providers/proxy: rework endpoints logic (#4993 )

* providers/proxy: rework endpoints logic again...this time with tests and better logic Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
blueprints: allow setting of token key in blueprint context (#4995 )
2023-03-18 18:55:30 +01:00 · 2023-03-18 18:55:25 +01:00 · 2023-03-18 18:54:41 +01:00 · 2023-03-18 18:54:33 +01:00 · 2023-03-18 18:53:16 +01:00 · 2023-03-16 18:09:53 +01:00
440 changed files with 13406 additions and 10604 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2023.2.1
+current_version = 2023.3.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)
--- a/.editorconfig
+++ b/.editorconfig
@ -7,8 +7,11 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
-[html]
+[*.html]
 indent_size = 2
-[yaml]
+[*.{yaml,yml}]
 indent_size = 2
 [*.go]
 indent_style = tab
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -80,6 +80,7 @@ jobs:
        run: poetry run python -m lifecycle.migrate
  test-unittest:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v3
      - name: Setup authentik env
@ -94,6 +95,7 @@ jobs:
          flags: unit
  test-integration:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - uses: actions/checkout@v3
      - name: Setup authentik env
@ -111,6 +113,7 @@ jobs:
  test-e2e:
    name: test-e2e (${{ matrix.job.name }})
    runs-on: ubuntu-latest
    timeout-minutes: 30
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/ghcr-retention.yml
+++ b/.github/workflows/ghcr-retention.yml
@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Delete 'dev' containers older than a week
-        uses: snok/container-retention-policy@v1
+        uses: snok/container-retention-policy@v2
        with:
          image-names: dev-server,dev-ldap,dev-proxy
          cut-off: One week ago UTC
--- a/.gitignore
+++ b/.gitignore
@ -200,3 +200,6 @@ media/
 .idea/
 /gen-*/
 data/
 # Local Netlify folder
 .netlify
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@ -0,0 +1,20 @@
 {
    "recommendations": [
        "EditorConfig.EditorConfig",
        "bashmish.es6-string-css",
        "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
        "dbaeumer.vscode-eslint",
        "esbenp.prettier-vscode",
        "golang.go",
        "Gruntfuggly.todo-tree",
        "mechatroner.rainbow-csv",
        "ms-python.black-formatter",
        "ms-python.isort",
        "ms-python.pylint",
        "ms-python.python",
        "ms-python.vscode-pylance",
        "redhat.vscode-yaml",
        "Tobermory.es6-string-html",
        "unifiedjs.vscode-mdx"
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -16,7 +16,8 @@
        "passwordless",
        "kubernetes",
        "sso",
-        "slo"
+        "slo",
        "scim",
    ],
    "python.linting.pylintEnabled": true,
    "todo-tree.tree.showCountsInTree": true,
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -154,12 +154,19 @@ While the prerequisites above must be satisfied prior to having your pull reques
 ## Styleguides
 ### PR naming
 -   Use the format of `<package>: <verb> <description>`
    -   See [here](#authentik-packages) for `package`
    -   Example: `providers/saml2: fix parsing of requests`
 ### Git Commit Messages
 -   Use the format of `<package>: <verb> <description>`
    -   See [here](#authentik-packages) for `package`
    -   Example: `providers/saml2: fix parsing of requests`
 -   Reference issues and pull requests liberally after the first line
 -   Naming of commits within a PR does not need to adhere to the guidelines as we squash merge PRs
 ### Python Styleguide
--- a/4
+++ b/4
@ -31,7 +31,7 @@ RUN pip install --no-cache-dir poetry && \
    poetry export -f requirements.txt --dev --output requirements-dev.txt
 # Stage 4: Build go proxy
-FROM docker.io/golang:1.20.0-bullseye AS go-builder
+FROM docker.io/golang:1.20.2-bullseye AS go-builder
 WORKDIR /work
@ -96,7 +96,7 @@ RUN apt-get update && \
 COPY ./authentik/ /authentik
 COPY ./pyproject.toml /
-COPY ./xml /xml
+COPY ./schemas /schemas
 COPY ./locale /locale
 COPY ./tests /tests
 COPY ./manage.py /
--- a/SECURITY.md
+++ b/SECURITY.md
@ -6,8 +6,8 @@ Authentik takes security very seriously. We follow the rules of [responsible dis
 | Version   | Supported          |
 | --------- | ------------------ |
-| 2022.12.x | :white_check_mark: |
+| 2023.2.x  | :white_check_mark: |
-| 2023.1.x  | :white_check_mark: |
+| 2023.3.x  | :white_check_mark: |
 ## Reporting a Vulnerability
--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@
 from os import environ
 from typing import Optional
-__version__ = "2023.2.1"
+__version__ = "2023.3.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"
--- a/authentik/admin/tests/test_api.py
+++ b/authentik/admin/tests/test_api.py
@ -9,6 +9,7 @@ from authentik.blueprints.tests import reconcile_app
 from authentik.core.models import Group, User
 from authentik.core.tasks import clean_expired_models
 from authentik.events.monitored_tasks import TaskResultStatus
 from authentik.lib.generators import generate_id
 class TestAdminAPI(TestCase):
@ -16,8 +17,8 @@ class TestAdminAPI(TestCase):
    def setUp(self) -> None:
        super().setUp()
-        self.user = User.objects.create(username="test-user")
+        self.user = User.objects.create(username=generate_id())
-        self.group = Group.objects.create(name="superusers", is_superuser=True)
+        self.group = Group.objects.create(name=generate_id(), is_superuser=True)
        self.group.users.add(self.user)
        self.group.save()
        self.client.force_login(self.user)
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@ -4,6 +4,7 @@ from base64 import b64encode
 from django.conf import settings
 from django.test import TestCase
 from django.utils import timezone
 from rest_framework.exceptions import AuthenticationFailed
 from authentik.api.authentication import bearer_auth
@ -68,6 +69,7 @@ class TestAPIAuth(TestCase):
            user=create_test_admin_user(),
            provider=provider,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope=SCOPE_AUTHENTIK_API,
            _id_token=json.dumps({}),
        )
@ -82,6 +84,7 @@ class TestAPIAuth(TestCase):
            user=create_test_admin_user(),
            provider=provider,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="",
            _id_token=json.dumps({}),
        )
--- a/authentik/api/tests/test_decorators.py
+++ b/authentik/api/tests/test_decorators.py
@ -4,6 +4,7 @@ from guardian.shortcuts import assign_perm
 from rest_framework.test import APITestCase
 from authentik.core.models import Application, User
 from authentik.lib.generators import generate_id
 class TestAPIDecorators(APITestCase):
@ -16,7 +17,7 @@ class TestAPIDecorators(APITestCase):
    def test_obj_perm_denied(self):
        """Test object perm denied"""
        self.client.force_login(self.user)
-        app = Application.objects.create(name="denied", slug="denied")
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
        response = self.client.get(
            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
        )
@ -25,7 +26,7 @@ class TestAPIDecorators(APITestCase):
    def test_other_perm_denied(self):
        """Test other perm denied"""
        self.client.force_login(self.user)
-        app = Application.objects.create(name="denied", slug="denied")
+        app = Application.objects.create(name=generate_id(), slug=generate_id())
        assign_perm("authentik_core.view_application", self.user, app)
        response = self.client.get(
            reverse("authentik_api:application-metrics", kwargs={"slug": app.slug})
--- a/authentik/api/v3/urls.py
+++ b/authentik/api/v3/urls.py
@ -58,6 +58,8 @@ from authentik.providers.oauth2.api.tokens import (
 from authentik.providers.proxy.api import ProxyOutpostConfigViewSet, ProxyProviderViewSet
 from authentik.providers.saml.api.property_mapping import SAMLPropertyMappingViewSet
 from authentik.providers.saml.api.providers import SAMLProviderViewSet
 from authentik.providers.scim.api.property_mapping import SCIMMappingViewSet
 from authentik.providers.scim.api.providers import SCIMProviderViewSet
 from authentik.sources.ldap.api import LDAPPropertyMappingViewSet, LDAPSourceViewSet
 from authentik.sources.oauth.api.source import OAuthSourceViewSet
 from authentik.sources.oauth.api.source_connection import UserOAuthSourceConnectionViewSet
@ -163,6 +165,7 @@ router.register("providers/ldap", LDAPProviderViewSet)
 router.register("providers/proxy", ProxyProviderViewSet)
 router.register("providers/oauth2", OAuth2ProviderViewSet)
 router.register("providers/saml", SAMLProviderViewSet)
 router.register("providers/scim", SCIMProviderViewSet)
 router.register("oauth2/authorization_codes", AuthorizationCodeViewSet)
 router.register("oauth2/refresh_tokens", RefreshTokenViewSet)
@ -173,6 +176,7 @@ router.register("propertymappings/ldap", LDAPPropertyMappingViewSet)
 router.register("propertymappings/saml", SAMLPropertyMappingViewSet)
 router.register("propertymappings/scope", ScopeMappingViewSet)
 router.register("propertymappings/notification", NotificationWebhookMappingViewSet)
 router.register("propertymappings/scim", SCIMMappingViewSet)
 router.register("authenticators/all", DeviceViewSet, basename="device")
 router.register("authenticators/duo", DuoDeviceViewSet)
--- a/authentik/blueprints/apps.py
+++ b/authentik/blueprints/apps.py
@ -55,11 +55,11 @@ class AuthentikBlueprintsConfig(ManagedAppConfig):
        """Load v1 tasks"""
        self.import_module("authentik.blueprints.v1.tasks")
-    def reconcile_blueprints_discover(self):
+    def reconcile_blueprints_discovery(self):
        """Run blueprint discovery"""
-        from authentik.blueprints.v1.tasks import blueprints_discover, clear_failed_blueprints
+        from authentik.blueprints.v1.tasks import blueprints_discovery, clear_failed_blueprints
-        blueprints_discover.delay()
+        blueprints_discovery.delay()
        clear_failed_blueprints.delay()
    def import_models(self):
--- a/authentik/blueprints/management/commands/apply_blueprint.py
+++ b/authentik/blueprints/management/commands/apply_blueprint.py
@ -19,10 +19,8 @@ class Command(BaseCommand):
        for blueprint_path in options.get("blueprints", []):
            content = BlueprintInstance(path=blueprint_path).retrieve()
            importer = Importer(content)
-            valid, logs = importer.validate()
+            valid, _ = importer.validate()
            if not valid:
                for log in logs:
                    getattr(LOGGER, log.pop("log_level"))(**log)
                self.stderr.write("blueprint invalid")
                sys_exit(1)
            importer.apply()
--- a/authentik/blueprints/settings.py
+++ b/authentik/blueprints/settings.py
@ -5,7 +5,7 @@ from authentik.lib.utils.time import fqdn_rand
 CELERY_BEAT_SCHEDULE = {
    "blueprints_v1_discover": {
-        "task": "authentik.blueprints.v1.tasks.blueprints_discover",
+        "task": "authentik.blueprints.v1.tasks.blueprints_discovery",
        "schedule": crontab(minute=fqdn_rand("blueprints_v1_discover"), hour="*"),
        "options": {"queue": "authentik_scheduled"},
    },
--- a/authentik/blueprints/tests/init.py
+++ b/authentik/blueprints/tests/init.py
@ -1,6 +1,5 @@
 """Blueprint helpers"""
 from functools import wraps
 from pathlib import Path
 from typing import Callable
 from django.apps import apps
@ -45,13 +44,3 @@ def reconcile_app(app_name: str):
        return wrapper
    return wrapper_outer
 def load_yaml_fixture(path: str, **kwargs) -> str:
    """Load yaml fixture, optionally formatting it with kwargs"""
    with open(Path(__file__).resolve().parent / Path(path), "r", encoding="utf-8") as _fixture:
        fixture = _fixture.read()
        try:
            return fixture % kwargs
        except TypeError:
            return fixture
--- a/authentik/blueprints/tests/test_v1.py
+++ b/authentik/blueprints/tests/test_v1.py
@ -3,12 +3,12 @@ from os import environ
 from django.test import TransactionTestCase
 from authentik.blueprints.tests import load_yaml_fixture
 from authentik.blueprints.v1.exporter import FlowExporter
 from authentik.blueprints.v1.importer import Importer, transaction_rollback
 from authentik.core.models import Group
 from authentik.flows.models import Flow, FlowDesignation, FlowStageBinding
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
 from authentik.sources.oauth.models import OAuthSource
@ -113,14 +113,14 @@ class TestBlueprintsV1(TransactionTestCase):
        """Test export and import it twice"""
        count_initial = Prompt.objects.filter(field_key="username").count()
-        importer = Importer(load_yaml_fixture("fixtures/static_prompt_export.yaml"))
+        importer = Importer(load_fixture("fixtures/static_prompt_export.yaml"))
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
        count_before = Prompt.objects.filter(field_key="username").count()
        self.assertEqual(count_initial + 1, count_before)
-        importer = Importer(load_yaml_fixture("fixtures/static_prompt_export.yaml"))
+        importer = Importer(load_fixture("fixtures/static_prompt_export.yaml"))
        self.assertTrue(importer.apply())
        self.assertEqual(Prompt.objects.filter(field_key="username").count(), count_before)
@ -130,7 +130,7 @@ class TestBlueprintsV1(TransactionTestCase):
        ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").delete()
        Group.objects.filter(name="test").delete()
        environ["foo"] = generate_id()
-        importer = Importer(load_yaml_fixture("fixtures/tags.yaml"), {"bar": "baz"})
+        importer = Importer(load_fixture("fixtures/tags.yaml"), {"bar": "baz"})
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
        policy = ExpressionPolicy.objects.filter(name="foo-bar-baz-qux").first()
--- a/authentik/blueprints/tests/test_v1_conditions.py
+++ b/authentik/blueprints/tests/test_v1_conditions.py
@ -1,10 +1,10 @@
 """Test blueprints v1"""
 from django.test import TransactionTestCase
 from authentik.blueprints.tests import load_yaml_fixture
 from authentik.blueprints.v1.importer import Importer
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
 class TestBlueprintsV1Conditions(TransactionTestCase):
@ -14,7 +14,7 @@ class TestBlueprintsV1Conditions(TransactionTestCase):
        """Test conditions fulfilled"""
        flow_slug1 = generate_id()
        flow_slug2 = generate_id()
-        import_yaml = load_yaml_fixture(
+        import_yaml = load_fixture(
            "fixtures/conditions_fulfilled.yaml", id1=flow_slug1, id2=flow_slug2
        )
@ -31,7 +31,7 @@ class TestBlueprintsV1Conditions(TransactionTestCase):
        """Test conditions not fulfilled"""
        flow_slug1 = generate_id()
        flow_slug2 = generate_id()
-        import_yaml = load_yaml_fixture(
+        import_yaml = load_fixture(
            "fixtures/conditions_not_fulfilled.yaml", id1=flow_slug1, id2=flow_slug2
        )
--- a/authentik/blueprints/tests/test_v1_state.py
+++ b/authentik/blueprints/tests/test_v1_state.py
@ -1,10 +1,10 @@
 """Test blueprints v1"""
 from django.test import TransactionTestCase
 from authentik.blueprints.tests import load_yaml_fixture
 from authentik.blueprints.v1.importer import Importer
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
 class TestBlueprintsV1State(TransactionTestCase):
@ -13,7 +13,7 @@ class TestBlueprintsV1State(TransactionTestCase):
    def test_state_present(self):
        """Test state present"""
        flow_slug = generate_id()
-        import_yaml = load_yaml_fixture("fixtures/state_present.yaml", id=flow_slug)
+        import_yaml = load_fixture("fixtures/state_present.yaml", id=flow_slug)
        importer = Importer(import_yaml)
        self.assertTrue(importer.validate()[0])
@ -39,7 +39,7 @@ class TestBlueprintsV1State(TransactionTestCase):
    def test_state_created(self):
        """Test state created"""
        flow_slug = generate_id()
-        import_yaml = load_yaml_fixture("fixtures/state_created.yaml", id=flow_slug)
+        import_yaml = load_fixture("fixtures/state_created.yaml", id=flow_slug)
        importer = Importer(import_yaml)
        self.assertTrue(importer.validate()[0])
@ -65,7 +65,7 @@ class TestBlueprintsV1State(TransactionTestCase):
    def test_state_absent(self):
        """Test state absent"""
        flow_slug = generate_id()
-        import_yaml = load_yaml_fixture("fixtures/state_created.yaml", id=flow_slug)
+        import_yaml = load_fixture("fixtures/state_created.yaml", id=flow_slug)
        importer = Importer(import_yaml)
        self.assertTrue(importer.validate()[0])
@ -74,7 +74,7 @@ class TestBlueprintsV1State(TransactionTestCase):
        flow: Flow = Flow.objects.filter(slug=flow_slug).first()
        self.assertEqual(flow.slug, flow_slug)
-        import_yaml = load_yaml_fixture("fixtures/state_absent.yaml", id=flow_slug)
+        import_yaml = load_fixture("fixtures/state_absent.yaml", id=flow_slug)
        importer = Importer(import_yaml)
        self.assertTrue(importer.validate()[0])
        self.assertTrue(importer.apply())
--- a/authentik/blueprints/tests/test_v1_tasks.py
+++ b/authentik/blueprints/tests/test_v1_tasks.py
@ -6,7 +6,7 @@ from django.test import TransactionTestCase
 from yaml import dump
 from authentik.blueprints.models import BlueprintInstance, BlueprintInstanceStatus
-from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_discover, blueprints_find
+from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_discovery, blueprints_find
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id
@ -53,7 +53,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
            file.seek(0)
            file_hash = sha512(file.read().encode()).hexdigest()
            file.flush()
-            blueprints_discover()  # pylint: disable=no-value-for-parameter
+            blueprints_discovery()  # pylint: disable=no-value-for-parameter
            instance = BlueprintInstance.objects.filter(name=blueprint_id).first()
            self.assertEqual(instance.last_applied_hash, file_hash)
            self.assertEqual(
@ -81,7 +81,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                )
            )
            file.flush()
-            blueprints_discover()  # pylint: disable=no-value-for-parameter
+            blueprints_discovery()  # pylint: disable=no-value-for-parameter
            blueprint = BlueprintInstance.objects.filter(name="foo").first()
            self.assertEqual(
                blueprint.last_applied_hash,
@ -106,7 +106,7 @@ class TestBlueprintsV1Tasks(TransactionTestCase):
                )
            )
            file.flush()
-            blueprints_discover()  # pylint: disable=no-value-for-parameter
+            blueprints_discovery()  # pylint: disable=no-value-for-parameter
            blueprint.refresh_from_db()
            self.assertEqual(
                blueprint.last_applied_hash,
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -40,6 +40,10 @@ from authentik.lib.models import SerializerModel
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 # Context set when the serializer is created in a blueprint context
 # Update website/developer-docs/blueprints/v1/models.md when used
 SERIALIZER_CONTEXT_BLUEPRINT = "blueprint_entry"
 def is_model_allowed(model: type[Model]) -> bool:
    """Check if model is allowed"""
@ -158,7 +162,12 @@ class Importer:
            raise EntryInvalidError(f"Model {model} not allowed")
        if issubclass(model, BaseMetaModel):
            serializer_class: type[Serializer] = model.serializer()
-            serializer = serializer_class(data=entry.get_attrs(self.__import))
+            serializer = serializer_class(
                data=entry.get_attrs(self.__import),
                context={
                    SERIALIZER_CONTEXT_BLUEPRINT: entry,
                },
            )
            try:
                serializer.is_valid(raise_exception=True)
            except ValidationError as exc:
@ -217,7 +226,12 @@ class Importer:
        always_merger.merge(full_data, updated_identifiers)
        serializer_kwargs["data"] = full_data
-        serializer: Serializer = model().serializer(**serializer_kwargs)
+        serializer: Serializer = model().serializer(
            context={
                SERIALIZER_CONTEXT_BLUEPRINT: entry,
            },
            **serializer_kwargs,
        )
        try:
            serializer.is_valid(raise_exception=True)
        except ValidationError as exc:
--- a/authentik/blueprints/v1/tasks.py
+++ b/authentik/blueprints/v1/tasks.py
@ -76,7 +76,7 @@ class BlueprintEventHandler(FileSystemEventHandler):
            return
        if isinstance(event, FileCreatedEvent):
            LOGGER.debug("new blueprint file created, starting discovery")
-            blueprints_discover.delay()
+            blueprints_discovery.delay()
        if isinstance(event, FileModifiedEvent):
            path = Path(event.src_path)
            root = Path(CONFIG.y("blueprints_dir")).absolute()
@ -134,7 +134,7 @@ def blueprints_find():
    throws=(DatabaseError, ProgrammingError, InternalError), base=MonitoredTask, bind=True
 )
@prefill_task
-def blueprints_discover(self: MonitoredTask):
+def blueprints_discovery(self: MonitoredTask):
    """Find blueprints and check if they need to be created in the database"""
    count = 0
    for blueprint in blueprints_find():
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@ -37,7 +37,6 @@ from authentik.lib.utils.file import (
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.types import PolicyResult
 from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
 LOGGER = get_logger()
@ -186,10 +185,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        if superuser_full_list and request.user.is_superuser:
            return super().list(request)
        # To prevent the user from having to double login when prompt is set to login
        # and the user has just signed it. This session variable is set in the UserLoginStage
        # and is (quite hackily) removed from the session in applications's API's List method
        self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)
        queryset = self._filter_queryset_for_list(self.get_queryset())
        self.paginate_queryset(queryset)
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@ -24,7 +24,6 @@ from authentik.core.models import Group, User
 class GroupMemberSerializer(ModelSerializer):
    """Stripped down user serializer to show relevant users for groups"""
    avatar = CharField(read_only=True)
    attributes = JSONField(validators=[is_dict], required=False)
    uid = CharField(read_only=True)
@ -37,7 +36,6 @@ class GroupMemberSerializer(ModelSerializer):
            "is_active",
            "last_login",
            "email",
            "avatar",
            "attributes",
            "uid",
        ]
--- a/authentik/core/api/providers.py
+++ b/authentik/core/api/providers.py
@ -44,6 +44,9 @@ class ProviderSerializer(ModelSerializer, MetaNameSerializer):
            "verbose_name_plural",
            "meta_model_name",
        ]
        extra_kwargs = {
            "authorization_flow": {"required": True, "allow_null": False},
        }
 class ProviderViewSet(
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@ -206,5 +206,6 @@ class UserSourceConnectionViewSet(
    queryset = UserSourceConnection.objects.all()
    serializer_class = UserSourceConnectionSerializer
    permission_classes = [OwnerSuperuserPermissions]
    filterset_fields = ["user"]
    filter_backends = [OwnerFilter, DjangoFilterBackend, OrderingFilter, SearchFilter]
    ordering = ["pk"]
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@ -16,6 +16,7 @@ from rest_framework.viewsets import ModelViewSet
 from authentik.api.authorization import OwnerSuperuserPermissions
 from authentik.api.decorators import permission_required
 from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import PassiveSerializer
@ -29,9 +30,20 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
    user_obj = UserSerializer(required=False, source="user", read_only=True)
    def __init__(self, *args, **kwargs) -> None:
        super().__init__(*args, **kwargs)
        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
            self.fields["key"] = CharField()
    def validate(self, attrs: dict[Any, str]) -> dict[Any, str]:
        """Ensure only API or App password tokens are created."""
-        request: Request = self.context["request"]
+        request: Request = self.context.get("request")
        if not request:
            if "user" not in attrs:
                raise ValidationError("Missing user")
            if "intent" not in attrs:
                raise ValidationError("Missing intent")
        else:
            attrs.setdefault("user", request.user)
        attrs.setdefault("intent", TokenIntents.INTENT_API)
        if attrs.get("intent") not in [TokenIntents.INTENT_API, TokenIntents.INTENT_APP_PASSWORD]:
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -38,6 +38,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import (
    BooleanField,
    DateTimeField,
    ListSerializer,
    ModelSerializer,
    PrimaryKeyRelatedField,
@ -67,6 +68,7 @@ from authentik.core.models import (
    User,
 )
 from authentik.events.models import EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import FlowToken
 from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER, FlowPlanner
 from authentik.flows.views.executor import QS_KEY_TOKEN
@ -325,12 +327,16 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        user: User = self.get_object()
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        try:
            plan = planner.plan(
                self.request._request,
                {
                    PLAN_CONTEXT_PENDING_USER: user,
                },
            )
        except FlowNonApplicableException:
            LOGGER.warning("Recovery flow not applicable to user")
            return None, None
        token, __ = FlowToken.objects.update_or_create(
            identifier=f"{user.uid}-password-reset",
            defaults={
@ -353,6 +359,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            {
                "name": CharField(required=True),
                "create_group": BooleanField(default=False),
                "expiring": BooleanField(default=True),
                "expires": DateTimeField(
                    required=False,
                    help_text="If not provided, valid for 360 days",
                ),
            },
        ),
        responses={
@ -373,14 +384,20 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        """Create a new user account that is marked as a service account"""
        username = request.data.get("name")
        create_group = request.data.get("create_group", False)
        expiring = request.data.get("expiring", True)
        expires = request.data.get("expires", now() + timedelta(days=360))
        with atomic():
            try:
-                user = User.objects.create(
+                user: User = User.objects.create(
                    username=username,
                    name=username,
-                    attributes={USER_ATTRIBUTE_SA: True, USER_ATTRIBUTE_TOKEN_EXPIRING: False},
+                    attributes={USER_ATTRIBUTE_SA: True, USER_ATTRIBUTE_TOKEN_EXPIRING: expiring},
                    path=USER_PATH_SERVICE_ACCOUNT,
                )
                user.set_unusable_password()
                user.save()
                response = {
                    "username": user.username,
                    "user_uid": user.uid,
@ -396,7 +413,8 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                    identifier=slugify(f"service-account-{username}-password"),
                    intent=TokenIntents.INTENT_APP_PASSWORD,
                    user=user,
-                    expires=now() + timedelta(days=360),
+                    expires=expires,
                    expiring=expiring,
                )
                response["token"] = token.key
                return Response(response)
--- a/authentik/core/expression/evaluator.py
+++ b/authentik/core/expression/evaluator.py
@ -1,8 +1,9 @@
 """Property Mapping Evaluator"""
-from typing import Optional
+from typing import Any, Optional
 from django.db.models import Model
 from django.http import HttpRequest
 from prometheus_client import Histogram
 from authentik.core.models import User
 from authentik.events.models import Event, EventAction
@ -10,6 +11,12 @@ from authentik.lib.expression.evaluator import BaseEvaluator
 from authentik.lib.utils.errors import exception_to_string
 from authentik.policies.types import PolicyRequest
 PROPERTY_MAPPING_TIME = Histogram(
    "authentik_property_mapping_execution_time",
    "Evaluation time of property mappings",
    ["mapping_name"],
 )
 class PropertyMappingEvaluator(BaseEvaluator):
    """Custom Evaluator that adds some different context variables."""
@ -49,3 +56,7 @@ class PropertyMappingEvaluator(BaseEvaluator):
            event.from_http(req.http_request, req.user)
            return
        event.save()
    def evaluate(self, *args, **kwargs) -> Any:
        with PROPERTY_MAPPING_TIME.labels(mapping_name=self._filename).time():
            return super().evaluate(*args, **kwargs)
--- a/authentik/core/migrations/0002_auto_20200523_1133_squashed_0011_provider_name_temp.py
+++ b/authentik/core/migrations/0002_auto_20200523_1133_squashed_0011_provider_name_temp.py
@ -18,13 +18,13 @@ def create_default_user(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    akadmin, _ = User.objects.using(db_alias).get_or_create(
-        username="akadmin", email="root@localhost", name="authentik Default Admin"
+        username="akadmin",
        email=environ.get("AUTHENTIK_BOOTSTRAP_EMAIL", "root@localhost"),
        name="authentik Default Admin",
    )
    password = None
    if "TF_BUILD" in environ or settings.TEST:
        password = "akadmin"  # noqa # nosec
    if "AK_ADMIN_PASS" in environ:
        password = environ["AK_ADMIN_PASS"]
    if "AUTHENTIK_BOOTSTRAP_PASSWORD" in environ:
        password = environ["AUTHENTIK_BOOTSTRAP_PASSWORD"]
    if password:
--- a/authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py
+++ b/authentik/core/migrations/0018_auto_20210330_1345_squashed_0028_alter_token_intent.py
@ -46,13 +46,9 @@ def create_default_user_token(apps: Apps, schema_editor: BaseDatabaseSchemaEdito
    akadmin = User.objects.using(db_alias).filter(username="akadmin")
    if not akadmin.exists():
        return
-    key = None
+    if "AUTHENTIK_BOOTSTRAP_TOKEN" not in environ:
    if "AK_ADMIN_TOKEN" in environ:
        key = environ["AK_ADMIN_TOKEN"]
    if "AUTHENTIK_BOOTSTRAP_TOKEN" in environ:
        key = environ["AUTHENTIK_BOOTSTRAP_TOKEN"]
    if not key:
        return
    key = environ["AUTHENTIK_BOOTSTRAP_TOKEN"]
    Token.objects.using(db_alias).create(
        identifier="authentik-bootstrap-token",
        user=akadmin.first(),
@ -186,7 +182,9 @@ class Migration(migrations.Migration):
            model_name="application",
            name="meta_launch_url",
            field=models.TextField(
-                blank=True, default="", validators=[authentik.lib.models.DomainlessURLValidator()]
+                blank=True,
                default="",
                validators=[authentik.lib.models.DomainlessFormattedURLValidator()],
            ),
        ),
        migrations.RunPython(
--- a/authentik/core/migrations/0025_alter_provider_authorization_flow.py
+++ b/authentik/core/migrations/0025_alter_provider_authorization_flow.py
@ -0,0 +1,25 @@
 # Generated by Django 4.1.7 on 2023-03-02 21:32
 import django.db.models.deletion
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_flows", "0025_alter_flowstagebinding_evaluate_on_plan_and_more"),
        ("authentik_core", "0024_source_icon"),
    ]
    operations = [
        migrations.AlterField(
            model_name="provider",
            name="authorization_flow",
            field=models.ForeignKey(
                help_text="Flow used when authorizing this provider.",
                null=True,
                on_delete=django.db.models.deletion.CASCADE,
                related_name="provider_authorization",
                to="authentik_flows.flow",
            ),
        ),
    ]
--- a/authentik/core/migrations/0026_alter_propertymapping_name_alter_provider_name.py
+++ b/authentik/core/migrations/0026_alter_propertymapping_name_alter_provider_name.py
@ -0,0 +1,26 @@
 # Generated by Django 4.1.7 on 2023-03-07 13:41
 from django.db import migrations, models
 from authentik.lib.migrations import fallback_names
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_core", "0025_alter_provider_authorization_flow"),
    ]
    operations = [
        migrations.RunPython(fallback_names("authentik_core", "propertymapping", "name")),
        migrations.RunPython(fallback_names("authentik_core", "provider", "name")),
        migrations.AlterField(
            model_name="propertymapping",
            name="name",
            field=models.TextField(unique=True),
        ),
        migrations.AlterField(
            model_name="provider",
            name="name",
            field=models.TextField(unique=True),
        ),
    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@ -22,12 +22,15 @@ from structlog.stdlib import get_logger
 from authentik.blueprints.models import ManagedModel
 from authentik.core.exceptions import PropertyMappingExpressionException
 from authentik.core.signals import password_changed
 from authentik.core.types import UILoginButton, UserSettingSerializer
 from authentik.lib.avatars import get_avatar
 from authentik.lib.config import CONFIG
 from authentik.lib.generators import generate_id
-from authentik.lib.models import CreatedUpdatedModel, DomainlessURLValidator, SerializerModel
+from authentik.lib.models import (
    CreatedUpdatedModel,
    DomainlessFormattedURLValidator,
    SerializerModel,
 )
 from authentik.lib.utils.http import get_client_ip
 from authentik.policies.models import PolicyBindingModel
@ -189,6 +192,8 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
    def set_password(self, raw_password, signal=True):
        if self.pk and signal:
            from authentik.core.signals import password_changed
            password_changed.send(sender=self, user=self, password=raw_password)
        self.password_change_date = now()
        return super().set_password(raw_password)
@ -242,11 +247,12 @@ class User(SerializerModel, GuardianUserMixin, AbstractUser):
 class Provider(SerializerModel):
    """Application-independent Provider instance. For example SAML2 Remote, OAuth2 Application"""
-    name = models.TextField()
+    name = models.TextField(unique=True)
    authorization_flow = models.ForeignKey(
        "authentik_flows.Flow",
        on_delete=models.CASCADE,
        null=True,
        help_text=_("Flow used when authorizing this provider."),
        related_name="provider_authorization",
    )
@ -289,7 +295,7 @@ class Application(SerializerModel, PolicyBindingModel):
    )
    meta_launch_url = models.TextField(
-        default="", blank=True, validators=[DomainlessURLValidator()]
+        default="", blank=True, validators=[DomainlessFormattedURLValidator()]
    )
    open_in_new_tab = models.BooleanField(
@ -606,7 +612,7 @@ class PropertyMapping(SerializerModel, ManagedModel):
    """User-defined key -> x mapping which can be used by providers to expose extra data."""
    pm_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    name = models.TextField()
+    name = models.TextField(unique=True)
    expression = models.TextField()
    objects = InheritanceManager()
@ -629,7 +635,7 @@ class PropertyMapping(SerializerModel, ManagedModel):
        try:
            return evaluator.evaluate(self.expression)
        except Exception as exc:
-            raise PropertyMappingExpressionException(str(exc)) from exc
+            raise PropertyMappingExpressionException(exc) from exc
    def __str__(self):
        return f"Property Mapping {self.name}"
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@ -10,25 +10,25 @@ from django.db.models.signals import post_save, pre_delete
 from django.dispatch import receiver
 from django.http.request import HttpRequest
 from authentik.core.models import Application, AuthenticatedSession
 # Arguments: user: User, password: str
 password_changed = Signal()
 # Arguments: credentials: dict[str, any], request: HttpRequest, stage: Stage
 login_failed = Signal()
 if TYPE_CHECKING:
-    from authentik.core.models import AuthenticatedSession, User
+    from authentik.core.models import User
-@receiver(post_save)
+@receiver(post_save, sender=Application)
 def post_save_application(sender: type[Model], instance, created: bool, **_):
    """Clear user's application cache upon application creation"""
    from authentik.core.api.applications import user_app_cache_key
    from authentik.core.models import Application
    if sender != Application:
        return
    if not created:  # pragma: no cover
        return
    # Also delete user application cache
    keys = cache.keys(user_app_cache_key("*"))
    cache.delete_many(keys)
@ -37,7 +37,6 @@ def post_save_application(sender: type[Model], instance, created: bool, **_):
@receiver(user_logged_in)
 def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
    """Create an AuthenticatedSession from request"""
    from authentik.core.models import AuthenticatedSession
    session = AuthenticatedSession.from_request(request, user)
    if session:
@ -47,18 +46,11 @@ def user_logged_in_session(sender, request: HttpRequest, user: "User", **_):
@receiver(user_logged_out)
 def user_logged_out_session(sender, request: HttpRequest, user: "User", **_):
    """Delete AuthenticatedSession if it exists"""
    from authentik.core.models import AuthenticatedSession
    AuthenticatedSession.objects.filter(session_key=request.session.session_key).delete()
-@receiver(pre_delete)
+@receiver(pre_delete, sender=AuthenticatedSession)
 def authenticated_session_delete(sender: type[Model], instance: "AuthenticatedSession", **_):
    """Delete session when authenticated session is deleted"""
    from authentik.core.models import AuthenticatedSession
    if sender != AuthenticatedSession:
        return
    cache_key = f"{KEY_PREFIX}{instance.session_key}"
    cache.delete(cache_key)
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -16,7 +16,8 @@
        {% block head_before %}
        {% endblock %}
        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}">
+        <link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
        <link rel="stylesheet" type="text/css" href="{% static 'dist/custom.css' %}" data-inject>
        <script src="{% static 'dist/poly.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@ -37,6 +37,22 @@ class TestApplicationsAPI(APITestCase):
            order=0,
        )
    def test_formatted_launch_url(self):
        """Test formatted launch URL"""
        self.client.force_login(self.user)
        self.assertEqual(
            self.client.patch(
                reverse("authentik_api:application-detail", kwargs={"slug": self.allowed.slug}),
                {"meta_launch_url": "https://%(username)s-test.test.goauthentik.io/%(username)s"},
            ).status_code,
            200,
        )
        self.allowed.refresh_from_db()
        self.assertEqual(
            self.allowed.get_launch_url(self.user),
            f"https://{self.user.username}-test.test.goauthentik.io/{self.user.username}",
        )
    def test_set_icon(self):
        """Test set_icon"""
        file = ContentFile(b"text", "name")
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@ -5,6 +5,7 @@ from django.urls.base import reverse
 from guardian.shortcuts import get_anonymous_user
 from rest_framework.test import APITestCase
 from authentik.core.api.tokens import TokenSerializer
 from authentik.core.models import USER_ATTRIBUTE_TOKEN_EXPIRING, Token, TokenIntents, User
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
@ -99,3 +100,16 @@ class TestTokenAPI(APITestCase):
        self.assertEqual(len(body["results"]), 2)
        self.assertEqual(body["results"][0]["identifier"], token_should.identifier)
        self.assertEqual(body["results"][1]["identifier"], token_should_not.identifier)
    def test_serializer_no_request(self):
        """Test serializer without request"""
        self.assertTrue(
            TokenSerializer(
                data={
                    "identifier": generate_id(),
                    "intent": TokenIntents.INTENT_APP_PASSWORD,
                    "key": generate_id(),
                    "user": self.user.pk,
                }
            ).is_valid(raise_exception=True)
        )
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -1,11 +1,19 @@
 """Test Users API"""
 from datetime import datetime
 from django.contrib.sessions.backends.cache import KEY_PREFIX
 from django.core.cache import cache
 from django.urls.base import reverse
 from rest_framework.test import APITestCase
-from authentik.core.models import AuthenticatedSession, User
+from authentik.core.models import (
    USER_ATTRIBUTE_SA,
    USER_ATTRIBUTE_TOKEN_EXPIRING,
    AuthenticatedSession,
    Token,
    User,
 )
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
 from authentik.flows.models import FlowDesignation
 from authentik.lib.generators import generate_id, generate_key
@ -130,7 +138,71 @@ class TestUsersAPI(APITestCase):
            },
        )
        self.assertEqual(response.status_code, 200)
-        self.assertTrue(User.objects.filter(username="test-sa").exists())
+
        user_filter = User.objects.filter(
            username="test-sa",
            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: True, USER_ATTRIBUTE_SA: True},
        )
        self.assertTrue(user_filter.exists())
        user: User = user_filter.first()
        self.assertFalse(user.has_usable_password())
        token_filter = Token.objects.filter(user=user)
        self.assertTrue(token_filter.exists())
        self.assertTrue(token_filter.first().expiring)
    def test_service_account_no_expire(self):
        """Service account creation without token expiration"""
        self.client.force_login(self.admin)
        response = self.client.post(
            reverse("authentik_api:user-service-account"),
            data={
                "name": "test-sa",
                "create_group": True,
                "expiring": False,
            },
        )
        self.assertEqual(response.status_code, 200)
        user_filter = User.objects.filter(
            username="test-sa",
            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: False, USER_ATTRIBUTE_SA: True},
        )
        self.assertTrue(user_filter.exists())
        user: User = user_filter.first()
        self.assertFalse(user.has_usable_password())
        token_filter = Token.objects.filter(user=user)
        self.assertTrue(token_filter.exists())
        self.assertFalse(token_filter.first().expiring)
    def test_service_account_with_custom_expire(self):
        """Service account creation with custom token expiration date"""
        self.client.force_login(self.admin)
        expire_on = datetime(2050, 11, 11, 11, 11, 11).astimezone()
        response = self.client.post(
            reverse("authentik_api:user-service-account"),
            data={
                "name": "test-sa",
                "create_group": True,
                "expires": expire_on.isoformat(),
            },
        )
        self.assertEqual(response.status_code, 200)
        user_filter = User.objects.filter(
            username="test-sa",
            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: True, USER_ATTRIBUTE_SA: True},
        )
        self.assertTrue(user_filter.exists())
        user: User = user_filter.first()
        self.assertFalse(user.has_usable_password())
        token_filter = Token.objects.filter(user=user)
        self.assertTrue(token_filter.exists())
        token = token_filter.first()
        self.assertTrue(token.expiring)
        self.assertEqual(token.expires, expire_on)
    def test_service_account_invalid(self):
        """Service account creation (twice with same name, expect error)"""
@ -143,7 +215,19 @@ class TestUsersAPI(APITestCase):
            },
        )
        self.assertEqual(response.status_code, 200)
-        self.assertTrue(User.objects.filter(username="test-sa").exists())
+
        user_filter = User.objects.filter(
            username="test-sa",
            attributes={USER_ATTRIBUTE_TOKEN_EXPIRING: True, USER_ATTRIBUTE_SA: True},
        )
        self.assertTrue(user_filter.exists())
        user: User = user_filter.first()
        self.assertFalse(user.has_usable_password())
        token_filter = Token.objects.filter(user=user)
        self.assertTrue(token_filter.exists())
        self.assertTrue(token_filter.first().expiring)
        response = self.client.post(
            reverse("authentik_api:user-service-account"),
            data={
--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@ -11,6 +11,7 @@ from authentik.flows.challenge import (
    HttpChallengeResponse,
    RedirectChallenge,
 )
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
@ -41,6 +42,7 @@ class RedirectToAppLaunch(View):
        flow = tenant.flow_authentication
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        try:
            plan = planner.plan(
                request,
                {
@ -50,6 +52,8 @@ class RedirectToAppLaunch(View):
                    PLAN_CONTEXT_CONSENT_PERMISSIONS: [],
                },
            )
        except FlowNonApplicableException:
            raise Http404
        plan.insert_stage(in_memory_stage(RedirectToAppStage))
        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs("authentik_core:if-flow", request.GET, flow_slug=flow.slug)
--- a/authentik/events/middleware.py
+++ b/authentik/events/middleware.py
@ -7,13 +7,14 @@ from django.conf import settings
 from django.contrib.sessions.models import Session
 from django.core.exceptions import SuspiciousOperation
 from django.db.models import Model
-from django.db.models.signals import post_save, pre_delete
+from django.db.models.signals import m2m_changed, post_save, pre_delete
 from django.http import HttpRequest, HttpResponse
 from django_otp.plugins.otp_static.models import StaticToken
 from guardian.models import UserObjectPermission
 from authentik.core.models import (
    AuthenticatedSession,
    Group,
    PropertyMapping,
    Provider,
    Source,
@ -28,6 +29,7 @@ from authentik.lib.utils.errors import exception_to_string
 from authentik.outposts.models import OutpostServiceConnection
 from authentik.policies.models import Policy, PolicyBindingModel
 from authentik.providers.oauth2.models import AccessToken, AuthorizationCode, RefreshToken
 from authentik.providers.scim.models import SCIMGroup, SCIMUser
 IGNORED_MODELS = (
    Event,
@ -48,6 +50,8 @@ IGNORED_MODELS = (
    AuthorizationCode,
    AccessToken,
    RefreshToken,
    SCIMUser,
    SCIMGroup,
 )
@ -58,6 +62,13 @@ def should_log_model(model: Model) -> bool:
    return model.__class__ not in IGNORED_MODELS
 def should_log_m2m(model: Model) -> bool:
    """Return true if m2m operation should be logged"""
    if model.__class__ in [User, Group]:
        return True
    return False
 class EventNewThread(Thread):
    """Create Event in background thread"""
@ -96,6 +107,7 @@ class AuditMiddleware:
            return
        post_save_handler = partial(self.post_save_handler, user=request.user, request=request)
        pre_delete_handler = partial(self.pre_delete_handler, user=request.user, request=request)
        m2m_changed_handler = partial(self.m2m_changed_handler, user=request.user, request=request)
        post_save.connect(
            post_save_handler,
            dispatch_uid=request.request_id,
@ -106,6 +118,11 @@ class AuditMiddleware:
            dispatch_uid=request.request_id,
            weak=False,
        )
        m2m_changed.connect(
            m2m_changed_handler,
            dispatch_uid=request.request_id,
            weak=False,
        )
    def disconnect(self, request: HttpRequest):
        """Disconnect signals"""
@ -113,6 +130,7 @@ class AuditMiddleware:
            return
        post_save.disconnect(dispatch_uid=request.request_id)
        pre_delete.disconnect(dispatch_uid=request.request_id)
        m2m_changed.disconnect(dispatch_uid=request.request_id)
    def __call__(self, request: HttpRequest) -> HttpResponse:
        self.connect(request)
@ -167,3 +185,20 @@ class AuditMiddleware:
            user=user,
            model=model_to_dict(instance),
        ).run()
    @staticmethod
    def m2m_changed_handler(
        user: User, request: HttpRequest, sender, instance: Model, action: str, **_
    ):
        """Signal handler for all object's m2m_changed"""
        if action not in ["pre_add", "pre_remove", "post_clear"]:
            return
        if not should_log_m2m(instance):
            return
        EventNewThread(
            EventAction.MODEL_UPDATED,
            request,
            user=user,
            model=model_to_dict(instance),
        ).run()
--- a/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py
+++ b/authentik/events/migrations/0001_squashed_0019_alter_notificationtransport_webhook_url.py
@ -2,7 +2,6 @@
 import uuid
 from datetime import timedelta
 from typing import Iterable
 import django.db.models.deletion
 from django.apps.registry import Apps
@ -13,6 +12,7 @@ from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 import authentik.events.models
 import authentik.lib.models
 from authentik.events.models import EventAction, NotificationSeverity, TransportMode
 from authentik.lib.migrations import progress_bar
 def convert_user_to_json(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
@ -43,49 +43,6 @@ def token_view_to_secret_view(apps: Apps, schema_editor: BaseDatabaseSchemaEdito
    Event.objects.using(db_alias).bulk_update(events, ["context", "action"])
 # Taken from https://stackoverflow.com/questions/3173320/text-progress-bar-in-the-console
 def progress_bar(
    iterable: Iterable,
    prefix="Writing: ",
    suffix=" finished",
    decimals=1,
    length=100,
    fill="█",
    print_end="\r",
 ):
    """
    Call in a loop to create terminal progress bar
    @params:
        iteration   - Required  : current iteration (Int)
        total       - Required  : total iterations (Int)
        prefix      - Optional  : prefix string (Str)
        suffix      - Optional  : suffix string (Str)
        decimals    - Optional  : positive number of decimals in percent complete (Int)
        length      - Optional  : character length of bar (Int)
        fill        - Optional  : bar fill character (Str)
        print_end   - Optional  : end character (e.g. "\r", "\r\n") (Str)
    """
    total = len(iterable)
    if total < 1:
        return
    def print_progress_bar(iteration):
        """Progress Bar Printing Function"""
        percent = ("{0:." + str(decimals) + "f}").format(100 * (iteration / float(total)))
        filledLength = int(length * iteration // total)
        bar = fill * filledLength + "-" * (length - filledLength)
        print(f"\r{prefix} |{bar}| {percent}% {suffix}", end=print_end)
    # Initial Call
    print_progress_bar(0)
    # Update Progress Bar
    for i, item in enumerate(iterable):
        yield item
        print_progress_bar(i + 1)
    # Print New Line on Complete
    print()
 def update_expires(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    db_alias = schema_editor.connection.alias
    Event = apps.get_model("authentik_events", "event")
--- a/authentik/events/monitored_tasks.py
+++ b/authentik/events/monitored_tasks.py
@ -41,7 +41,7 @@ class TaskResult:
    def with_error(self, exc: Exception) -> "TaskResult":
        """Since errors might not always be pickle-able, set the traceback"""
-        self.messages.append(str(exc))
+        self.messages.append(exception_to_string(exc))
        return self
@ -111,6 +111,7 @@ class MonitoredTask(Task):
    _result: Optional[TaskResult]
    _uid: Optional[str]
    start: Optional[float] = None
    def __init__(self, *args, **kwargs) -> None:
        super().__init__(*args, **kwargs)
@ -118,7 +119,6 @@ class MonitoredTask(Task):
        self._uid = None
        self._result = None
        self.result_timeout_hours = 6
        self.start = default_timer()
    def set_uid(self, uid: str):
        """Set UID, so in the case of an unexpected error its saved correctly"""
@ -128,6 +128,10 @@ class MonitoredTask(Task):
        """Set result for current run, will overwrite previous result."""
        self._result = result
    def before_start(self, task_id, args, kwargs):
        self.start = default_timer()
        return super().before_start(task_id, args, kwargs)
    # pylint: disable=too-many-arguments
    def after_return(self, status, retval, task_id, args: list[Any], kwargs: dict[str, Any], einfo):
        super().after_return(status, retval, task_id, args, kwargs, einfo=einfo)
@ -138,7 +142,7 @@ class MonitoredTask(Task):
        info = TaskInfo(
            task_name=self.__name__,
            task_description=self.__doc__,
-            start_timestamp=self.start,
+            start_timestamp=self.start or default_timer(),
            finish_timestamp=default_timer(),
            finish_time=datetime.now(),
            result=self._result,
@ -162,7 +166,7 @@ class MonitoredTask(Task):
        TaskInfo(
            task_name=self.__name__,
            task_description=self.__doc__,
-            start_timestamp=self.start,
+            start_timestamp=self.start or default_timer(),
            finish_timestamp=default_timer(),
            finish_time=datetime.now(),
            result=self._result,
--- a/authentik/flows/api/bindings.py
+++ b/authentik/flows/api/bindings.py
@ -1,4 +1,7 @@
 """Flow Binding API Views"""
 from typing import Any
 from rest_framework.exceptions import ValidationError
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet
@ -12,6 +15,13 @@ class FlowStageBindingSerializer(ModelSerializer):
    stage_obj = StageSerializer(read_only=True, source="stage")
    def validate(self, attrs: dict[str, Any]) -> dict[str, Any]:
        evaluate_on_plan = attrs.get("evaluate_on_plan", False)
        re_evaluate_policies = attrs.get("re_evaluate_policies", True)
        if not evaluate_on_plan and not re_evaluate_policies:
            raise ValidationError("Either evaluation on plan or evaluation on run must be enabled")
        return super().validate(attrs)
    class Meta:
        model = FlowStageBinding
        fields = [
--- a/authentik/flows/api/flows_diagram.py
+++ b/authentik/flows/api/flows_diagram.py
@ -8,7 +8,7 @@ from rest_framework.serializers import CharField
 from authentik.core.api.utils import PassiveSerializer
 from authentik.core.models import User
-from authentik.flows.models import Flow, FlowStageBinding
+from authentik.flows.models import Flow, FlowAuthenticationRequirement, FlowStageBinding
@dataclass
@ -160,12 +160,37 @@ class FlowDiagram:
            )
        return stages + elements
    def get_flow_auth_requirement(self) -> list[DiagramElement]:
        """Get flow authentication requirement"""
        end_el = DiagramElement(
            "done",
            _("End of the flow"),
            _("Requirement not fulfilled"),
            style=["[[", "]]"],
        )
        elements = []
        if self.flow.authentication == FlowAuthenticationRequirement.NONE:
            return []
        auth = DiagramElement(
            "flow_auth_requirement",
            _("Flow authentication requirement") + "\n" + self.flow.authentication,
        )
        elements.append(auth)
        end_el.source = [auth]
        elements.append(end_el)
        elements.append(
            DiagramElement("flow_start", "placeholder", _("Requirement fulfilled"), source=[auth])
        )
        return elements
    def build(self) -> str:
        """Build flowchart"""
        all_elements = [
            "graph TD",
        ]
        all_elements.extend(self.get_flow_auth_requirement())
        pre_flow_policies_element = DiagramElement(
            "flow_pre", _("Pre-flow policies"), style=["[[", "]]"]
        )
@ -179,6 +204,7 @@ class FlowDiagram:
                    _("End of the flow"),
                    _("Policy denied"),
                    flow_policies,
                    style=["[[", "]]"],
                )
            )
--- a/authentik/flows/migrations/0025_alter_flowstagebinding_evaluate_on_plan_and_more.py
+++ b/authentik/flows/migrations/0025_alter_flowstagebinding_evaluate_on_plan_and_more.py
@ -0,0 +1,26 @@
 # Generated by Django 4.1.7 on 2023-02-25 15:51
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_flows", "0024_flow_authentication"),
    ]
    operations = [
        migrations.AlterField(
            model_name="flowstagebinding",
            name="evaluate_on_plan",
            field=models.BooleanField(
                default=False, help_text="Evaluate policies during the Flow planning process."
            ),
        ),
        migrations.AlterField(
            model_name="flowstagebinding",
            name="re_evaluate_policies",
            field=models.BooleanField(
                default=True, help_text="Evaluate policies when the Stage is present to the user."
            ),
        ),
    ]
--- a/authentik/flows/models.py
+++ b/authentik/flows/models.py
@ -211,14 +211,11 @@ class FlowStageBinding(SerializerModel, PolicyBindingModel):
    stage = InheritanceForeignKey(Stage, on_delete=models.CASCADE)
    evaluate_on_plan = models.BooleanField(
-        default=True,
+        default=False,
-        help_text=_(
+        help_text=_("Evaluate policies during the Flow planning process."),
            "Evaluate policies during the Flow planning process. "
            "Disable this for input-based policies."
        ),
    )
    re_evaluate_policies = models.BooleanField(
-        default=False,
+        default=True,
        help_text=_("Evaluate policies when the Stage is present to the user."),
    )
--- a/authentik/flows/planner.py
+++ b/authentik/flows/planner.py
@ -147,7 +147,6 @@ class FlowPlanner:
    ) -> FlowPlan:
        """Check each of the flows' policies, check policies for each stage with PolicyBinding
        and return ordered list"""
        self._check_authentication(request)
        with Hub.current.start_span(
            op="authentik.flow.planner.plan", description=self.flow.slug
        ) as span:
@ -165,6 +164,12 @@ class FlowPlanner:
                user = default_context[PLAN_CONTEXT_PENDING_USER]
            else:
                user = request.user
                # We only need to check the flow authentication if it's planned without a user
                # in the context, as a user in the context can only be set via the explicit code API
                # or if a flow is restarted due to `invalid_response_action` being set to
                # `restart_with_context`, which can only happen if the user was already authorized
                # to use the flow
                self._check_authentication(request)
            # First off, check the flow's direct policy bindings
            # to make sure the user even has access to the flow
            engine = PolicyEngine(self.flow, user, request)
@ -261,7 +266,6 @@ class FlowPlanner:
                    marker = ReevaluateMarker(binding=binding)
                if stage:
                    plan.append(binding, marker)
            HIST_FLOWS_PLAN_TIME.labels(flow_slug=self.flow.slug)
        self._logger.debug(
            "f(plan): finished building",
        )
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -7,6 +7,7 @@ from django.http.request import QueryDict
 from django.http.response import HttpResponse
 from django.urls import reverse
 from django.views.generic.base import View
 from prometheus_client import Histogram
 from rest_framework.request import Request
 from sentry_sdk.hub import Hub
 from structlog.stdlib import BoundLogger, get_logger
@ -31,6 +32,11 @@ if TYPE_CHECKING:
    from authentik.flows.views.executor import FlowExecutorView
 PLAN_CONTEXT_PENDING_USER_IDENTIFIER = "pending_user_identifier"
 HIST_FLOWS_STAGE_TIME = Histogram(
    "authentik_flows_stage_time",
    "Duration taken by different parts of stages",
    ["stage_type", "method"],
 )
 class StageView(View):
@ -109,14 +115,24 @@ class ChallengeStageView(StageView):
                    keep_context=keep_context,
                )
                return self.executor.restart_flow(keep_context)
-            with Hub.current.start_span(
+            with (
                Hub.current.start_span(
                    op="authentik.flow.stage.challenge_invalid",
                    description=self.__class__.__name__,
                ),
                HIST_FLOWS_STAGE_TIME.labels(
                    stage_type=self.__class__.__name__, method="challenge_invalid"
                ).time(),
            ):
                return self.challenge_invalid(challenge)
-        with Hub.current.start_span(
+        with (
            Hub.current.start_span(
                op="authentik.flow.stage.challenge_valid",
                description=self.__class__.__name__,
            ),
            HIST_FLOWS_STAGE_TIME.labels(
                stage_type=self.__class__.__name__, method="challenge_valid"
            ).time(),
        ):
            return self.challenge_valid(challenge)
@ -135,9 +151,14 @@ class ChallengeStageView(StageView):
            return self.executor.flow.title
    def _get_challenge(self, *args, **kwargs) -> Challenge:
-        with Hub.current.start_span(
+        with (
            Hub.current.start_span(
                op="authentik.flow.stage.get_challenge",
                description=self.__class__.__name__,
            ),
            HIST_FLOWS_STAGE_TIME.labels(
                stage_type=self.__class__.__name__, method="get_challenge"
            ).time(),
        ):
            challenge = self.get_challenge(*args, **kwargs)
        with Hub.current.start_span(
@ -210,7 +231,7 @@ class AccessDeniedChallengeView(ChallengeStageView):
    def get_challenge(self, *args, **kwargs) -> Challenge:
        return AccessDeniedChallenge(
            data={
-                "error_message": self.error_message or "Unknown error",
+                "error_message": str(self.error_message or "Unknown error"),
                "type": ChallengeTypes.NATIVE.value,
                "component": "ak-stage-access-denied",
            }
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@ -162,7 +162,7 @@ class FlowExecutorView(APIView):
            token.delete()
        if not isinstance(plan, FlowPlan):
            return None
-        plan.context[PLAN_CONTEXT_IS_RESTORED] = True
+        plan.context[PLAN_CONTEXT_IS_RESTORED] = token
        self._logger.debug("f(exec): restored flow plan from token", plan=plan)
        return plan
@ -561,9 +561,13 @@ class ConfigureFlowInitView(LoginRequiredMixin, View):
            LOGGER.debug("Stage has no configure_flow set", stage=stage)
            raise Http404
        try:
            plan = FlowPlanner(stage.configure_flow).plan(
                request, {PLAN_CONTEXT_PENDING_USER: request.user}
            )
        except FlowNonApplicableException:
            LOGGER.warning("Flow not applicable to user")
            raise Http404
        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
            "authentik_core:if-flow",
--- a/authentik/lib/avatars.py
+++ b/authentik/lib/avatars.py
@ -1,10 +1,11 @@
 """Avatar utils"""
 from base64 import b64encode
-from functools import cache
+from functools import cache as funccache
 from hashlib import md5
 from typing import TYPE_CHECKING, Optional
 from urllib.parse import urlencode
 from django.core.cache import cache
 from django.templatetags.static import static
 from lxml import etree  # nosec
 from lxml.etree import Element, SubElement  # nosec
@ -15,6 +16,7 @@ from authentik.lib.utils.http import get_http_session
 GRAVATAR_URL = "https://secure.gravatar.com"
 DEFAULT_AVATAR = static("dist/assets/images/user_default.png")
 CACHE_KEY_GRAVATAR = "goauthentik.io/lib/avatars/"
 if TYPE_CHECKING:
    from authentik.core.models import User
@ -50,22 +52,24 @@ def avatar_mode_gravatar(user: "User", mode: str) -> Optional[str]:
    parameters = [("size", "158"), ("rating", "g"), ("default", "404")]
    gravatar_url = f"{GRAVATAR_URL}/avatar/{mail_hash}?{urlencode(parameters, doseq=True)}"
-    @cache
+    full_key = CACHE_KEY_GRAVATAR + mail_hash
-    def check_non_default(url: str):
+    if cache.has_key(full_key):
-        """Cache HEAD check, based on URL"""
+        cache.touch(full_key)
        return cache.get(full_key)
    try:
        # Since we specify a default of 404, do a HEAD request
        # (HEAD since we don't need the body)
        # so if that returns a 404, move onto the next mode
-            res = get_http_session().head(url, timeout=5)
+        res = get_http_session().head(gravatar_url, timeout=5)
        if res.status_code == 404:
            cache.set(full_key, None)
            return None
        res.raise_for_status()
    except RequestException:
-            return url
+        return gravatar_url
-        return url
+    cache.set(full_key, gravatar_url)
-
+    return gravatar_url
    return check_non_default(gravatar_url)
 def generate_colors(text: str) -> tuple[str, str]:
@ -83,10 +87,10 @@ def generate_colors(text: str) -> tuple[str, str]:
    return bg_hex, text_hex
-@cache
+@funccache
 # pylint: disable=too-many-arguments,too-many-locals
 def generate_avatar_from_name(
-    user: "User",
+    name: str,
    length: int = 2,
    size: int = 64,
    rounded: bool = False,
@ -98,8 +102,6 @@ def generate_avatar_from_name(
    Inspired from: https://github.com/LasseRafn/ui-avatars
    """
    name = user.name if user.name != "" else "a k"
    name_parts = name.split()
    # Only abbreviate first and last name
    if len(name_parts) > 2:
@ -152,7 +154,7 @@ def generate_avatar_from_name(
 def avatar_mode_generated(user: "User", mode: str) -> Optional[str]:
    """Wrapper that converts generated avatar to base64 svg"""
-    svg = generate_avatar_from_name(user)
+    svg = generate_avatar_from_name(user.name if user.name.strip() != "" else "a k")
    return f"data:image/svg+xml;base64,{b64encode(svg.encode('utf-8')).decode('utf-8')}"
--- a/authentik/lib/expression/evaluator.py
+++ b/authentik/lib/expression/evaluator.py
@ -1,9 +1,11 @@
 """authentik expression policy evaluator"""
 import re
 import socket
 from ipaddress import ip_address, ip_network
 from textwrap import indent
 from typing import Any, Iterable, Optional
 from cachetools import TLRUCache, cached
 from django.core.exceptions import FieldError
 from django_otp import devices_for_user
 from rest_framework.serializers import ValidationError
@ -41,6 +43,8 @@ class BaseEvaluator:
            "ak_is_group_member": BaseEvaluator.expr_is_group_member,
            "ak_user_by": BaseEvaluator.expr_user_by,
            "ak_user_has_authenticator": BaseEvaluator.expr_func_user_has_authenticator,
            "resolve_dns": BaseEvaluator.expr_resolve_dns,
            "reverse_dns": BaseEvaluator.expr_reverse_dns,
            "ak_create_event": self.expr_event_create,
            "ak_logger": get_logger(self._filename).bind(),
            "requests": get_http_session(),
@ -49,6 +53,39 @@ class BaseEvaluator:
        }
        self._context = {}
    @cached(cache=TLRUCache(maxsize=32, ttu=lambda key, value, now: now + 180))
    @staticmethod
    def expr_resolve_dns(host: str, ip_version: Optional[int] = None) -> list[str]:
        """Resolve host to a list of IPv4 and/or IPv6 addresses."""
        # Although it seems to be fine (raising OSError), docs warn
        # against passing `None` for both the host and the port
        # https://docs.python.org/3/library/socket.html#socket.getaddrinfo
        host = host or ""
        ip_list = []
        family = 0
        if ip_version == 4:
            family = socket.AF_INET
        if ip_version == 6:
            family = socket.AF_INET6
        try:
            for ip_addr in socket.getaddrinfo(host, None, family=family):
                ip_list.append(str(ip_addr[4][0]))
        except OSError:
            pass
        return list(set(ip_list))
    @cached(cache=TLRUCache(maxsize=32, ttu=lambda key, value, now: now + 180))
    @staticmethod
    def expr_reverse_dns(ip_addr: str) -> str:
        """Perform a reverse DNS lookup."""
        try:
            return socket.getfqdn(ip_addr)
        except OSError:
            return ip_addr
    @staticmethod
    def expr_flatten(value: list[Any] | Any) -> Optional[Any]:
        """Flatten `value` if its a list"""
--- a/authentik/lib/migrations.py
+++ b/authentik/lib/migrations.py
@ -0,0 +1,58 @@
 """Migration helpers"""
 from typing import Iterable
 from django.apps.registry import Apps
 from django.db.backends.base.schema import BaseDatabaseSchemaEditor
 def fallback_names(app: str, model: str, field: str):
    """Factory function that checks all instances of `app`.`model` instance's `field`
    to prevent any duplicates"""
    def migrator(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
        db_alias = schema_editor.connection.alias
        klass = apps.get_model(app, model)
        seen_names = []
        for obj in klass.objects.using(db_alias).all():
            value = getattr(obj, field)
            if value not in seen_names:
                seen_names.append(value)
                continue
            new_value = value + "_2"
            setattr(obj, field, new_value)
            obj.save()
    return migrator
 def progress_bar(iterable: Iterable):
    """Call in a loop to create terminal progress bar
    https://stackoverflow.com/questions/3173320/text-progress-bar-in-the-console"""
    prefix = "Writing: "
    suffix = " finished"
    decimals = 1
    length = 100
    fill = "█"
    print_end = "\r"
    total = len(iterable)
    if total < 1:
        return
    def print_progress_bar(iteration):
        """Progress Bar Printing Function"""
        percent = ("{0:." + str(decimals) + "f}").format(100 * (iteration / float(total)))
        filled_length = int(length * iteration // total)
        bar = fill * filled_length + "-" * (length - filled_length)
        print(f"\r{prefix} |{bar}| {percent}% {suffix}", end=print_end)
    # Initial Call
    print_progress_bar(0)
    # Update Progress Bar
    for i, item in enumerate(iterable):
        yield item
        print_progress_bar(i + 1)
    # Print New Line on Complete
    print()
--- a/authentik/lib/models.py
+++ b/authentik/lib/models.py
@ -74,3 +74,22 @@ class DomainlessURLValidator(URLValidator):
        if scheme not in self.schemes:
            value = "default" + value
        super().__call__(value)
 class DomainlessFormattedURLValidator(DomainlessURLValidator):
    """URL validator which allows for python format strings"""
    def __init__(self, *args, **kwargs) -> None:
        super().__init__(*args, **kwargs)
        self.formatter_re = r"([%\(\)a-zA-Z])*"
        self.host_re = "(" + self.formatter_re + self.hostname_re + self.domain_re + "|localhost)"
        self.regex = _lazy_re_compile(
            r"^(?:[a-z0-9.+-]*)://"  # scheme is validated separately
            r"(?:[^\s:@/]+(?::[^\s:@/]*)?@)?"  # user:pass authentication
            r"(?:" + self.ipv4_re + "|" + self.ipv6_re + "|" + self.host_re + ")"
            r"(?::\d{2,5})?"  # port
            r"(?:[/?#][^\s]*)?"  # resource path
            r"\Z",
            re.IGNORECASE,
        )
        self.schemes = ["http", "https", "blank"] + list(self.schemes)
--- a/authentik/lib/sentry.py
+++ b/authentik/lib/sentry.py
@ -4,7 +4,6 @@ from typing import Any, Optional
 from billiard.exceptions import SoftTimeLimitExceeded, WorkerLostError
 from celery.exceptions import CeleryError
 from channels.middleware import BaseMiddleware
 from channels_redis.core import ChannelFull
 from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured, SuspiciousOperation, ValidationError
@ -17,37 +16,24 @@ from ldap3.core.exceptions import LDAPException
 from redis.exceptions import ConnectionError as RedisConnectionError
 from redis.exceptions import RedisError, ResponseError
 from rest_framework.exceptions import APIException
-from sentry_sdk import HttpTransport, Hub
+from sentry_sdk import HttpTransport
 from sentry_sdk import init as sentry_sdk_init
 from sentry_sdk.api import set_tag
 from sentry_sdk.integrations.celery import CeleryIntegration
 from sentry_sdk.integrations.django import DjangoIntegration
 from sentry_sdk.integrations.redis import RedisIntegration
 from sentry_sdk.integrations.threading import ThreadingIntegration
 from sentry_sdk.tracing import Transaction
 from structlog.stdlib import get_logger
 from websockets.exceptions import WebSocketException
 from authentik import __version__, get_build_hash
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.http import authentik_user_agent
-from authentik.lib.utils.reflection import class_to_path, get_env
+from authentik.lib.utils.reflection import get_env
 LOGGER = get_logger()
 class SentryWSMiddleware(BaseMiddleware):
    """Sentry Websocket middleweare to set the transaction name based on
    consumer class path"""
    async def __call__(self, scope, receive, send):
        transaction: Optional[Transaction] = Hub.current.scope.transaction
        class_path = class_to_path(self.inner.consumer_class)
        if transaction:
            transaction.name = class_path
        return await self.inner(scope, receive, send)
 class SentryIgnoredException(Exception):
    """Base Class for all errors that are suppressed, and not sent to sentry."""
@ -94,9 +80,12 @@ def sentry_init(**sentry_init_kwargs):
 def traces_sampler(sampling_context: dict) -> float:
    """Custom sampler to ignore certain routes"""
    path = sampling_context.get("asgi_scope", {}).get("path", "")
    _type = sampling_context.get("asgi_scope", {}).get("type", "")
    # Ignore all healthcheck routes
    if path.startswith("/-/health") or path.startswith("/-/metrics"):
        return 0
    if _type == "websocket":
        return 0
    return float(CONFIG.y("error_reporting.sample_rate", 0.1))
--- a/authentik/lib/tests/utils.py
+++ b/authentik/lib/tests/utils.py
@ -1,4 +1,7 @@
 """Test utils"""
 from inspect import currentframe
 from pathlib import Path
 from django.contrib.messages.middleware import MessageMiddleware
 from django.contrib.sessions.middleware import SessionMiddleware
 from django.http import HttpRequest
@ -11,6 +14,21 @@ def dummy_get_response(request: HttpRequest):  # pragma: no cover
    return None
 def load_fixture(path: str, **kwargs) -> str:
    """Load fixture, optionally formatting it with kwargs"""
    current = currentframe()
    parent = current.f_back
    calling_file_path = parent.f_globals["__file__"]
    with open(
        Path(calling_file_path).resolve().parent / Path(path), "r", encoding="utf-8"
    ) as _fixture:
        fixture = _fixture.read()
        try:
            return fixture % kwargs
        except TypeError:
            return fixture
 def get_request(*args, user=None, **kwargs):
    """Get a request with usable session"""
    request = RequestFactory().get(*args, **kwargs)
--- a/authentik/lib/utils/http.py
+++ b/authentik/lib/utils/http.py
@ -38,13 +38,17 @@ def _get_outpost_override_ip(request: HttpRequest) -> Optional[str]:
    if OUTPOST_REMOTE_IP_HEADER not in request.META or OUTPOST_TOKEN_HEADER not in request.META:
        return None
    fake_ip = request.META[OUTPOST_REMOTE_IP_HEADER]
-    tokens = Token.filter_not_expired(
+    token = (
        Token.filter_not_expired(
            key=request.META.get(OUTPOST_TOKEN_HEADER), intent=TokenIntents.INTENT_API
        )
-    if not tokens.exists():
+        .select_related("user")
        .first()
    )
    if not token:
        LOGGER.warning("Attempted remote-ip override without token", fake_ip=fake_ip)
        return None
-    user = tokens.first().user
+    user = token.user
    if not user.group_attributes(request).get(USER_ATTRIBUTE_CAN_OVERRIDE_IP, False):
        LOGGER.warning(
            "Remote-IP override: user doesn't have permission",
--- a/authentik/lib/xml.py
+++ b/authentik/lib/xml.py
@ -9,4 +9,4 @@ def get_lxml_parser():
 def lxml_from_string(text: str):
    """Wrapper around fromstring"""
-    return fromstring(text, parser=get_lxml_parser())
+    return fromstring(text, parser=get_lxml_parser())  # nosec
--- a/authentik/outposts/controllers/k8s/base.py
+++ b/authentik/outposts/controllers/k8s/base.py
@ -16,7 +16,6 @@ from authentik.outposts.controllers.k8s.triggers import NeedsRecreate, NeedsUpda
 if TYPE_CHECKING:
    from authentik.outposts.controllers.kubernetes import KubernetesController
 # pylint: disable=invalid-name
 T = TypeVar("T", V1Pod, V1Deployment)
@ -56,6 +55,7 @@ class KubernetesObjectReconciler(Generic[T]):
            }
        ).lower()
    # pylint: disable=invalid-name
    def up(self):
        """Create object if it doesn't exist, update if needed or recreate if needed."""
        current = None
--- a/authentik/outposts/migrations/0019_alter_outpost_name_and_more.py
+++ b/authentik/outposts/migrations/0019_alter_outpost_name_and_more.py
@ -0,0 +1,28 @@
 # Generated by Django 4.1.7 on 2023-03-07 13:41
 from django.db import migrations, models
 from authentik.lib.migrations import fallback_names
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_outposts", "0018_kubernetesserviceconnection_verify_ssl"),
    ]
    operations = [
        migrations.RunPython(fallback_names("authentik_outposts", "outpost", "name")),
        migrations.RunPython(
            fallback_names("authentik_outposts", "outpostserviceconnection", "name")
        ),
        migrations.AlterField(
            model_name="outpost",
            name="name",
            field=models.TextField(unique=True),
        ),
        migrations.AlterField(
            model_name="outpostserviceconnection",
            name="name",
            field=models.TextField(unique=True),
        ),
    ]
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -113,7 +113,7 @@ class OutpostServiceConnection(models.Model):
    """Connection details for an Outpost Controller, like Docker or Kubernetes"""
    uuid = models.UUIDField(default=uuid4, editable=False, primary_key=True)
-    name = models.TextField()
+    name = models.TextField(unique=True)
    local = models.BooleanField(
        default=False,
@ -239,7 +239,7 @@ class Outpost(SerializerModel, ManagedModel):
    """Outpost instance which manages a service user and token"""
    uuid = models.UUIDField(default=uuid4, editable=False, primary_key=True)
-    name = models.TextField()
+    name = models.TextField(unique=True)
    type = models.TextField(choices=OutpostType.choices, default=OutpostType.PROXY)
    service_connection = InheritanceForeignKey(
--- a/authentik/outposts/settings.py
+++ b/authentik/outposts/settings.py
@ -19,9 +19,9 @@ CELERY_BEAT_SCHEDULE = {
        "schedule": crontab(minute=fqdn_rand("outpost_token_ensurer"), hour="*/8"),
        "options": {"queue": "authentik_scheduled"},
    },
-    "outpost_local_connection": {
+    "outpost_connection_discovery": {
-        "task": "authentik.outposts.tasks.outpost_local_connection",
+        "task": "authentik.outposts.tasks.outpost_connection_discovery",
-        "schedule": crontab(minute=fqdn_rand("outpost_local_connection"), hour="*/8"),
+        "schedule": crontab(minute=fqdn_rand("outpost_connection_discovery"), hour="*/8"),
        "options": {"queue": "authentik_scheduled"},
    },
 }
--- a/authentik/outposts/tasks.py
+++ b/authentik/outposts/tasks.py
@ -7,7 +7,6 @@ from urllib.parse import urlparse
 import yaml
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.core.cache import cache
 from django.db import DatabaseError, InternalError, ProgrammingError
 from django.db.models.base import Model
@ -43,6 +42,7 @@ from authentik.providers.ldap.controllers.kubernetes import LDAPKubernetesContro
 from authentik.providers.proxy.controllers.docker import ProxyDockerController
 from authentik.providers.proxy.controllers.kubernetes import ProxyKubernetesController
 from authentik.root.celery import CELERY_APP
 from authentik.root.messages.storage import closing_send
 LOGGER = get_logger()
 CACHE_KEY_OUTPOST_DOWN = "outpost_teardown_%s"
@ -217,50 +217,52 @@ def outpost_post_save(model_class: str, model_pk: Any):
 def outpost_send_update(model_instace: Model):
    """Send outpost update to all registered outposts, regardless to which authentik
    instance they are connected"""
    channel_layer = get_channel_layer()
    if isinstance(model_instace, OutpostModel):
        for outpost in model_instace.outpost_set.all():
-            _outpost_single_update(outpost, channel_layer)
+            _outpost_single_update(outpost)
    elif isinstance(model_instace, Outpost):
-        _outpost_single_update(model_instace, channel_layer)
+        _outpost_single_update(model_instace)
-def _outpost_single_update(outpost: Outpost, layer=None):
+def _outpost_single_update(outpost: Outpost):
    """Update outpost instances connected to a single outpost"""
    # Ensure token again, because this function is called when anything related to an
    # OutpostModel is saved, so we can be sure permissions are right
    _ = outpost.token
    outpost.build_user_permissions(outpost.user)
    if not layer:  # pragma: no cover
        layer = get_channel_layer()
    for state in OutpostState.for_outpost(outpost):
        for channel in state.channel_ids:
            LOGGER.debug("sending update", channel=channel, instance=state.uid, outpost=outpost)
-            async_to_sync(layer.send)(channel, {"type": "event.update"})
+            async_to_sync(closing_send)(channel, {"type": "event.update"})
-@CELERY_APP.task()
+@CELERY_APP.task(
-def outpost_local_connection():
+    base=MonitoredTask,
    bind=True,
 )
 def outpost_connection_discovery(self: MonitoredTask):
    """Checks the local environment and create Service connections."""
    status = TaskResult(TaskResultStatus.SUCCESSFUL)
    if not CONFIG.y_bool("outposts.discover"):
-        LOGGER.info("Outpost integration discovery is disabled")
+        status.messages.append("Outpost integration discovery is disabled")
        self.set_status(status)
        return
    # Explicitly check against token filename, as that's
    # only present when the integration is enabled
    if Path(SERVICE_TOKEN_FILENAME).exists():
-        LOGGER.info("Detected in-cluster Kubernetes Config")
+        status.messages.append("Detected in-cluster Kubernetes Config")
        if not KubernetesServiceConnection.objects.filter(local=True).exists():
-            LOGGER.debug("Created Service Connection for in-cluster")
+            status.messages.append("Created Service Connection for in-cluster")
            KubernetesServiceConnection.objects.create(
                name="Local Kubernetes Cluster", local=True, kubeconfig={}
            )
    # For development, check for the existence of a kubeconfig file
    kubeconfig_path = Path(KUBE_CONFIG_DEFAULT_LOCATION).expanduser()
    if kubeconfig_path.exists():
-        LOGGER.info("Detected kubeconfig")
+        status.messages.append("Detected kubeconfig")
        kubeconfig_local_name = f"k8s-{gethostname()}"
        if not KubernetesServiceConnection.objects.filter(name=kubeconfig_local_name).exists():
-            LOGGER.debug("Creating kubeconfig Service Connection")
+            status.messages.append("Creating kubeconfig Service Connection")
            with kubeconfig_path.open("r", encoding="utf8") as _kubeconfig:
                KubernetesServiceConnection.objects.create(
                    name=kubeconfig_local_name,
@ -269,11 +271,12 @@ def outpost_local_connection():
    unix_socket_path = urlparse(DEFAULT_UNIX_SOCKET).path
    socket = Path(unix_socket_path)
    if socket.exists() and access(socket, R_OK):
-        LOGGER.info("Detected local docker socket")
+        status.messages.append("Detected local docker socket")
        if len(DockerServiceConnection.objects.filter(local=True)) == 0:
-            LOGGER.debug("Created Service Connection for docker")
+            status.messages.append("Created Service Connection for docker")
            DockerServiceConnection.objects.create(
                name="Local Docker connection",
                local=True,
                url=unix_socket_path,
            )
    self.set_status(status)
--- a/authentik/outposts/tests/test_api.py
+++ b/authentik/outposts/tests/test_api.py
@ -4,6 +4,7 @@ from rest_framework.test import APITestCase
 from authentik.core.models import PropertyMapping
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.api.outposts import OutpostSerializer
 from authentik.outposts.models import OutpostType, default_outpost_config
 from authentik.providers.ldap.models import LDAPProvider
@ -16,7 +17,7 @@ class TestOutpostServiceConnectionsAPI(APITestCase):
    def setUp(self) -> None:
        super().setUp()
        self.mapping = PropertyMapping.objects.create(
-            name="dummy", expression="""return {'foo': 'bar'}"""
+            name=generate_id(), expression="""return {'foo': 'bar'}"""
        )
        self.user = create_test_admin_user()
        self.client.force_login(self.user)
@ -25,12 +26,12 @@ class TestOutpostServiceConnectionsAPI(APITestCase):
        """Test Outpost validation"""
        valid = OutpostSerializer(
            data={
-                "name": "foo",
+                "name": generate_id(),
                "type": OutpostType.PROXY,
                "config": default_outpost_config(),
                "providers": [
                    ProxyProvider.objects.create(
-                        name="test", authorization_flow=create_test_flow()
+                        name=generate_id(), authorization_flow=create_test_flow()
                    ).pk
                ],
            }
@ -38,12 +39,12 @@ class TestOutpostServiceConnectionsAPI(APITestCase):
        self.assertTrue(valid.is_valid())
        invalid = OutpostSerializer(
            data={
-                "name": "foo",
+                "name": generate_id(),
                "type": OutpostType.PROXY,
                "config": default_outpost_config(),
                "providers": [
                    LDAPProvider.objects.create(
-                        name="test", authorization_flow=create_test_flow()
+                        name=generate_id(), authorization_flow=create_test_flow()
                    ).pk
                ],
            }
@ -60,15 +61,19 @@ class TestOutpostServiceConnectionsAPI(APITestCase):
    def test_outpost_config(self):
        """Test Outpost's config field"""
-        provider = ProxyProvider.objects.create(name="test", authorization_flow=create_test_flow())
+        provider = ProxyProvider.objects.create(
-        invalid = OutpostSerializer(data={"name": "foo", "providers": [provider.pk], "config": ""})
+            name=generate_id(), authorization_flow=create_test_flow()
        )
        invalid = OutpostSerializer(
            data={"name": generate_id(), "providers": [provider.pk], "config": ""}
        )
        self.assertFalse(invalid.is_valid())
        self.assertIn("config", invalid.errors)
        valid = OutpostSerializer(
            data={
-                "name": "foo",
+                "name": generate_id(),
                "providers": [provider.pk],
-                "config": default_outpost_config("foo"),
+                "config": default_outpost_config(generate_id()),
                "type": OutpostType.PROXY,
            }
        )
--- a/authentik/policies/apps.py
+++ b/authentik/policies/apps.py
@ -7,11 +7,6 @@ GAUGE_POLICIES_CACHED = Gauge(
    "authentik_policies_cached",
    "Cached Policies",
 )
 HIST_POLICIES_BUILD_TIME = Histogram(
    "authentik_policies_build_time",
    "Execution times complete policy result to an object",
    ["object_pk", "object_type"],
 )
 HIST_POLICIES_EXECUTION_TIME = Histogram(
    "authentik_policies_execution_time",
--- a/authentik/policies/engine.py
+++ b/authentik/policies/engine.py
@ -10,7 +10,6 @@ from sentry_sdk.tracing import Span
 from structlog.stdlib import BoundLogger, get_logger
 from authentik.core.models import User
 from authentik.policies.apps import HIST_POLICIES_BUILD_TIME
 from authentik.policies.exceptions import PolicyEngineException
 from authentik.policies.models import Policy, PolicyBinding, PolicyBindingModel, PolicyEngineMode
 from authentik.policies.process import PolicyProcess, cache_key
@ -86,10 +85,6 @@ class PolicyEngine:
                op="authentik.policy.engine.build",
                description=self.__pbm,
            ) as span,
            HIST_POLICIES_BUILD_TIME.labels(
                object_pk=str(self.__pbm.pk),
                object_type=f"{self.__pbm._meta.app_label}.{self.__pbm._meta.model_name}",
            ).time(),
        ):
            span: Span
            span.set_data("pbm", self.__pbm)
--- a/authentik/policies/migrations/0010_alter_policy_name.py
+++ b/authentik/policies/migrations/0010_alter_policy_name.py
@ -0,0 +1,20 @@
 # Generated by Django 4.1.7 on 2023-03-07 13:41
 from django.db import migrations, models
 from authentik.lib.migrations import fallback_names
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_policies", "0009_alter_policy_name"),
    ]
    operations = [
        migrations.RunPython(fallback_names("authentik_policies", "policy", "name")),
        migrations.AlterField(
            model_name="policy",
            name="name",
            field=models.TextField(unique=True),
        ),
    ]
--- a/authentik/policies/models.py
+++ b/authentik/policies/models.py
@ -158,7 +158,7 @@ class Policy(SerializerModel, CreatedUpdatedModel):
    policy_uuid = models.UUIDField(primary_key=True, editable=False, default=uuid4)
-    name = models.TextField()
+    name = models.TextField(unique=True)
    execution_logging = models.BooleanField(
        default=False,
--- a/authentik/policies/tests/test_engine.py
+++ b/authentik/policies/tests/test_engine.py
@ -2,7 +2,8 @@
 from django.core.cache import cache
 from django.test import TestCase
-from authentik.core.models import User
+from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.policies.dummy.models import DummyPolicy
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.exceptions import PolicyEngineException
@ -17,11 +18,17 @@ class TestPolicyEngine(TestCase):
    def setUp(self):
        clear_policy_cache()
-        self.user = User.objects.create_user(username="policyuser")
+        self.user = create_test_admin_user()
-        self.policy_false = DummyPolicy.objects.create(result=False, wait_min=0, wait_max=1)
+        self.policy_false = DummyPolicy.objects.create(
-        self.policy_true = DummyPolicy.objects.create(result=True, wait_min=0, wait_max=1)
+            name=generate_id(), result=False, wait_min=0, wait_max=1
-        self.policy_wrong_type = Policy.objects.create(name="wrong_type")
+        )
-        self.policy_raises = ExpressionPolicy.objects.create(name="raises", expression="{{ 0/0 }}")
+        self.policy_true = DummyPolicy.objects.create(
            name=generate_id(), result=True, wait_min=0, wait_max=1
        )
        self.policy_wrong_type = Policy.objects.create(name=generate_id())
        self.policy_raises = ExpressionPolicy.objects.create(
            name=generate_id(), expression="{{ 0/0 }}"
        )
    def test_engine_empty(self):
        """Ensure empty policy list passes"""
--- a/authentik/providers/ldap/api.py
+++ b/authentik/providers/ldap/api.py
@ -26,6 +26,7 @@ class LDAPProviderSerializer(ProviderSerializer):
            "search_mode",
            "bind_mode",
        ]
        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
 class LDAPProviderViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/providers/oauth2/api/providers.py
+++ b/authentik/providers/oauth2/api/providers.py
@ -1,5 +1,6 @@
 """OAuth2Provider API Views"""
 from django.urls import reverse
 from django.utils import timezone
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.fields import CharField
@ -38,6 +39,7 @@ class OAuth2ProviderSerializer(ProviderSerializer):
            "issuer_mode",
            "jwks_sources",
        ]
        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
 class OAuth2ProviderSetupURLs(PassiveSerializer):
@ -153,6 +155,7 @@ class OAuth2ProviderViewSet(UsedByMixin, ModelViewSet):
                user=request.user,
                provider=provider,
                _scope=" ".join(scope_names),
                auth_time=timezone.now(),
            ),
            request,
        )
--- a/authentik/providers/oauth2/errors.py
+++ b/authentik/providers/oauth2/errors.py
@ -141,15 +141,20 @@ class AuthorizeError(OAuth2Error):
        ),
    }
    # pylint: disable=too-many-arguments
    def __init__(
        self,
        redirect_uri: str,
        error: str,
        grant_type: str,
        state: str,
        description: Optional[str] = None,
    ):
        super().__init__()
        self.error = error
        if description:
            self.description = description
        else:
            self.description = self.errors[error]
        self.redirect_uri = redirect_uri
        self.grant_type = grant_type
@ -169,10 +174,12 @@ class AuthorizeError(OAuth2Error):
        # See:
        # http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthError
-        hash_or_question = "#" if self.grant_type == GrantTypes.IMPLICIT else "?"
+        fragment_or_query = (
            "#" if self.grant_type in [GrantTypes.IMPLICIT, GrantTypes.HYBRID] else "?"
        )
        uri = (
-            f"{self.redirect_uri}{hash_or_question}error="
+            f"{self.redirect_uri}{fragment_or_query}error="
            f"{self.error}&error_description={description}"
        )
--- a/authentik/providers/oauth2/id_token.py
+++ b/authentik/providers/oauth2/id_token.py
@ -110,12 +110,11 @@ class IDToken:
        # Convert datetimes into timestamps.
        now = timezone.now()
        id_token.iat = int(now.timestamp())
        id_token.auth_time = int(token.auth_time.timestamp())
        # We use the timestamp of the user's last successful login (EventAction.LOGIN) for auth_time
        auth_event = get_login_event(request)
        if auth_event:
            auth_time = auth_event.created
            id_token.auth_time = int(auth_time.timestamp())
            # Also check which method was used for authentication
            method = auth_event.context.get(PLAN_CONTEXT_METHOD, "")
            method_args = auth_event.context.get(PLAN_CONTEXT_METHOD_ARGS, {})
--- a/authentik/providers/oauth2/migrations/0015_accesstoken_auth_time_authorizationcode_auth_time_and_more.py
+++ b/authentik/providers/oauth2/migrations/0015_accesstoken_auth_time_authorizationcode_auth_time_and_more.py
@ -0,0 +1,40 @@
 # Generated by Django 4.1.7 on 2023-02-22 22:23
 import django.utils.timezone
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ("authentik_providers_oauth2", "0014_alter_refreshtoken_options_and_more"),
    ]
    operations = [
        migrations.AddField(
            model_name="accesstoken",
            name="auth_time",
            field=models.DateTimeField(
                default=django.utils.timezone.now,
                verbose_name="Authentication time",
            ),
            preserve_default=False,
        ),
        migrations.AddField(
            model_name="authorizationcode",
            name="auth_time",
            field=models.DateTimeField(
                default=django.utils.timezone.now,
                verbose_name="Authentication time",
            ),
            preserve_default=False,
        ),
        migrations.AddField(
            model_name="refreshtoken",
            name="auth_time",
            field=models.DateTimeField(
                default=django.utils.timezone.now,
                verbose_name="Authentication time",
            ),
            preserve_default=False,
        ),
    ]
--- a/authentik/providers/oauth2/models.py
+++ b/authentik/providers/oauth2/models.py
@ -226,7 +226,7 @@ class OAuth2Provider(Provider):
    def get_issuer(self, request: HttpRequest) -> Optional[str]:
        """Get issuer, based on request"""
        if self.issuer_mode == IssuerMode.GLOBAL:
-            return request.build_absolute_uri("/")
+            return request.build_absolute_uri(reverse("authentik_core:root-redirect"))
        try:
            url = reverse(
                "authentik_providers_oauth2:provider-root",
@ -282,6 +282,7 @@ class BaseGrantModel(models.Model):
    user = models.ForeignKey(User, verbose_name=_("User"), on_delete=models.CASCADE)
    revoked = models.BooleanField(default=False)
    _scope = models.TextField(default="", verbose_name=_("Scopes"))
    auth_time = models.DateTimeField(verbose_name="Authentication time")
    @property
    def scope(self) -> list[str]:
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -204,6 +204,7 @@ class TestAuthorize(OAuthTestCase):
                "redirect_uri": "http://local.invalid/Foo",
                "scope": "openid",
                "state": "foo",
                "nonce": generate_id(),
            },
        )
        self.assertEqual(
@ -325,6 +326,7 @@ class TestAuthorize(OAuthTestCase):
                    "state": state,
                    "scope": "openid",
                    "redirect_uri": "http://localhost",
                    "nonce": generate_id(),
                },
            )
            response = self.client.get(
@ -353,6 +355,62 @@ class TestAuthorize(OAuthTestCase):
                delta=5,
            )
    def test_full_fragment_code(self):
        """Test full authorization"""
        flow = create_test_flow()
        provider: OAuth2Provider = OAuth2Provider.objects.create(
            name=generate_id(),
            client_id="test",
            client_secret=generate_key(),
            authorization_flow=flow,
            redirect_uris="http://localhost",
            signing_key=self.keypair,
        )
        Application.objects.create(name="app", slug="app", provider=provider)
        state = generate_id()
        user = create_test_admin_user()
        self.client.force_login(user)
        with patch(
            "authentik.providers.oauth2.id_token.get_login_event",
            MagicMock(
                return_value=Event(
                    action=EventAction.LOGIN,
                    context={PLAN_CONTEXT_METHOD: "password"},
                    created=now(),
                )
            ),
        ):
            # Step 1, initiate params and get redirect to flow
            self.client.get(
                reverse("authentik_providers_oauth2:authorize"),
                data={
                    "response_type": "code",
                    "response_mode": "fragment",
                    "client_id": "test",
                    "state": state,
                    "scope": "openid",
                    "redirect_uri": "http://localhost",
                    "nonce": generate_id(),
                },
            )
            response = self.client.get(
                reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug}),
            )
            code: AuthorizationCode = AuthorizationCode.objects.filter(user=user).first()
            self.assertJSONEqual(
                response.content.decode(),
                {
                    "component": "xak-flow-redirect",
                    "type": ChallengeTypes.REDIRECT.value,
                    "to": (f"http://localhost#code={code.code}" f"&state={state}"),
                },
            )
            self.assertAlmostEqual(
                code.expires.timestamp() - now().timestamp(),
                timedelta_from_string(provider.access_code_validity).total_seconds(),
                delta=5,
            )
    def test_full_form_post_id_token(self):
        """Test full authorization (form_post response)"""
        flow = create_test_flow()
@ -378,6 +436,7 @@ class TestAuthorize(OAuthTestCase):
                "state": state,
                "scope": "openid",
                "redirect_uri": "http://localhost",
                "nonce": generate_id(),
            },
        )
        response = self.client.get(
--- a/authentik/providers/oauth2/tests/test_introspect.py
+++ b/authentik/providers/oauth2/tests/test_introspect.py
@ -4,6 +4,7 @@ from base64 import b64encode
 from dataclasses import asdict
 from django.urls import reverse
 from django.utils import timezone
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
@ -41,6 +42,7 @@ class TesOAuth2Introspection(OAuthTestCase):
            provider=self.provider,
            user=self.user,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="openid user profile",
            _id_token=json.dumps(
                asdict(
@ -72,6 +74,7 @@ class TesOAuth2Introspection(OAuthTestCase):
            provider=self.provider,
            user=self.user,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="openid user profile",
            _id_token=json.dumps(
                asdict(
--- a/authentik/providers/oauth2/tests/test_revoke.py
+++ b/authentik/providers/oauth2/tests/test_revoke.py
@ -4,6 +4,7 @@ from base64 import b64encode
 from dataclasses import asdict
 from django.urls import reverse
 from django.utils import timezone
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_cert, create_test_flow
@ -40,6 +41,7 @@ class TesOAuth2Revoke(OAuthTestCase):
            provider=self.provider,
            user=self.user,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="openid user profile",
            _id_token=json.dumps(
                asdict(
@ -62,6 +64,7 @@ class TesOAuth2Revoke(OAuthTestCase):
            provider=self.provider,
            user=self.user,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="openid user profile",
            _id_token=json.dumps(
                asdict(
--- a/authentik/providers/oauth2/tests/test_token.py
+++ b/authentik/providers/oauth2/tests/test_token.py
@ -4,6 +4,7 @@ from json import dumps
 from django.test import RequestFactory
 from django.urls import reverse
 from django.utils import timezone
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
@ -45,7 +46,9 @@ class TestToken(OAuthTestCase):
        )
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
        user = create_test_admin_user()
-        code = AuthorizationCode.objects.create(code="foobar", provider=provider, user=user)
+        code = AuthorizationCode.objects.create(
            code="foobar", provider=provider, user=user, auth_time=timezone.now()
        )
        request = self.factory.post(
            "/",
            data={
@ -99,6 +102,7 @@ class TestToken(OAuthTestCase):
            provider=provider,
            user=user,
            token=generate_id(),
            auth_time=timezone.now(),
        )
        request = self.factory.post(
            "/",
@ -127,7 +131,9 @@ class TestToken(OAuthTestCase):
        self.app.save()
        header = b64encode(f"{provider.client_id}:{provider.client_secret}".encode()).decode()
        user = create_test_admin_user()
-        code = AuthorizationCode.objects.create(code="foobar", provider=provider, user=user)
+        code = AuthorizationCode.objects.create(
            code="foobar", provider=provider, user=user, auth_time=timezone.now()
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
            data={
@ -173,6 +179,7 @@ class TestToken(OAuthTestCase):
            user=user,
            token=generate_id(),
            _id_token=dumps({}),
            auth_time=timezone.now(),
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
@ -221,6 +228,7 @@ class TestToken(OAuthTestCase):
            user=user,
            token=generate_id(),
            _id_token=dumps({}),
            auth_time=timezone.now(),
        )
        response = self.client.post(
            reverse("authentik_providers_oauth2:token"),
@ -271,6 +279,7 @@ class TestToken(OAuthTestCase):
            user=user,
            token=generate_id(),
            _id_token=dumps({}),
            auth_time=timezone.now(),
        )
        # Create initial refresh token
        response = self.client.post(
--- a/authentik/providers/oauth2/tests/test_userinfo.py
+++ b/authentik/providers/oauth2/tests/test_userinfo.py
@ -3,6 +3,7 @@ import json
 from dataclasses import asdict
 from django.urls import reverse
 from django.utils import timezone
 from authentik.blueprints.tests import apply_blueprint
 from authentik.core.models import Application
@ -37,6 +38,7 @@ class TestUserinfo(OAuthTestCase):
            provider=self.provider,
            user=self.user,
            token=generate_id(),
            auth_time=timezone.now(),
            _scope="openid user profile",
            _id_token=json.dumps(
                asdict(
@ -56,7 +58,6 @@ class TestUserinfo(OAuthTestCase):
            {
                "name": self.user.name,
                "given_name": self.user.name,
                "family_name": "",
                "preferred_username": self.user.name,
                "nickname": self.user.name,
                "groups": [group.name for group in self.user.ak_groups.all()],
@ -79,7 +80,6 @@ class TestUserinfo(OAuthTestCase):
            {
                "name": self.user.name,
                "given_name": self.user.name,
                "family_name": "",
                "preferred_username": self.user.name,
                "nickname": self.user.name,
                "groups": [group.name for group in self.user.ak_groups.all()],
--- a/authentik/providers/oauth2/urls.py
+++ b/authentik/providers/oauth2/urls.py
@ -42,7 +42,7 @@ urlpatterns = [
    path("<slug:application_slug>/jwks/", JWKSView.as_view(), name="jwks"),
    path(
        "<slug:application_slug>/",
-        RedirectView.as_view(pattern_name="authentk_providers_oauth2:provider-info"),
+        RedirectView.as_view(pattern_name="authentik_providers_oauth2:provider-info"),
        name="provider-root",
    ),
    path(
--- a/authentik/providers/oauth2/utils.py
+++ b/authentik/providers/oauth2/utils.py
@ -146,9 +146,10 @@ def protected_resource_view(scopes: list[str]):
                    LOGGER.warning("Revoked token was used", access_token=access_token)
                    Event.new(
                        action=EventAction.SUSPICIOUS_REQUEST,
-                        message="Revoked refresh token was used",
+                        message="Revoked access token was used",
-                        token=access_token,
+                        token=token,
-                    ).from_http(request)
+                        provider=token.provider,
                    ).from_http(request, user=token.user)
                    raise BearerTokenError("invalid_token")
                if not set(scopes).issubset(set(token.scope)):
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -17,13 +17,14 @@ from structlog.stdlib import get_logger
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
-from authentik.events.utils import get_user
+from authentik.events.signals import get_login_event
 from authentik.flows.challenge import (
    PLAN_CONTEXT_TITLE,
    AutosubmitChallenge,
    ChallengeTypes,
    HttpChallengeResponse,
 )
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.stage import StageView
@ -64,12 +65,11 @@ from authentik.stages.consent.stage import (
    PLAN_CONTEXT_CONSENT_PERMISSIONS,
    ConsentStageView,
 )
 from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
 LOGGER = get_logger()
 PLAN_CONTEXT_PARAMS = "params"
-SESSION_KEY_NEEDS_LOGIN = "authentik/providers/oauth2/needs_login"
+SESSION_KEY_LAST_LOGIN_UID = "authentik/providers/oauth2/last_login_uid"
 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSENT, PROMPT_LOGIN}
@ -158,13 +158,14 @@ class OAuthAuthorizationParams:
            request=query_dict.get("request", None),
            max_age=int(max_age) if max_age else None,
            code_challenge=query_dict.get("code_challenge"),
-            code_challenge_method=query_dict.get("code_challenge_method"),
+            code_challenge_method=query_dict.get("code_challenge_method", "plain"),
        )
    def __post_init__(self):
-        try:
+        self.provider: OAuth2Provider = OAuth2Provider.objects.filter(
-            self.provider: OAuth2Provider = OAuth2Provider.objects.get(client_id=self.client_id)
+            client_id=self.client_id
-        except OAuth2Provider.DoesNotExist:
+        ).first()
        if not self.provider:
            LOGGER.warning("Invalid client identifier", client_id=self.client_id)
            raise ClientIdError(client_id=self.client_id)
        self.check_redirect_uri()
@ -234,40 +235,54 @@ class OAuthAuthorizationParams:
    def check_nonce(self):
        """Nonce parameter validation."""
-        # https://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDTValidation
+        # nonce is required for all flows that return an id_token from the authorization endpoint,
-        # Nonce is only required for Implicit flows
+        # see https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest or
-        if self.grant_type != GrantTypes.IMPLICIT:
+        # https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken and
        # https://bitbucket.org/openid/connect/issues/972/nonce-requirement-in-hybrid-auth-request
        if self.response_type not in [
            ResponseTypes.ID_TOKEN,
            ResponseTypes.ID_TOKEN_TOKEN,
            ResponseTypes.CODE_ID_TOKEN,
            ResponseTypes.CODE_ID_TOKEN_TOKEN,
        ]:
            return
        if SCOPE_OPENID not in self.scope:
            return
        if not self.nonce:
            self.nonce = self.state
            LOGGER.warning("Using state as nonce for OpenID Request")
        if not self.nonce:
            if SCOPE_OPENID in self.scope:
            LOGGER.warning("Missing nonce for OpenID Request")
-                raise AuthorizeError(
+            raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type, self.state)
                    self.redirect_uri, "invalid_request", self.grant_type, self.state
                )
    def check_code_challenge(self):
        """PKCE validation of the transformation method."""
        if self.code_challenge and self.code_challenge_method not in ["plain", "S256"]:
-            raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type, self.state)
+            raise AuthorizeError(
                self.redirect_uri,
                "invalid_request",
                self.grant_type,
                self.state,
                f"Unsupported challenge method {self.code_challenge_method}",
            )
    def create_code(self, request: HttpRequest) -> AuthorizationCode:
        """Create an AuthorizationCode object for the request"""
-        code = AuthorizationCode()
+        auth_event = get_login_event(request)
        code.user = request.user
        code.provider = self.provider
-        code.code = uuid4().hex
+        now = timezone.now()
        code = AuthorizationCode(
            user=request.user,
            provider=self.provider,
            auth_time=auth_event.created if auth_event else now,
            code=uuid4().hex,
            expires=now + timedelta_from_string(self.provider.access_code_validity),
            scope=self.scope,
            nonce=self.nonce,
        )
        if self.code_challenge and self.code_challenge_method:
            code.code_challenge = self.code_challenge
            code.code_challenge_method = self.code_challenge_method
        code.expires = timezone.now() + timedelta_from_string(self.provider.access_code_validity)
        code.scope = self.scope
        code.nonce = self.nonce
        return code
@ -302,7 +317,6 @@ class AuthorizationFlowInitView(PolicyAccessView):
                self.params.grant_type,
                self.params.state,
            )
            error.to_event(redirect_uri=error.redirect_uri).from_http(self.request)
            raise RequestValidationError(error.get_response(self.request))
    def resolve_provider_application(self):
@ -322,32 +336,45 @@ class AuthorizationFlowInitView(PolicyAccessView):
    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Start FlowPLanner, return to flow executor shell"""
        # Require a login event to be set, otherwise make the user re-login
        login_event = get_login_event(request)
        if not login_event:
            LOGGER.warning("request with no login event")
            return self.handle_no_permission()
        login_uid = str(login_event.pk)
        # After we've checked permissions, and the user has access, check if we need
        # to re-authenticate the user
        if self.params.max_age:
-            current_age: timedelta = (
+            # Attempt to check via the session's login event if set, otherwise we can't
-                timezone.now()
+            # check
-                - Event.objects.filter(action=EventAction.LOGIN, user=get_user(self.request.user))
+            login_time = login_event.created
-                .latest("created")
+            current_age: timedelta = timezone.now() - login_time
                .created
            )
            if current_age.total_seconds() > self.params.max_age:
                LOGGER.debug(
                    "Triggering authentication as max_age requirement",
                    max_age=self.params.max_age,
                    ago=int(current_age.total_seconds()),
                )
                # Since we already need to re-authenticate the user, set the old login UID
                # in case this request has both max_age and prompt=login
                self.request.session[SESSION_KEY_LAST_LOGIN_UID] = login_uid
                return self.handle_no_permission()
        # If prompt=login, we need to re-authenticate the user regardless
        # Check if we're not already doing the re-authentication
        if PROMPT_LOGIN in self.params.prompt:
            # No previous login UID saved, so save the current uid and trigger
            # re-login, or previous login UID matches current one, so no re-login happened yet
            if (
-            PROMPT_LOGIN in self.params.prompt
+                SESSION_KEY_LAST_LOGIN_UID not in self.request.session
-            and SESSION_KEY_NEEDS_LOGIN not in self.request.session
+                or login_uid == self.request.session[SESSION_KEY_LAST_LOGIN_UID]
            # To prevent the user from having to double login when prompt is set to login
            # and the user has just signed it. This session variable is set in the UserLoginStage
            # and is (quite hackily) removed from the session in applications's API's List method
            and USER_LOGIN_AUTHENTICATED not in self.request.session
            ):
-            self.request.session[SESSION_KEY_NEEDS_LOGIN] = True
+                self.request.session[SESSION_KEY_LAST_LOGIN_UID] = login_uid
                return self.handle_no_permission()
        scope_descriptions = UserInfoView().get_scope_descriptions(self.params.scope)
        # Regardless, we start the planner and return to it
        planner = FlowPlanner(self.provider.authorization_flow)
        planner.allow_empty_flows = True
        try:
            plan = planner.plan(
                self.request,
                {
@ -361,6 +388,8 @@ class AuthorizationFlowInitView(PolicyAccessView):
                    PLAN_CONTEXT_CONSENT_PERMISSIONS: scope_descriptions,
                },
            )
        except FlowNonApplicableException:
            return self.handle_no_permission_authenticated()
        # OpenID clients can specify a `prompt` parameter, and if its set to consent we
        # need to inject a consent stage
        if PROMPT_CONSENT in self.params.prompt:
@ -485,6 +514,11 @@ class OAuthFulfillmentStage(StageView):
                return urlunsplit(uri)
            if self.params.response_mode == ResponseMode.FRAGMENT:
                query_fragment = {}
                if self.params.grant_type in [GrantTypes.AUTHORIZATION_CODE]:
                    query_fragment["code"] = code.code
                    query_fragment["state"] = [str(self.params.state) if self.params.state else ""]
                else:
                    query_fragment = self.create_implicit_response(code)
                uri = uri._replace(
@ -518,6 +552,7 @@ class OAuthFulfillmentStage(StageView):
    def create_implicit_response(self, code: Optional[AuthorizationCode]) -> dict:
        """Create implicit response's URL Fragment dictionary"""
        query_fragment = {}
        auth_event = get_login_event(self.request)
        now = timezone.now()
        access_token_expiry = now + timedelta_from_string(self.provider.access_token_validity)
@ -526,6 +561,7 @@ class OAuthFulfillmentStage(StageView):
            scope=self.params.scope,
            expires=access_token_expiry,
            provider=self.provider,
            auth_time=auth_event.created if auth_event else now,
        )
        id_token = IDToken.new(self.provider, token, self.request)
@ -546,6 +582,8 @@ class OAuthFulfillmentStage(StageView):
            ResponseTypes.CODE_TOKEN,
        ]:
            query_fragment["access_token"] = token.token
            # Get at_hash of the current token and update the id_token
            id_token.at_hash = token.at_hash
        # Check if response_type must include id_token in the response.
        if self.params.response_type in [
@ -554,8 +592,6 @@ class OAuthFulfillmentStage(StageView):
            ResponseTypes.CODE_ID_TOKEN,
            ResponseTypes.CODE_ID_TOKEN_TOKEN,
        ]:
            # Get at_hash of the current token and update the id_token
            id_token.at_hash = token.at_hash
            query_fragment["id_token"] = self.provider.encode(id_token.to_dict())
            token._id_token = dumps(id_token.to_dict())
--- a/authentik/providers/oauth2/views/device_init.py
+++ b/authentik/providers/oauth2/views/device_init.py
@ -10,6 +10,7 @@ from structlog.stdlib import get_logger
 from authentik.core.models import Application
 from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTypes
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
@ -57,6 +58,7 @@ def validate_code(code: int, request: HttpRequest) -> Optional[HttpResponse]:
    scope_descriptions = UserInfoView().get_scope_descriptions(token.scope)
    planner = FlowPlanner(token.provider.authorization_flow)
    planner.allow_empty_flows = True
    try:
        plan = planner.plan(
            request,
            {
@ -70,6 +72,9 @@ def validate_code(code: int, request: HttpRequest) -> Optional[HttpResponse]:
                PLAN_CONTEXT_CONSENT_PERMISSIONS: scope_descriptions,
            },
        )
    except FlowNonApplicableException:
        LOGGER.warning("Flow not applicable to user")
        return None
    plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
    request.session[SESSION_KEY_PLAN] = plan
    return redirect_with_qs(
@ -97,7 +102,11 @@ class DeviceEntryView(View):
        # Regardless, we start the planner and return to it
        planner = FlowPlanner(device_flow)
        planner.allow_empty_flows = True
        try:
            plan = planner.plan(self.request)
        except FlowNonApplicableException:
            LOGGER.warning("Flow not applicable to user")
            return HttpResponse(status=404)
        plan.append_stage(in_memory_stage(OAuthDeviceCodeStage))
        self.request.session[SESSION_KEY_PLAN] = plan
--- a/authentik/providers/oauth2/views/token.py
+++ b/authentik/providers/oauth2/views/token.py
@ -26,6 +26,7 @@ from authentik.core.models import (
    User,
 )
 from authentik.events.models import Event, EventAction
 from authentik.events.signals import get_login_event
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
@ -262,8 +263,9 @@ class TokenParams:
            Event.new(
                action=EventAction.SUSPICIOUS_REQUEST,
                message="Revoked refresh token was used",
-                token=raw_token,
+                token=self.refresh_token,
-            ).from_http(request)
+                provider=self.refresh_token.provider,
            ).from_http(request, user=self.refresh_token.user)
            raise TokenError("invalid_grant")
    def __post_init_client_credentials(self, request: HttpRequest):
@ -478,6 +480,7 @@ class TokenView(View):
            expires=access_token_expiry,
            # Keep same scopes as previous token
            scope=self.params.authorization_code.scope,
            auth_time=self.params.authorization_code.auth_time,
        )
        access_token.id_token = IDToken.new(
            self.provider,
@ -492,6 +495,7 @@ class TokenView(View):
            scope=self.params.authorization_code.scope,
            expires=refresh_token_expiry,
            provider=self.provider,
            auth_time=self.params.authorization_code.auth_time,
        )
        id_token = IDToken.new(
            self.provider,
@ -520,7 +524,6 @@ class TokenView(View):
        unauthorized_scopes = set(self.params.scope) - set(self.params.refresh_token.scope)
        if unauthorized_scopes:
            raise TokenError("invalid_scope")
        now = timezone.now()
        access_token_expiry = now + timedelta_from_string(self.provider.access_token_validity)
        access_token = AccessToken(
@ -529,6 +532,7 @@ class TokenView(View):
            expires=access_token_expiry,
            # Keep same scopes as previous token
            scope=self.params.refresh_token.scope,
            auth_time=self.params.refresh_token.auth_time,
        )
        access_token.id_token = IDToken.new(
            self.provider,
@ -543,6 +547,7 @@ class TokenView(View):
            scope=self.params.refresh_token.scope,
            expires=refresh_token_expiry,
            provider=self.provider,
            auth_time=self.params.refresh_token.auth_time,
        )
        id_token = IDToken.new(
            self.provider,
@ -577,6 +582,7 @@ class TokenView(View):
            user=self.params.user,
            expires=access_token_expiry,
            scope=self.params.scope,
            auth_time=now,
        )
        access_token.id_token = IDToken.new(
            self.provider,
@ -599,11 +605,13 @@ class TokenView(View):
            raise DeviceCodeError("authorization_pending")
        now = timezone.now()
        access_token_expiry = now + timedelta_from_string(self.provider.access_token_validity)
        auth_event = get_login_event(self.request)
        access_token = AccessToken(
            provider=self.provider,
            user=self.params.device_code.user,
            expires=access_token_expiry,
            scope=self.params.device_code.scope,
            auth_time=auth_event.created if auth_event else now,
        )
        access_token.id_token = IDToken.new(
            self.provider,
@ -618,6 +626,7 @@ class TokenView(View):
            scope=self.params.device_code.scope,
            expires=refresh_token_expiry,
            provider=self.provider,
            auth_time=auth_event.created if auth_event else now,
        )
        id_token = IDToken.new(
            self.provider,
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@ -95,6 +95,7 @@ class ProxyProviderSerializer(ProviderSerializer):
            "refresh_token_validity",
            "outpost_set",
        ]
        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
 class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@ -154,6 +154,7 @@ class SAMLProviderSerializer(ProviderSerializer):
            "url_slo_post",
            "url_slo_redirect",
        ]
        extra_kwargs = ProviderSerializer.Meta.extra_kwargs
 class SAMLMetadataSerializer(PassiveSerializer):
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@ -73,9 +73,9 @@ class AssertionProcessor:
        # https://commons.lbl.gov/display/IDMgmt/Attribute+Definitions
        attribute_statement = Element(f"{{{NS_SAML_ASSERTION}}}AttributeStatement")
        user = self.http_request.user
-        for mapping in self.provider.property_mappings.all().select_subclasses():
+        for mapping in SAMLPropertyMapping.objects.filter(provider=self.provider).order_by(
-            if not isinstance(mapping, SAMLPropertyMapping):
+            "saml_name"
-                continue
+        ):
            try:
                mapping: SAMLPropertyMapping
                value = mapping.evaluate(
--- a/authentik/providers/saml/settings.py
+++ b/authentik/providers/saml/settings.py
@ -1,6 +0,0 @@
 """saml provider settings"""
 AUTHENTIK_PROVIDERS_SAML_PROCESSORS = [
    "authentik.providers.saml.processors.generic",
    "authentik.providers.saml.processors.salesforce",
 ]
--- a/authentik/providers/saml/tests/test_api.py
+++ b/authentik/providers/saml/tests/test_api.py
@ -10,8 +10,8 @@ from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.flows.models import FlowDesignation
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
 from authentik.providers.saml.models import SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.tests.test_metadata import load_fixture
 class TestSAMLProviderAPI(APITestCase):
--- a/authentik/providers/saml/tests/test_metadata.py
+++ b/authentik/providers/saml/tests/test_metadata.py
@ -1,6 +1,4 @@
 """Test Service-Provider Metadata Parser"""
 from pathlib import Path
 import xmlsec
 from defusedxml.lxml import fromstring
 from django.test import RequestFactory, TestCase
@ -9,6 +7,7 @@ from lxml import etree  # nosec
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_cert, create_test_flow
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
 from authentik.lib.xml import lxml_from_string
 from authentik.providers.saml.models import SAMLBindings, SAMLPropertyMapping, SAMLProvider
 from authentik.providers.saml.processors.metadata import MetadataProcessor
@ -16,12 +15,6 @@ from authentik.providers.saml.processors.metadata_parser import ServiceProviderM
 from authentik.sources.saml.processors.constants import NS_MAP
 def load_fixture(path: str, **kwargs) -> str:
    """Load fixture"""
    with open(Path(__file__).resolve().parent / Path(path), "r", encoding="utf-8") as _fixture:
        return _fixture.read()
 class TestServiceProviderMetadataParser(TestCase):
    """Test ServiceProviderMetadataParser parsing and creation of SAML Provider"""
@ -59,7 +52,7 @@ class TestServiceProviderMetadataParser(TestCase):
        request = self.factory.get("/")
        metadata = lxml_from_string(MetadataProcessor(provider, request).build_entity_descriptor())
-        schema = etree.XMLSchema(etree.parse("xml/saml-schema-metadata-2.0.xsd"))  # nosec
+        schema = etree.XMLSchema(etree.parse("schemas/saml-schema-metadata-2.0.xsd"))  # nosec
        self.assertTrue(schema.validate(metadata))
    def test_simple(self):
--- a/authentik/providers/saml/tests/test_schema.py
+++ b/authentik/providers/saml/tests/test_schema.py
@ -46,7 +46,7 @@ class TestSchema(TestCase):
        metadata = lxml_from_string(request)
-        schema = etree.XMLSchema(etree.parse("xml/saml-schema-protocol-2.0.xsd"))  # nosec
+        schema = etree.XMLSchema(etree.parse("schemas/saml-schema-protocol-2.0.xsd"))  # nosec
        self.assertTrue(schema.validate(metadata))
    def test_response_schema(self):
@ -67,5 +67,5 @@ class TestSchema(TestCase):
        metadata = lxml_from_string(response)
-        schema = etree.XMLSchema(etree.parse("xml/saml-schema-protocol-2.0.xsd"))
+        schema = etree.XMLSchema(etree.parse("schemas/saml-schema-protocol-2.0.xsd"))  # nosec
        self.assertTrue(schema.validate(metadata))
--- a/authentik/providers/saml/views/sso.py
+++ b/authentik/providers/saml/views/sso.py
@ -1,7 +1,7 @@
 """authentik SAML IDP Views"""
 from typing import Optional
-from django.http import HttpRequest, HttpResponse
+from django.http import Http404, HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404
 from django.utils.decorators import method_decorator
 from django.utils.translation import gettext as _
@ -11,6 +11,7 @@ from structlog.stdlib import get_logger
 from authentik.core.models import Application
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.views.executor import SESSION_KEY_PLAN, SESSION_KEY_POST
@ -60,6 +61,7 @@ class SAMLSSOView(PolicyAccessView):
        # Regardless, we start the planner and return to it
        planner = FlowPlanner(self.provider.authorization_flow)
        planner.allow_empty_flows = True
        try:
            plan = planner.plan(
                request,
                {
@ -70,6 +72,8 @@ class SAMLSSOView(PolicyAccessView):
                    PLAN_CONTEXT_CONSENT_PERMISSIONS: [],
                },
            )
        except FlowNonApplicableException:
            raise Http404
        plan.append_stage(in_memory_stage(SAMLFlowFinalView))
        request.session[SESSION_KEY_PLAN] = plan
        return redirect_with_qs(
--- a/authentik/providers/scim/init.py
+++ b/authentik/providers/scim/init.py
--- a/authentik/providers/scim/api/init.py
+++ b/authentik/providers/scim/api/init.py
--- a/authentik/providers/scim/api/property_mapping.py
+++ b/authentik/providers/scim/api/property_mapping.py
@ -0,0 +1,38 @@
 """scim Property mappings API Views"""
 from django_filters.filters import AllValuesMultipleFilter
 from django_filters.filterset import FilterSet
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema_field
 from rest_framework.viewsets import ModelViewSet
 from authentik.core.api.propertymappings import PropertyMappingSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.providers.scim.models import SCIMMapping
 class SCIMMappingSerializer(PropertyMappingSerializer):
    """SCIMMapping Serializer"""
    class Meta:
        model = SCIMMapping
        fields = PropertyMappingSerializer.Meta.fields
 class SCIMMappingFilter(FilterSet):
    """Filter for SCIMMapping"""
    managed = extend_schema_field(OpenApiTypes.STR)(AllValuesMultipleFilter(field_name="managed"))
    class Meta:
        model = SCIMMapping
        fields = "__all__"
 class SCIMMappingViewSet(UsedByMixin, ModelViewSet):
    """SCIMMapping Viewset"""
    queryset = SCIMMapping.objects.all()
    serializer_class = SCIMMappingSerializer
    filterset_class = SCIMMappingFilter
    search_fields = ["name"]
    ordering = ["name"]
--- a/authentik/providers/scim/api/providers.py
+++ b/authentik/providers/scim/api/providers.py
@ -0,0 +1,62 @@
 """SCIM Provider API Views"""
 from django.utils.text import slugify
 from drf_spectacular.utils import OpenApiResponse, extend_schema
 from rest_framework.decorators import action
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet
 from authentik.admin.api.tasks import TaskSerializer
 from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.events.monitored_tasks import TaskInfo
 from authentik.providers.scim.models import SCIMProvider
 class SCIMProviderSerializer(ProviderSerializer):
    """SCIMProvider Serializer"""
    class Meta:
        model = SCIMProvider
        fields = [
            "pk",
            "name",
            "property_mappings",
            "property_mappings_group",
            "component",
            "assigned_application_slug",
            "assigned_application_name",
            "verbose_name",
            "verbose_name_plural",
            "meta_model_name",
            "url",
            "token",
            "exclude_users_service_account",
            "filter_group",
        ]
        extra_kwargs = {}
 class SCIMProviderViewSet(UsedByMixin, ModelViewSet):
    """SCIMProvider Viewset"""
    queryset = SCIMProvider.objects.all()
    serializer_class = SCIMProviderSerializer
    filterset_fields = ["name", "exclude_users_service_account", "url", "filter_group"]
    search_fields = ["name", "url"]
    ordering = ["name", "url"]
    @extend_schema(
        responses={
            200: TaskSerializer(),
            404: OpenApiResponse(description="Task not found"),
        }
    )
    @action(methods=["GET"], detail=True, pagination_class=None, filter_backends=[])
    def sync_status(self, request: Request, pk: int) -> Response:
        """Get provider's sync status"""
        provider = self.get_object()
        task = TaskInfo.by_name(f"scim_sync:{slugify(provider.name)}")
        if not task:
            return Response(status=404)
        return Response(TaskSerializer(task).data)
--- a/Show More
+++ b/Show More