passport-openidconnect`
+
+### Step 4
+
+Edit the node-red settings.js file `/data/settings.js` to use the external authentication source via passport-openidconnect.
+
+```js
+adminAuth: {
+type:"strategy",
+strategy: {
+        name: "openidconnect",
+        label: 'Sign in with authentik',
+        icon:"fa-cloud",
+        strategy: require("passport-openidconnect").Strategy,
+        options: {
+                issuer: 'https://authentik.company/application/o/<application-slug>/',
+                authorizationURL: 'https://authentik.company/application/o/authorize/',
+                tokenURL: 'https://authentik.company/application/o/token/',
+                userInfoURL: 'https://authentik.company/application/o/userinfo/',
+                clientID: '<Client ID (Key): Step 2>',
+                clientSecret: '<Client Secret: Step 2>',
+                callbackURL: 'https://nodered.company/auth/strategy/callback/',
+                scope: ['email', 'profile', 'openid'],
+                proxy: true,
+        verify: function(issuer, profile, done) {
+                done(null, profile)
+        }
+      }
+    },
+    users: function(user) {
+        return Promise.resolve({ username: user, permissions: "*" });
+    }
+},
+```

website/integrations/services/rancher/index.md

@@ -26,7 +26,9 @@ Under _Property Mappings_, create a _SAML Property Mapping_. Give it a name like
 return f"{user.pk}-{user.username}"
 ```
 
-Create an application in authentik. Create a SAML provider with the following parameters:
+Create an application in authentik. Set the Launch URL to `https://rancher.company`, as Rancher does not currently support IdP-initiated logins.
+
+Create a SAML provider with the following parameters:
 
 -   ACS URL: `https://rancher.company/v1-saml/adfs/saml/acs`
 -   Audience: `https://rancher.company/v1-saml/adfs/saml/metadata`

website/package.json

@@ -14,8 +14,8 @@
         "prettier": "prettier --write ."
     },
     "dependencies": {
-        "@docusaurus/plugin-client-redirects": "2.0.0-beta.21",
-        "@docusaurus/preset-classic": "2.0.0-beta.21",
+        "@docusaurus/plugin-client-redirects": "2.0.0-rc.1",
+        "@docusaurus/preset-classic": "2.0.0-rc.1",
         "@mdx-js/react": "^1.6.22",
         "clsx": "^1.2.1",
         "postcss": "^8.4.14",
@@ -24,7 +24,7 @@
         "react-before-after-slider-component": "^1.1.3",
         "react-dom": "^17.0.2",
         "react-feather": "^2.0.10",
-        "react-toggle": "^4.1.2"
+        "react-toggle": "^4.1.3"
     },
     "browserslist": {
         "production": [

website/sidebarsIntegrations.js

@@ -88,6 +88,7 @@ module.exports = {
                     ],
                 },
                 "services/home-assistant/index",
+                "services/node-red/index",
                 "services/kimai/index",
                 "services/sonarr/index",
                 "services/tautulli/index",